Closed leechristensen closed 1 year ago
Thanks for the report, I will take a look into it. Stuff in SysadminsLV.Asn1Parser.Asn1Utils is mostly obsolete. There is a more proper ASN.1 OBJECT_IDENTIFIER handler: https://github.com/PKISolutions/Asn1DerParser.NET/blob/master/Asn1Parser/Universal/Asn1ObjectIdentifier.cs

It treats tokens as unsigned 64-bit QWORDs. But it may be reasonable to use BigInts for safety, just in case someone gets really mad and uses enormous values. Either way, this needs to be reviewed and addressed.
A follow-up. I've updated the Asn1Parser library to address the mentioned issues as follows:

- `Asn1ObjectIdentifier` to handle really big numbers, which are larger than unsigned QWORDs
- `Asn1Utils.EncodeObjectIdentifier` and `Asn1Utils.DecodeObjectIdentifier` to use the `Asn1ObjectIdentifier` class for encoding and decoding, which doesn't use .NET shortcuts (like the `CryptoConfig` or `X509EnhancedKeyUsageExtension` classes). Instead, it relies on pure math and `BigInteger` to represent OID arcs.

Here is the test (in PowerShell):
```powershell
PS C:\> $oid = New-Object SysadminsLV.Asn1Parser.Universal.Asn1ObjectIdentifier "1.2.999.18446744073709551615456"
PS C:\> [SysadminsLV.Asn1Parser.Asn1Utils]::DecodeObjectIdentifier($oid.RawData)

Value                           FriendlyName
-----                           ------------
1.2.999.18446744073709551615456
```
I chose the value 18446744073709551615456, which is larger than a QWORD, and the encoder/decoder functions handle it.
Awesome! I appreciate the really fast response!
Multiple places in the code and its dependent libraries end up calling .NET's `CryptoConfig.EncodeOID`: `SysadminsLV.Asn1Parser.Asn1Utils.EncodeObjectIdentifier` uses it as well, and it is used extensively throughout the code base.

There appears to be an integer parsing bug in `CryptoConfig.EncodeOID`. The following PowerShell demonstrates this bug.

The bug is due to the following code in .NET's `CryptoConfig.EncodeOID` function:

Note that the code splits the OID string by periods, and then attempts to parse each numeric value using `int.Parse`. The bug is that 2473183039 is a valid OID value, but it is too large for `int.Parse` to handle. As such, the "Value was either too large or too small for an Int32." exception gets thrown.

We originally encountered the bug when using PSPKI's `Get-CATemplate` cmdlet in an environment where AD CS assigned a template OID that caused the exception. In that case, pkix.net appears to use `CryptoConfig.EncodeOID` primarily for OID input validation (just making sure it's a well-formed OID). I'd suggest implementing your own function to do the validation until .NET can fix the bug upstream. Other places in the code, however, appear to use `SysadminsLV.Asn1Parser.Asn1Utils.EncodeObjectIdentifier` to get the OID bytes, so a replacement for `CryptoConfig.EncodeOID` may be needed in those instances.
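The two points made in this thread, that an OID arc value such as 2473183039 is legal DER but overflows `int.Parse`, and that a replacement encoder/decoder should work purely on arbitrary-precision arithmetic (the `BigInteger`-based rewrite the maintainer describes), can be shown together in one self-contained pure-arithmetic DER OBJECT IDENTIFIER encoder/decoder. The code below is an added example written for this page; it is not code from Asn1Parser.NET, PSPKI or .NET. Python `int` plays the role of `BigInteger`, and `parse_arc_int32` is a hypothetical model of the `int.Parse` limit described above, not the real `CryptoConfig.EncodeOID` implementation. The OID strings and byte values used are constructed sample inputs.

```python
import re

# Model of the Int32 limit inside .NET's int.Parse as used by CryptoConfig.EncodeOID
# (an assumption for illustration; this is not the .NET code itself).
INT32_MAX = 2**31 - 1


def parse_arc_int32(text: str) -> int:
    """Hypothetical stand-in for int.Parse: rejects arcs outside the Int32 range."""
    value = int(text)
    if value > INT32_MAX or value < -INT32_MAX - 1:
        raise OverflowError("Value was either too large or too small for an Int32.")
    return value


def parse_arc(text: str) -> int:
    """Arbitrary-precision arc parser; Python ints stand in for BigInteger."""
    if not re.fullmatch(r"0|[1-9][0-9]*", text):
        raise ValueError(f"bad OID arc {text!r}")
    return int(text)


def split_oid(dotted: str, arc_parser=parse_arc) -> list:
    """Split a dotted OID and apply the X.660 arc constraints."""
    arcs = [arc_parser(part) for part in dotted.split(".")]
    if len(arcs) < 2:
        raise ValueError("an OID needs at least two arcs")
    if arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("first arc must be 0..2; second arc must be < 40 under 0 or 1")
    return arcs


def _base128(value: int) -> bytes:
    """Encode one subidentifier: 7 bits per byte, MSB set on all but the last byte."""
    groups = [value & 0x7F]
    value >>= 7
    while value:
        groups.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(groups))


def _der_length(n: int) -> bytes:
    """DER definite length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted: str, arc_parser=parse_arc) -> bytes:
    """Encode a dotted OID to a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = split_oid(dotted, arc_parser)
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]      # first two arcs share one subidentifier
    body = b"".join(_base128(s) for s in subids)
    return b"\x06" + _der_length(len(body)) + body


def decode_oid(der: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER back to dotted form, rejecting malformed input."""
    if len(der) < 2 or der[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    if der[1] < 0x80:
        length, start = der[1], 2
    else:
        n = der[1] & 0x7F
        length, start = int.from_bytes(der[2:2 + n], "big"), 2 + n
    body = der[start:start + length]
    if length == 0 or len(body) != length or start + length != len(der):
        raise ValueError("bad length or trailing data")
    subids, acc, first_byte = [], 0, True
    for b in body:
        if first_byte and b == 0x80:                   # leading 0x80 would be a non-minimal encoding
            raise ValueError("non-minimal subidentifier encoding")
        acc = (acc << 7) | (b & 0x7F)
        first_byte = False
        if not b & 0x80:
            subids.append(acc)
            acc, first_byte = 0, True
    if not first_byte:
        raise ValueError("truncated subidentifier")
    first = subids[0]
    if first < 40:
        arcs = [0, first]
    elif first < 80:
        arcs = [1, first - 40]
    else:
        arcs = [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])


if __name__ == "__main__":
    # Constructed sample inputs: the arc from the report and the maintainer's oversized arc.
    for oid in ("1.2.999.2473183039", "1.2.999.18446744073709551615456"):
        der = encode_oid(oid)
        print(oid, "->", der.hex(), "->", decode_oid(der))
    try:
        encode_oid("1.2.999.2473183039", arc_parser=parse_arc_int32)
    except OverflowError as e:
        print("Int32-limited parser fails:", e)
```

Because every arc is held in an unbounded integer and the wire format is just base-128 groups, the decoder never needs to know how wide an arc is in advance; that is the property the `BigInteger` rewrite relies on, and it is why the Int32-limited parser is the only thing in this example that fails on the reported value.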