From 99a35d9af06b2cf251cd73862fe456f8d4a22528 Mon Sep 17 00:00:00 2001
From: Arthur Gautier
Date: Sun, 27 Jul 2025 02:15:12 +0000
Subject: [PATCH] cms: decode a MessageDigest from an Attribute
---
 cms/src/attr.rs | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/cms/src/attr.rs b/cms/src/attr.rs
index 6617fcf69..891273d5d 100644
--- a/cms/src/attr.rs
+++ b/cms/src/attr.rs
@@ -5,8 +5,10 @@ use core::borrow::Borrow;
 use der::{
 DecodeValue, EncodeValue, FixedTag, Length, Tag,
 asn1::{OctetString, OctetStringRef},
+ oid::db::rfc6268,
 };
-use x509_cert::time::Time;
+
+use x509_cert::{attr::Attribute, time::Time};
 use crate::signed_data::SignerInfo;
@@ -101,6 +103,30 @@ impl From for vec::Vec {
 }
 }
+impl TryFrom<&Attribute> for MessageDigest {
+ type Error = der::Error;
+
+ fn try_from(attr: &Attribute) -> Result {
+ if attr.oid != rfc6268::ID_MESSAGE_DIGEST {
+ return Err(der::ErrorKind::OidUnknown { oid: attr.oid }.into());
+ }
+
+ // A message-digest attribute MUST have a single attribute value, even
+ // though the syntax is defined as a SET OF AttributeValue. There MUST
+ // NOT be zero or multiple instances of AttributeValue present.
+
+ if attr.values.len() != 1 {
+ return Err(der::ErrorKind::Value { tag: Tag::Set }.into());
+ }
+ let message_digest = attr
+ .values
+ .get(0)
+ .expect("Invariant violation, only one value is present in the attribute");
+
+ message_digest.decode_as::().map(Self)
+ }
+}
+
 /// The `SigningTime` attribute is defined in [RFC 5652 Section 11.3].
 ///
 /// ```text
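Review bot: The new `TryFrom<&Attribute> for MessageDigest` impl in the second hunk has no doc comment, and the cardinality rule it enforces covers only the values inside one attribute. RFC 5652 also forbids more than one message-digest attribute among a signer's signed attributes, which this conversion cannot see. A doc comment such as `/// Validates a single attribute only; callers must still reject signed attributes that carry more than one message-digest attribute.` would keep callers from treating a successful conversion as the whole check. In the same impl, `.get(0).expect(...)` leaves a panic path in code that parses untrusted CMS input; it is unreachable after the `len() != 1` test, but `let Some(message_digest) = attr.values.get(0) else { return Err(der::ErrorKind::Value { tag: Tag::Set }.into()) };` returns the same error without relying on that invariant.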