[security-dev 00850]: Re: Code review request: 6813340: X509Factory should not depend on is.available()==0

Max (Weijun) Wang Weijun.Wang at Sun.COM
Mon May 25 06:24:14 PDT 2009

>>> 3. 584 ~ EOF
>>> You assume that the tag occupies only one byte; that's incorrect,
>>> the tag occupies more than one byte when it is bigger than 30.
>>> That assumption makes the following length parser code incorrect.
>>> You assume that the end of indefinite length is only one zero
>>> byte; that's incorrect, it is two zero bytes.
>> readBERInternal() reads 2 bytes at EOC, on 588 and 595.
> OK, I just realized line 605 is incorrect, which will treat the
> content as a TLV component, which is not always correct. For
> example, if the indefinite-length is "0x80 0x06 0x07 0x01 0x00
> 0x00", "0x06 0x07 0x01" is the content bytes, the 0x06 will be
> parsed as tag, the 0x07 will be parsed as length, and then it will
> try to read 0x07 bytes from the stream.
> If you want to support indefinite-length, I think you can simply
> keep reading until you get two zero bytes.

As I understand, "0x80 0x06 0x07 0x01 0x00 0x00" is not an indef-len
BER. An indef-len BER is always a constructed type, which includes an
array of data ended with an EOC, so it should be something like:

   TAG 0x80
            TAG1 0x02 a b
            TAG2 0x03 a b c
            0x00 0x00

The following lines are extracted from "A Layman's Guide to ASN.1, BER  
and DER" [1]

     In each method, the BER encoding has three or four parts:

     Identifier octets. These identify the class and tag number
     of the ASN.1 value, and indicate whether the method is
     primitive or constructed.

     Length octets. For the definite-length methods, these give
     the number of contents octets. For the constructed,
     indefinite-length method, these indicate that the length
     is indefinite.

     Contents octets. For the primitive, definite-length method,
     these give a concrete representation of the value. For the
     constructed methods, these give the concatenation of the
     BER encodings of the components of the value.

     End-of-contents octets. For the constructed, indefinite-
     length method, these denote the end of the contents. For
     the other methods, these are absent.


[1] http://luca.ntop.org/Teaching/Appunti/asn1.html
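
The following is an added example, not part of the thread or of the
X509Factory change under review: a minimal BER element reader in Python
that applies the rules quoted above. It handles multi-byte identifier
octets (tag numbers above 30), short and long definite lengths, and the
constructed indefinite-length form, descending into the contents so that
a 0x00 0x00 inside a nested value is not mistaken for the outer EOC. It
rejects the indefinite form on a primitive tag, and on the
"0x80 0x06 0x07 0x01 0x00 0x00" input from the quoted message it fails
exactly where that message says: 0x06 0x07 is read as a TLV header and
the stream runs dry. Because it consumes exactly one element's octets,
the caller never needs is.available(). The sample byte strings are
constructed for this example.

```python
import io

EOC = b"\x00\x00"  # end-of-contents: tag 0, length 0


class BERError(ValueError):
    """Malformed or truncated BER input."""


def _read_exact(stream, n):
    data = stream.read(n)
    if len(data) != n:
        raise BERError("unexpected end of stream")
    return data


def _read_tag(stream):
    """Read the identifier octets. Returns (raw, constructed).

    Tag numbers 0..30 fit in the first octet. 31 and above use the
    high-tag-number form: low five bits all set, then base-128 octets
    whose top bit (0x80) marks continuation.
    """
    raw = bytearray(_read_exact(stream, 1))
    if raw[0] & 0x1F == 0x1F:
        while True:
            raw += _read_exact(stream, 1)
            if not raw[-1] & 0x80:
                break
    return bytes(raw), bool(raw[0] & 0x20)


def _read_length(stream):
    """Read the length octets. Returns (raw, length); length is None
    for the indefinite form (single octet 0x80)."""
    raw = bytearray(_read_exact(stream, 1))
    first = raw[0]
    if first == 0x80:
        return bytes(raw), None
    if first < 0x80:
        return bytes(raw), first
    count = first & 0x7F
    if count == 0x7F:
        raise BERError("length octet 0xFF is reserved")
    raw += _read_exact(stream, count)
    return bytes(raw), int.from_bytes(raw[1:], "big")


def _read_element(stream, depth):
    tag, constructed = _read_tag(stream)
    length_raw, length = _read_length(stream)
    out = bytearray(tag + length_raw)

    if tag == b"\x00":
        # End-of-contents is only legal inside an indefinite-length value.
        if length != 0:
            raise BERError("end-of-contents with non-zero length")
        if depth == 0:
            raise BERError("end-of-contents at top level")
        return bytes(out)

    if length is not None:
        # Definite length: copy exactly `length` contents octets. A
        # constructed value's contents are TLVs, but we need not descend
        # to find where this element ends.
        out += _read_exact(stream, length)
        return bytes(out)

    # Indefinite length: X.690 allows it only for the constructed form,
    # and the contents are complete BER elements terminated by EOC.
    if not constructed:
        raise BERError("indefinite length on a primitive tag")
    while True:
        child = _read_element(stream, depth + 1)
        out += child
        if child == EOC:
            return bytes(out)


def read_ber(stream):
    """Read one complete BER element from a binary stream and return
    its encoding, consuming no octets beyond it."""
    return _read_element(stream, 0)


def read_ber_bytes(data):
    """Parse one element from bytes; return (element, remaining)."""
    stream = io.BytesIO(data)
    element = read_ber(stream)
    return element, stream.read()


def ber_error(data):
    """Return the BERError message for data, or None if it parses."""
    try:
        read_ber_bytes(data)
    except BERError as exc:
        return str(exc)
    return None


# Constructed sample inputs for the example (hex, whitespace ignored).
SEQ_DEFINITE = bytes.fromhex("3006 020105 020107")              # SEQUENCE { 5, 7 }
SEQ_INDEFINITE = bytes.fromhex("3080 020105 3080 020107 0000 0000")  # nested indef-len
HIGH_TAG_INDEFINITE = bytes.fromhex("BF8100 80 040141 0000")    # tag number 128, > 30
PRIMITIVE_INDEFINITE = bytes.fromhex("04 80 06 07 01 0000")     # indef-len on OCTET STRING
TRUNCATED_CHILD = bytes.fromhex("3080 06 07 01 0000")           # 0x06 0x07 read as a TLV

if __name__ == "__main__":
    element, rest = read_ber_bytes(SEQ_INDEFINITE + b"\xaa")
    print("element:", element.hex(), "remaining:", rest.hex())
    for bad in (PRIMITIVE_INDEFINITE, TRUNCATED_CHILD):
        print(bad.hex(), "->", ber_error(bad))
```

Note the trailing 0xAA in the usage: the reader stops at the outer EOC
and leaves it in the stream, which is the property the X509Factory
change needs instead of checking is.available()==0.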
