fix(auth): require bit strings to have no unused bits This is already checked by the crypto module or by mbedTLS, but checking it in the X.509 parser is harmless. Change-Id: Ifdbe3b4c6d04481bb8e93106ee04b49a70f50d5d Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>

commit: 4d1610baadcce0c63ea140e1940982d65c8cc74f [log] [tgz]
author: Demi Marie Obenour <demiobenour@gmail.com> Thu Dec 08 15:24:27 2022 -0500
committer: Sandrine Bailleux <sandrine.bailleux@arm.com> Tue Jan 03 17:48:51 2023 +0100
tree: 1665bb4e4b2bdc2df24a3e225649558321ecc4d3
parent: 916eebe1979b8919dfd3e12c0144d850f16c3abf [diff]
diff --git a/drivers/auth/mbedtls/mbedtls_x509_parser.c b/drivers/auth/mbedtls/mbedtls_x509_parser.c
index 244f1c9..87f280c 100644
--- a/drivers/auth/mbedtls/mbedtls_x509_parser.c
+++ b/drivers/auth/mbedtls/mbedtls_x509_parser.c

@@ -281,7 +281,8 @@
 	}
 	p += len;
 
-	ret = mbedtls_asn1_get_tag(&p, pk_end, &len, MBEDTLS_ASN1_BIT_STRING);
+	/* Key is a BIT STRING and must use all bytes in SubjectPublicKeyInfo */
+	ret = mbedtls_asn1_get_bitstring_null(&p, pk_end, &len);
 	if ((ret != 0) || (p + len != pk_end)) {
 		return IMG_PARSER_ERR_FORMAT;
 	}
@@ -422,7 +423,7 @@
 	 * signatureValue       BIT STRING
 	 */
 	signature.p = p;
-	ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_BIT_STRING);
+	ret = mbedtls_asn1_get_bitstring_null(&p, end, &len);
 	if (ret != 0) {
 		return IMG_PARSER_ERR_FORMAT;
 	}
commit	4d1610baadcce0c63ea140e1940982d65c8cc74f	[log] [tgz]
author	Demi Marie Obenour <demiobenour@gmail.com>	Thu Dec 08 15:24:27 2022 -0500
committer	Sandrine Bailleux <sandrine.bailleux@arm.com>	Tue Jan 03 17:48:51 2023 +0100
tree	1665bb4e4b2bdc2df24a3e225649558321ecc4d3
parent	916eebe1979b8919dfd3e12c0144d850f16c3abf [diff]