cms: `TagUnexpected` error, but works fine in OpenSSL

xbjfk commented 4 months ago

Hello, I am trying to parse a CMS message (test.pem.txt, remove the .txt) - please bear with me as I'm not an expert on this. I've written code as follows:

use std::fs::read;
use cms::{cert::x509::der::Decode, signed_data::SignedData};

fn main() {
    let cms_string = read("test.pem").unwrap();
    let (_, cms_der) = pem_rfc7468::decode_vec(&cms_string).unwrap();
    let cms = SignedData::from_der(&cms_der).unwrap();
}

However, this results in the error:

called `Result::unwrap()` on an `Err` value: Error { kind: TagUnexpected { expected: Some(Tag(0x02: INTEGER)), actual: Tag(0x06: OBJECT IDENTIFIER) }, position: Some(Length(2)) }

Reading this file however, using openssl CLI seems to work fine:

user@pc ~ $ openssl cms -cmsout -inform PEM  -in test.pem -noout -print
CMS_ContentInfo: 
  contentType: pkcs7-signedData (1.2.840.113549.1.7.2)
  d.signedData: 
    version: 3
...

Am I doing something wrong or is there something about the file that makes it not supported? Thanks in advance.

openssl asn1parse output

``` 0:d=0 hl=4 l=5911 cons: SEQUENCE 4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData 15:d=1 hl=4 l=5896 cons: cont [ 0 ] 19:d=2 hl=4 l=5892 cons: SEQUENCE 23:d=3 hl=2 l= 1 prim: INTEGER :03 26:d=3 hl=2 l= 15 cons: SET 28:d=4 hl=2 l= 13 cons: SEQUENCE 30:d=5 hl=2 l= 9 prim: OBJECT :sha256 41:d=5 hl=2 l= 0 prim: NULL 43:d=3 hl=4 l= 348 cons: SEQUENCE 47:d=4 hl=2 l= 11 prim: OBJECT :id-smime-ct-TSTInfo 60:d=4 hl=4 l= 331 cons: cont [ 0 ] 64:d=5 hl=4 l= 327 prim: OCTET STRING [HEX DUMP]:30820143020101060A2B0601040184590A03013031300D060960864801650304020105000420FB2271B999324EB63066CCFA9F729C571741AAED891CC7ECCD9E400E471F496C0206667308789CDB181332303234303632383031333735342E3032395A3004800201F40201DEA081D8A481D53081D2310B3009060355040613025553311330110603550408130A57617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F726174696F6E312D302B060355040B13244D6963726F736F6674204972656C616E64204F7065726174696F6E73204C696D6974656431263024060355040B131D5468616C6573205453532045534E3A464334312D344244342D44323230312530230603550403131C4D6963726F736F66742054696D652D5374616D702053657276696365 395:d=3 hl=4 l=4475 cons: cont [ 0 ] 399:d=4 hl=4 l=1831 cons: SEQUENCE 403:d=5 hl=4 l=1295 cons: SEQUENCE 407:d=6 hl=2 l= 3 cons: cont [ 0 ] 409:d=7 hl=2 l= 1 prim: INTEGER :02 412:d=6 hl=2 l= 19 prim: INTEGER :33000001E2999995F1DCE320EB0001000001E2 433:d=6 hl=2 l= 13 cons: SEQUENCE 435:d=7 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption 446:d=7 hl=2 l= 0 prim: NULL 448:d=6 hl=2 l= 124 cons: SEQUENCE 450:d=7 hl=2 l= 11 cons: