Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Be explicit about rejection of malformatted public key data #6

Open
ounsworth opened this issue Nov 18, 2023 · 0 comments
Open

Be explicit about rejection of malformatted public key data #6

ounsworth opened this issue Nov 18, 2023 · 0 comments

Comments

@ounsworth
Copy link
Collaborator

David Hook:

I think Section 2.1 should also say the recipient of the encoded data should reject any encoding which is not valid DER. For something like this that just means checking that primitive length encoding has been used and the pad bits in the BIT STRING are zero - neither of these checks are onerous to implement, but they will mean someone can't present something which has been based on what can get through the ASN.1 parser, rather than what's actually expected.

The following might be a useful reference on that one:

https://dl.gi.de/server/api/core/bitstreams/3161b2cb-ef5a-44f3-b319-66953bceeaf1/content

The full reference is
"M. Gebhardt, G. Illies, and W. Schindler. A note on the practical value of single hash collisions for special file formats. In Sicherheit 2006, Sicherheit – Schutz und Zuverlässigkeit, pages 333–344. Gesellschaft für Informatik e.V., 2006."
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ounsworth