Empty Extensions Sequence #1479
Comments
We could also consider such positions for more strict checks: bc-java/prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/x509/X509CRLEntryObject.java Line 265 in 91c3c60
to change to:
And similar positions like bc-java/prov/src/main/java/org/bouncycastle/jce/provider/X509CRLEntryObject.java Line 256 in 91c3c60
I think this is now covered. Thanks for the report.
It is possible to create an empty sequence of extensions in certificates, CRLs and probably other PKI structures that use extensions.
The ASN.1 specification requires that the sequence is not empty:
Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
A small program that creates an empty sequence of extensions is the following:
The caller of the constructor should not pass empty extensions in the first place. However, if this is done then the extensions are created as an empty sequence. We propose a stricter check in BC to disallow this behaviour, for example by checking if the length of the array is 0 and throwing an appropriate exception.
For example
bc-java/core/src/main/java/org/bouncycastle/asn1/x509/Extensions.java
Line 86 in e04ee7f
This could also additionally be captured here
bc-java/core/src/main/java/org/bouncycastle/asn1/x509/Extensions.java
Line 50 in e04ee7f
Also a minor change could be done here:
bc-java/core/src/main/java/org/bouncycastle/asn1/x509/Extension.java
Line 17 in e04ee7f
to describe that the extension object can be used in CRLs and CRL entries, OCSP etc., e.g.
or simply:
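The program the reporter refers to is not reproduced on this page. As an added, stand-alone illustration of the constraint being discussed (editorial example, not bc-java code and not the reporter's program), the following Python implements a minimal DER encoder and decoder for the Extensions structure and enforces SIZE (1..MAX) at both the construction and parsing points the issue proposes for BC. The function and class names (`encode_extensions`, `parse_extensions`, `Asn1Error`, `Extension`) are hypothetical, and the sample byte strings are constructed here: an empty Extensions SEQUENCE (`30 00`) and one holding a critical basicConstraints (2.5.29.19) extension with the value BasicConstraints { cA TRUE }.

```python
"""Minimal DER handling for X.509 Extensions, showing the SIZE (1..MAX) check.

Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
Extension  ::= SEQUENCE {
    extnID    OBJECT IDENTIFIER,
    critical  BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }
"""
from dataclasses import dataclass

SEQUENCE, OID, BOOLEAN, OCTET_STRING = 0x30, 0x06, 0x01, 0x04


class Asn1Error(ValueError):
    """Raised for malformed or constraint-violating DER (hypothetical name)."""


def _read_tlv(buf, pos):
    """Read one definite-length DER TLV at buf[pos:]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise Asn1Error("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise Asn1Error("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise Asn1Error("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag, value):
    """Encode one DER TLV with the minimal definite-length form."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


@dataclass
class Extension:
    oid: bytes        # contents octets of the extnID OBJECT IDENTIFIER
    critical: bool
    value: bytes      # contents octets of extnValue

    def encode(self):
        body = _tlv(OID, self.oid)
        if self.critical:          # DEFAULT FALSE: DER omits the default value
            body += _tlv(BOOLEAN, b"\xff")
        body += _tlv(OCTET_STRING, self.value)
        return _tlv(SEQUENCE, body)


def encode_extensions(exts):
    """Encode Extensions; an empty list is refused, as the issue proposes for BC."""
    if len(exts) == 0:
        raise Asn1Error("Extensions must contain at least one Extension")
    return _tlv(SEQUENCE, b"".join(e.encode() for e in exts))


def parse_extensions(der, strict=True):
    """Decode Extensions; with strict=True an empty SEQUENCE is rejected."""
    tag, body, end = _read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise Asn1Error("Extensions must be a single SEQUENCE")
    if strict and len(body) == 0:
        raise Asn1Error("empty Extensions SEQUENCE violates SIZE (1..MAX)")
    exts, pos = [], 0
    while pos < len(body):
        tag, ext, pos = _read_tlv(body, pos)
        if tag != SEQUENCE:
            raise Asn1Error("Extension must be a SEQUENCE")
        t, oid, p = _read_tlv(ext, 0)
        if t != OID:
            raise Asn1Error("extnID must be an OBJECT IDENTIFIER")
        critical = False
        t, val, p = _read_tlv(ext, p)
        if t == BOOLEAN:
            if val != b"\xff":     # DER: TRUE is 0xff; FALSE must be omitted
                raise Asn1Error("non-DER BOOLEAN encoding for critical")
            critical = True
            t, val, p = _read_tlv(ext, p)
        if t != OCTET_STRING or p != len(ext):
            raise Asn1Error("extnValue must be the final OCTET STRING")
        exts.append(Extension(oid, critical, val))
    return exts


def is_rejected(fn, *args, **kwargs):
    """True if fn(*args) raises Asn1Error (helper for the checks below)."""
    try:
        fn(*args, **kwargs)
    except Asn1Error:
        return True
    return False


# Constructed sample inputs (not taken from the issue).
EMPTY_EXTENSIONS = bytes.fromhex("3000")              # SEQUENCE with no elements
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")       # 2.5.29.19
CA_TRUE = bytes.fromhex("30030101ff")                 # BasicConstraints { cA TRUE }

if __name__ == "__main__":
    good = encode_extensions([Extension(BASIC_CONSTRAINTS_OID, True, CA_TRUE)])
    print(good.hex(), parse_extensions(good))
    print("lenient:", parse_extensions(EMPTY_EXTENSIONS, strict=False))
    print("strict rejects empty:", is_rejected(parse_extensions, EMPTY_EXTENSIONS))
```

With `strict=False` the parser mirrors the current behaviour the reporter describes (an empty sequence round-trips silently); with the default `strict=True` both the encoder and the decoder fail early, which is the behaviour the issue asks BC to adopt in the constructor and in `getInstance`.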