fix(x509): handle hex.DecodeString error in FormatOID() instead of discarding#720
Open
srpatcha wants to merge 2 commits into
Open
fix(x509): handle hex.DecodeString error in FormatOID() instead of discarding#720srpatcha wants to merge 2 commits into
srpatcha wants to merge 2 commits into
Conversation
srpatcha
force-pushed
the
fix/pki-hex-decode-error-handling
branch
from
d67e349 to
93f9dea
Compare
Contributor
ashcherbakov
left a comment
ashcherbakov
left a comment
There was a problem hiding this comment.
- It looks like the
x/auditmodule shouldn't be part of this PR, should it? Can you please remove it keeping only the x509 validation fix. - It would also be great to add some tests in https://github.com/zigbee-alliance/distributed-compliance-ledger/blob/master/x/pki/x509/x509_test.go reproducing and fixing the issue.
…scarding
Malformed hex strings in certificate subject fields could previously
produce corrupt decoded output because the error from hex.DecodeString
was discarded with `decoded, _ := ...`. In a compliance ledger this
is a security concern: an attacker-controlled or accidentally truncated
certificate could yield bogus normalized OIDs in indexed fields.
After this fix, malformed entries are skipped and the original (unmodified)
subject value remains in the output, so consumers see the raw OID rather
than a silently-corrupted normalized one.
Adds regression tests to x/pki/x509/x509_test.go that exercise the bug:
- Test_FormatOID_HexDecodeError: 5 cases covering non-hex chars,
odd-length hex, embedded whitespace, mixed valid/invalid OIDs,
and the positive-path regression guard.
- Test_FormatOID_NoCorruptOutput: explicit assertion that the buggy
output pattern ("vid=0x" with empty/null bytes) cannot occur.
These tests fail with the pre-fix code and pass with the fix applied.
Per reviewer feedback: removed unrelated x/audit module changes from
this PR — they will be submitted separately if there's interest.
Signed-off-by: Srikanth Patchava <srpatcha@users.noreply.github.com>
srpatcha
force-pushed
the
fix/pki-hex-decode-error-handling
branch
from
0609a0e to
47e8a64
Compare
Author
|
Hi, thanks for the focused review! Both items addressed in the force-push ( ✅ 1. Removed
|
| Input | Expectation |
|---|---|
Non-hex chars in last 8 (#1304ZZNOTHEX) |
Original entry preserved unchanged |
| Odd-length hex (invalid) | Original entry preserved unchanged |
| Whitespace-containing value | Original entry preserved unchanged |
| Valid hex (positive-path regression guard) | Normalizes correctly to vid=0x6006 |
| Multiple OIDs, one valid + one invalid | Only the invalid one stays raw |
Test_FormatOID_NoCorruptOutput — explicit assertion that the buggy output pattern (vid=0x followed by empty/null bytes) cannot occur. This is the security-relevant regression guard.
Both tests fail with the pre-fix code (which silently emitted truncated/empty hex) and pass with the fix applied.
📊 Final PR scope
x/pki/x509/x509.go (+5 / -2)
x/pki/x509/x509_test.go (+82 / -0)
One commit, one author email, ready for re-review!
srpatcha
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Malformed hex strings in certificate subject fields could previously produce corrupt decoded output because the error from
hex.DecodeStringwas discarded withdecoded, _ := .... In a compliance ledger this is a security concern: an attacker-controlled or accidentally truncated certificate could yield bogus normalized OIDs in indexed fields.Fix
After this fix, malformed entries are skipped and the original (unmodified) subject value remains in the output, so consumers see the raw OID rather than a silently-corrupted normalized one.
Tests
Adds two test functions to
x/pki/x509/x509_test.goexercising the bug:Test_FormatOID_HexDecodeError— 5 cases: non-hex chars, odd-length hex, embedded whitespace, mixed valid/invalid OIDs, and the positive-path regression guardTest_FormatOID_NoCorruptOutput— explicit assertion thatvid=0xfollowed by empty/null bytes cannot appear in outputBoth tests fail with the pre-fix code and pass with the fix applied.
Scope
Single concern, single commit, single author email.