proposal: crypto/x509: decryption of PEM file failure not being caught #43504
I'd like to propose a way of early and fast detection of PEM decryption errors.
How this check works: it uses the ASN.1 basic encoding rules (BER) to parse the first length field. This length field will contain a number which, when [properly decoded and] parsed, contains the length of the PEM encoded message blob (plus the 2-4 bytes declaring this length). The power of doing this size comparison check via length field is that the decoding routine will then have a verification, with high certainty, that the blob was decoded properly -- and since this does not depend on knowing which kind of crypto pkcs PEM file is being decoded, it is not tied to the knowing or testing any of the pkcs formats; thus it is forward compatible.
Please see the proposal here
and pull request here
View pull request discussion here
The text was updated successfully, but these errors were encountered: