[security-dev 00851]: Re: Code review request: 6813340: X509Factory should not depend on is.available()==0
Xuelei Fan
Xuelei.Fan at Sun.COM
Mon May 25 14:21:23 UTC 2009
Max (Weijun) Wang wrote:
>>>> 3. 584 ~ EOF
>>>> You assume that the tag occupies only one byte, that's incorrect, the
>>>> tag would occupy more than one byte when it is bigger than 30. The
>>>> assumption would make the following length parser code incorrect.
>>>>
>>>> You assume that the end of indefinite length is only one zero byte,
>>>> that's incorrect, it is two zero bytes.
>>>
>>> readBERInternal() reads 2 bytes at EOC, on 588 and 595.
>>>
>> OK, I just realized line 605 is incorrect, which will treat the
>> content as a TLV component, which is not always correct. For example,
>> if the indefinite-length is "0x80 0x06 0x07 0x01 0x00 0x00", "0x06
>> 0x07 0x01" is the content bytes, the 0x06 will be parsed as tag, the
>> 0x07 will be parsed as length, and then try to read 0x07 bytes from
>> the stream.
>>
>> If you want to support indefinite-length, I think you can simply keep
>> reading until you get two zero bytes.
>
> As I understand, "0x80 0x06 0x07 0x01 0x00 0x00" is not an indef-len BER.
You're right, it is not a valid indef-len BER. I will look twice at
readBERInternal() tomorrow.
Andrew
> An indef-len BER is always a constructed type, which includes an
> arrays of data ended with an EOC, so it should be something like:
>
> TAG 0x80
> TAG1 0x02 a b
> TAG2 0x03 a b c
> 0x00 0x00
>
> The following lines are extracted from "A Layman's Guide to ASN.1, BER
> and DER" [1]
>
> In each method, the BER encoding has three or four parts:
>
> Identifier octets. These identify the class and tag number
> of the ASN.1 value, and indicate whether the method is
> primitive or constructed.
>
> Length octets. For the definite-length methods, these give
> the number of contents octets. For the constructed,
> indefinite-length method, these indicate that the length
> is indefinite.
>
> Contents octets. For the primitive, definite-length method,
> these give a concrete representation of the value. For the
> constructed methods, these give the concatenation of the
> BER encodings of the components of the value.
>
> End-of-contents octets. For the constructed, indefinite-
> length method, these denote the end of the contents. For
> the other methods, these are absent.
>
> Max
>
> [1] http://luca.ntop.org/Teaching/Appunti/asn1.html
>
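The points raised in this thread (a tag number above 30 occupies more than one identifier octet, the indefinite-length form is only legal for constructed encodings, and that form is terminated by the two-octet end-of-contents 00 00) are illustrated by the following small BER reader. This is an added example, not code from the thread, from readBERInternal() or from the JDK; the sample byte strings are constructed here to mirror the shapes discussed above and are not real certificate data.

```python
# Added example (not from the thread or the JDK source): a minimal BER TLV
# reader that handles high tag numbers, short/long definite lengths, and
# the constructed indefinite-length form ended by the EOC octets 00 00.

EOC = b"\x00\x00"


def _need(data, pos, n):
    """Raise if fewer than n bytes remain at pos (truncated input)."""
    if pos + n > len(data):
        raise ValueError("truncated BER element at offset %d" % pos)


def read_identifier(data, pos):
    """Read the identifier octets. Returns (tag_bytes, constructed, pos).

    A tag number of 31 or more is signalled by the low five bits of the
    first octet being all ones; the number then continues in following
    octets, seven bits each, with bit 8 set on every octet but the last.
    """
    _need(data, pos, 1)
    start = pos
    first = data[pos]
    pos += 1
    if first & 0x1F == 0x1F:
        while True:
            _need(data, pos, 1)
            more = data[pos] & 0x80
            pos += 1
            if not more:
                break
    return data[start:pos], bool(first & 0x20), pos


def read_length(data, pos):
    """Read the length octets. Returns (length, pos); length is None for
    the indefinite form (the single octet 0x80)."""
    _need(data, pos, 1)
    first = data[pos]
    pos += 1
    if first < 0x80:
        return first, pos            # short form
    if first == 0x80:
        return None, pos             # indefinite form
    n = first & 0x7F                 # long form: n length octets follow
    _need(data, pos, n)
    return int.from_bytes(data[pos:pos + n], "big"), pos + n


def parse_element(data, pos=0):
    """Parse one element at pos. Returns ((tag_bytes, body), new_pos) where
    body is the raw contents of a primitive element or a list of parsed
    child elements of a constructed one."""
    tag, constructed, pos = read_identifier(data, pos)
    length, pos = read_length(data, pos)

    if length is None:
        # Indefinite length: only legal for constructed encodings, and the
        # contents are whole child elements up to the EOC octets.
        if not constructed:
            raise ValueError("indefinite length on a primitive element")
        children = []
        while True:
            _need(data, pos, 2)
            if data[pos:pos + 2] == EOC:
                return (tag, children), pos + 2
            child, pos = parse_element(data, pos)
            children.append(child)

    _need(data, pos, length)
    end = pos + length
    if not constructed:
        return (tag, data[pos:end]), end
    children = []
    while pos < end:
        child, pos = parse_element(data, pos)
        children.append(child)
    if pos != end:
        raise ValueError("child elements overrun the declared length")
    return (tag, children), end


# Constructed sample inputs (not real certificates) mirroring the thread.
# Max's shape: SEQUENCE (0x30) of indefinite length holding two OCTET
# STRINGs, then the EOC octets.
INDEF_SEQUENCE = b"\x30\x80" + b"\x04\x02ab" + b"\x04\x03abc" + EOC
# Application-class primitive tag number 100: the identifier is two octets.
HIGH_TAG = b"\x5f\x64\x03abc"
# The byte string from the thread behind a primitive tag: not valid BER.
BAD_INDEF = b"\x04\x80\x06\x07\x01\x00\x00"


if __name__ == "__main__":
    print(parse_element(INDEF_SEQUENCE))
    print(parse_element(HIGH_TAG))
    try:
        parse_element(BAD_INDEF)
    except ValueError as e:
        print("rejected:", e)
```

Both failure paths discussed above are reachable with these inputs: a primitive element with length octet 0x80 is rejected outright, and the same "0x80 0x06 0x07 0x01 0x00 0x00" sequence behind a constructed tag is rejected because the child with length 0x07 runs past the end of the input instead of being silently read as content.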