Check for fatal errors before parsing DER

alex · Jan 23, 2016 · 8f65332 · 8f65332
1 parent cbdd098
commit 8f65332
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 14 deletions.
diff --git a/lib/certlint/extensions/basicconstraints.rb b/lib/certlint/extensions/basicconstraints.rb
@@ -23,19 +23,16 @@ class BasicConstraints < ASN1Ext
     def self.lint(content, cert, critical = false)
       messages = []
       messages += super(content, cert, critical)
+      if messages.any? { |m| m.start_with? 'F:' }
+        return messages
+      end
       v = OpenSSL::X509::Extension.new('2.5.29.19', content, critical).value
       if v.include? 'CA:TRUE'
         unless critical
           messages << 'E: basicConstraints must be critical in CA certificates'
         end
       else
-        begin
-          a = OpenSSL::ASN1.decode(content)
-        rescue OpenSSL::ASN1::ASN1Error
-          messages << 'E: ASN.1 broken in BasicConstraints'
-          return messages
-        end
-        if a.value.last.is_a? OpenSSL::ASN1::Integer
+        if OpenSSL::ASN1.decode(content).value.last.is_a? OpenSSL::ASN1::Integer
           messages << 'E: Must not include pathLenConstraint on certificates that are not CA:TRUE'
         end
       end

diff --git a/lib/certlint/extensions/certificatepolicies.rb b/lib/certlint/extensions/certificatepolicies.rb
@@ -36,13 +36,7 @@ def self.lint(content, cert, critical = false)
 
       # the qualifier in PolicyQualifierInfo is
       # defined as ANY, so we have to manually check
-      begin
-        a = OpenSSL::ASN1.decode(content)
-      rescue OpenSSL::ASN1::ASN1Error
-        messages << 'E: ASN.1 broken in CertificatePolicies'
-        return messages
-      end
-      a.value.each do |policy_information|
+      OpenSSL::ASN1.decode(content).value.each do |policy_information|
         # policiyQualifiers are optional
         pq = policy_information.value[1]
         if pq.nil?

diff --git a/lib/certlint/extensions/nameconstraints.rb b/lib/certlint/extensions/nameconstraints.rb
@@ -24,6 +24,10 @@ class NameConstraints < ASN1Ext
     def self.lint(content, cert, critical = false)
       messages = []
       messages += super(content, cert, critical)
+      # If we are busted, don't continue
+      if messages.any? { |m| m.start_with? 'F:' }
+        return messages
+      end
       # Content is a SEQUENCE of GeneralSubtrees which is tagged
       # X.509 says "At least one of permittedSubtrees and excludedSubtrees components shall be present."
       subtrees = 0

diff --git a/lib/certlint/extensions/subjectaltname.rb b/lib/certlint/extensions/subjectaltname.rb
@@ -32,6 +32,10 @@ def self.lint(content, cert, critical = false)
           messages << 'W: subjectAltName should not be critical'
         end
       end
+      # If we are busted, don't continue
+      if messages.any? { |m| m.start_with? 'F:' }
+        return messages
+      end
       # Content is a SEQUENCE of GeneralName (which is explicitly tagged)
       at_least_one = false
       OpenSSL::ASN1.decode(content).value.each do |genname|