SET 452:d=8 hl=2 l= 9 cons: SEQUENCE 454:d=9 hl=2 l= 3 prim: OBJECT :countryName 459:d=9 hl=2 l= 2 prim: PRINTABLESTRING :US 463:d=7 hl=2 l= 19 cons: SET 465:d=8 hl=2 l= 17 cons: SEQUENCE 467:d=9 hl=2 l= 3 prim: OBJECT :stateOrProvinceName 472:d=9 hl=2 l= 10 prim: PRINTABLESTRING :Washington 484:d=7 hl=2 l= 16 cons: SET 486:d=8 hl=2 l= 14 cons: SEQUENCE 488:d=9 hl=2 l= 3 prim: OBJECT :localityName 493:d=9 hl=2 l= 7 prim: PRINTABLESTRING :Redmond 502:d=7 hl=2 l= 30 cons: SET 504:d=8 hl=2 l= 28 cons: SEQUENCE 506:d=9 hl=2 l= 3 prim: OBJECT :organizationName 511:d=9 hl=2 l= 21 prim: PRINTABLESTRING :Microsoft Corporation 534:d=7 hl=2 l= 38 cons: SET 536:d=8 hl=2 l= 36 cons: SEQUENCE 538:d=9 hl=2 l= 3 prim: OBJECT :commonName 543:d=9 hl=2 l= 29 prim: PRINTABLESTRING :Microsoft Time-Stamp PCA 2010 574:d=6 hl=2 l= 30 cons: SEQUENCE 576:d=7 hl=2 l= 13 prim: UTCTIME :231012190725Z 591:d=7 hl=2 l= 13 prim: UTCTIME :250110190725Z 606:d=6 hl=3 l= 210 cons: SEQUENCE 609:d=7 hl=2 l= 11 cons: SET 611:d=8 hl=2 l= 9 cons: SEQUENCE 613:d=9 hl=2 l= 3 prim: OBJECT :countryName 618:d=9 hl=2 l= 2 prim: PRINTABLESTRING :US 622:d=7 hl=2 l= 19 cons: SET 624:d=8 hl=2 l= 17 cons: SEQUENCE 626:d=9 hl=2 l= 3 prim: OBJECT :stateOrProvinceName 631:d=9 hl=2 l= 10 prim: PRINTABLESTRING :Washington 643:d=7 hl=2 l= 16 cons: SET 645:d=8 hl=2 l= 14 cons: SEQUENCE 647:d=9 hl=2 l= 3 prim: OBJECT :localityName 652:d=9 hl=2 l= 7 prim: PRINTABLESTRING :Redmond 661:d=7 hl=2 l= 30 cons: SET 663:d=8 hl=2 l= 28 cons: SEQUENCE 665:d=9 hl=2 l= 3 prim: OBJECT :organizationName 670:d=9 hl=2 l= 21 prim: PRINTABLESTRING :Microsoft Corporation 693:d=7 hl=2 l= 45 cons: SET 695:d=8 hl=2 l= 43 cons: SEQUENCE 697:d=9 hl=2 l= 3 prim: OBJECT :organizationalUnitName 702:d=9 hl=2 l= 36 prim: PRINTABLESTRING :Microsoft Ireland Operations Limited 740:d=7 hl=2 l= 38 cons: SET 742:d=8 hl=2 l= 36 cons: SEQUENCE 744:d=9 hl=2 l= 3 prim: OBJECT :organizationalUnitName 749:d=9 hl=2 l= 29 prim: PRINTABLESTRING :Thales TSS ESN:FC41-4BD4-D220 780:d=7 hl=2 l= 37 cons: SET 782:d=8 hl=2 l= 35 cons: SEQUENCE 784:d=9 hl=2 l= 3 prim: OBJECT :commonName 789:d=9 hl=2 l= 28 prim: PRINTABLESTRING :Microsoft Time-Stamp Service 819:d=6 hl=4 l= 546 cons: SEQUENCE 823:d=7 hl=2 l= 13 cons: SEQUENCE 825:d=8 hl=2 l= 9 prim: OBJECT :rsaEncryption 836:d=8 hl=2 l= 0 prim: NULL 838:d=7 hl=4 l= 527 prim: BIT STRING 1369:d=6 hl=4 l= 329 cons: cont [ 3 ] 1373:d=7 hl=4 l= 325 cons: SEQUENCE 1377:d=8 hl=2 l= 29 cons: SEQUENCE 1379:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier 1384:d=9 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:041444840E11DABEED076C969B4988244DA57809DA05 1408:d=8 