Adds graceful handling of superfluous bits in bit strings (#459)

Co-authored-by: Kelly Brazil <kellyjonbrazil@gmail.com>
2025-07-07 00:57:22 +02:00 · 2023-10-01 00:12:18 +02:00
parent f602043642
commit 1b3985c2d7
4 changed files with 33 additions and 2 deletions
--- a/jc/parsers/asn1crypto/core.py
+++ b/jc/parsers/asn1crypto/core.py
@ -2333,8 +2333,8 @@ class BitString(_IntegerBitString, Constructable, Castable, Primitive, ValueMap)
            if self._map:
                self._native = set()
                for index, bit in enumerate(bits):
-                    if bit:
-                        name = self._map.get(index, index)
+                    if bit and index in self._map:
+                        name = self._map.get(index)
                        self._native.add(name)
            else:
                self._native = bits
--- a/tests/fixtures/generic/x509-cert-superfluous-bits.json
+++ b/tests/fixtures/generic/x509-cert-superfluous-bits.json
@ -0,0 +1 @@
+[{"tbs_certificate": {"version": "v3", "serial_number": "39:cc:ff:59:4d:25:68:30:24:0e:db:80:98:d1:94:e0:69:95:b7:49", "signature": {"algorithm": "sha256_rsa", "parameters": null}, "issuer": {"common_name": "cryptography.io"}, "validity": {"not_before": 1695218897, "not_after": 1697897297, "not_before_iso": "2023-09-20T14:08:17+00:00", "not_after_iso": "2023-10-21T14:08:17+00:00"}, "subject": {"common_name": "cryptography.io"}, "subject_public_key_info": {"algorithm": {"algorithm": "rsa", "parameters": null}, "public_key": {"modulus": "a3:cf:40:41:89:98:21:ad:22:e3:b3:fe:30:95:cf:b6:6b:f6:45:11:c5:6f:51:e3:51:01:a1:38:fc:f8:43:48:5b:ed:e2:8c:69:d0:e1:13:92:04:dd:08:c5:5f:bb:ab:fe:1c:20:d3:3b:18:cd:52:f2:cf:44:9e:c6:9d:60:e4:62:26:a6:cc:2b:27:85:58:1f:4e:2f:48:27:9a:6c:b3:7e:61:5d:c7:d8:e1:20:a4:22:4b:97:38:2f:53:97:ca:3d:3f:28:22:43:24:be:50:3f:07:e9:d4:ef:06:07:ea:9c:1c:58:32:4e:ec:5c:0f:fa:6d:72:6c:66:1e:40:a3:a5:ce:01:d1:08:a7:e0:15:82:27:2c:01:8e:26:a4:21:49:49:7f:05:44:8b:1c:ce:29:25:5e:ba:15:b1:9a:dc:0c:05:5d:82:b5:57:67:b3:34:f0:13:d0:59:59:b4:88:90:20:c2:ae:19:5d:4b:db:4b:59:b5:d8:32:34:0c:95:f1:3f:fe:25:54:47:59:02:b6:00:55:13:a0:ec:a9:7d:95:02:2a:9a:69:d4:a3:e7:3d:47:c4:b1:41:47:46:5d:44:c9:8e:b0:bb:68:00:1f:a3:0a:7f:93:99:c8:ef:b4:45:ea:3b:45:5f:3d:68:5b:41:ea:53:9b:1b:17:dc:41", "public_exponent": 65537}}, "issuer_unique_id": null, "subject_unique_id": null, "extensions": [{"extn_id": "key_usage", "critical": true, "extn_value": ["crl_sign", "data_encipherment", "decipher_only", "digital_signature", "encipher_only", "key_agreement", "key_cert_sign", "key_encipherment", "non_repudiation"]}], "serial_number_str": "329984069978047138672494938076577194533836928841"}, "signature_algorithm": {"algorithm": "sha256_rsa", "parameters": null}, "signature_value": "68:25:77:b8:cc:e2:d9:c0:38:18:16:d6:3f:b3:ea:1a:91:f9:6e:60:b8:d1:cc:88:b1:e1:3c:34:23:51:2d:68:31:bc:8a:f7:c5:23:03:d2:3c:e4:00:dc:23:fa:8b:9b:25:f2:63:32:37:d9:dc:8a:b0:7b:18:2f:19:95:33:be:15:9a:65:f9:ad:41:d7:08:08:d3:b5:c9:34:32:82:67:48:47:0b:6b:4a:42:20:8b:97:eb:dc:6a:0c:a6:00:9b:84:ac:0a:07:5e:49:19:4c:1a:63:74:18:c8:55:3c:50:38:47:76:fb:31:d6:a5:27:76:af:9d:f5:f9:9b:5e:5a:7c:5c:7f:6d:30:24:87:e4:3d:fe:2a:5a:77:43:58:c5:e2:85:ac:df:72:5c:4e:a4:ac:7c:e3:29:6a:cb:fc:5d:20:92:16:c6:91:67:77:6d:23:fb:05:0a:c9:c0:fd:c9:76:65:05:08:20:2a:2e:66:cf:67:6b:65:2a:a5:ba:b8:33:4a:32:e0:42:ef:1d:cc:e0:ec:f7:da:18:0e:77:a4:65:f5:cb:45:1e:8f:c6:3d:f0:70:42:50:9b:2a:86:d9:6b:6f:2d:60:d7:59:ae:ff:9b:f3:78:99:c8:d0:19:7a:7a:99:39:2c:91:1c:63:00:5a:60:f4:20:af:c0:b6:39"}]
--- a/tests/fixtures/generic/x509-cert-superfluous-bits.pem
+++ b/tests/fixtures/generic/x509-cert-superfluous-bits.pem
@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC1TCCAb2gAwIBAgIUOcz/WU0laDAkDtuAmNGU4GmVt0kwDQYJKoZIhvcNAQEL
+BQAwGjEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5LmlvMB4XDTIzMDkyMDE0MDgxN1oX
+DTIzMTAyMTE0MDgxN1owGjEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5LmlvMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo89AQYmYIa0i47P+MJXPtmv2RRHF
+b1HjUQGhOPz4Q0hb7eKMadDhE5IE3QjFX7ur/hwg0zsYzVLyz0Sexp1g5GImpswr
+J4VYH04vSCeabLN+YV3H2OEgpCJLlzgvU5fKPT8oIkMkvlA/B+nU7wYH6pwcWDJO
+7FwP+m1ybGYeQKOlzgHRCKfgFYInLAGOJqQhSUl/BUSLHM4pJV66FbGa3AwFXYK1
+V2ezNPAT0FlZtIiQIMKuGV1L20tZtdgyNAyV8T/+JVRHWQK2AFUToOypfZUCKppp
+1KPnPUfEsUFHRl1EyY6wu2gAH6MKf5OZyO+0Reo7RV89aFtB6lObGxfcQQIDAQAB
+oxMwETAPBgNVHQ8BAf8EBQMDAP//MA0GCSqGSIb3DQEBCwUAA4IBAQBoJXe4zOLZ
+wDgYFtY/s+oakfluYLjRzIix4Tw0I1EtaDG8ivfFIwPSPOQA3CP6i5sl8mMyN9nc
+irB7GC8ZlTO+FZpl+a1B1wgI07XJNDKCZ0hHC2tKQiCLl+vcagymAJuErAoHXkkZ
+TBpjdBjIVTxQOEd2+zHWpSd2r531+ZteWnxcf20wJIfkPf4qWndDWMXihazfclxO
+pKx84ylqy/xdIJIWxpFnd20j+wUKycD9yXZlBQggKi5mz2drZSqlurgzSjLgQu8d
+zODs99oYDnekZfXLRR6Pxj3wcEJQmyqG2WtvLWDXWa7/m/N4mcjQGXp6mTkskRxj
+AFpg9CCvwLY5
+-----END CERTIFICATE-----
--- a/tests/test_x509_cert.py
+++ b/tests/test_x509_cert.py
@ -27,6 +27,9 @@ class MyTests(unittest.TestCase):
    with open(os.path.join(THIS_DIR, os.pardir, 'tests/fixtures/generic/x509-cert-bad-email.pem'), 'rb') as f:
        x509_cert_bad_email = f.read()

