Just to close the loop on this: Christopher Henderson has done some great work to get two new checks added to zlint testing for this circumstance: - https://github.com/zmap/zlint/pull/682 ensures that there is not a whole byte of zeros at the end of an encoded BIT STRING; and - https://github.com/zmap/zlint/pull/684 ensures that there are no trailing zeroes which are not counted in the "unused" bits of the BIT STRING
Thanks so much to Christopher and the ZMap team for working to add these lints! Aaron On Wednesday, June 22, 2022 at 8:34:31 PM UTC-7 [email protected] wrote: > 'Aaron Gable' via [email protected] <[email protected]> > writes: > > >Therefore the certificates are in violation of RFC5280, Section 4.1.1.3, > >which states that "The signatureValue field contains a digital signature > >computed upon the ASN.1 DER encoded tbsCertificate" (emphasis added). > > Technically they are, but I would assume that every implementer on the > planet > knows that that's one of the numerous parts of the spec that you need to > ignore if you want things to work: > > * There is only one encoding rule and that is memcpy() > * There is only one comparison rule and that is memcmp() > > In other words you take what the other side sends you and either memcpy() > or > memcmp() it as required without ever trying to do any re-coding or > canonicalisation or whatever, because all that'll ever do is break things. > This is illustrated by the fact that in the five years since those certs > were > issued and presumably billions of times they've been used, nothing even > noticed the non-DER encoding apart from a tool specially written to check > for > such violations. > > So it's really a minor encoding issue, not a significant problem. > > Peter. > > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/e0c11946-a2f0-4e98-8f7a-2fcfc32d731dn%40mozilla.org.