hl=2 l= 31 cons: SEQUENCE 1410:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier 1415:d=9 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:301680149FA7155D005E625D83F4E5D265A71B533519E972 1441:d=8 hl=2 l= 95 cons: SEQUENCE 1443:d=9 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points 1448:d=9 hl=2 l= 88 prim: OCTET STRING [HEX DUMP]:30563054A052A050864E687474703A2F2F7777772E6D6963726F736F66742E636F6D2F706B696F70732F63726C2F4D6963726F736F667425323054696D652D5374616D70253230504341253230323031302831292E63726C 1538:d=8 hl=2 l= 108 cons: SEQUENCE 1540:d=9 hl=2 l= 8 prim: OBJECT :Authority Information Access 1550:d=9 hl=2 l= 96 prim: OCTET STRING [HEX DUMP]:305E305C06082B060105050730028650687474703A2F2F7777772E6D6963726F736F66742E636F6D2F706B696F70732F63657274732F4D6963726F736F667425323054696D652D5374616D70253230504341253230323031302831292E637274 1648:d=8 hl=2 l= 12 cons: SEQUENCE 1650:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints 1655:d=9 hl=2 l= 1 prim: BOOLEAN :255 1658:d=9 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:3000 1662:d=8 hl=2 l= 22 cons: SEQUENCE 1664:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage 1669:d=9 hl=2 l= 1 prim: BOOLEAN :255 1672:d=9 hl=2 l= 12 prim: OCTET STRING [HEX DUMP]:300A06082B06010505070308 1686:d=8 hl=2 l= 14 cons: SEQUENCE 1688:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage 1693:d=9 hl=2 l= 1 prim: BOOLEAN :255 1696:d=9 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:03020780 1702:d=5 hl=2 l= 13 cons: SEQUENCE 1704:d=6 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption 1715:d=6 hl=2 l= 0 prim: NULL 1717:d=5 hl=4 l= 513 prim: BIT STRING 2234:d=4 hl=4 l=1905 cons: SEQUENCE 2238:d=5 hl=4 l=1369 cons: SEQUENCE 2242:d=6 hl=2 l= 3 cons: cont [ 0 ] 2244:d=7 hl=2 l= 1 prim: INTEGER :02 2247:d=6 hl=2 l= 19 prim: INTEGER :3300000015C5E76B9E029B4999000000000015 2268:d=6 hl=2 l= 13 cons: SEQUENCE 2270:d=7 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption 2281:d=7 hl=2 l= 0 prim: NULL 2283:d=6 hl=3 l= 136 cons: SEQUENCE 2286:d=7 hl=2 l= 11 cons: SET 2288:d=8 hl=2 l= 9 cons: SEQUENCE 2290:d=9 hl=2 l= 3 prim: OBJECT :countryName 2295:d=9 hl=2 l= 2 prim: PRINTABLESTRING :US 2299:d=7 hl=2 l= 19 cons: SET 2301:d=8 hl=2 l= 17 cons: SEQUENCE 2303:d=9 hl=2 l= 3 prim: OBJECT :stateOrProvinceName 2308:d=9 hl=2 l= 10 prim: PRINTABLESTRING :Washington 2320:d=7 hl=2 l= 16 cons: SET 2322:d=8 hl=2 l= 14 cons: SEQUENCE 2324:d=9 hl=2 l= 3 prim: OBJECT :localityName 2329:d=9 hl=2 l= 7 prim: PRINTABLESTRING :Redmond 2338:d=7 hl=2 l= 30 cons: SET 2340:d=8 hl=2 l= 28 cons: SEQUENCE 2342:d=9 hl=2 l= 3 prim: OBJECT :organizationName 2347:d=9 