FYI, I checked other machines that have a TPM device manufactured by STM, but I could not find another with a serial number less than 20 bytes (I guess they do padding in that case). I also have a certificate from an Atmel device where I get a notice that the serial number is negative.
For me personally, it would be perfectly fine if I could have a "relaxed parsing" option that I could pass when I expect these kinds of broken encodings. On Fri, Feb 12, 2016 at 11:38 AM, Erwann Abalea <[email protected]> wrote: > Bonjour, > > Le 12 févr. 2016 à 01:11, Blumenthal, Uri - 0553 - MITLL <[email protected]> > a écrit : > > Again, you are right, but what's the lesser evil - being unable to use > the new OpenSSL because it refuses to deal with the cert that some > dim-witten TPM maker screwed up, or accept a certificate with a (minor) > violation of DER (but not of BER)? What bad in your opinion could happen if > OpenSSL allowed parsing an integer with a leading zero byte (when it > shouldn't be there by DER)? > > > As shown yesterday, this INTEGER encoding isn’t even valid BER. > > Being liberal in what you accept, when dealing with crypto, gives you > stuff like this: > https://www.mozilla.org/en-US/security/advisories/mfsa2014-73/ > > Cordialement, > Erwann Abalea > > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4301 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
