[security-dev 00850]: Re: Code review request: 6813340: X509Factory should not depend on is.available()==0
Max (Weijun) Wang
Weijun.Wang at Sun.COM
Mon May 25 13:24:14 UTC 2009
>>> 3. 584 ~ EOF
>>> You assume that the tag occupy only one byte, that's incorrect,
>>> the tag would occupy more than one byte when it is bigger than 30.
>>> The assume would make the following length parser code incorrect.
>>>
>>> You assume that the end of indefinite length is only one zero
>>> byte, that's incorrect, it is zero of two bytes.
>>
>> readBERInternal() reads 2 bytes at EOC, on 588 and 595.
>>
> OK, I just realized line 605 is incorrect, which will treat the
> content as a TLV component, which is not always correct. For
> example, if the indefinite-length is "0x80 0x06 0x07 0x01 0x00
> 0x00", "0x06 0x07 0x01" is the content bytes, the 0x06 will be
> parsed as tag, the ox07 will be parsed as length, and then try to
> read 0x07 bytes from the stream.
>
> If you want to support indefinite-length, I think you can simply
> keep reading until get two zero bytes.
As I understand, "0x80 0x06 0x07 0x01 0x00 0x00" is not an indef-len
BER. An indef-len BER is always a constructed type, which includes an
arrays of data ended with an EOC, so it should be something like:
TAG 0x80
TAG1 0x02 a b
TAG2 0x03 a b c
0x00 0x00
The following lines are extracted from "A Layman's Guide to ASN.1, BER
and DER" [1]
In each method, the BER encoding has three or four parts:
Identifier octets. These identify the class and tag number
of the ASN.1 value, and indicate whether the method is
primitive or constructed.
Length octets. For the definite-length methods, these give
the number of contents octets. For the constructed,
indefinite-length method, these indicate that the length
is indefinite.
Contents octets. For the primitive, definite-length method,
these give a concrete representation of the value. For the
constructed methods, these give the concatenation of the
BER encodings of the components of the value.
End-of-contents octets. For the constructed, indefinite-
length method, these denote the end of the contents. For
the other methods, these are absent.
Max
[1] http://luca.ntop.org/Teaching/Appunti/asn1.html
More information about the security-dev
mailing list