+    with open(os.path.join(THIS_DIR, os.pardir, 'tests/fixtures/generic/x509-cert-superfluous-bits.pem'), 'rb') as f:
+        x509_cert_superfluous_bits = f.read()
+
    with open(os.path.join(THIS_DIR, os.pardir, 'tests/fixtures/generic/x509-negative-serial.pem'), 'rb') as f:
        x509_cert_negative_serial = f.read()

@ -49,6 +52,9 @@ class MyTests(unittest.TestCase):
    with open(os.path.join(THIS_DIR, os.pardir, 'tests/fixtures/generic/x509-cert-bad-email.json'), 'r', encoding='utf-8') as f:
        x509_cert_bad_email_json = json.loads(f.read())

+    with open(os.path.join(THIS_DIR, os.pardir, 'tests/fixtures/generic/x509-cert-superfluous-bits.json'), 'r', encoding='utf-8') as f:
+        x509_cert_superfluous_bits_json = json.loads(f.read())
+        
    with open(os.path.join(THIS_DIR, os.pardir, 'tests/fixtures/generic/x509-negative-serial.json'), 'r', encoding='utf-8') as f:
        x509_cert_negative_serial_json = json.loads(f.read())

@ -95,6 +101,12 @@ class MyTests(unittest.TestCase):
        """
        self.assertEqual(jc.parsers.x509_cert.parse(self.x509_cert_bad_email, quiet=True), self.x509_cert_bad_email_json)

