Michael Osipov created DIRKRB-776:
-------------------------------------

             Summary: Cannot decode ASN.1 types of length is multibyte, but 
does not require them
                 Key: DIRKRB-776
                 URL: https://issues.apache.org/jira/browse/DIRKRB-776
             Project: Directory Kerberos
          Issue Type: Bug
    Affects Versions: 2.1.0
            Reporter: Michael Osipov


Consider these two examples extracted from an LDAP response from Active 
Directory:

1. {{BIQAAAAFyv66vgA=}}: Length is encoded with 4 bytes, but the actual length 
is just 5
Kerby ASN.1 reports: {{octet string [tag=0x04, len=2+5] <5 octets>}}, but it 
should be {{len=6+5}}
2. {{MIQAAAAKBIQAAAAEyv66vg==}}: Again, length is 4 bytes, but actual length is 
10. Kerby ASN.1 fails:
{noformat}
Exception in thread "main" java.io.IOException: Bad length of more than 4 bytes: 126
        at org.apache.kerby.asn1.parse.Asn1Reader.readLength(Asn1Reader.java:109)
        at org.apache.kerby.asn1.parse.Asn1Reader.readHeader(Asn1Reader.java:40)
        at org.apache.kerby.asn1.parse.Asn1Parser.parse(Asn1Parser.java:67)
        at org.apache.kerby.asn1.parse.Asn1Parser.parse(Asn1Parser.java:37)
        at org.apache.kerby.asn1.parse.Asn1Parser.parse(Asn1Parser.java:78)
        at org.apache.kerby.asn1.parse.Asn1Parser.parse(Asn1Parser.java:59)
        at org.apache.kerby.asn1.Asn1.decode(Asn1.java:73)
        at org.apache.kerby.asn1.Asn1.decode(Asn1.java:66)
{noformat}

Sample response from Active Directory:
{{MIQAAABdAgEBZIQAAABUBAAwhAAAAEwwhAAAAEYECE5ldGxvZ29uMYQAAAA2BDQTAFwAXABBAFIAQgBVAEUAQQBEAEMAMAAxAEEAAAAAAEEARAAwADAAMQAAAAEAAAD/////}}

My understanding is the ASN.1 encoder in Active Directory (always) uses a 
uint32 to encode any length instead of being as short as possible. 
{{Asn1Util.lengthOfBodyLength(int)}} is used throughout and assumes an 
efficient encoding which does not apply here.

Kerby needs to be changed to obey the amount of bytes for the length instead 
of assuming the most compact one.

Both https://lapo.it/asn1js and {{openssl-asn1parse}} properly process the 
data.

So for me the library is unusable.
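
The length handling the report asks for, as an added Python sketch (not Kerby code and not part of the original report): the header size is taken from the bytes actually consumed instead of being recomputed from the decoded value, and every length is bounds-checked against its enclosing element. The names `read_header`, `shortest_header_len` and `parse` are chosen here for illustration; the inputs are the two short values quoted above.

```python
import base64

def read_header(buf, pos, end):
    """Return (tag, header_len, body_len) for the TLV at buf[pos], bounded by end."""
    if pos + 2 > end:
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not handled here")
    n = 0                                  # length bytes after the first one
    body_len = first                       # short form: the byte is the length
    if first & 0x80:                       # long form: low 7 bits give the width
        n = first & 0x7F
        if n == 0 or n > 4:                # indefinite, or wider than supported
            raise ValueError(f"unsupported length width: {n}")
        if pos + 2 + n > end:
            raise ValueError("truncated length field")
        # Read exactly n bytes as sent; leading zero bytes are legal in BER.
        body_len = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    header_len = 2 + n                     # what was consumed, not what was needed
    if pos + header_len + body_len > end:
        raise ValueError("body runs past the enclosing element")
    return tag, header_len, body_len

def shortest_header_len(body_len):
    """Header size if the length were encoded in as few bytes as possible."""
    return 2 if body_len < 0x80 else 2 + (body_len.bit_length() + 7) // 8

def parse(buf, pos=0, end=None, depth=0):
    """Walk buf[pos:end]; return rows of (depth, tag, header_len, body_len)."""
    if depth > 32:                         # cap recursion on untrusted input
        raise ValueError("nesting too deep")
    end = len(buf) if end is None else end
    rows = []
    while pos < end:
        tag, hlen, blen = read_header(buf, pos, end)
        rows.append((depth, tag, hlen, blen))
        if tag & 0x20:                     # constructed: children fill the body
            rows += parse(buf, pos + hlen, pos + hlen + blen, depth + 1)
        pos += hlen + blen
    return rows

SAMPLES = ["BIQAAAAFyv66vgA=", "MIQAAAAKBIQAAAAEyv66vg=="]  # from the report

if __name__ == "__main__":
    for b64 in SAMPLES:
        for depth, tag, hlen, blen in parse(base64.b64decode(b64)):
            print(f"{'  ' * depth}tag=0x{tag:02x} len={hlen}+{blen}, "
                  f"shortest form {shortest_header_len(blen)}+{blen}")
```

Using the shortest-form header size to advance the offset would land 4 bytes short on each of these elements, inside the zero padding of the length field.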


