enforce only int64 integers.

that's all the decoder/encoder can handle right now

Author: alandekok

share/dictionary/der/dictionary.common

@@ -42,9 +42,9 @@ END DirectoryName
 DEFINE	GeneralSubtree					sequence
 BEGIN GeneralSubtree
 DEFINE	base						sequence        clone=GeneralName
-DEFINE	minimum						integer         option=0,has_default
+DEFINE	minimum						int64		option=0,has_default
 VALUE	minimum				DEFAULT			0
-DEFINE	maximum						integer         option=1
+DEFINE	maximum						int64		option=1
 END GeneralSubtree
 
 DEFINE	Name						sequence

share/dictionary/der/dictionary.extensions

@@ -78,7 +78,7 @@ ATTRIBUTE	basicConstraints			2.5.29.19	sequence is_oid_leaf
 BEGIN 2.5.29.19
 DEFINE	cA						boolean has_default
 VALUE	cA				DEFAULT			false
-DEFINE	pathLenConstraint				integer
+DEFINE	pathLenConstraint				int64
 END 2.5.29.19
 
 ATTRIBUTE	nameConstraints				2.5.29.30	sequence        is_oid_leaf
@@ -192,4 +192,4 @@ DEFINE	cRLIssuer					group   ref=GeneralName,subtype=sequence,sequence_of=choice
 
 END distributionPoint
 
-ATTRIBUTE	inhibitAnyPolicy			2.5.29.54	integer is_oid_leaf
+ATTRIBUTE	inhibitAnyPolicy			2.5.29.54	int64 is_oid_leaf

share/dictionary/der/dictionary.rfc2986

@@ -7,7 +7,7 @@ BEGIN CertificateRequest
 
 DEFINE	certificationRequestInfo			tlv
 BEGIN certificationRequestInfo
-DEFINE	version						integer
+DEFINE	version						int64
 
 DEFINE	subject						tlv
 BEGIN subject

share/dictionary/der/dictionary.rfc5280

@@ -9,7 +9,7 @@ DEFINE	tbsCertificate					tlv
 BEGIN tbsCertificate
 DEFINE	version						tlv class=context-specific,tagnum=0,subtype=sequence
 BEGIN version
-DEFINE	VersionNum					integer
+DEFINE	VersionNum					int64
 END version
 DEFINE	serialNumber					octets tagnum=2
 DEFINE	signature					group ref=OID-Tree,is_pair

src/protocols/der/base.c

@@ -418,6 +418,24 @@ static bool attr_valid(fr_dict_attr_t *da)
 		return false;
 	}
 
+	/*
+	 *	The DER encoder / decoder assume that all pairs are FR_TYPE_INT64.
+	 *
+	 *	The "on the wire" DER data has variable-sized encoding for integers,
+	 *	and drops leading zeros.
+	 *
+	 *	For consistency, we disallow data types which the
+	 *	encoder/decoder don't handle.  Except for data types
+	 *	in structs, because the struct encoder/decoder takes
+	 *	care of those.
+	 */
+	if (fr_type_is_integer_except_bool(da->type) && (da->type != FR_TYPE_INT64) &&
+	    (da->type != FR_TYPE_DATE) && (da->type != FR_TYPE_TIME_DELTA) &&
+	    (da->parent->type != FR_TYPE_STRUCT)) {
+		fr_strerror_printf("Only 'int64' is supported by DER");
+		return false;
+	}
+
 	return true;
 }