cert: UniqueIdentifier explicit -> implicit parse.

The `UniqueIdentifier` field of a TBSCertificate was being parsed as an explicitly tagged bit string when RFC 5280 describes it as implicit. This commit fixes `parse` to expect implicit tagging and adds a unit test to ensure a certificate with subject/issuer UIDs can be parsed successfully.
rusticata · Dec 19, 2023 · 6a43441 · 6a43441
1 parent 409fb98
commit 6a43441
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 2 deletions.
diff --git a/assets/unique_ids.der b/assets/unique_ids.der
diff --git a/src/certificate.rs b/src/certificate.rs
@@ -13,7 +13,7 @@ use crate::x509::{
 
 #[cfg(feature = "verify")]
 use crate::verify::verify_signature;
-use asn1_rs::{BitString, FromDer, OptTaggedExplicit};
+use asn1_rs::{BitString, FromDer, OptTaggedImplicit};
 use core::ops::Deref;
 use der_parser::ber::Tag;
 use der_parser::der::*;
@@ -737,7 +737,7 @@ impl<'a> UniqueIdentifier<'a> {
     //
     // UniqueIdentifier  ::=  BIT STRING
     fn parse<const TAG: u32>(i: &[u8]) -> BerResult<Option<UniqueIdentifier>> {
-        let (rem, unique_id) = OptTaggedExplicit::<BitString, Error, TAG>::from_der(i)?;
+        let (rem, unique_id) = OptTaggedImplicit::<BitString, Error, TAG>::from_der(i)?;
         let unique_id = unique_id.map(|u| UniqueIdentifier(u.into_inner()));
         Ok((rem, unique_id))
     }

diff --git a/tests/readcert.rs b/tests/readcert.rs
@@ -14,6 +14,7 @@ static EMPTY_CRL_DER: &[u8] = include_bytes!("../assets/empty.crl");
 static MINIMAL_CRL_DER: &[u8] = include_bytes!("../assets/minimal.crl");
 static DUPLICATE_VALUE_IN_AIA: &[u8] =
     include_bytes!("../assets/duplicate_value_in_authority_info_access.der");
+static UNIQUE_IDS_DER: &[u8] = include_bytes!("../assets/unique_ids.der");
 
 #[test]
 fn test_x509_parser() {
@@ -358,3 +359,33 @@ fn test_x509_parser_no_ext() {
         assert_eq!(ext.parsed_extension(), &ParsedExtension::Unparsed);
     }
 }
+
+#[test]
+fn test_tbscert_unique_identifiers() {
+    let mut parser = X509CertificateParser::new().with_deep_parse_extensions(false);
+    let (_, x509) = parser.parse(UNIQUE_IDS_DER).expect("parsing failed");
+    assert_eq!(
+        &x509
+            .tbs_certificate
+            .issuer_uid
+            .expect("missing issuer uid")
+            .0
+            .as_ref(),
+        &[
+            0x30, 0x16, 0x80, 0x14, 0xc5, 0x78, 0x84, 0xb8, 0xc, 0x6e, 0x8c, 0x4c, 0xce, 0xb9,
+            0x94, 0x6f, 0x98, 0xfc, 0xf3, 0x8a, 0x54, 0xb1, 0x80, 0xe0
+        ]
+    );
+    assert_eq!(
+        &x509
+            .tbs_certificate
+            .subject_uid
+            .expect("missing subject uid")
+            .0
+            .as_ref(),
+        &[
+            0x4, 0x14, 0xdf, 0x13, 0xac, 0x69, 0x14, 0x90, 0x62, 0xdb, 0x3d, 0xe9, 0xb4, 0x56,
+            0xe6, 0xa6, 0x90, 0x26, 0xbf, 0x2c, 0xef, 0x81
+        ]
+    );
+}