diff options
| author | Fan Wu <wufan@kernel.org> | 2025-09-15 21:15:50 +0000 |
|---|---|---|
| committer | Herbert Xu <herbert@gondor.apana.org.au> | 2025-09-28 11:54:48 +0800 |
| commit | 5851afffe2ab323a53e184ba5a35fddf268f096b (patch) | |
| tree | 79bb532d01970b3ab33f2217ea63f169b7e4293d /scripts/rustdoc_test_gen.rs | |
| parent | b73f28d2f847c24ca5d858a79fd37055036b0a67 (diff) | |
KEYS: X.509: Fix Basic Constraints CA flag parsing
Fix the X.509 Basic Constraints CA flag parsing to correctly handle
the ASN.1 DER encoded structure. The parser was incorrectly treating
the length field as the boolean value.
Per RFC 5280 section 4.1, X.509 certificates must use ASN.1 DER encoding.
According to ITU-T X.690, a DER-encoded BOOLEAN is represented as:
Tag (0x01), Length (0x01), Value (0x00 for FALSE, 0xFF for TRUE)
The basicConstraints extension with CA:TRUE is encoded as:
SEQUENCE (0x30) | Length | BOOLEAN (0x01) | Length (0x01) | Value (0xFF)
^-- v[2] ^-- v[3] ^-- v[4]
The parser was checking v[3] (the length field, always 0x01) instead
of v[4] (the actual boolean value, 0xFF for TRUE in DER encoding).
Also handle the case where the extension is an empty SEQUENCE (30 00),
which is valid for CA:FALSE when the default value is omitted as
required by DER encoding rules (X.690 section 11.5).
Per ITU-T X.690-0207:
- Section 11.5: Default values must be omitted in DER
- Section 11.1: DER requires TRUE to be encoded as 0xFF
Link: https://datatracker.ietf.org/doc/html/rfc5280
Link: https://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
Fixes: 30eae2b037af ("KEYS: X.509: Parse Basic Constraints for CA")
Signed-off-by: Fan Wu <wufan@kernel.org>
Reviewed-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'scripts/rustdoc_test_gen.rs')
0 files changed, 0 insertions, 0 deletions