The TCG EK cert profile says that the context tags in the
TPMSecurityAssertions type are IMPLICIT. The sample EK cert we have
has them as EXPLICIT.
What to do?
The value we initialize a CHOICE's `element` enum field to, prior to
decoding the CHOICE value, needs be one that does not cause
`asn1_free()` to do anything since we've not done anything yet either.
Should always run AFL before pushing changes to the ASN.1 compiler or
template interpreter!
Still fuzzing. There are crashers in the _asn1_print() path, though
right now they cannot affect anything else in Heimdal other than
asn1_print, since that's the only thing calling it yet.
For now we just add new types that can auto-decode through open types
in CSRs, but we leave the originals as they were to avoid having to
update lib/hx509/req.c for now.
Our asn1_print, like OpenSSL's, just knows how to parse and dump DER.
Ours can attempt to decode OCTET STRING and IMPLICIT-tagged constructed
values as DER, which is very useful.
But _now_ it's even better. Now it knows about all types exported from
all ASN.1 modules in `lib/asn1/` in Heimdal, and if told to print as
some type, it will use the new printing interface to print JSON-like
representations of values:
```
$ ./asn1_print /tmp/t490/ek2.crt Certificate |
jq '.tbsCertificate.extensions[3]._extnValue[]._values'
[
{
"_type": "TPMSpecification",
"family": "2.0",
"level": "0",
"revision": "138"
}
]
[
{
"_type": "TPMSecurityAssertions",
"version": "0",
"fieldUpgradable": true,
"ekGenerationType": "655617",
"ekGenerationLocation": "655616",
"ekCertificateGenerationLocation": "655616",
"ccInfo": {
"_type": "CommonCriteriaMeasures",
"version": "3.1",
"assurancelevel": "4",
"evaluationStatus": "2",
"plus": true,
"strengthOfFunction": null,
"profileOid": null,
"profileUri": null,
"targetOid": null,
"targetUri": null
},
"fipsLevel": {
"_type": "FIPSLevel",
"version": "140-2",
"level": "2",
"plus": false
},
"iso9000Certified": false,
"iso9000Uri": null
}
]
```
