[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#5070) Issues in X.509 certificate parsing
On Aug 2, 2007, at 10:48 PM, ando@sys-net.it wrote:
> ando@sys-net.it wrote:
>
>> I've an issue with X.509 certificate parsing in HEAD/re24. The
>> certificate,
>> according to OpenSSL, has a SerialNumber c8:5b:9a:dd:ea:bf:f9:fa
>> and HEAD fails
>> to parse it because it is an integer with length equal to 9, which
>> is larger
>> than sizeof(ber_int_t), as tested in ber_getnint() at decode.c:
>> 254. The DER
>> encoded value is: 2 9 0 200 91 154 221 234 191 249 250.
>> Seems to be time
>> to get past the sizeof(ber_int_t) limitation...
>
> ... which would violate RFC 4511 where it states that INTEGER means
> from
> 0 up to 2^31-1...
This and other RFC 4511 BER restrictions do not apply to
BER/DER-encoded attribute values, such as certificates.
> I have a simple solution for this problem, at the
> cost of partially violating rfc 4523: if an integer is larger than
> 2^31-1, it could be represented in the certificateExactMatch
> normalization in hexadecimal form, much like OpenSSL does. This would
> increase interoperability with OpenSSL and be at least self-
> consistent,
> since all serialNumbers that large would be consistently expanded that
> way. Another solution, preserving the decimal representation, would
> probably require some arbitrary precision support from external
> libraries. If there's consensus, I'd post my simple patch.
>
> p.
>
>
>
> Ing. Pierangelo Masarati
> OpenLDAP Core Team
>
> SysNet s.r.l.
> via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> ---------------------------------------
> Office: +39 02 23998309
> Mobile: +39 333 4963172
> Email: pierangelo.masarati@sys-net.it
> ---------------------------------------
>
>
>