parsing invalid DER
Dave Coombs
dcoombs at carillon.ca
Thu Sep 1 12:21:21 UTC 2022
Hello,
I have in my possession some smartcards whose pkcs15 objects contain
incorrectly structured DER encodings, and I need to get these cards
working in my card management tool. I've made structs corresponding to
the relevant parts of pkcs15 using openssl's ASN1 module, but naturally
the invalid encodings are not surviving contact with my d2i_ABC()
functions.
I'm using openssl 1.1.1o, I should say. I should also add these
structures on the cards are read-only, so I can't even fix them, I just
have to deal with them.
These are the 2 invalid encodings I have seen:
First, a bit-string used for flags, encoded as (hex) 030108. That is,
the number of unused bits is set to 8, and no other content, presumably
indicating no flags are set. DER would have this be 030100 instead.
My d2i is resulting in ASN1_R_INVALID_BIT_STRING_BITS_LEFT in
c2i_ASN1_BIT_STRING().
Second, a positive integer with leading 00 padding which is not
necessary, encoded as 80020042. (It has an implicit [0] tag.) DER
would have this be 800142. My d2i is resulting in
ASN1_R_ILLEGAL_PADDING in c2i_ibuf().
So! Is it possible to work around these, using ASN1_MACRO trickery or
what-have-you? It's pretty clear I should end up with an empty bit-
string and integer value 0x42, so is there a way to loosen the parser's
pickiness and achieve this?
I could sanitize the inputs myself first, but at that point I'd be
writing my own parser and I wouldn't need openssl's. :/
Any help would be appreciated. Thanks,
-Dave
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 7151 bytes
Desc: not available
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20220901/e82f898b/attachment.p7s>
More information about the openssl-users
mailing list