gnutls can't check object identifier value correctly
An error occurred when I verified a certificate, and the certificate contains an object identifier(TLV) of
"0x06,0x11, 0xfa, 0x80, 0x0, 0x0, 0x0, 0xe, 0x1, 0xe, 0xfa, 0x80,0x0, 0x0, 0x0, 0xe, 0x63, 0x6f".
The error is "error parsing CRTs: ASN1 parser: Error in DER parsing."
Through debugging,I found that an error occurred while parsing that object identifier. The reason is the leading octet have the value 0x80. But,in the object identifier value, the leading octet is 0xfa.
The basis of this check is
x.690 8.19 (Encoding of an object identifier value).
After careful debugging, I found that the
asn1_get_object_id_der function always checks the second byte instead of the leading byte of object identifier value.
In lib/decoding.c : asn1_get_object_id_der(), the
der points to the length of the TLV structure instead of the tag， and
der[len_len + k] is the second byte of the object identifier value instead of the leading byte. Therefore, the function cannot properly check the encoding of the object identifier.