reject trailing data when parsing signed certificate timestamps#15046
Open
dxbjavid wants to merge 1 commit into
Open
reject trailing data when parsing signed certificate timestamps#15046dxbjavid wants to merge 1 commit into
dxbjavid wants to merge 1 commit into
Conversation
alex
reviewed
Jun 16, 2026
|
|
||
| // Builds a minimal but well-formed SCT body (version, log id, timestamp, | ||
| // empty extensions, hash/signature algorithm and an empty signature). | ||
| fn minimal_sct_body() -> Vec<u8> { |
Member
There was a problem hiding this comment.
In general, unless there's a compelling reason to do otherwise, we prefer to test things from the Python API.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Signed Certificate Timestamps embedded in a certificate are parsed by a small hand-rolled TLS reader rather than the DER machinery. The reader walks the length-prefixed list and then each fixed SCT structure, but it never checks that it reached the end of either, so any bytes left over after the list, or after the final signature field inside an individual SCT entry, were quietly discarded. Since the SCT bytes come straight from an untrusted certificate extension, a malformed encoding with appended padding parsed as a valid SCT, and the leftover bytes still ended up in the stored raw data used for equality and hashing. I noticed it while comparing this reader against the DER and SSH parsers, both of which reject leftover input. The fix verifies each reader is empty once the expected fields have been consumed. I kept it inside parse_scts and added a regression test covering both leftover positions.