Michael Osipov created DIRKRB-776:
-------------------------------------

             Summary: Cannot decode ASN.1 types of length is multibyte, but does not require them
                 Key: DIRKRB-776
                 URL: https://issues.apache.org/jira/browse/DIRKRB-776
             Project: Directory Kerberos
          Issue Type: Bug
    Affects Versions: 2.1.0
            Reporter: Michael Osipov

Consider these two examples extracted from an LDAP response from Active Directory:

1. {{BIQAAAAFyv66vgA=}}: Length is encoded with 4 bytes, but the actual length is just 5.
Kerby ASN.1 reports: {{octet string [tag=0x04, len=2+5] <5 octets>}}, but it should be {{len=6+5}}.
2. {{MIQAAAAKBIQAAAAEyv66vg==}}: Again, length is 4 bytes, but actual length is 10. Kerby ASN.1 fails:
{noformat}
Exception in thread "main" java.io.IOException: Bad length of more than 4 bytes: 126
	at org.apache.kerby.asn1.parse.Asn1Reader.readLength(Asn1Reader.java:109)
	at org.apache.kerby.asn1.parse.Asn1Reader.readHeader(Asn1Reader.java:40)
	at org.apache.kerby.asn1.parse.Asn1Parser.parse(Asn1Parser.java:67)
	at org.apache.kerby.asn1.parse.Asn1Parser.parse(Asn1Parser.java:37)
	at org.apache.kerby.asn1.parse.Asn1Parser.parse(Asn1Parser.java:78)
	at org.apache.kerby.asn1.parse.Asn1Parser.parse(Asn1Parser.java:59)
	at org.apache.kerby.asn1.Asn1.decode(Asn1.java:73)
	at org.apache.kerby.asn1.Asn1.decode(Asn1.java:66)
{noformat}

Sample response from Active Directory: {{MIQAAABdAgEBZIQAAABUBAAwhAAAAEwwhAAAAEYECE5ldGxvZ29uMYQAAAA2BDQTAFwAXABBAFIAQgBVAEUAQQBEAEMAMAAxAEEAAAAAAEEARAAwADAAMQAAAAEAAAD/////}}

My understanding is the ASN.1 encoder in Active Directory (always) uses a uint32 to encode any length instead of being as short as possible. {{Asn1Util.lengthOfBodyLength(int)}} is used throughout and assumes an efficient encoding which does not apply here.

Kerby needs to be changed to obey the amount of bytes for the length instead of assuming the most compact one.

Both https://lapo.it/asn1js and {{openssl-asn1parse}} properly process the data.

So for me the library is unusable.
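Added example (not part of the original report and not Kerby code): a minimal Python BER header reader that takes the header size from the length octets actually present, which BER permits to exceed the minimum, and bounds-checks every length against the enclosing element. The names `read_header`, `minimal_header_len` and `walk` are hypothetical; indefinite lengths and high tag numbers are out of scope, and the inputs are the two samples quoted in the report.

```python
import base64

def read_header(buf, pos=0, end=None):
    """Return (tag, header_len, body_len) for the TLV at buf[pos:end]."""
    end = len(buf) if end is None else end
    if pos + 2 > end:
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form is out of scope here")
    if first < 0x80:                  # short form: the octet is the length
        header_len, body_len = 2, first
    elif first == 0x80:
        raise ValueError("indefinite length is out of scope here")
    else:                             # long form: low 7 bits = count of length octets
        n = first & 0x7F
        if n > 4 or pos + 2 + n > end:    # 4-octet cap is this sketch's own limit
            raise ValueError("bad or truncated long-form length")
        # Leading zero octets are legal BER: count the octets that are present.
        body_len = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header_len = 2 + n
    if pos + header_len + body_len > end:
        raise ValueError("body runs past the enclosing element")
    return tag, header_len, body_len

def minimal_header_len(body_len):
    """Header size the most compact encoding of body_len would have."""
    return 2 if body_len < 0x80 else 2 + (body_len.bit_length() + 7) // 8

def walk(buf, pos=0, end=None, depth=0, out=None):
    """Flatten nested TLVs into (depth, tag, header_len, body_len) tuples."""
    end = len(buf) if end is None else end
    out = [] if out is None else out
    while pos < end:
        tag, hlen, blen = read_header(buf, pos, end)
        out.append((depth, tag, hlen, blen))
        if tag & 0x20:                # constructed: descend into the body
            walk(buf, pos + hlen, pos + hlen + blen, depth + 1, out)
        pos += hlen + blen
    return out

# The two samples quoted in the report above, decoded to raw bytes.
SAMPLES = [base64.b64decode(s) for s in ("BIQAAAAFyv66vgA=", "MIQAAAAKBIQAAAAEyv66vg==")]

if __name__ == "__main__":
    for sample in SAMPLES:
        for depth, tag, hlen, blen in walk(sample):
            print(f"{'  ' * depth}tag=0x{tag:02x} len={hlen}+{blen} (compact: {minimal_header_len(blen)})")
```

For both samples the header is 6 octets where a compact encoding would use 2, so any offset derived from the decoded length value alone lands 4 octets short of the body.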