[openssl-dev] [openssl.org #4301] [BUG] OpenSSL 1.1.0-pre2 fails to parse x509 certificate in DER format
Cristian Berneanu via RT
rt at openssl.org
Fri Feb 12 10:46:22 UTC 2016
FYI, I checked other machines that have a TPM device manufactured by STM,
but I could not find another with a serial number less than 20 bytes (I
guess they do padding in that case).
I also have a certificate from an Atmel device where I get a notice that
the serial number is negative.
For me personally, it would be perfectly fine if I could have a "relaxed
parsing" option that I could pass when I expect these kinds of broken
encodings.
On Fri, Feb 12, 2016 at 11:38 AM, Erwann Abalea <Erwann.Abalea at docusign.com>
wrote:
> Bonjour,
>
> Le 12 févr. 2016 à 01:11, Blumenthal, Uri - 0553 - MITLL <uri at ll.mit.edu>
> a écrit :
>
> Again, you are right, but what's the lesser evil - being unable to use
> the new OpenSSL because it refuses to deal with the cert that some
> dim-witten TPM maker screwed up, or accept a certificate with a (minor)
> violation of DER (but not of BER)? What bad in your opinion could happen if
> OpenSSL allowed parsing an integer with a leading zero byte (when it
> shouldn't be there by DER)?
>
>
> As shown yesterday, this INTEGER encoding isn’t even valid BER.
>
> Being liberal in what you accept, when dealing with crypto, gives you
> stuff like this:
> https://www.mozilla.org/en-US/security/advisories/mfsa2014-73/
>
> Cordialement,
> Erwann Abalea
>
>
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4301
Please log in as guest with password guest if prompted
More information about the openssl-dev
mailing list