hl=2 l= 21 prim: PRINTABLESTRING :Microsoft Corporation 2370:d=7 hl=2 l= 50 cons: SET 2372:d=8 hl=2 l= 48 cons: SEQUENCE 2374:d=9 hl=2 l= 3 prim: OBJECT :commonName 2379:d=9 hl=2 l= 41 prim: PRINTABLESTRING :Microsoft Root Certificate Authority 2010 2422:d=6 hl=2 l= 30 cons: SEQUENCE 2424:d=7 hl=2 l= 13 prim: UTCTIME :210930182225Z 2439:d=7 hl=2 l= 13 prim: UTCTIME :300930183225Z 2454:d=6 hl=2 l= 124 cons: SEQUENCE 2456:d=7 hl=2 l= 11 cons: SET 2458:d=8 hl=2 l= 9 cons: SEQUENCE 2460:d=9 hl=2 l= 3 prim: OBJECT :countryName 2465:d=9 hl=2 l= 2 prim: PRINTABLESTRING :US 2469:d=7 hl=2 l= 19 cons: SET 2471:d=8 hl=2 l= 17 cons: SEQUENCE 2473:d=9 hl=2 l= 3 prim: OBJECT :stateOrProvinceName 2478:d=9 hl=2 l= 10 prim: PRINTABLESTRING :Washington 2490:d=7 hl=2 l= 16 cons: SET 2492:d=8 hl=2 l= 14 cons: SEQUENCE 2494:d=9 hl=2 l= 3 prim: OBJECT :localityName 2499:d=9 hl=2 l= 7 prim: PRINTABLESTRING :Redmond 2508:d=7 hl=2 l= 30 cons: SET 2510:d=8 hl=2 l= 28 cons: SEQUENCE 2512:d=9 hl=2 l= 3 prim: OBJECT :organizationName 2517:d=9 hl=2 l= 21 prim: PRINTABLESTRING :Microsoft Corporation 2540:d=7 hl=2 l= 38 cons: SET 2542:d=8 hl=2 l= 36 cons: SEQUENCE 2544:d=9 hl=2 l= 3 prim: OBJECT :commonName 2549:d=9 hl=2 l= 29 prim: PRINTABLESTRING :Microsoft Time-Stamp PCA 2010 2580:d=6 hl=4 l= 546 cons: SEQUENCE 2584:d=7 hl=2 l= 13 cons: SEQUENCE 2586:d=8 hl=2 l= 9 prim: OBJECT :rsaEncryption 2597:d=8 hl=2 l= 0 prim: NULL 2599:d=7 hl=4 l= 527 prim: BIT STRING 3130:d=6 hl=4 l= 477 cons: cont [ 3 ] 3134:d=7 hl=4 l= 473 cons: SEQUENCE 3138:d=8 hl=2 l= 18 cons: SEQUENCE 3140:d=9 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.21.1 3151:d=9 hl=2 l= 5 prim: OCTET STRING [HEX DUMP]:0203010001 3158:d=8 hl=2 l= 35 cons: SEQUENCE 3160:d=9 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.21.2 3171:d=9 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:04142AA752FE64C49ABE82913C463529CF10FF2F04EE 3195:d=8 hl=2 l= 29 cons: SEQUENCE 3197:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier 3202:d=9 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:04149FA7155D005E625D83F4E5D265A71B533519E972 3226:d=8 hl=2 l= 92 cons: SEQUENCE 3228:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Certificate Policies 3233:d=9 hl=2 l= 85 prim: OCTET STRING [HEX DUMP]:30533051060C2B0601040182374C837D01013041303F06082B060105050702011633687474703A2F2F7777772E6D6963726F736F66742E636F6D2F706B696F70732F446F63732F5265706F7369746F72792E68746D 3320:d=8 hl=2 l= 19 cons: SEQUENCE 3322:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage 3327:d=9 hl=2 l= 12 prim: OCTET STRING [HEX DUMP]:300A06082B06010505070308 3341:d=8 hl=2 l= 25 cons: SEQUENCE 3343:d=9 