I found that Botan will return Aborted (core dumped) rather than a verification failure when using Botan::x509_path_validate() if the input certificate chain does not have the desired string type or has an encoding error.
For example, when matching CN=aa to CN=<graphicString>aa, the echo would be
"terminate called after throwing an instance of 'Botan::Invalid_Argument'
Unknown string type";
and if CN=aa is matched to CN=<universalString>aa(0x6161) (malformed), the echo would be
"terminate called after throwing an instance of 'Botan::Decoding_Error'
CERTIFICATE decoding failed with Invalid length for UCS-4 string".
Both of the above examples abort with a core dump.
Question: Does the (crash) behavior work as intended?
Many thanks and looking forward to your reply.
I do not understand why you would characterize an (apparently uncaught) exception during certificate parsing as a crash.
Rejecting a GraphicString CN at parsing time seems entirely appropriate as RFC 5280's DirectoryString and X520CommonName types do not include this string type. Thus the certificate could not possibly be valid.
Likewise outright rejecting at parse time a certificate with an invalid UCS-4 encoding seems appropriate since likewise the certificate cannot possibly be valid.
For the GraphicString CN, I concur with your point. I have previously used CN=<utf8>aa to match CN=<ia5>aa (out of DirectoryString scope), and it was successful. So I had mistakenly assumed that Botan might not perform strict string-type checking.
And for the UniversalString case, I think I understand your point. Thanks very much. I found that some other libraries will reject (return invalid) while Botan will throw an exception (aborted), so I asked the question out of curiosity.
It would indeed be great if everything worked as intended. And many thanks for your reply.
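An added example, not from this thread and not Botan's code: a self-contained C++ illustration of the pattern discussed above, where a strict decoder throws on a string type outside RFC 5280's DirectoryString or on a bad UCS-4 length, and the caller turns that exception into a rejection instead of letting it reach `std::terminate`. It does not call Botan; `decode_directory_string`, `check_common_name`, the error strings and the sample bytes are hypothetical and constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Universal tags of the DirectoryString choices in RFC 5280; GraphicString (25) is not one.
enum : uint8_t { UTF8 = 12, PRINTABLE = 19, TELETEX = 20, UNIVERSAL = 28, BMP = 30 };

struct DecodeError : std::runtime_error { using std::runtime_error::runtime_error; };

// Hypothetical strict decoder for one short-form DER string TLV (tag, length < 128, value).
// Throws on anything that cannot be a valid DirectoryString.
std::vector<uint8_t> decode_directory_string(const std::vector<uint8_t>& der) {
    if (der.size() < 2 || der[1] >= 0x80 || der.size() != 2u + der[1])
        throw DecodeError("bad TLV length");
    const size_t len = der[1];
    switch (der[0]) {
        case UTF8: case PRINTABLE: case TELETEX: break;
        case BMP:       if (len % 2) throw DecodeError("invalid length for UCS-2 string"); break;
        case UNIVERSAL: if (len % 4) throw DecodeError("invalid length for UCS-4 string"); break;
        default: throw DecodeError("unknown string type");
    }
    return std::vector<uint8_t>(der.begin() + 2, der.end());
}

enum class Verdict { Accepted, Rejected };

// Caller-side boundary: a decoding exception on untrusted input becomes a rejection.
Verdict check_common_name(const std::vector<uint8_t>& der, std::string* reason = nullptr) {
    try {
        decode_directory_string(der);
        return Verdict::Accepted;
    } catch (const std::exception& e) {
        if (reason) *reason = e.what();
        return Verdict::Rejected;
    }
}

// Constructed sample TLVs for the value "aa" (not taken from a real certificate).
const std::vector<uint8_t> CN_UTF8      = {0x0C, 0x02, 0x61, 0x61};
const std::vector<uint8_t> CN_GRAPHIC   = {0x19, 0x02, 0x61, 0x61};  // GraphicString
const std::vector<uint8_t> CN_UCS4_BAD  = {0x1C, 0x02, 0x61, 0x61};  // 2 bytes, not a multiple of 4
const std::vector<uint8_t> CN_UCS4_GOOD = {0x1C, 0x08, 0, 0, 0, 0x61, 0, 0, 0, 0x61};

int main() {
    std::string why;
    for (const auto* cn : {&CN_UTF8, &CN_GRAPHIC, &CN_UCS4_BAD, &CN_UCS4_GOOD})
        std::cout << (check_common_name(*cn, &(why = "ok")) == Verdict::Accepted ? "accept: " : "reject: ") << why << "\n";
}
```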