+    def test_x509_cert_superfluous_bits(self):
+        """
+        Test 'cat x509-cert-superfluous-bits.pem' (PEM file with more bits set for the keyUsage extension than defined by the RFC)
+        """
+        self.assertEqual(jc.parsers.x509_cert.parse(self.x509_cert_superfluous_bits, quiet=True),
+                         self.x509_cert_superfluous_bits_json)
    def test_x509_cert_negative_serial(self):
        """
        Test 'cat x509-cert-bad-email.pem' (PEM file with a non-compliant email address)
				`@ -0,0 +1 @@`
				[{"tbs_certificate": {"version": "v3", "serial_number": "39:cc:ff:59:4d:25:68:30:24:0e:db:80:98:d1:94:e0:69:95:b7:49", "signature": {"algorithm": "sha256_rsa", "parameters": null}, "issuer": {"common_name": "cryptography.io"}, "validity": {"not_before": 1695218897, "not_after": 1697897297, "not_before_iso": "2023-09-20T14:08:17+00:00", "not_after_iso": "2023-10-21T14:08:17+00:00"}, "subject": {"common_name": "cryptography.io"}, "subject_public_key_info": {"algorithm": {"algorithm": "rsa", "parameters": null}, "public_key": {"modulus": "a3:cf:40:41:89:98:21:ad:22:e3:b3:fe:30:95:cf:b6:6b:f6:45:11:c5:6f:51:e3:51:01:a1:38:fc:f8:43:48:5b:ed:e2:8c:69:d0:e1:13:92:04:dd:08:c5:5f:bb:ab:fe:1c:20:d3:3b:18:cd:52:f2:cf:44:9e:c6:9d:60:e4:62:26:a6:cc:2b:27:85:58:1f:4e:2f:48:27:9a:6c:b3:7e:61:5d:c7:d8:e1:20:a4:22:4b:97:38:2f:53:97:ca:3d:3f:28:22:43:24:be:50:3f:07:e9:d4:ef:06:07:ea:9c:1c:58:32:4e:ec:5c:0f:fa:6d:72:6c:66:1e:40:a3:a5:ce:01:d1:08:a7:e0:15:82:27:2c:01:8e:26:a4:21:49:49:7f:05:44:8b:1c:ce:29:25:5e:ba:15:b1:9a:dc:0c:05:5d:82:b5:57:67:b3:34:f0:13:d0:59:59:b4:88:90:20:c2:ae:19:5d:4b:db:4b:59:b5:d8:32:34:0c:95:f1:3f:fe:25:54:47:59:02:b6:00:55:13:a0:ec:a9:7d:95:02:2a:9a:69:d4:a3:e7:3d:47:c4:b1:41:47:46:5d:44:c9:8e:b0:bb:68:00:1f:a3:0a:7f:93:99:c8:ef:b4:45:ea:3b:45:5f:3d:68:5b:41:ea:53:9b:1b:17:dc:41", "public_exponent": 65537}}, "issuer_unique_id": null, "subject_unique_id": null, "extensions": [{"extn_id": "key_usage", "critical": true, "extn_value": ["crl_sign", "data_encipherment", "decipher_only", "digital_signature", "encipher_only", "key_agreement", "key_cert_sign", "key_encipherment", "non_repudiation"]}], "serial_number_str": "329984069978047138672494938076577194533836928841"}, "signature_algorithm": {"algorithm": "sha256_rsa", "parameters": null}, "signature_value": "68:25:77:b8:cc:e2:d9:c0:38:18:16:d6:3f:b3:ea:1a:91:f9:6e:60:b8:d1:cc:88:b1:e1:3c:34:23:51:2d:68:31:bc:8a:f7:c5:23:03:d2:3c:e4:00:dc:23:fa:8b:9b:25:f2:63:32:37:d9:dc:8a:b0:7b:18:2f:19:95:33:be:15:9a:65:f9:ad:41:d7:08:08:d3:b5:c9:34:32:82:67:48:47:0b:6b:4a:42:20:8b:97:eb:dc:6a:0c:a6:00:9b:84:ac:0a:07:5e:49:19:4c:1a:63:74:18:c8:55:3c:50:38:47:76:fb:31:d6:a5:27:76:af:9d:f5:f9:9b:5e:5a:7c:5c:7f:6d:30:24:87:e4:3d:fe:2a:5a:77:43:58:c5:e2:85:ac:df:72:5c:4e:a4:ac:7c:e3:29:6a:cb:fc:5d:20:92:16:c6:91:67:77:6d:23:fb:05:0a:c9:c0:fd:c9:76:65:05:08:20:2a:2e:66:cf:67:6b:65:2a:a5:ba:b8:33:4a:32:e0:42:ef:1d:cc:e0:ec:f7:da:18:0e:77:a4:65:f5:cb:45:1e:8f:c6:3d:f0:70:42:50:9b:2a:86:d9:6b:6f:2d:60:d7:59:ae:ff:9b:f3:78:99:c8:d0:19:7a:7a:99:39:2c:91:1c:63:00:5a:60:f4:20:af:c0:b6:39"}]