-
Notifications
You must be signed in to change notification settings - Fork 132
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cms: TagUnexpected
error, but works fine in OpenSSL
#1452
Comments
dumpasn1 output
|
Hmmm, it looks like it's wrapped in use std::fs::read;
use cms::{cert::x509::der::{Decode, Encode}, content_info::ContentInfo, signed_data::SignedData};
use const_oid::db::rfc6268::ID_SIGNED_DATA;
fn main() {
let cms_string = read("test.pem.txt").unwrap();
let (_, content_info_der) = pem_rfc7468::decode_vec(&cms_string).unwrap();
let content_info = ContentInfo::from_der(&content_info_der).unwrap();
assert_eq!(content_info.content_type, ID_SIGNED_DATA);
let signed_data: SignedData = SignedData::from_der(&content_info.content.to_der().unwrap()).unwrap();
} Results in this error:
|
The problem emanates from parsing the certs fields of SignedData. CertificateSet is defined as follows:
The third certificate in your set is encoded as [1], which is an AttributeCertificateV1.
This type is obsolete per RFC 5652 (from September 2009). The CertificateChoices parser in the cms crate does not support that type (nor the not obsolete AttributeCertificateV2 at present). #[derive(Clone, Debug, Eq, PartialEq, Choice)]
#[allow(missing_docs)]
#[allow(clippy::large_enum_variant)]
pub enum CertificateChoices {
Certificate(Certificate),
#[asn1(context_specific = "3", tag_mode = "EXPLICIT", constructed = "true")]
Other(OtherCertificateFormat),
// TODO DEFER add more choices if desired (i.e., AttributeCertificateV2)
} I ran into this same case not too long ago and since I did not need the attribute cert nor have the time to contribute support for attribute certificates (mostly due to lack of artifacts to sustain testing), I worked around it as below (see https://github.com/carl-wallace/tpm_cab_verify/blob/main/src/asn1.rs#L23). #[derive(Clone, Debug, Eq, PartialEq, Sequence)]
#[allow(missing_docs)]
pub(crate) struct SignedData2 {
pub version: CmsVersion,
pub digest_algorithms: DigestAlgorithmIdentifiers,
pub encap_content_info: EncapsulatedContentInfo,
#[asn1(context_specific = "0", tag_mode = "IMPLICIT", optional = "true")]
pub certificates: Option<AnySet>,
#[asn1(context_specific = "1", tag_mode = "IMPLICIT", optional = "true")]
pub crls: Option<AnySet>,
pub signer_infos: SignerInfos,
}
/// Used in lieu of full support for all certificate and CRL types
#[derive(Clone, Eq, PartialEq, Debug)]
pub(crate) struct AnySet(pub SetOfVec<Any>);
impl_newtype!(AnySet, SetOfVec<Any>); |
Wow, thank you for your detailed response! |
Hmmm, I took a closer look at the standard, and the
To my knowledge, [1] means v1, however the interger version 1 = V2, so this is actually Assuming I write a PR to add |
Good catch. I did not even review the contents of the attribute cert. It's not my call, but I don't think we'd want to bake in support for mis-encodings like this and would instead leave handling stuff like that to one-offs a la the example I gave. This may be an argument in favor of deferring certs field decoding. One approach would be to define something like AnySet in the cms crate, use it for the certs and crls fields and let decoding be handled separately. We should add support for v2 attribute certs to CertificateChoices in any case. Definitions from RFC5912 are below. The structures are very different.
|
That sounds fine to me, and more flexible for handling cases like this. |
TagUnexpected
error, but works fine in OpenSSL
Hello, I am trying to parse a CMS message (test.pem.txt, remove the .txt) - please bear with me as I'm not an expert on this.
I've written code as follows:
However, this results in the error:
Reading this file however, using
openssl
CLI seems to work fine:Am I doing something wrong or is there something about the file that makes it not supported?
Thanks in advance.
openssl asn1parse output
The text was updated successfully, but these errors were encountered: