that discrepancy between spec & implementation of DSIG hashing (RE: First draft of the ballot comments on the new amendment)

Hin-Tak Leung htl10 at users.sourceforge.net
Sun Nov 20 21:27:26 CET 2016


Hi Ali,

No. Referring to this section in from http://www.microsoft.com/typography/otspec/dsig.htm .
The anomaly is that the microsoft signing code (nor the verifying code in verifying) does not perform
step 1.4 - " Zero out the file checksum in the head table. ".

   Format 1: For whole fonts, with either TrueType outlines and/or CFF data

   PKCS#7 or PKCS#9. The signed content digest is created as follows:
    1. If there is an existing DSIG table in the font,
         1. Remove DSIG table from font.
         2. Remove DSIG table entry from sfnt Table Directory.
         3. Adjust table offsets as necessary.
         4. Zero out the file checksum in the head table.
         5. Add the usFlag (reserved, set at 1 for now) to the stream of bytes

I am asking that somebody at Microsoft who has access to the source code of mssipotf.dll (which AFAIK contains Microsoft's implementation of both font signing and verifying), and sufficient programming/technical know-how, to confirm that step 1.4 is not performed. If a Microsoft folk can confirm this, I propose that the OpenType spec to adjust to match, since for a long time the Microsoft implementation is the major one one uses, if not the only one. 


Hin-Tak

--------------------------------------------
On Thu, 22/9/16, Basit Ali <alib at microsoft.com> wrote:


 
 Hi Hin-Tak, 
 
 Sorry for not getting back to
 you. The anomaly you are talking about is that in practice
 we have a v2 header even though the version stated is 1?
 
 Ali
 



More information about the mpeg-otspec mailing list