hl=2 l= 9 prim: OBJECT :1.3.6.1.4.1.311.20.2 3354:d=9 hl=2 l= 12 prim: OCTET STRING [HEX DUMP]:1E0A00530075006200430041 3368:d=8 hl=2 l= 11 cons: SEQUENCE 3370:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage 3375:d=9 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:03020186 3381:d=8 hl=2 l= 15 cons: SEQUENCE 3383:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints 3388:d=9 hl=2 l= 1 prim: BOOLEAN :255 3391:d=9 hl=2 l= 5 prim: OCTET STRING [HEX DUMP]:30030101FF 3398:d=8 hl=2 l= 31 cons: SEQUENCE 3400:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier 3405:d=9 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014D5F656CB8FE8A25C6268D13D94905BD7CE9A18C4 3431:d=8 hl=2 l= 86 cons: SEQUENCE 3433:d=9 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points 3438:d=9 hl=2 l= 79 prim: OCTET STRING [HEX DUMP]:304D304BA049A0478645687474703A2F2F63726C2E6D6963726F736F66742E636F6D2F706B692F63726C2F70726F64756374732F4D6963526F6F4365724175745F323031302D30362D32332E63726C 3519:d=8 hl=2 l= 90 cons: SEQUENCE 3521:d=9 hl=2 l= 8 prim: OBJECT :Authority Information Access 3531:d=9 hl=2 l= 78 prim: OCTET STRING [HEX DUMP]:304C304A06082B06010505073002863E687474703A2F2F7777772E6D6963726F736F66742E636F6D2F706B692F63657274732F4D6963526F6F4365724175745F323031302D30362D32332E637274 3611:d=5 hl=2 l= 13 cons: SEQUENCE 3613:d=6 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption 3624:d=6 hl=2 l= 0 prim: NULL 3626:d=5 hl=4 l= 513 prim: BIT STRING 4143:d=4 hl=4 l= 727 cons: cont [ 1 ] 4147:d=5 hl=4 l= 576 cons: SEQUENCE 4151:d=6 hl=2 l= 1 prim: INTEGER :01 4154:d=6 hl=4 l= 256 cons: SEQUENCE 4158:d=7 hl=3 l= 216 cons: cont [ 1 ] 4161:d=8 hl=3 l= 213 cons: cont [ 4 ] 4164:d=9 hl=3 l= 210 cons: SEQUENCE 4167:d=10 hl=2 l= 11 cons: SET 4169:d=11 hl=2 l= 9 cons: SEQUENCE 4171:d=12 hl=2 l= 3 prim: OBJECT :countryName 4176:d=12 hl=2 l= 2 prim: PRINTABLESTRING :US 4180:d=10 hl=2 l= 19 cons: SET 4182:d=11 hl=2 l= 17 cons: SEQUENCE 4184:d=12 hl=2 l= 3 prim: OBJECT :stateOrProvinceName 4189:d=12 hl=2 l= 10 prim: PRINTABLESTRING :Washington 4201:d=10 hl=2 l= 16 cons: SET 4203:d=11 hl=2 l= 14 cons: SEQUENCE 4205:d=12 hl=2 l= 3 prim: OBJECT :localityName 4210:d=12 hl=2 l= 7 prim: PRINTABLESTRING :Redmond 4219:d=10 hl=2 l= 30 cons: SET 4221:d=11 hl=2 l= 28 cons: SEQUENCE 4223:d=12 hl=2 l= 3 prim: OBJECT :organizationName 4228:d=12 hl=2 l= 21 prim: PRINTABLESTRING :Microsoft Corporation 4251:d=10 hl=2 l= 45 cons: SET 4253:d=11 hl=2 l= 43 cons: SEQUENCE 4255:d=12 hl=2 l= 3 prim: OBJECT :organizationalUnitName 4260:d=12 hl=2 l= 36 prim: PRINTABLESTRING :Microsoft Ireland Operations Limited 4298:d=10 hl=2 l= 38 cons: SET 