[gnutls-devel] libtasn1 | be smarter when writing an empty optional sequence specified with a minimum length (#36)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Sat May 15 00:38:50 CEST 2021



Daniel Kahn Gillmor created an issue: https://gitlab.com/gnutls/libtasn1/-/issues/36



## Description of problem:

Over in https://gitlab.com/gnutls/gnutls/-/issues/1238, I noted that `certtool` was emitting an empty sequence of policyQualifiers even though the ASN.1 specification for `policyQualifiers` clearly says `(1..MAX) OPTIONAL`.

If libtasn1 knows that a given `SEQUENCE` is `OPTIONAL` and it has a minimum length (e.g. `(1..MAX)`, or, regardless of the upper limit, even `(1..2)` really), and the data structure to be written is an *empty* sequence, then libtasn1 should be clever enough to omit the member entirely.

## Version of libtasn1 used:

4.16.0-2

## Distributor of libtasn1 (e.g., Ubuntu, Fedora, RHEL)

Debian

## How reproducible:

Steps to Reproduce:

```
printf 'policy1=1.2.3.4\ncn="test"' > foo.template
certtool --generate-privkey > foo.key
certtool --generate-self-signed --template foo.template --load-privkey foo.key --outder | dumpasn1
```

## Actual results:

```
 556   18:         SEQUENCE {
 558    3:           OBJECT IDENTIFIER certificatePolicies (2 5 29 32)
 563   11:           OCTET STRING 30 09 30 07 06 03 2A 03 04 30 00
         :           }
```

The payload of the extension converts to:

```
$ xxd -r -c 256 <<<"0000 30 09 30 07 06 03 2A 03 04 30 00" | dumpasn1 -
  0   9: SEQUENCE {
  2   7:   SEQUENCE {
  4   3:     OBJECT IDENTIFIER '1 2 3 4'
  9   0:     SEQUENCE {}
       :     }
       :   }
$
```

## Expected results:

The payload of the extension should be `30 07 30 05 06 03 2A 03 04`, which is:

```
  0   7: SEQUENCE {
  2   5:   SEQUENCE {
  4   3:     OBJECT IDENTIFIER '1 2 3 4'
       :     }
       :   }
```

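The encoding difference described in the issue, as an added example in Python (not libtasn1 or certtool code; all helper names are my own): a minimal DER encoder for `PolicyInformation` that either emits the empty `policyQualifiers` SEQUENCE (the observed output) or omits the `OPTIONAL` member when it is empty (the expected output), plus a walker that reports zero-length constructed values in a DER blob, such as the `30 00` at offset 9 above.

```python
# Constructed example: DER helpers for the certificatePolicies case in the issue.

def der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def encode_policy_information(oid, qualifiers, omit_empty_optional):
    """PolicyInformation ::= SEQUENCE { policyIdentifier OBJECT IDENTIFIER,
    policyQualifiers SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL }
    `qualifiers` is a list of already-encoded PolicyQualifierInfo values."""
    content = der_oid(oid)
    # The bug: an empty SEQUENCE is written even though SIZE (1..MAX) forbids it.
    # The fix: an empty OPTIONAL member with a minimum size is omitted entirely.
    if qualifiers or not omit_empty_optional:
        content += der_tlv(0x30, b"".join(qualifiers))
    return der_tlv(0x30, content)

def encode_certificate_policies(policies, omit_empty_optional):
    """certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation."""
    return der_tlv(0x30, b"".join(
        encode_policy_information(o, q, omit_empty_optional) for o, q in policies))

def empty_constructed_offsets(der, pos=0, end=None):
    """Offsets of zero-length constructed values (e.g. 'SEQUENCE {}') in DER."""
    hits, end = [], len(der) if end is None else end
    while pos < end:
        tag, first = der[pos], der[pos + 1]
        nbytes = 0 if first < 0x80 else first & 0x7F
        length = first if first < 0x80 else int.from_bytes(der[pos + 2:pos + 2 + nbytes], "big")
        start = pos + 2 + nbytes
        if tag & 0x20:  # constructed: recurse into the contents
            if length == 0:
                hits.append(pos)
            hits += empty_constructed_offsets(der, start, start + length)
        pos = start + length
    return hits
```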

