Adopt cryptobyte's updated ReadOptionalASN1Boolean #7225

Closed
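--- a/linter/lints/cabf_br/lint_crl_validity_period.go
+++ b/linter/lints/cabf_br/lint_crl_validity_period.go
@@ -90,15 +90,15 @@ func (l *crlValidityPeriod) Execute(c *x509.RevocationList) *lint.LintResult {
 // sanity checks.
 idp := lints.NewIssuingDistributionPoint()
 onlyContainsUserCertsTag := cryptobyte_asn1.Tag(1).ContextSpecific()
-if !lints.ReadOptionalASN1BooleanWithTag(&idpv, &idp.OnlyContainsUserCerts, onlyContainsUserCertsTag, false) {
+if !idpv.ReadOptionalASN1Boolean(&idp.OnlyContainsUserCerts, onlyContainsUserCertsTag, false) {
 return &lint.LintResult{
 Status: lint.Warn,
 Details: "Failed to read IssuingDistributionPoint onlyContainsUserCerts",
 }
 }
 
 onlyContainsCACertsTag := cryptobyte_asn1.Tag(2).ContextSpecific()
-if !lints.ReadOptionalASN1BooleanWithTag(&idpv, &idp.OnlyContainsCACerts, onlyContainsCACertsTag, false) {
+if !idpv.ReadOptionalASN1Boolean(&idp.OnlyContainsCACerts, onlyContainsCACertsTag, false) {
 return &lint.LintResult{
 Status: lint.Warn,
 Details: "Failed to read IssuingDistributionPoint onlyContainsCACerts",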
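Review bot: The replacement call on the `idpv.ReadOptionalASN1Boolean(&idp.OnlyContainsUserCerts, onlyContainsUserCertsTag, false)` line (and the onlyContainsCACerts line below it) may not decode the same wire format the deleted helper did. RFC 5280 declares onlyContainsUserCerts [1] and onlyContainsCACerts [2] as IMPLICIT BOOLEAN DEFAULT FALSE, so the content of the context-specific element is the single boolean octet itself — which is exactly what the removed lints.ReadOptionalASN1BooleanWithTag decoded (0xFF/0x00) — whereas upstream documents ReadOptionalASN1Boolean as reading a BOOLEAN explicitly tagged with tag, i.e. a nested BOOLEAN TLV inside the wrapper; if that reading is right, a correctly encoded IDP would now fail here and this lint would report Warn (Error in lint_crl_has_idp.go) on every CRL carrying an IDP. Before merging, keep a decode test for the implicit form (a constructed element such as `81 01 FF` must yield true) plus a rejected non-DER octet such as `81 01 01`, so the strictness the old helper enforced is not silently lost along with the deleted common_test.go. The same substitution appears in linter/lints/cpcps/lint_crl_has_idp.go. Execute continues outside the hunk.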
56 changes: 0 additions & 56 deletions linter/lints/common.go
@@ -1,15 +1,12 @@
package lints

import (
"bytes"
"net/url"
"time"

"github.com/zmap/zcrypto/encoding/asn1"
"github.com/zmap/zcrypto/x509/pkix"
"github.com/zmap/zlint/v3/lint"
"golang.org/x/crypto/cryptobyte"
cryptobyte_asn1 "golang.org/x/crypto/cryptobyte/asn1"
)

const (
Expand Down Expand Up @@ -76,56 +73,3 @@ func GetExtWithOID(exts []pkix.Extension, oid asn1.ObjectIdentifier) *pkix.Exten
}
return nil
}

// ReadOptionalASN1BooleanWithTag attempts to read and advance incoming to
// search for an optional DER-encoded ASN.1 element tagged with the given tag.
// Unless out is nil, it stores whether an element with the tag was found in
// out, otherwise out will take the default value. It reports whether all reads
// were successful.
func ReadOptionalASN1BooleanWithTag(incoming *cryptobyte.String, out *bool, tag cryptobyte_asn1.Tag, defaultValue bool) bool {
// ReadOptionalASN1 performs a peek and will not advance if the tag is
// missing, meaning that incoming will retain bytes.
var valuePresent bool
var valueBytes cryptobyte.String
if !incoming.ReadOptionalASN1(&valueBytes, &valuePresent, tag) {
return false
}
val := defaultValue
if valuePresent {
/*
X.690 (07/2002)
https://www.itu.int/rec/T-REC-X.690-200207-S/en

Section 8.2.2:
If the boolean value is:
FALSE
the octet shall be zero.
If the boolean value is
TRUE
the octet shall have any non-zero value, as a sender's option.

Section 11.1 Boolean values:
If the encoding represents the boolean value TRUE, its single contents octet shall have all eight
bits set to one. (Contrast with 8.2.2.)

Succinctly, BER encoding states any nonzero value is TRUE. The DER
encoding restricts the value 0xFF as TRUE and any other: 0x01,
0x23, 0xFE, etc as invalid encoding.
*/
boolBytes := []byte(valueBytes)
if bytes.Equal(boolBytes, []byte{0xFF}) {
val = true
} else if bytes.Equal(boolBytes, []byte{0x00}) {
val = false
} else {
// Unrecognized DER encoding of boolean!
return false
}
}
if out != nil {
*out = val
}

// All reads were successful.
return true
}
100 changes: 0 additions & 100 deletions linter/lints/common_test.go

This file was deleted.

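--- a/linter/lints/cpcps/lint_crl_has_idp.go
+++ b/linter/lints/cpcps/lint_crl_has_idp.go
@@ -99,15 +99,15 @@ func (l *crlHasIDP) Execute(c *x509.RevocationList) *lint.LintResult {
 }
 
 onlyContainsUserCertsTag := cryptobyte_asn1.Tag(1).ContextSpecific()
-if !lints.ReadOptionalASN1BooleanWithTag(&idpv, &idp.OnlyContainsUserCerts, onlyContainsUserCertsTag, false) {
+if !idpv.ReadOptionalASN1Boolean(&idp.OnlyContainsUserCerts, onlyContainsUserCertsTag, false) {
 return &lint.LintResult{
 Status: lint.Error,
 Details: "Failed to read IssuingDistributionPoint onlyContainsUserCerts",
 }
 }
 
 onlyContainsCACertsTag := cryptobyte_asn1.Tag(2).ContextSpecific()
-if !lints.ReadOptionalASN1BooleanWithTag(&idpv, &idp.OnlyContainsCACerts, onlyContainsCACertsTag, false) {
+if !idpv.ReadOptionalASN1Boolean(&idp.OnlyContainsCACerts, onlyContainsCACertsTag, false) {
 return &lint.LintResult{
 Status: lint.Error,
 Details: "Failed to read IssuingDistributionPoint onlyContainsCACerts",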