ehn-dcc-development / ehn-sign-verify-javascript-trivial

Trivial eHN-Simple implementation in plain/simplified javascript
European Union Public License 1.2
32 stars 12 forks source link

@fidm/asn1 OID parser is flawed #3

Open monai opened 3 years ago

monai commented 3 years ago

@fidm/asn1 OID parser is naive and has a common implementation bug. It supports second arc decoding up to 39, although only 0.x and 1.x arcs are limited to 39 while the 2.x is unlimited.

The specification, i.e., ITU-T X.690 (08/2015) 8.1.94 has explicit note on this:

This packing of the first two object identifier components recognizes that only three values are allocated from the root node, and at most 39 subsequent values from nodes reached by X = 0 and X = 1.

OIDs are the essential building block of an X509 certificate, and using a flawed parser may lead to unforeseen consequences and bugs.

Test case

Encoded OID: 0603883703 Expected decoded value: 2.999.3 Actual decoded value: 3.16.55.3; NB: the first arc of 3 is invalid

const { ASN1 } = require("@fidm/asn1");
const buf = Buffer.from('0603883703', 'hex');
console.log(ASN1.fromDER(buf).value);

See more:

https://misc.daniel-marschall.de/asn.1/oid_facts.html https://misc.daniel-marschall.de/asn.1/oid-converter/online.php