[ https://issues.apache.org/jira/browse/DIRKRB-776?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17939445#comment-17939445 ]
Michael Osipov commented on DIRKRB-776:
---------------------------------------

Sample class:
{code:java}
import java.io.IOException;
import java.util.Base64;

import org.apache.kerby.asn1.Asn1;
import org.apache.kerby.asn1.type.Asn1Type;

public class LongLengthBelow127 {

    public static void main(String[] args) throws IOException {
        // Sample 1: OCTET STRING whose length (5) is encoded in four octets (0x84 ...)
        byte[] octetString = new byte[] {0x04, (byte) 0x84, 0x00, 0x00, 0x00, 0x05,
                (byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE, 0x00};
        System.out.println(Base64.getEncoder().encodeToString(octetString));
        System.out.println("Len: " + octetString.length);
        Asn1Type decode = Asn1.decode(octetString);
        System.out.println(decode);
        System.out.println(Base64.getEncoder().encodeToString(decode.encode()));

        // Sample 2: SEQUENCE (length 10 in four octets) wrapping an OCTET STRING
        // (length 4 in four octets)
        octetString = new byte[] {0x30, (byte) 0x84, 0x00, 0x00, 0x00, 0x0A,
                0x04, (byte) 0x84, 0x00, 0x00, 0x00, 0x04,
                (byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE};
        System.out.println(Base64.getEncoder().encodeToString(octetString));
        System.out.println("Len: " + octetString.length);
        decode = Asn1.decode(octetString);
    }
}
{code}

> Cannot decode ASN.1 types of length is multibyte, but does not require them
> ---------------------------------------------------------------------------
>
>                 Key: DIRKRB-776
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-776
>             Project: Directory Kerberos
>          Issue Type: Bug
>   Affects Versions: 2.1.0
>            Reporter: Michael Osipov
>            Priority: Blocker
>
> Consider these two examples extracted from an LDAP response from Active Directory:
> 1. {{BIQAAAAFyv66vgA=}}: Length is encoded with 4 bytes, but the actual length is just 5
> Kerby ASN.1 reports: {{octet string [tag=0x04, len=2+5] <5 octets>}}, but it should be {{len=6+5}}
> 2. {{MIQAAAAKBIQAAAAEyv66vg==}}: Again, length is 4 bytes, but actual length is 10.
> Kerby ASN.1 fails:
> {noformat}
> Exception in thread "main" java.io.IOException: Bad length of more than 4 bytes: 126
>     at org.apache.kerby.asn1.parse.Asn1Reader.readLength(Asn1Reader.java:109)
>     at org.apache.kerby.asn1.parse.Asn1Reader.readHeader(Asn1Reader.java:40)
>     at org.apache.kerby.asn1.parse.Asn1Parser.parse(Asn1Parser.java:67)
>     at org.apache.kerby.asn1.parse.Asn1Parser.parse(Asn1Parser.java:37)
>     at org.apache.kerby.asn1.parse.Asn1Parser.parse(Asn1Parser.java:78)
>     at org.apache.kerby.asn1.parse.Asn1Parser.parse(Asn1Parser.java:59)
>     at org.apache.kerby.asn1.Asn1.decode(Asn1.java:73)
>     at org.apache.kerby.asn1.Asn1.decode(Asn1.java:66)
> {noformat}
> Sample response from Active Directory:
> {{MIQAAABdAgEBZIQAAABUBAAwhAAAAEwwhAAAAEYECE5ldGxvZ29uMYQAAAA2BDQTAFwAXABBAFIAQgBVAEUAQQBEAEMAMAAxAEEAAAAAAEEARAAwADAAMQAAAAEAAAD/////}}
> My understanding is the ASN.1 encoder in Active Directory (always) uses a uint32 to encode any length instead of being as short as possible.
> {{Asn1Util.lengthOfBodyLength(int)}} is used throughout and assumes an efficient encoding which does not apply here.
> Kerby needs to be changed to obey the amount of bytes for the length instead of assuming the most compact one.
> Both https://lapo.it/asn1js and {{openssl-asn1parse}} properly process the data.
> So for me the library is unusable.
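
An added illustration, not part of the original message and not Kerby code: a minimal stand-alone BER header reader that takes the header size from the length octets actually present on the wire, rather than recomputing the most compact form from the body length, and walks the two samples quoted in the issue. The class, record and method names are hypothetical; it uses only the JDK and assumes single-octet tags and definite lengths of at most four octets.

```java
import java.util.Base64;

// Added example, not Kerby code; names are hypothetical. Needs Java 16+ (records).
public class BerLengthWalk {
    /** Tag octet, octets the header really occupies on the wire, body length. */
    record Header(int tag, int headerLen, int bodyLen) {}

    static Header readHeader(byte[] buf, int off, int end) {
        if (end - off < 2) throw new IllegalArgumentException("truncated header at " + off);
        int tag = buf[off] & 0xFF;                 // single-octet tags only
        int first = buf[off + 1] & 0xFF;
        int n = first < 0x80 ? 0 : first & 0x7F;   // count of long-form length octets
        if (first >= 0x80 && (n == 0 || n > 4))    // indefinite or oversized: out of scope here
            throw new IllegalArgumentException("unsupported length octet 0x" + Integer.toHexString(first));
        if (end - off - 2 < n) throw new IllegalArgumentException("truncated length at " + off);
        long len = first < 0x80 ? first : 0;
        for (int i = 0; i < n; i++)                // leading zero octets are accepted, not rejected
            len = (len << 8) | (buf[off + 2 + i] & 0xFF);
        if (len > end - off - 2 - n) throw new IllegalArgumentException("body overruns parent at " + off);
        return new Header(tag, 2 + n, (int) len);  // header size comes from the wire, not from len
    }

    static void walk(byte[] buf, int off, int end, String indent, StringBuilder out) {
        while (off < end) {
            Header h = readHeader(buf, off, end);
            out.append(String.format("%stag=0x%02X len=%d+%d%n", indent, h.tag(), h.headerLen(), h.bodyLen()));
            int body = off + h.headerLen();
            if ((h.tag() & 0x20) != 0)             // constructed type: descend into the body
                walk(buf, body, body + h.bodyLen(), indent + "  ", out);
            off = body + h.bodyLen();
        }
    }

    public static void main(String[] args) {
        // The two samples quoted in the issue description.
        for (String sample : new String[] {"BIQAAAAFyv66vgA=", "MIQAAAAKBIQAAAAEyv66vg=="}) {
            byte[] ber = Base64.getDecoder().decode(sample);
            StringBuilder out = new StringBuilder();
            walk(ber, 0, ber.length, "", out);
            System.out.print(sample + System.lineSeparator() + out);
        }
    }
}
```

Every declared length is checked against the enclosing element's remaining bytes before it is used, so a four-octet length from an untrusted peer cannot push the reader past its parent's boundary.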