Perform bh validation first

Instead of doing bh validation as the last step, do it at the very
start. This way we can recognize body content modifications early on
before needing to do any signature validation at all.

Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>

1 files changed, 4 insertions, 3 deletions

diff --git a/patatt/__init__.py b/patatt/__init__.py
index 8365a4d..042a747 100644
--- a/patatt/__init__.py
+++ b/patatt/__init__.py
@@ -188,6 +188,10 @@ class DevsigHeader:
 
     def validate(self, keyinfo: Union[str, bytes, None]) -> str:
         self.sanity_check()
+        # Start by validating the body hash. If it fails to match, we can
+        # bail early, before needing to do any signature validation.
+        if self.get_field('bh') != self._body_hash:
+            raise BodyValidationError('Body content validation failed')
         # Check that we have a b= field
         if not self.get_field('b'):
             raise RuntimeError('Missing "b=" value')
@@ -214,9 +218,6 @@ class DevsigHeader:
         vdigest = hashed.digest()
         if sdigest != vdigest:
             raise ValidationError('Header validation failed')
-        # Now validate body hash
-        if self.get_field('bh') != self._body_hash:
-            raise BodyValidationError('Body content validation failed')
 
         return signtime