fix(auth): require bit strings to have no unused bits

This is already checked by the crypto module or by mbedTLS, but checking
it in the X.509 parser is harmless.

Change-Id: Ifdbe3b4c6d04481bb8e93106ee04b49a70f50d5d
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>

diff --git a/drivers/auth/mbedtls/mbedtls_x509_parser.c b/drivers/auth/mbedtls/mbedtls_x509_parser.c
index 244f1c95e52fa24f994bdc950d9bf7288c18885a..87f280c133ca7671c24730cebfc1268fe1ec3bd5 100644 (file)
--- a/drivers/auth/mbedtls/mbedtls_x509_parser.c
+++ b/drivers/auth/mbedtls/mbedtls_x509_parser.c
@@ -281,7 +281,8 @@ static int cert_parse(void *img, unsigned int img_len)
        }
        p += len;
 
-       ret = mbedtls_asn1_get_tag(&p, pk_end, &len, MBEDTLS_ASN1_BIT_STRING);
+       /* Key is a BIT STRING and must use all bytes in SubjectPublicKeyInfo */
+       ret = mbedtls_asn1_get_bitstring_null(&p, pk_end, &len);
        if ((ret != 0) || (p + len != pk_end)) {
                return IMG_PARSER_ERR_FORMAT;
        }
@@ -422,7 +423,7 @@ static int cert_parse(void *img, unsigned int img_len)
         * signatureValue       BIT STRING
         */
        signature.p = p;
-       ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_BIT_STRING);
+       ret = mbedtls_asn1_get_bitstring_null(&p, end, &len);
        if (ret != 0) {
                return IMG_PARSER_ERR_FORMAT;
        }