[security-dev 00851]: Re: Code review request: 6813340: X509Factory should not depend on is.available()==0

Xuelei Fan Xuelei.Fan at Sun.COM
Mon May 25 07:21:23 PDT 2009

Max (Weijun) Wang wrote:
>>>> 3. 584 ~ EOF
>>>> You assume that the tag occupies only one byte, that's incorrect, the 
>>>> tag would occupy more than one byte when it is bigger than 30. The 
>>>> assumption would make the following length parser code incorrect.
>>>> You assume that the end of indefinite length is only one zero byte, 
>>>> that's incorrect, it is two zero bytes.
>>> readBERInternal() reads 2 bytes at EOC, on 588 and 595.
>> OK, I just realized line 605 is incorrect, which will treat the 
>> content as a TLV component, which is not always correct. For example, 
>> if the indefinite-length is "0x80 0x06 0x07 0x01 0x00 0x00", "0x06 
>> 0x07 0x01" is the content bytes, the 0x06 will be parsed as tag, the 
>> 0x07 will be parsed as length, and then it will try to read 0x07 bytes from 
>> the stream.
>> If you want to support indefinite-length, I think you can simply keep 
>> reading until you get two zero bytes.
> As I understand, "0x80 0x06 0x07 0x01 0x00 0x00" is not an indef-len BER.
You're right, it is not a valid indef-len BER. I will look twice at 
readBERInternal() tomorrow.

> An indef-len BER is always a constructed type, which includes an 
> array of data ended with an EOC, so it should be something like:
>   TAG 0x80
>            TAG1 0x02 a b
>            TAG2 0x03 a b c
>            0x00 0x00
> The following lines are extracted from "A Layman's Guide to ASN.1, BER 
> and DER" [1]
>     In each method, the BER encoding has three or four parts:
>     Identifier octets. These identify the class and tag number
>     of the ASN.1 value, and indicate whether the method is
>     primitive or constructed.
>     Length octets. For the definite-length methods, these give
>     the number of contents octets. For the constructed,
>     indefinite-length method, these indicate that the length
>     is indefinite.
>     Contents octets. For the primitive, definite-length method,
>     these give a concrete representation of the value. For the
>     constructed methods, these give the concatenation of the
>     BER encodings of the components of the value.
>     End-of-contents octets. For the constructed, indefinite-
>     length method, these denote the end of the contents. For
>     the other methods, these are absent.
> Max
> [1] http://luca.ntop.org/Teaching/Appunti/asn1.html
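The BER element reader below is an added example for this thread, not code from the JDK or from either poster. It walks one TLV the way the Layman's Guide describes it: multi-octet identifiers for tag numbers above 30, short and long definite lengths, and the constructed indefinite-length form whose contents are whole nested TLVs terminated by the two EOC octets. The sample byte strings are constructed here; the SEQUENCE and OCTET STRING tags wrapped around the sketches above are an assumption.

```python
def _need(buf, pos, n):
    """Raise if fewer than n bytes remain at buf[pos]."""
    if pos + n > len(buf):
        raise EOFError("truncated BER element at offset %d" % pos)


def ber_element_end(buf, pos=0):
    """Return the offset just past the BER element starting at buf[pos]."""
    _need(buf, pos, 1)
    first = buf[pos]
    pos += 1
    if first & 0x1F == 0x1F:
        # high-tag-number form: bit 8 set means another identifier octet follows
        while True:
            _need(buf, pos, 1)
            pos += 1
            if not buf[pos - 1] & 0x80:
                break
    constructed = bool(first & 0x20)
    _need(buf, pos, 1)
    length_octet = buf[pos]
    pos += 1
    if length_octet == 0x80:
        # indefinite length is legal only for constructed encodings
        if not constructed:
            raise ValueError("indefinite length on a primitive encoding")
        # contents are whole TLVs, so parse each one until the EOC octets;
        # a stream that ends first raises EOFError inside the recursion
        while buf[pos:pos + 2] != b"\x00\x00":
            pos = ber_element_end(buf, pos)
        return pos + 2
    if length_octet & 0x80:
        # long form: low 7 bits give the number of length octets
        n = length_octet & 0x7F
        if n > 4:
            raise ValueError("unsupported length-of-length %d" % n)
        _need(buf, pos, n)
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = length_octet
    _need(buf, pos, length)
    return pos + length


# Constructed samples. Max's sketch behind a SEQUENCE tag with two OCTET
# STRINGs: 30 80 | 04 02 'a' 'b' | 04 03 'a' 'b' 'c' | 00 00  (13 bytes)
VALID_INDEF = bytes.fromhex("30800402616204036162630000")
# Xuelei's bytes behind a SEQUENCE tag: the 06 07 inside the indefinite
# contents is a TLV claiming 7 content bytes, so parsing runs off the end
NOT_INDEF_BER = bytes.fromhex("30800607010000")
```

Parsing VALID_INDEF returns 13, while NOT_INDEF_BER raises EOFError, which is the failure the thread describes for bytes that are not a valid indef-len encoding.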
