Closed Bug 340887 Opened 18 years ago Closed 18 years ago

QuickDER decoder does not detect invalid empty OPTIONAL sequences

Categories

(NSS :: Libraries, defect, P2)

3.11.1
defect

Tracking

(Not tracked)

RESOLVED INVALID
3.11.3

People

(Reporter: nelson, Assigned: julien.pierre)

Details

Bug 340776 documents an OCSP response that includes an empty OPTIONAL 
SEQUENCE-OF.  Our QuickDER decoder did not detect it and report it as
invalid DER.  Our encoder correctly re-encoded the response without the 
optional.  That is, the optional part was omitted because it was empty.
We detected the invalid DER response because we compared the input to 
the decoder with the output of the encoder, and they did not match.

IMO, the QuickDER decoder should at least have an option to detect these
errors.  Perhaps we will at times wish to ignore these errors, but that
should be the optional behavior, not the default.
Priority: -- → P2
Target Milestone: --- → 3.11.3

Maybe Bug 340776 isn't such a good example.  
Perhaps it wasn't empty after all.
But I believe this RFE is still valid.  
I don't think any of our ASN.1 decoders detects an empty optional.

Actually a SEQUENCE OF is allowed to have zero elements in the general case. This is valid to encode and decode. Some ASN.1 structures may be constrained in size and require a minimum or maximum of elements, which our templates are currently unable to express, and thus the decoders/encoders don't enforce it.
Thus, I think this bug may be invalid.

Upon rereading X.690, I cannot find any rule that requires empty optional 
values to be omitted.  So, I must reluctantly mark this invalid. :(

Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → INVALID
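
The conclusion of this thread, shown as an added example (not NSS code and not part of the bug report): a strict DER walker accepts an empty SEQUENCE OF (`30 00`), so a minimum element count has to be enforced as a separate schema-level check after parsing. The function names and the sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Parse one definite-length DER header at p[0..n); 0 = malformed or not DER. */
static size_t der_header(const unsigned char *p, size_t n, size_t *clen)
{
    size_t k, len = 0;
    if (n < 2 || (p[0] & 0x1f) == 0x1f)   /* multi-byte tags not handled here */
        return 0;
    if (p[1] < 0x80)                      /* short form: one length octet */
        return (*clen = p[1]) <= n - 2 ? 2 : 0;
    k = p[1] & 0x7f;                      /* long form: k length octets follow */
    if (k == 0 || k > sizeof(size_t) || k > n - 2 || p[2] == 0)
        return 0;                         /* indefinite, oversized, or padded */
    for (size_t i = 0; i < k; i++)
        len = (len << 8) | p[2 + i];
    if (len < 0x80 || len > n - 2 - k)    /* non-minimal form, or truncated */
        return 0;
    *clen = len;
    return 2 + k;
}

/* Count elements of a SEQUENCE OF filling buf[0..n). 0 is valid DER; -1 = malformed. */
long seq_of_count(const unsigned char *buf, size_t n)
{
    size_t clen, elen, eh, h = der_header(buf, n, &clen);
    long count = 0;
    if (h == 0 || buf[0] != 0x30 || h + clen != n)
        return -1;
    for (size_t off = h; off < n; off += eh + elen, count++)
        if ((eh = der_header(buf + off, n - off, &elen)) == 0)
            return -1;
    return count;
}

/* Schema check for SIZE (min..MAX): 1 = satisfied, 0 = too few, -1 = bad DER. */
int seq_of_meets_min(const unsigned char *buf, size_t n, long min)
{
    long c = seq_of_count(buf, n);
    return c < 0 ? -1 : c >= min;
}

int main(void)
{
    static const unsigned char empty[] = { 0x30, 0x00 };  /* constructed sample */
    printf("count=%ld min1=%d\n", seq_of_count(empty, 2), seq_of_meets_min(empty, 2, 1));
    return 0;
}
```

The empty sequence parses cleanly with a count of 0 and fails only when the caller asks for at least one element, which is the constraint the decoder templates discussed above cannot express.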