[gnutls-devel] GnuTLS | gnutls can't check object identifier value correctly (#886)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Mon Dec 23 10:33:42 CET 2019
llqll created an issue: https://gitlab.com/gnutls/gnutls/issues/886



An error occurred when I verified a certificate, and the certificate contains an object identifier (TLV) of `"0x06, 0x11, 0xfa, 0x80, 0x0, 0x0, 0x0, 0xe, 0x1, 0xe, 0xfa, 0x80, 0x0, 0x0, 0x0, 0xe, 0x63, 0x6f"`.

The error is "error parsing CRTs: ASN1 parser: Error in DER parsing."

Through debugging, I found that an error occurred while parsing that object identifier. The reason given is that the leading octet has the value 0x80. But, in the object identifier value, the leading octet is 0xfa.

The basis of this check is `X.690 8.19` (Encoding of an object identifier value).

 ![image text](https://github.com/llqll/image/raw/master/g2.png)

After careful debugging, I found that the `asn1_get_object_id_der` function always checks the second byte instead of the leading byte of the object identifier value.

 ![image text](https://github.com/llqll/image/raw/master/g1.png)

In lib/decoding.c: asn1_get_object_id_der(), `der` points to the length of the TLV structure instead of the tag, and `der[len_len + k]` is the second byte of the object identifier value instead of the leading byte. Therefore, the function cannot properly check the encoding of the object identifier.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/886
You're receiving this email because of your account on gitlab.com.
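To make the X.690 8.19 rule the report argues about concrete, here is an added, stand-alone DER OBJECT IDENTIFIER decoder. It is example code written for this page, not libtasn1's `asn1_get_object_id_der` or any other GnuTLS code, and the function names, error codes and sample TLVs are its own. X.690 8.19.2 requires each subidentifier to be encoded in the fewest possible octets, which means the *first* octet of every subidentifier must not be 0x80; an 0x80 in a later position of a multi-octet subidentifier is legal. The decoder applies the check at the start of each subidentifier, after stepping past the tag and length, and the constructed samples include the value octets from the report (with the length octet set to 0x10 so that it matches the 16 value octets listed), a well-known OID, and a genuinely non-minimal encoding that must be rejected.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical error codes for this example decoder (not libtasn1's). */
enum {
    OID_OK = 0,
    OID_ERR_TAG = -1,      /* not an OBJECT IDENTIFIER (tag 0x06) */
    OID_ERR_LENGTH = -2,   /* bad, non-minimal or truncated length field */
    OID_ERR_LEADING = -3,  /* X.690 8.19.2: leading octet of a subidentifier is 0x80 */
    OID_ERR_TRUNC = -4,    /* last value octet still has its continuation bit set */
    OID_ERR_OVERFLOW = -5, /* subidentifier does not fit in 64 bits */
    OID_ERR_BUF = -6       /* output buffer too small */
};

/* Decode a full DER OBJECT IDENTIFIER TLV (tag, length, value) into dotted form. */
int oid_decode(const unsigned char *der, size_t der_len, char *out, size_t out_len)
{
    size_t pos = 0, len = 0, k, written = 0;
    int first = 1;

    if (der_len < 2 || der[pos++] != 0x06)
        return OID_ERR_TAG;

    /* Length: short form (< 0x80) or long form (0x8N followed by N length octets). */
    {
        unsigned char l0 = der[pos++];
        if (l0 < 0x80) {
            len = l0;
        } else {
            size_t n = l0 & 0x7f, i;
            if (n == 0 || n > sizeof(size_t) || der_len - pos < n)
                return OID_ERR_LENGTH;
            for (i = 0; i < n; i++)
                len = (len << 8) | der[pos++];
            if (len < 0x80) /* DER requires the shortest length encoding */
                return OID_ERR_LENGTH;
        }
    }
    if (len == 0 || der_len - pos < len)
        return OID_ERR_LENGTH;

    /* pos now indexes the first VALUE octet, i.e. the leading octet of subidentifier 1. */
    for (k = pos; k < pos + len; ) {
        uint64_t sub = 0;
        int n;

        /* 8.19.2: the leading octet of EACH subidentifier must not be 0x80. */
        if (der[k] == 0x80)
            return OID_ERR_LEADING;

        for (;;) {
            int more = der[k] & 0x80;
            if (sub > (UINT64_MAX >> 7))
                return OID_ERR_OVERFLOW;
            sub = (sub << 7) | (der[k] & 0x7f);
            k++;
            if (!more)
                break;
            if (k >= pos + len)
                return OID_ERR_TRUNC;
        }

        if (first) {
            /* 8.19.4: the first two arcs X.Y are packed as X*40+Y; X is 2 whenever
             * the packed value is >= 80, since arcs 0 and 1 only allow Y < 40. */
            uint64_t x = sub < 80 ? sub / 40 : 2;
            uint64_t y = sub - x * 40;
            n = snprintf(out + written, out_len - written, "%llu.%llu",
                         (unsigned long long)x, (unsigned long long)y);
            first = 0;
        } else {
            n = snprintf(out + written, out_len - written, ".%llu",
                         (unsigned long long)sub);
        }
        if (n < 0 || (size_t)n >= out_len - written)
            return OID_ERR_BUF;
        written += (size_t)n;
    }
    return OID_OK;
}

/* Convenience wrapper: 1 if the TLV decodes successfully to `expected`, else 0. */
int oid_decode_equals(const unsigned char *der, size_t der_len, const char *expected)
{
    char buf[256];
    return oid_decode(der, der_len, buf, sizeof buf) == OID_OK && strcmp(buf, expected) == 0;
}

/* Constructed samples (not taken from any real certificate). */
static const unsigned char OID_CN[] = { 0x06, 0x03, 0x55, 0x04, 0x03 };          /* 2.5.4.3 */
static const unsigned char OID_RSA[] = { 0x06, 0x06, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d }; /* 1.2.840.113549 */
/* Value octets from the report; length set to 0x10 to match the 16 octets listed. */
static const unsigned char OID_REPORT[] = { 0x06, 0x10, 0xfa, 0x80, 0x00, 0x00, 0x00, 0x0e,
    0x01, 0x0e, 0xfa, 0x80, 0x00, 0x00, 0x00, 0x0e, 0x63, 0x6f };
static const unsigned char OID_NONMINIMAL[] = { 0x06, 0x03, 0x2a, 0x80, 0x01 };   /* 1.2.<0x80 0x01> */
static const unsigned char OID_TRUNCATED[] = { 0x06, 0x02, 0x2a, 0x86 };          /* continuation bit dangling */

int main(void)
{
    char buf[256];
    const unsigned char *samples[] = { OID_CN, OID_RSA, OID_REPORT, OID_NONMINIMAL, OID_TRUNCATED };
    size_t sizes[] = { sizeof OID_CN, sizeof OID_RSA, sizeof OID_REPORT, sizeof OID_NONMINIMAL, sizeof OID_TRUNCATED };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = oid_decode(samples[i], sizes[i], buf, sizeof buf);
        printf("sample %zu: rc=%d %s\n", i, rc, rc == OID_OK ? buf : "(rejected)");
    }
    return 0;
}
```

Run stand-alone, the program accepts the first three samples (the report's value octets decode to 2.1998768.0.0.14.1.14.1998848.0.0.14.99.111, because 0xfa is the leading octet and the 0x80 that follows is a continuation octet of the same subidentifier) and rejects the last two: the 0x80 that opens the second subidentifier of `OID_NONMINIMAL` is exactly what 8.19.2 forbids, and `OID_TRUNCATED` ends on an octet with its continuation bit set. The important implementation detail is the indexing: the leading-octet test must run on the first octet after the length field, once per subidentifier, not on a fixed offset into the value.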