4300:d=11 hl=2 l= 36 cons: SEQUENCE 4302:d=12 hl=2 l= 3 prim: OBJECT :organizationalUnitName 4307:d=12 hl=2 l= 29 prim: PRINTABLESTRING :Thales TSS ESN:FC41-4BD4-D220 4338:d=10 hl=2 l= 37 cons: SET 4340:d=11 hl=2 l= 35 cons: SEQUENCE 4342:d=12 hl=2 l= 3 prim: OBJECT :commonName 4347:d=12 hl=2 l= 28 prim: PRINTABLESTRING :Microsoft Time-Stamp Service 4377:d=7 hl=2 l= 35 cons: cont [ 2 ] 4379:d=8 hl=2 l= 1 prim: ENUMERATED :01 4382:d=8 hl=2 l= 7 cons: SEQUENCE 4384:d=9 hl=2 l= 5 prim: OBJECT :sha1 4391:d=8 hl=2 l= 21 prim: BIT STRING 4414:d=6 hl=3 l= 131 cons: cont [ 0 ] 4417:d=7 hl=3 l= 128 cons: SEQUENCE 4420:d=8 hl=2 l= 126 cons: cont [ 4 ] 4422:d=9 hl=2 l= 124 cons: SEQUENCE 4424:d=10 hl=2 l= 11 cons: SET 4426:d=11 hl=2 l= 9 cons: SEQUENCE 4428:d=12 hl=2 l= 3 prim: OBJECT :countryName 4433:d=12 hl=2 l= 2 prim: PRINTABLESTRING :US 4437:d=10 hl=2 l= 19 cons: SET 4439:d=11 hl=2 l= 17 cons: SEQUENCE 4441:d=12 hl=2 l= 3 prim: OBJECT :stateOrProvinceName 4446:d=12 hl=2 l= 10 prim: PRINTABLESTRING :Washington 4458:d=10 hl=2 l= 16 cons: SET 4460:d=11 hl=2 l= 14 cons: SEQUENCE 4462:d=12 hl=2 l= 3 prim: OBJECT :localityName 4467:d=12 hl=2 l= 7 prim: PRINTABLESTRING :Redmond 4476:d=10 hl=2 l= 30 cons: SET 4478:d=11 hl=2 l= 28 cons: SEQUENCE 4480:d=12 hl=2 l= 3 prim: OBJECT :organizationName 4485:d=12 hl=2 l= 21 prim: PRINTABLESTRING :Microsoft Corporation 4508:d=10 hl=2 l= 38 cons: SET 4510:d=11 hl=2 l= 36 cons: SEQUENCE 4512:d=12 hl=2 l= 3 prim: OBJECT :commonName 4517:d=12 hl=2 l= 29 prim: PRINTABLESTRING :Microsoft Time-Stamp PCA 2010 4548:d=6 hl=2 l= 13 cons: SEQUENCE 4550:d=7 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption 4561:d=7 hl=2 l= 0 prim: NULL 4563:d=6 hl=2 l= 5 prim: INTEGER :EA281229 4570:d=6 hl=2 l= 34 cons: SEQUENCE 4572:d=7 hl=2 l= 15 prim: GENERALIZEDTIME :20240628003033Z 4589:d=7 hl=2 l= 15 prim: GENERALIZEDTIME :20240629003033Z 4606:d=6 hl=2 l= 119 cons: SEQUENCE 4608:d=7 hl=2 l= 61 cons: SEQUENCE 4610:d=8 hl=2 l= 10 prim: OBJECT :1.3.6.1.4.1.601.10.4.1 4622:d=8 hl=2 l= 47 cons: SET 4624:d=9 hl=2 l= 45 cons: SEQUENCE 4626:d=10 hl=2 l= 10 cons: SEQUENCE 4628:d=11 hl=2 l= 5 prim: INTEGER :EA281229 4635:d=11 hl=2 l= 1 prim: INTEGER :00 4638:d=10 hl=2 l= 10 cons: SEQUENCE 4640:d=11 hl=2 l= 1 prim: INTEGER :00 4643:d=11 hl=2 l= 2 prim: INTEGER :03D6 4647:d=11 hl=2 l= 1 prim: INTEGER :-01 4650:d=10 hl=2 l= 7 cons: SEQUENCE 4652:d=11 hl=2 l= 1 prim: INTEGER :00 4655:d=11 hl=2 l= 2 prim: INTEGER :1236 4659:d=10 hl=2 l= 10 cons: SEQUENCE 4661:d=11 hl=2 l= 5 prim: INTEGER :EA2963A9 4668:d=11 hl=2 l= 1 prim: INTEGER :00 4671:d=7 hl=2 l= 54 cons: SEQUENCE 4673:d=8 hl=2 l= 10 prim: OBJECT :1.3.6.1.4.1.601.10.4.2 