On Sun, Jul 8, 2018 at 2:34 PM Kurt Roeckx <[email protected]> wrote:
> On Sun, Jul 08, 2018 at 04:41:27PM -0400, Ryan Sleevi wrote:
> >
> > Is that because you believe it forbidden by spec, or simply unwise?
>
> It's because nobody implements the spec. Those that claim some
> support for it are just broken. I have yet to see a certificate
> that doesn't just put latin1 in it, which should get rejected.
>
> Anyway, at some point I started writing a proper parser for
> teletexstring. But I don't think it's worth my time if there are 0
> valid certificates using it. If someone can point me to a proper
> parser of it, that is open source, I'm willing to use that.

My solution was somewhat pragmatic and somewhat lazy:
https://github.com/awslabs/certlint/blob/master/lib/certlint/certlint.rb#L138

NULL is always bad.  Other than that, if we find any escape characters
in the string let it pass unchecked, otherwise do what Kurt suggested.

This avoids false hits of properly encoded strings at the cost of
skipping some improperly encoded strings.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
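
The check order described in the message above, as an added Ruby example; it is not certlint's code and not part of the original post. Treating only the ESC byte (0x1B) as an "escape character" and using "printable 7-bit bytes only" as the fallback are assumptions, since the message does not spell out what Kurt suggested; `triage_teletex` and the sample values are constructed here.

```ruby
# Added example, not certlint's code. Heuristic triage of the raw bytes of a
# TeletexString (T61String) value, in the order the message describes.

ESC = "\x1B".b   # assumption: "escape characters" means the ESC control byte
NUL = "\x00".b

# Returns [verdict, detail]:
#   :error   - value must be flagged
#   :skipped - contains an escape; not checked further (may hide bad encodings)
#   :ok      - passed the fallback check
def triage_teletex(raw)
  bytes = raw.b  # work on bytes, never on a guessed text encoding
  if (i = bytes.index(NUL))
    return [:error, "NUL byte at offset #{i}"]
  end
  if bytes.include?(ESC)
    return [:skipped, "escape sequence present; charset switching not parsed"]
  end
  # Assumed fallback (the message only says "what Kurt suggested"):
  # accept printable 7-bit bytes only, so Latin-1 payloads are rejected.
  bad = bytes.each_byte.with_index.find { |b, _| b < 0x20 || b > 0x7E }
  return [:error, format("byte 0x%02X at offset %d outside 0x20-0x7E", *bad)] if bad
  [:ok, "printable 7-bit only"]
end

# Constructed sample values (not taken from real certificates).
SAMPLES = {
  "plain"      => "Example Org".b,
  "latin1"     => "Soci\xE9t\xE9".b,             # Latin-1 e-acute bytes
  "nul"        => "Example\x00Org".b,
  "escaped"    => "\x1B\x28\x42Example".b,       # begins with an ESC sequence
  "esc+latin1" => "\x1B\x28\x42Soci\xE9t\xE9".b  # bad bytes hidden behind ESC
}.freeze

# Verdict per sample name, for quick comparison.
def triage_all(samples = SAMPLES)
  samples.transform_values { |v| triage_teletex(v).first }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |name, v| puts "#{name}: #{triage_teletex(v).inspect}" }
end
```

The `esc+latin1` sample shows the trade-off named in the message: the same Latin-1 bytes that are rejected on their own are skipped once an escape is present.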
