QuickDER decoder does not detect invalid empty OPTIONAL sequences

Status: RESOLVED INVALID

Product: NSS
Component: Libraries
Priority: P2
Severity: normal
Reported: 12 years ago
Modified: 12 years ago

People

Reporter: Nelson Bolyard (seldom reads bugmail)
Assigned: Julien Pierre

Tracking

Version: 3.11.1
Target Milestone: 3.11.3
Firefox Tracking Flags: (Not tracked)

Details

Bug 340776 documents an OCSP response that includes an empty OPTIONAL
SEQUENCE-OF.  Our QuickDER decoder did not detect it and report it as
invalid DER.  Our encoder correctly re-encoded the response without the
optional.  That is, the optional part was omitted because it was empty.
We detected the invalid DER response because we compared the input to
the decoder with the output of the encoder, and they did not match.

IMO, the QuickDER decoder should at least have an option to detect these
errors.  Perhaps we will at times wish to ignore these errors, but that
should be the optional behavior, not the default.
Updated by Reporter, 12 years ago

Priority: -- → P2
Target Milestone: --- → 3.11.3
Comment 1 (Reporter, 12 years ago)

Maybe Bug 340776 isn't such a good example.  
Perhaps it wasn't empty after all.
But I believe this RFE is still valid.  
I don't think any of our ASN.1 decoders detects an empty optional.
Comment 2 (Assignee, 12 years ago)

Actually a SEQUENCE OF is allowed to have zero elements in the general case. This is valid to encode and decode. Some ASN.1 structures may be constrained in size and require a minimum or maximum of elements, which our templates are currently unable to express, and thus the decoders/encoders don't enforce it.
Thus, I think this bug may be invalid.
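As an added illustration of the points in the description and in Comment 2, and not code from this bug report or from NSS: a small strict DER (X.690) codec in Python for a hypothetical `Response` type (the type, its fields `serial` and `extras`, and all helper names are assumptions). It decodes a SEQUENCE OF that is present but has zero elements, shows that this is well-formed DER, and reproduces the decode/re-encode/compare mismatch the report describes when the encoder drops empty OPTIONAL fields on output. The only thing that would make the empty SEQUENCE OF invalid is an explicit SIZE constraint, which the example checks separately because, as Comment 2 says, the templates could not express it.

```python
# Added example, not from this bug or NSS: a strict DER (X.690) codec for a
# hypothetical type  Response ::= SEQUENCE { serial INTEGER,
#                                            extras SEQUENCE OF INTEGER OPTIONAL }
# It shows that a present-but-empty SEQUENCE OF (30 00) is legal DER, and why
# "decode, re-encode, compare" flags it when the encoder drops empty optionals.
TAG_INTEGER = 0x02
TAG_SEQUENCE = 0x30  # also used for SEQUENCE OF

def encode_length(n: int) -> bytes:
    """DER definite length: short form below 128, else minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + encode_length(len(content)) + content

def encode_integer(n: int) -> bytes:
    # minimal two's-complement octets; non-negative values only in this example
    return n.to_bytes(n.bit_length() // 8 + 1, "big")

def decode_integer(content: bytes) -> int:
    if not content or (len(content) > 1 and content[0] == 0 and content[1] < 0x80):
        raise ValueError("empty or non-minimal INTEGER")
    return int.from_bytes(content, "big", signed=True)

def parse_tlv(buf: bytes, pos: int = 0):
    """Parse one TLV at buf[pos] -> (tag, content, next_pos). Rejects the BER
    forms DER forbids (indefinite and non-minimal lengths) and truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated: need tag and length octets")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F  # 0 would be the indefinite form (BER only)
        if nbytes == 0 or pos + nbytes > len(buf) or buf[pos] == 0:
            raise ValueError("indefinite, truncated or non-minimal length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
        if length < 0x80:
            raise ValueError("non-minimal length: short form required")
    if pos + length > len(buf):
        raise ValueError("truncated content")
    return tag, buf[pos:pos + length], pos + length

def parse_sequence_of(content: bytes) -> list:
    """Split a SEQUENCE OF body into (tag, content) pairs; zero items is legal."""
    items, pos = [], 0
    while pos < len(content):
        tag, inner, pos = parse_tlv(content, pos)
        items.append((tag, inner))
    return items

def encode_response(serial: int, extras, omit_empty_optional: bool) -> bytes:
    """extras=None: OPTIONAL absent. omit_empty_optional mimics an encoder that
    drops a present-but-empty SEQUENCE OF on output (what the report describes)."""
    body = encode_tlv(TAG_INTEGER, encode_integer(serial))
    if extras is not None and not (omit_empty_optional and not extras):
        elems = b"".join(encode_tlv(TAG_INTEGER, encode_integer(x)) for x in extras)
        body += encode_tlv(TAG_SEQUENCE, elems)
    return encode_tlv(TAG_SEQUENCE, body)

def decode_response(der: bytes) -> dict:
    tag, body, end = parse_tlv(der)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected exactly one outer SEQUENCE")
    tag, content, pos = parse_tlv(body)
    if tag != TAG_INTEGER:
        raise ValueError("serial must be INTEGER")
    serial, extras = decode_integer(content), None  # None: OPTIONAL absent
    if pos < len(body):
        tag, content, pos = parse_tlv(body, pos)
        if tag != TAG_SEQUENCE or pos != len(body):
            raise ValueError("mistyped extras or trailing data")
        extras = []  # present; may legitimately stay empty
        for etag, econtent in parse_sequence_of(content):
            if etag != TAG_INTEGER:
                raise ValueError("extras elements must be INTEGER")
            extras.append(decode_integer(econtent))
    return {"serial": serial, "extras": extras}

def round_trip_matches(der: bytes, omit_empty_optional: bool) -> bool:
    """The check described in the report: decode, re-encode, compare bytes."""
    r = decode_response(der)
    return encode_response(r["serial"], r["extras"], omit_empty_optional) == der

def violates_size_constraint(extras, minimum: int) -> bool:
    """Explicit SIZE (minimum..MAX) check that the templates could not express."""
    return extras is not None and len(extras) < minimum

# Constructed inputs: serial = 1, OPTIONAL present but empty (30 00) vs omitted.
EMPTY_OPTIONAL_PRESENT = bytes.fromhex("30 05 02 01 01 30 00")
OPTIONAL_OMITTED = bytes.fromhex("30 03 02 01 01")

if __name__ == "__main__":
    # False: the encoder dropped the empty optional, so the bytes differ even
    # though the input was valid DER -- the false positive in this report.
    print(round_trip_matches(EMPTY_OPTIONAL_PRESENT, omit_empty_optional=True))
    print(round_trip_matches(EMPTY_OPTIONAL_PRESENT, omit_empty_optional=False))
```

Both constructed inputs decode cleanly; only the comparison step disagrees, and only when the encoder is allowed to drop the empty optional. Whether the decoder should reject `30 00` is therefore a question for a SIZE constraint on the specific type, not for X.690 itself.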
Comment 3 (Reporter, 12 years ago)

Upon rereading X.690, I cannot find any rule that requires empty optional 
values to be omitted.  So, I must reluctantly mark this invalid. :(
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → INVALID