Comments (4)
I also think this code is suspect and dangerous.
But I have no idea what to do.
The best way to fix this is to understand where/when this special case is used in OpenSC. But this would involve using many different cards with many different ASN.1 encoded data. Not easy.
from opensc.
ASN.1 formatted data that is padded with '0x00' to fill a fixed size file is very common on smart cards. Would sc_asn1_read_tag still ignore the junk at the end or would it rather throw an error (which would be wrong)?
from opensc.
On 10/1/2014 4:05 PM, Frank Morgner wrote:
ASN.1 formatted data that is padded with '0x00' to fill a fixed size file is very common on smart cards. Would sc_asn1_read_tag still ignore the junk at the end or would it rather throw an error
(which would be wrong)?
http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
defines an "End of Content" for BER.
8.1.5 End-of-contents octets
The end-of-contents octets shall be present if the length is encoded as specified in 8.1.3.6, otherwise they shall not be
present.
The end-of-contents octets shall consist of two zero octets.
NOTE – The end-of-contents octets can be considered as the encoding of a value whose tag is universal class, whose form is
primitive, whose number of the tag is zero, and whose contents are absent, thus:
End-of-contents Length Contents
A Layman's Guide to a Subset of ASN.1, BER, and DER
that can be found in a number of places also talks about end-of-contents
http://luca.ntop.org/Teaching/Appunti/asn1.html
3.3 Constructed, indefinite-length method
In both cases, it is 00 00, and only if indefinite-length is used.
Most of the ASN.1 we use is DER.
Does the length of the top most ASN.1 include the length of padding?
In which case it is not valid ASN.1 and should be an error.
Or is the padding after the last of the ASN.1 bytes to fill the buffer?
i.e. the length of the buffer is larger than the ASN.1 data.
This could be OK, as the padding is not part of the ASN.1.
OpenSC could relax the restriction that the length passed to the
decode not have any leftover bytes, or all the leftover bytes
are zeros.
—
Reply to this email directly or view it on GitHub #190 (comment).
Douglas E. Engert [email protected]
from opensc.
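Added example, not OpenSC code and not part of the e-mail above: a minimal C check for the second case it describes (padding after the last ASN.1 byte), accepting leftover bytes only when they are all zero. The function names, status codes and sample bytes are hypothetical; only single-byte tags and definite lengths are handled.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical status codes for this example; not OpenSC error codes. */
enum { TLV_EXACT = 0, TLV_ZERO_PADDED = 1, TLV_TRAILING_JUNK = -1,
       TLV_TRUNCATED = -2, TLV_UNSUPPORTED = -3 };

/* Constructed sample: SEQUENCE { INTEGER 5 } in an 8-byte zero-padded file. */
const uint8_t sample_padded[8] = {0x30, 0x03, 0x02, 0x01, 0x05, 0x00, 0x00, 0x00};

/* Size (header + contents) of the first definite-length TLV in buf. */
static int tlv_total_len(const uint8_t *buf, size_t buflen, size_t *total)
{
    size_t hdr = 2, len = 0, n, i;
    if (buflen < 2)
        return TLV_TRUNCATED;
    if ((buf[0] & 0x1f) == 0x1f)   /* multi-byte tag: out of scope here */
        return TLV_UNSUPPORTED;
    if (buf[1] == 0x80)            /* indefinite length: BER only, never DER */
        return TLV_UNSUPPORTED;
    if (buf[1] < 0x80) {
        len = buf[1];              /* short form */
    } else {
        n = buf[1] & 0x7f;         /* long form: n length octets follow */
        if (n > 4 || n > buflen - 2)
            return n > 4 ? TLV_UNSUPPORTED : TLV_TRUNCATED;
        for (i = 0; i < n; i++)
            len = (len << 8) | buf[2 + i];
        hdr += n;
    }
    if (len > buflen - hdr)        /* declared length runs past the file */
        return TLV_TRUNCATED;
    *total = hdr + len;
    return TLV_EXACT;
}

/* Classify what follows the top-level object in a fixed-size card file. */
int classify_card_file(const uint8_t *buf, size_t buflen, size_t *asn1_len)
{
    size_t i;
    int r = tlv_total_len(buf, buflen, asn1_len);
    if (r != TLV_EXACT)
        return r;
    for (i = *asn1_len; i < buflen; i++)
        if (buf[i] != 0x00)        /* leftover byte that is not padding */
            return TLV_TRAILING_JUNK;
    return *asn1_len == buflen ? TLV_EXACT : TLV_ZERO_PADDED;
}
```

A caller that gets `TLV_ZERO_PADDED` can pass only the first `asn1_len` bytes to the decoder, so the decoder itself never sees the padding.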
It would be safe to do the following:
- C*) Set tag_out = 0, tag_len = 0 before calling `sc_asn1_parse`. `sc_asn1_parse` can be left untouched then.
Could you provide a patch?
from opensc.