path: root/src/lib/libssl/test/testgen
author: tb <> 2026-02-08 10:27:00 +0000
committer: tb <> 2026-02-08 10:27:00 +0000
commit: 50933fb9bc6bf2281489d17ee48416a43163d847 (patch)
tree: 6d9729c1d5a62279e3a121d619a85668811430c0 /src/lib/libssl/test/testgen
parent: 36d1f52b62304ee4c3c58e4d9e76e912f868d8cc (diff)
Make truncation in ASN1_BIT_STRING_set_bit() explicit
Instead of relying on i2c_ASN1_BIT_STRING() to determine the "unused" bits on encoding, set them explicitly in abs->flags via a call to asn1_abs_set_unused_bits(). This means ASN1_STRING_FLAGS_BITS_LEFT is now set on a bit string, which was previously explicitly cleared. This also means that the encoding of a non-zero ASN1_BIT_STRING populated by setting the bits individually will now go through the if (a->flags & ASN1_STRING_FLAG_BITS_LEFT) path in i2c_ASN1_BIT_STRING().

The most prominent usage of this function is in X.509 for the keyUsage extension or the CRL reason codes. There's also the NS cert type, TS PKIFailureInfo and general BITLIST config strings.

The reason for the truncation logic comes from the DER for NamedBitLists X.690, 11.2.2 below:

    X.680, 22.7:

    When a "NamedBitList" is used in defining a bitstring type ASN.1 encoding rules are free to add (or remove) arbitrarily any trailing 0 bits to (or from) values that are being encoded or decoded. Application designers should therefore ensure that different semantics are not associated with such values which differ only in the number of trailing 0 bits.

    X.690, 11.2.2

    Where ITU-T Rec. X.680 | ISO/IEC 8824-1, 22.7, applies, the bitstring shall have all trailing 0 bits removed before it is encoded.

    Note 1 - In the case where a size constraint has been applied, the abstract value delivered by a decoder to the application will be one of those satisfying the size constraint and differing from the transmitted value only in the number of trailing zero bits.

    Note 2 - If a bitstring value has no 1 bits, then an encoder shall encode the value with a length of 1 and an initial octet set to 0.

ok kenjiro (on an earlier version) jsing
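The X.690 11.2.2 rule the commit message quotes can be seen end to end with a small standalone encoder. The following C is an added illustration and is not LibreSSL's code: it does not use ASN1_BIT_STRING or i2c_ASN1_BIT_STRING(), but reimplements the DER content-octet rule for a NamedBitList (strip trailing 0 bits, count the unused bits of the last octet into the leading octet, encode an all-zero value as a single 0x00) and wraps it in a BIT STRING TLV. The key usage bit positions are those of RFC 5280; the 0/1 input array representation and the hypothetical function names are the example's own choices.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 5280 KeyUsage named bits (bit 0 is the MSB of the first data octet). */
enum { KU_DIGITAL_SIGNATURE = 0, KU_NON_REPUDIATION = 1, KU_KEY_ENCIPHERMENT = 2,
       KU_DATA_ENCIPHERMENT = 3, KU_KEY_AGREEMENT = 4, KU_KEY_CERT_SIGN = 5,
       KU_CRL_SIGN = 6, KU_ENCIPHER_ONLY = 7, KU_DECIPHER_ONLY = 8, KU_NBITS = 9 };

/*
 * Write the DER content octets of a BIT STRING holding a NamedBitList per
 * X.690 11.2.2. bits[i] != 0 means ASN.1 bit i is set. Trailing 0 bits are
 * removed, the first content octet holds the number of unused bits (0..7)
 * in the final data octet, and a value with no 1 bits becomes one 0x00 octet.
 * Returns the number of content octets written, or -1 if out is too small.
 */
int der_namedbits_content(const uint8_t *bits, size_t nbits,
    uint8_t *out, size_t outlen)
{
	size_t i, last = 0, used, nbytes;
	int found = 0;

	for (i = 0; i < nbits; i++)
		if (bits[i]) { last = i; found = 1; }

	if (!found) {			/* X.690 11.2.2 Note 2 */
		if (outlen < 1)
			return -1;
		out[0] = 0;
		return 1;
	}

	used = last + 1;		/* bits that survive truncation */
	nbytes = (used + 7) / 8;
	if (outlen < 1 + nbytes)
		return -1;
	memset(out, 0, 1 + nbytes);
	out[0] = (uint8_t)(nbytes * 8 - used);	/* unused bits in last octet */
	for (i = 0; i < used; i++)
		if (bits[i])
			out[1 + i / 8] |= (uint8_t)(0x80 >> (i % 8));
	return (int)(1 + nbytes);
}

/*
 * Full BIT STRING TLV (tag 0x03, short-form length only, i.e. < 128 content
 * octets, which covers every NamedBitList in X.509). Returns TLV length or -1.
 */
int der_namedbits_tlv(const uint8_t *bits, size_t nbits,
    uint8_t *out, size_t outlen)
{
	int n;

	if (outlen < 2)
		return -1;
	n = der_namedbits_content(bits, nbits, out + 2, outlen - 2);
	if (n < 0 || n >= 128)
		return -1;
	out[0] = 0x03;
	out[1] = (uint8_t)n;
	return n + 2;
}

/* Hex-dump helper for the demo in main(). */
static void print_hex(const char *label, const uint8_t *p, int n)
{
	int i;

	printf("%-28s", label);
	for (i = 0; i < n; i++)
		printf("%02x ", p[i]);
	printf("\n");
}

int main(void)
{
	uint8_t ku[KU_NBITS], buf[16];
	int n;

	/* Constructed sample: end-entity usage digitalSignature + keyEncipherment. */
	memset(ku, 0, sizeof(ku));
	ku[KU_DIGITAL_SIGNATURE] = ku[KU_KEY_ENCIPHERMENT] = 1;
	n = der_namedbits_tlv(ku, KU_NBITS, buf, sizeof(buf));
	print_hex("digitalSig+keyEnc:", buf, n);	/* 03 02 05 a0 */

	/* Constructed sample: CA usage keyCertSign + cRLSign. */
	memset(ku, 0, sizeof(ku));
	ku[KU_KEY_CERT_SIGN] = ku[KU_CRL_SIGN] = 1;
	n = der_namedbits_tlv(ku, KU_NBITS, buf, sizeof(buf));
	print_hex("keyCertSign+cRLSign:", buf, n);	/* 03 02 01 06 */

	/* Constructed sample: only decipherOnly (bit 8) needs a second octet. */
	memset(ku, 0, sizeof(ku));
	ku[KU_DECIPHER_ONLY] = 1;
	n = der_namedbits_tlv(ku, KU_NBITS, buf, sizeof(buf));
	print_hex("decipherOnly:", buf, n);		/* 03 03 07 00 80 */

	/* Constructed sample: no bits set, encoded as a single zero octet. */
	memset(ku, 0, sizeof(ku));
	n = der_namedbits_tlv(ku, KU_NBITS, buf, sizeof(buf));
	print_hex("empty:", buf, n);			/* 03 01 00 */
	return 0;
}
```

The two-octet decipherOnly case is the one where the unused-bit count matters most: the first data octet is entirely zero but cannot be dropped, because only trailing zero bits are removable, while the seven trailing zeros of the second octet are accounted for in the leading 0x07.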
Diffstat (limited to 'src/lib/libssl/test/testgen'): 0 files changed, 0 insertions, 0 deletions