This potentially changes behavior for applications requiring security
features that are available in Bouncy Castle but not the platform. To
mitigate this, execute this before such operations:
Security.addProvider(BouncyCastleProvider())
You will also need to configure this dependency:
implementation "org.bouncycastle:bcprov-jdk15on:1.65"
If the date is before 1950-01-01, use a four-digit year
If the self-delimiting object identifer exceeds the enclosing object's
size, fail.
If a nested object exceeds its enclosing object's size, fail.
We don't have API support for all of them, but we shouldn't crash when an
unsupported name is encountered.
Also encode attributes using UTF-8, not PrintableString. Both are permitted,
but UTF-8 supports more data.
* Add limits to what length values DerReader supports
With this change DerReader doesn't support reading values with a length
greater than Long.MAX_VALUE. That shouldn't be a problem in practice.
* Make DerReader check length is encoded in shortest form possible
* Spotless and IntelliJ disagree on import order
Co-authored-by: Jesse Wilson <jesse@swank.ca>
We don't implement the full feature set that Bouncycastle has, but
we also don't need it.
In follow up changes I intend to remove the Bouncycastle dependency
for everything but some test cases.
This gets us to the point where the byte-for-byte encoding is equiavalent
to what bouncycastle was producing.
This shook out some bugs:
- We weren't boxing the version
- We weren't clearing the constructed bit on boxed extensions
- We weren't encoding null when we needed to be
Previously the caller was responsible for decoding the tag on the
adapter it called. This was easy for basic tags, but proved problematic
for tags like CHOICE and ANY and typehint-dependent tags, because the
caller didn't have enough information.
This moves the tag reading and writing into the DerAdapter itself. If
it encounters a tag it can't understand, it assumes it's own value has
been skipped and returns a default.
This turns out to be a bit easier to reason about, and hopefully will
make it easier to implement AlgorithmIdentifier.parameters, which has
values that are optional or not depending on what the type hint is.
* Early implementation of an ASN.1 DER decoder
My goal is to finish the implementation to support an ASN.1 DER encoder
and then to change okhttp-tls to no longer depend on BouncyCastle.
* Update okhttp-tls/src/main/kotlin/okhttp3/tls/internal/der/DerReader.kt
Co-authored-by: Benoît Quenaudon <bquenaudon@squareup.com>
Co-authored-by: Benoît Quenaudon <bquenaudon@squareup.com>
