GpgFrontend/gpgme
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

core: Also detect legacy X.509 v0 certificates.

Browse Source 
* src/data-identify.c (basic_detection): Loose the detection of X.509
certs.
This commit is contained in:
Werner Koch 2023-03-08 15:54:54 +01:00
parent 76351c4877
commit c1f6535f14
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
1 changed files with 31 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
src/data-identify.c
View File

@ -336,8 +336,10 @@ basic_detection (char *data, size_t datalen)
SEQUENCE SEQUENCE [0] INTEGER INTEGER SEQU SEQUENCE SEQUENCE [0] INTEGER INTEGER SEQU
(tbs) (version) (s/n) (Algo) (tbs) (version) (s/n) (Algo)
Thus we need to read at least 22 bytes, we add 2 bytes to cope with Thus we need to read at least 22 bytes, we add 2 bytes to cope
length headers stored with 4 bytes. with length headers stored with 4 bytes. For a v0 certificate the
tag and the bersion are missin (they are implicit) - detect this
too as a cert becuase some root CA use this.
*/ */
@ -357,24 +359,34 @@ basic_detection (char *data, size_t datalen)
{ {
if (parse_tlv (&s, &n, &ti)) if (parse_tlv (&s, &n, &ti))
goto try_pgp; goto try_pgp;
if (!(ti.cls == ASN1_CLASS_CONTEXT && ti.tag == 0 if (ti.cls == ASN1_CLASS_CONTEXT && ti.tag == 0
&& ti.is_cons && ti.length == 3 && n >= ti.length)) && ti.is_cons && ti.length == 3 && n >= ti.length)
goto try_pgp; {
if (parse_tlv (&s, &n, &ti))
goto try_pgp;
if (!(ti.cls == ASN1_CLASS_UNIVERSAL && ti.tag == ASN1_TAG_INTEGER
&& !ti.is_cons && ti.length == 1 && n && (*s == 1 || *s == 2)))
goto try_pgp;
s++;
n--;
if (!(ti.cls == ASN1_CLASS_UNIVERSAL && ti.tag == ASN1_TAG_INTEGER
&& !ti.is_cons))
goto try_pgp;
/* Because the now following S/N may be larger than the sample
data we have, we stop parsing here and don't check for the
algorithm ID. */
return GPGME_DATA_TYPE_X509_CERT; /* regular cert. */
}
if (ti.cls == ASN1_CLASS_UNIVERSAL && ti.tag == ASN1_TAG_INTEGER
&& !ti.is_cons)
{
/* Because this S/N may be larger than the sample data we
have, we can't check that a SEQUENCE follows. */
return GPGME_DATA_TYPE_X509_CERT; /* v0 cert with implict tag. */
}
goto try_pgp;
if (parse_tlv (&s, &n, &ti))
goto try_pgp;
if (!(ti.cls == ASN1_CLASS_UNIVERSAL && ti.tag == ASN1_TAG_INTEGER
&& !ti.is_cons && ti.length == 1 && n && (*s == 1 || *s == 2)))
goto try_pgp;
s++;
n--;
if (!(ti.cls == ASN1_CLASS_UNIVERSAL && ti.tag == ASN1_TAG_INTEGER
&& !ti.is_cons))
goto try_pgp;
/* Because the now following S/N may be larger than the sample
data we have, we stop parsing here and don't check for the
algorithm ID. */
return GPGME_DATA_TYPE_X509_CERT;
} }
if (ti.cls == ASN1_CLASS_UNIVERSAL && ti.tag == ASN1_TAG_INTEGER if (ti.cls == ASN1_CLASS_UNIVERSAL && ti.tag == ASN1_TAG_INTEGER
&& !ti.is_cons && ti.length == 1 && n && *s == 3) && !ti.is_cons && ti.length == 1 && n && *s == 3)