// Parses a DER BIT STRING from |input| and hands back, in |value|, the bytes
// that follow the leading "number of unused bits" octet.
//
// Returns the error from ExpectTagAndGetValue unchanged if the BIT STRING
// header cannot be read, and Result::ERROR_BAD_DER if the unused-bits octet is
// missing or is anything other than zero. Otherwise returns whatever
// Reader::GetInput reports.
Result
BitStringWithNoUnusedBits(Reader& input, /*out*/ Input& value)
{
  Reader bitString;
  const Result tagResult = ExpectTagAndGetValue(input, BIT_STRING, bitString);
  if (tagResult != Success) {
    return tagResult;
  }

  // XXX: X.690 allows the unused-bits octet to be anything from 0 to 7, so
  // strictly speaking this check is tighter than DER requires. We suspect
  // there are no real-world OCSP responses or certificates with non-zero
  // unused bits, and NSS seems to assume the same in various places, so we
  // enforce it too in order to keep this code simple. If compatibility issues
  // show up, we'll know we're wrong and will have to figure out how to shift
  // the bits around.
  //
  // The short-circuit matters: unusedBitCount is only inspected once Read()
  // has succeeded, so an empty BIT STRING never reads an uninitialized byte.
  uint8_t unusedBitCount;
  if (bitString.Read(unusedBitCount) != Success || unusedBitCount != 0) {
    return Result::ERROR_BAD_DER;
  }

  // Mark the position just past the unused-bits octet, consume the rest, and
  // return the span from the mark onwards.
  Reader::Mark contentStart(bitString.GetMark());
  bitString.SkipToEnd();
  return bitString.GetInput(contentStart, value);
}
// Parses the three parts of a signed structure from |input|, in order: a
// SEQUENCE (the to-be-signed data), a signature AlgorithmIdentifier, and a
// BIT STRING signature value.
//
// On success:
//   - |tbs| is a Reader over the value of the leading SEQUENCE;
//   - |signedData.data| holds the input consumed while reading that SEQUENCE,
//     measured from a mark taken before its tag. These are the bytes a
//     signature check would have to cover, so they are captured verbatim
//     rather than re-encoded;
//   - |signedData.algorithm| and |signedData.signature| are filled in by
//     SignatureAlgorithmIdentifier and BitStringWithNoUnusedBits.
//
// This function only parses; it does not verify the signature. It also does
// not check that |input| is exhausted after the signature -- presumably the
// caller rejects trailing data; confirm at the call sites.
//
// Errors are propagated unchanged, except that Result::ERROR_BAD_DER from the
// signature BIT STRING is reported as Result::ERROR_BAD_SIGNATURE.
Result
SignedData(Reader& input, /*out*/ Reader& tbs,
           /*out*/ SignedDataWithSignature& signedData)
{
  // Taken before the SEQUENCE tag so the captured span includes the header.
  Reader::Mark tbsStart(input.GetMark());

  Result status = ExpectTagAndGetValue(input, SEQUENCE, tbs);
  if (status != Success) {
    return status;
  }

  status = input.GetInput(tbsStart, signedData.data);
  if (status != Success) {
    return status;
  }

  status = SignatureAlgorithmIdentifier(input, signedData.algorithm);
  if (status != Success) {
    return status;
  }

  // A malformed signature encoding is surfaced as a signature failure rather
  // than a generic DER error; every other result passes through as-is.
  const Result signatureStatus =
    BitStringWithNoUnusedBits(input, signedData.signature);
  return signatureStatus == Result::ERROR_BAD_DER
           ? Result::ERROR_BAD_SIGNATURE
           : signatureStatus;
}