core: Also detect legacy X.509 v0 certificates.

* src/data-identify.c (basic_detection): Loosen the detection of X.509
certs.
This commit is contained in:
Werner Koch 2023-03-08 15:54:54 +01:00
parent 76351c4877
commit c1f6535f14
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B


@ -336,8 +336,10 @@ basic_detection (char *data, size_t datalen)
SEQUENCE SEQUENCE [0] INTEGER INTEGER SEQU SEQUENCE SEQUENCE [0] INTEGER INTEGER SEQU
(tbs) (version) (s/n) (Algo) (tbs) (version) (s/n) (Algo)
Thus we need to read at least 22 bytes, we add 2 bytes to cope with Thus we need to read at least 22 bytes, we add 2 bytes to cope
length headers stored with 4 bytes. with length headers stored with 4 bytes. For a v0 certificate the
tag and the bersion are missin (they are implicit) - detect this
too as a cert becuase some root CA use this.
*/ */
@ -357,10 +359,9 @@ basic_detection (char *data, size_t datalen)
{ {
if (parse_tlv (&s, &n, &ti)) if (parse_tlv (&s, &n, &ti))
goto try_pgp; goto try_pgp;
if (!(ti.cls == ASN1_CLASS_CONTEXT && ti.tag == 0 if (ti.cls == ASN1_CLASS_CONTEXT && ti.tag == 0
&& ti.is_cons && ti.length == 3 && n >= ti.length)) && ti.is_cons && ti.length == 3 && n >= ti.length)
goto try_pgp; {
if (parse_tlv (&s, &n, &ti)) if (parse_tlv (&s, &n, &ti))
goto try_pgp; goto try_pgp;
if (!(ti.cls == ASN1_CLASS_UNIVERSAL && ti.tag == ASN1_TAG_INTEGER if (!(ti.cls == ASN1_CLASS_UNIVERSAL && ti.tag == ASN1_TAG_INTEGER
@ -374,7 +375,18 @@ basic_detection (char *data, size_t datalen)
/* Because the now following S/N may be larger than the sample /* Because the now following S/N may be larger than the sample
data we have, we stop parsing here and don't check for the data we have, we stop parsing here and don't check for the
algorithm ID. */ algorithm ID. */
return GPGME_DATA_TYPE_X509_CERT; return GPGME_DATA_TYPE_X509_CERT; /* regular cert. */
}
if (ti.cls == ASN1_CLASS_UNIVERSAL && ti.tag == ASN1_TAG_INTEGER
&& !ti.is_cons)
{
/* Because this S/N may be larger than the sample data we
have, we can't check that a SEQUENCE follows. */
return GPGME_DATA_TYPE_X509_CERT; /* v0 cert with implict tag. */
}
goto try_pgp;
} }
if (ti.cls == ASN1_CLASS_UNIVERSAL && ti.tag == ASN1_TAG_INTEGER if (ti.cls == ASN1_CLASS_UNIVERSAL && ti.tag == ASN1_TAG_INTEGER
&& !ti.is_cons && ti.length == 1 && n && *s == 3) && !ti.is_cons && ti.length == 1 && n && *s == 3)