cms: TagUnexpected error, but works fine in OpenSSL
#1452
Comments
dumpasn1 output |
|
Hmmm, it looks like it's wrapped in use std::fs::read;
use cms::{cert::x509::der::{Decode, Encode}, content_info::ContentInfo, signed_data::SignedData};
use const_oid::db::rfc6268::ID_SIGNED_DATA;
fn main() {
let cms_string = read("test.pem.txt").unwrap();
let (_, content_info_der) = pem_rfc7468::decode_vec(&cms_string).unwrap();
let content_info = ContentInfo::from_der(&content_info_der).unwrap();
assert_eq!(content_info.content_type, ID_SIGNED_DATA);
let signed_data: SignedData = SignedData::from_der(&content_info.content.to_der().unwrap()).unwrap();
}Results in this error: |
|
The problem emanates from parsing the certs fields of SignedData. CertificateSet is defined as follows: The third certificate in your set is encoded as [1], which is an AttributeCertificateV1. This type is obsolete per RFC 5652 (from September 2009). The CertificateChoices parser in the cms crate does not support that type (nor the not obsolete AttributeCertificateV2 at present). #[derive(Clone, Debug, Eq, PartialEq, Choice)]
#[allow(missing_docs)]
#[allow(clippy::large_enum_variant)]
pub enum CertificateChoices {
Certificate(Certificate),
#[asn1(context_specific = "3", tag_mode = "EXPLICIT", constructed = "true")]
Other(OtherCertificateFormat),
// TODO DEFER add more choices if desired (i.e., AttributeCertificateV2)
}I ran into this same case not too long ago and since I did not need the attribute cert nor have the time to contribute support for attribute certificates (mostly due to lack of artifacts to sustain testing), I worked around it as below (see https://github.com/carl-wallace/tpm_cab_verify/blob/main/src/asn1.rs#L23). #[derive(Clone, Debug, Eq, PartialEq, Sequence)]
#[allow(missing_docs)]
pub(crate) struct SignedData2 {
pub version: CmsVersion,
pub digest_algorithms: DigestAlgorithmIdentifiers,
pub encap_content_info: EncapsulatedContentInfo,
#[asn1(context_specific = "0", tag_mode = "IMPLICIT", optional = "true")]
pub certificates: Option<AnySet>,
#[asn1(context_specific = "1", tag_mode = "IMPLICIT", optional = "true")]
pub crls: Option<AnySet>,
pub signer_infos: SignerInfos,
}
/// Used in lieu of full support for all certificate and CRL types
#[derive(Clone, Eq, PartialEq, Debug)]
pub(crate) struct AnySet(pub SetOfVec<Any>);
impl_newtype!(AnySet, SetOfVec<Any>); |
|
Wow, thank you for your detailed response! |
|
Hmmm, I took a closer look at the standard, and the To my knowledge, [1] means v1, however the interger version 1 = V2, so this is actually Assuming I write a PR to add |
|
Good catch. I did not even review the contents of the attribute cert. It's not my call, but I don't think we'd want to bake in support for mis-encodings like this and would instead leave handling stuff like that to one-offs a la the example I gave. This may be an argument in favor of deferring certs field decoding. One approach would be to define something like AnySet in the cms crate, use it for the certs and crls fields and let decoding be handled separately. We should add support for v2 attribute certs to CertificateChoices in any case. Definitions from RFC5912 are below. The structures are very different. |
That sounds fine to me, and more flexible for handling cases like this. |
tarcieri
changed the title
TagUnexpected error, but works fine in OpenSSL
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello, I am trying to parse a CMS message (test.pem.txt, remove the .txt) - please bear with me as I'm not an expert on this.
I've written code as follows:
However, this results in the error:
Reading this file however, using
opensslCLI seems to work fine:Am I doing something wrong or is there something about the file that makes it not supported?
Thanks in advance.
openssl asn1parse output
The text was updated successfully, but these errors were encountered: