Forbid empty integer in DER encoder

jschanck · jschanck · commit f96f75384de0 · 2023-09-15T12:38:39.000-07:00
diff --git a/src/crypto/der.rs b/src/crypto/der.rs
@@ -45,14 +45,16 @@ fn write_tag_and_length(out: &mut Vec<u8>, tag: u8, len: usize) -> Result<()> {
 }
 
 pub fn integer(val: &[u8]) -> Result<Vec<u8>> {
+    if val.is_empty() {
+        return Err(CryptoError::MalformedInput);
+    }
     // trim leading zeros, leaving a single zero if the input is the zero vector.
     let mut val = val;
     while val.len() > 1 && val[0] == 0 {
         val = &val[1..];
     }
-
     let mut out = Vec::with_capacity(MAX_TAG_AND_LENGTH_BYTES + 1 + val.len());
-    if !val.is_empty() && val[0] & 0x80 != 0 {
+    if val[0] & 0x80 != 0 {
         // needs zero prefix
         write_tag_and_length(&mut out, TAG_INTEGER, 1 + val.len())?;
         out.push(0x00);
diff --git a/src/crypto/mod.rs b/src/crypto/mod.rs
@@ -724,9 +724,9 @@ impl COSEEC2Key {
         der::sequence(&[
             // algorithm: AlgorithmIdentifier
             &der::sequence(&[
-                /* algorithm */
+                // algorithm
                 &der::object_id(der::OID_EC_PUBLIC_KEY_BYTES)?,
-                /* parameters */
+                // parameters
                 &der::object_id(der::OID_SECP256R1_BYTES)?,
             ])?,
             // subjectPublicKey
@@ -759,9 +759,10 @@ impl COSEOKPKey {
         der::sequence(&[
             // algorithm: AlgorithmIdentifier
             &der::sequence(&[
-                /* algorithm */
+                // algorithm
                 &der::object_id(der::OID_ED25519_BYTES)?,
-                /* parameters (absent as per RFC 8410) */
+                // parameters
+                // (absent as per RFC 8410)
             ])?,
             // subjectPublicKey
             &der::bit_string(
@@ -787,8 +788,10 @@ impl COSERSAKey {
         der::sequence(&[
             // algorithm: AlgorithmIdentifier
             &der::sequence(&[
-                /* algorithm */ &der::object_id(der::OID_RS256_BYTES)?,
-                /* parameters */ &der::null()?,
+                // algorithm
+                &der::object_id(der::OID_RS256_BYTES)?,
+                // parameters
+                &der::null()?,
             ])?,
             // subjectPublicKey
             &der::bit_string(
