Closed Feelemoon closed 2 years ago
Your data doesn't seem OCSP response. OCSP response is ASN.1 sequence and starts with "30". That's why response can't be parsed. When you need to parse arbitrary string as a OCSP response or a CRL, you need to validate your input by ASN1HEX.strictCheckDER or ASN1HEX.isASN1HEX before parsing.
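As an added illustration of the pre-check the comment above recommends: a stand-alone structural DER check (example code written for this page, not jsrsasign's own; with jsrsasign you would call the ASN1HEX.strictCheckDER / ASN1HEX.isASN1HEX named above). It rejects anything that is not a single, correctly length-framed SEQUENCE before a parser ever sees it.

```javascript
// Minimal DER pre-check for an OCSP response or CRL given as a hex string.
// Added example, not jsrsasign's code: it mirrors the idea of validating the
// blob (tag 0x30, consistent length) before parsing it as ASN.1.

// Read the DER length field at byte offset `pos`.
// Returns {length, next} or null when the encoding is not valid, minimal DER.
function readDerLength(buf, pos) {
  if (pos >= buf.length) return null;
  const first = buf[pos];
  if (first < 0x80) return { length: first, next: pos + 1 }; // short form
  const numBytes = first & 0x7f;
  // 0x80 is BER indefinite length (not DER); more than 4 length bytes is unreasonable here
  if (numBytes === 0 || numBytes > 4) return null;
  if (pos + 1 + numBytes > buf.length) return null;
  let length = 0;
  for (let i = 0; i < numBytes; i++) length = length * 256 + buf[pos + 1 + i];
  // DER requires the shortest encoding: long form only for >= 0x80, no leading zero byte
  if (length < 0x80 || (numBytes > 1 && buf[pos + 1] === 0)) return null;
  return { length, next: pos + 1 + numBytes };
}

// A DER-encoded OCSP response or CRL is exactly one SEQUENCE (tag 0x30) whose
// declared length covers the rest of the input: no truncation, no trailing data.
function isDerSequence(hex) {
  if (typeof hex !== "string" || hex.length % 2 !== 0) return false;
  if (!/^[0-9a-fA-F]*$/.test(hex)) return false;
  const buf = Buffer.from(hex, "hex");
  if (buf.length < 2 || buf[0] !== 0x30) return false;
  const len = readDerLength(buf, 1);
  return len !== null && len.next + len.length === buf.length;
}

// Gate: only a blob that passes the structural check reaches the real parser.
// `parse` is whatever OCSP/CRL parser you use; the caller gets null otherwise.
function parseIfDer(hex, parse) {
  return isDerSequence(hex) ? parse(hex) : null;
}
```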
Digital content can be protected using a cryptographic message syntax (CMS) container with digital signatures. The public part of the key used to create the signature can be attached to the CMS container as a certificate. This certificate could have been revoked and has to be validated.
This requires downloading the latest revocation status of the certificate. The revocation status is normally available via a Certificate Revocation List (CRL) or an Online Certificate Status Protocol (OCSP) request. Both are signed using the key of the certification authority or a delegated signer.
The access points are part of the certificate and normally use the http: (or ldap:) protocol. When downloaded over insecure networks, the CRL or OCSP response might be exchanged with malicious documents. The only line of defense to validate the downloaded documents (the OCSP response or the CRL (see #547)) is to parse them cleanly and verify their signature. This process should be as robust as possible. It should not use excessive resources, or crash the program executing it.
The following example shows how a malicious OCSP response can crash node.js:
When executed, the following output is generated: