Closed ties closed 2 years ago
The case that applies is (from https://datatracker.ietf.org/doc/html/rfc5652)
SignerInfo ::= SEQUENCE {
version CMSVersion,
sid SignerIdentifier,
digestAlgorithm DigestAlgorithmIdentifier,
signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
signatureAlgorithm SignatureAlgorithmIdentifier,
signature SignatureValue,
unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL }
SignerIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
subjectKeyIdentifier [0] SubjectKeyIdentifier }
...
SubjectKeyIdentifier ::= OCTET STRING
Implemented at https://github.com/PeculiarVentures/PKI.js/blob/master/src/SignerInfo.js#L185 . This is where my debugging ended.
Please attach reference objects to the bug. You may also want to look at https://www.npmjs.com/package/@peculiar/x509 for the decode case. I suspect it will work better.
I have attached the objects: rpki-manifests-and-certs.zip
In the end I wanted to parse a specific CMS profile's (https://datatracker.ietf.org/doc/html/rfc6488) eContent
to build a tiny debugging tool, so I would expect PKI.js or asn1.js is the suitable library for this. For the current use case I do not need to check the CMS signature, so I could use asn1.js, but ideally it should.
https://www.npmjs.com/package/@peculiar/x509 looks very usable for decoding the certificate. Edit: asn1-schema may also work very nicely for this use case
@ties Thank you for this issue
I reproduced this error using both pkijs
and @peculiar/asn1-cms
modules.
I fixed and published @peculiar/asn1-cms
please try version 2.0.37
. It parses CMS (from your ZIP file) without exception
import { AsnConvert, AsnParser } from "@peculiar/asn1-schema";
import { ContentInfo, SignedData } from "@peculiar/asn1-cms";
const rpkiMftB64 = "MIIHegYJKoZIhvcNAQcCoIIHazCCB2cCAQMxDzANBglghkgBZQMEAgEFADCB4gYLKoZIhvcNAQkQARqg" +
// ...
"TYbY3LQ33K7LWpVJwB9Oalvx6dvvU9zhwX+nE6oLPSkwbC5J9OIdIq8W62aEBsZ8qRJU79a/JM676Q==";
const rpkiMftBuffer = Buffer.from(rpkiMftB64, "base64");
const contentInfo = AsnConvert.parse(rpkiMftBuffer, ContentInfo);
const signedData = AsnConvert.parse(contentInfo.content, SignedData);
Working on pkijs
fix
pkijs
declares subjectKeyIdentifier
like EXPLICIT
but it must be IMPLICIT
DEFINITIONS IMPLICIT TAGS ::=
SignerIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber,
subjectKeyIdentifier [0] SubjectKeyIdentifier }
Fix
return (
new asn1js.Sequence({
name: "SignerInfo",
value: [
new asn1js.Integer({ name: (names.version || "SignerInfo.version") }),
new asn1js.Choice({
value: [
IssuerAndSerialNumber.schema(names.sid || {
names: {
blockName: "SignerInfo.sid"
}
}),
- new asn1js.Constructed({
+ new asn1js.Primitive({
optional: true,
name: (names.sid || "SignerInfo.sid"),
idBlock: {
tagClass: 3, // CONTEXT-SPECIFIC
tagNumber: 0 // [0]
},
value: [new asn1js.OctetString()]
}),
]
}),
@ties I published pkijs@2.1.96
Please try it
@microshine sorry for the delay. I can confirm that pkijs
as well as asn1-js
can parse the CMS and that I succeeded with parsing the content with the latter.
I am trying to parse an Resource Public Key Infrastructure (RPKI) manifest (RFC6486) which are ASN.1 structures in CMS.
When I do so, I get the exception above with a root cause of
Wrong values for Choice type
(likely because ofSignerInfo.sid
- but debugging this is non-trivial).Since openssl accepts the CMS (as seen below) and BouncyCastle also accepts them I think they are valid. Could you take a look?
openssl example