4685:d=8 hl=2 l= 40 cons: SET 4687:d=9 hl=2 l= 38 cons: SEQUENCE 4689:d=10 hl=2 l= 12 cons: SEQUENCE 4691:d=11 hl=2 l= 10 prim: OBJECT :1.3.6.1.4.1.601.10.3.2 4703:d=10 hl=2 l= 10 cons: cont [ 0 ] 4705:d=11 hl=2 l= 8 cons: SEQUENCE 4707:d=12 hl=2 l= 1 prim: INTEGER :00 4710:d=12 hl=2 l= 3 prim: INTEGER :07A120 4715:d=10 hl=2 l= 10 cons: cont [ 1 ] 4717:d=11 hl=2 l= 8 cons: SEQUENCE 4719:d=12 hl=2 l= 1 prim: INTEGER :00 4722:d=12 hl=2 l= 3 prim: INTEGER :0186A0 4727:d=5 hl=2 l= 13 cons: SEQUENCE 4729:d=6 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption 4740:d=6 hl=2 l= 0 prim: NULL 4742:d=5 hl=3 l= 129 prim: BIT STRING 4874:d=3 hl=4 l=1037 cons: SET 4878:d=4 hl=4 l=1033 cons: SEQUENCE 4882:d=5 hl=2 l= 1 prim: INTEGER :01 4885:d=5 hl=3 l= 147 cons: SEQUENCE 4888:d=6 hl=2 l= 124 cons: SEQUENCE 4890:d=7 hl=2 l= 11 cons: SET 4892:d=8 hl=2 l= 9 cons: SEQUENCE 4894:d=9 hl=2 l= 3 prim: OBJECT :countryName 4899:d=9 hl=2 l= 2 prim: PRINTABLESTRING :US 4903:d=7 hl=2 l= 19 cons: SET 4905:d=8 hl=2 l= 17 cons: SEQUENCE 4907:d=9 hl=2 l= 3 prim: OBJECT :stateOrProvinceName 4912:d=9 hl=2 l= 10 prim: PRINTABLESTRING :Washington 4924:d=7 hl=2 l= 16 cons: SET 4926:d=8 hl=2 l= 14 cons: SEQUENCE 4928:d=9 hl=2 l= 3 prim: OBJECT :localityName 4933:d=9 hl=2 l= 7 prim: PRINTABLESTRING :Redmond 4942:d=7 hl=2 l= 30 cons: SET 4944:d=8 hl=2 l= 28 cons: SEQUENCE 4946:d=9 hl=2 l= 3 prim: OBJECT :organizationName 4951:d=9 hl=2 l= 21 prim: PRINTABLESTRING :Microsoft Corporation 4974:d=7 hl=2 l= 38 cons: SET 4976:d=8 hl=2 l= 36 cons: SEQUENCE 4978:d=9 hl=2 l= 3 prim: OBJECT :commonName 4983:d=9 hl=2 l= 29 prim: PRINTABLESTRING :Microsoft Time-Stamp PCA 2010 5014:d=6 hl=2 l= 19 prim: INTEGER :33000001E2999995F1DCE320EB0001000001E2 5035:d=5 hl=2 l= 13 cons: SEQUENCE 5037:d=6 hl=2 l= 9 prim: OBJECT :sha256 5048:d=6 hl=2 l= 0 prim: NULL 5050:d=5 hl=4 l= 330 cons: cont [ 0 ] 5054:d=6 hl=2 l= 26 cons: SEQUENCE 5056:d=7 hl=2 l= 9 prim: OBJECT :contentType 5067:d=7 hl=2 l= 13 cons: SET 5069:d=8 hl=2 l= 11 prim: OBJECT :id-smime-ct-TSTInfo 5082:d=6 hl=2 l= 47 cons: SEQUENCE 5084:d=7 hl=2 l= 9 prim: OBJECT :messageDigest 5095:d=7 hl=2 l= 34 cons: SET 5097:d=8 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:D01422AAF3F350942A39A1926B993336E1E011641247E5241AEEA379372F22C2 5131:d=6 hl=3 l= 250 cons: SEQUENCE 5134:d=7 hl=2 l= 11 prim: OBJECT :id-smime-aa-signingCertificateV2 5147:d=7 hl=3 l= 234 cons: SET 5150:d=8 hl=3 l= 231 cons: SEQUENCE 5153:d=9 hl=3 l= 228 cons: SEQUENCE 5156:d=10 hl=3 l= 189 cons: SEQUENCE 5159:d=11 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:2B892A4A10FD26B8C6C15044CE0E82F87792D4E88FDB8EE708664389088F7FFF 