[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5070) Issues in X.509 certificate parsing

ando@sys-net.it wrote:
> ando@sys-net.it wrote:
>> I've an issue with X.509 certificate parsing in HEAD/re24.  The certificate,
>> according to OpenSSL, has a SerialNumber c8:5b:9a:dd:ea:bf:f9:fa and HEAD fails
>> to parse it because it is an integer with length equal to 9, which is larger
>> than sizeof(ber_int_t), as tested in ber_getnint() at decode.c:254.  The DER
>> encoded value is:   2   9   0 200  91 154 221 234 191 249 250.  Seems to be time
>> to get past the sizeof(ber_int_t) limitation...
> ... which would violate RFC 4511 where it states that INTEGER means from
> 0 up to 2^31-1...  I have a simple solution for this problem, at the
> cost of partially violating rfc 4523: if an integer is larger than
> 2^31-1, it could be represented in the certificateExactMatch
> normalization in hexadecimal form, much like OpenSSL does.  This would
> increase interoperability with OpenSSL and be at least self-consistent,
> since all serialNumbers that large would be consistently expanded that
> way.  Another solution, preserving the decimal representation, would
> probably require some arbitrary precision support from external
> libraries.  If there's consensus, I'd post my simple patch.

I would go with the hex representation. IMO LDAP/X.500 has long needed a hex 
integer syntax (or at least some other binary base, but hex is probably best), 
since we can parse/validate them bytewise without any word size limitations or 
expensive conversions.

And IMO GSER is a giant leap backward in network protocol efficiency. If it 
were merely a UI format, like LDIF, that would have been ok, but over the wire, 
that's ridiculous. (But that's a separate discussion entirely...)
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/