5193:d=11 hl=3 l= 152 cons: SEQUENCE 5196:d=12 hl=3 l= 128 cons: SEQUENCE 5199:d=13 hl=2 l= 126 cons: cont [ 4 ] 5201:d=14 hl=2 l= 124 cons: SEQUENCE 5203:d=15 hl=2 l= 11 cons: SET 5205:d=16 hl=2 l= 9 cons: SEQUENCE 5207:d=17 hl=2 l= 3 prim: OBJECT :countryName 5212:d=17 hl=2 l= 2 prim: PRINTABLESTRING :US 5216:d=15 hl=2 l= 19 cons: SET 5218:d=16 hl=2 l= 17 cons: SEQUENCE 5220:d=17 hl=2 l= 3 prim: OBJECT :stateOrProvinceName 5225:d=17 hl=2 l= 10 prim: PRINTABLESTRING :Washington 5237:d=15 hl=2 l= 16 cons: SET 5239:d=16 hl=2 l= 14 cons: SEQUENCE 5241:d=17 hl=2 l= 3 prim: OBJECT :localityName 5246:d=17 hl=2 l= 7 prim: PRINTABLESTRING :Redmond 5255:d=15 hl=2 l= 30 cons: SET 5257:d=16 hl=2 l= 28 cons: SEQUENCE 5259:d=17 hl=2 l= 3 prim: OBJECT :organizationName 5264:d=17 hl=2 l= 21 prim: PRINTABLESTRING :Microsoft Corporation 5287:d=15 hl=2 l= 38 cons: SET 5289:d=16 hl=2 l= 36 cons: SEQUENCE 5291:d=17 hl=2 l= 3 prim: OBJECT :commonName 5296:d=17 hl=2 l= 29 prim: PRINTABLESTRING :Microsoft Time-Stamp PCA 2010 5327:d=12 hl=2 l= 19 prim: INTEGER :33000001E2999995F1DCE320EB0001000001E2 5348:d=10 hl=2 l= 34 cons: SEQUENCE 5350:d=11 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:D80440ED3538FB7D0F1644C21114DF9EDD7E73D5F88ABD85844540BD8D3B45CE 5384:d=5 hl=2 l= 13 cons: SEQUENCE 5386:d=6 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption 5397:d=6 hl=2 l= 0 prim: NULL 5399:d=5 hl=4 l= 512 prim: OCTET STRING [HEX DUMP]:031C460C51DBC82C7B52EFC1FF45F56385FAD5D90FE3FEBB49C525750E0E323A1820DD197F9EACD337AFA39724CBA53567AD2D833014C7D2C8BD36DF60514E0090DBABA446FAF88D1E9A218BBAB5F58C4F1EB3A38582BE965ACC54240C10E2A2DF44FF14657BAE62BD2020B46DF12D5D5C61579B0097AED0AFFB97D27200C3E0C4D25D582D0B0F731610E4B28001BDAD4D9DB5A8233D0C67D84C57D72857C3745ECCAC976C5915CF6695742165D60A2ADC736948993BCB6B002B0B28D3F9D2CCD3C7FD1D4962B9994773EBF8AEBE3918E771F6F3AA6AFE729F710F2C8932682EBBBA8BE83571EBA8903330545BC161F9E126EAFF80B94D9AFAC0ADF33C7D97BF588D3ECBAA1ECB00ED36B9CF3C7C4D67505C626E0AA93591FD583EC8E33410ACE7D4797439AF48E213E99B2F6778E17604964E2236063E678314D6B38D9417F92A6F2F1796D01456DF1AB34761C58D3AB211C1934C8044B3116CD40092CFEF39B14D7D088438A458C9FB6801674468E5ED7CA32DC5874376BEF2B2CAB10C5EDC44F120EBC7E02DC6498784375C20809FE5DC30E9E1E75F6BE9D9FAF153F050FF8577DBE0F51630EBAF1E3EEECB4BAF74F6AA140C264F583D4C5CC5D2CDB3EFB7C1EDAD35F380B16BEF84655504A14460A826CC1152C923AB5C4442DE26587F22847C4A567996416812EED2CD8ADE851451A7E471AFD5957488BD541563A49256 ```

xbjfk commented 4 months ago

dumpasn1 output

``` 0 5911: SEQUENCE { 4 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2) 15 5896: [0] { 19 5892: SEQUENCE { 23 1: INTEGER 3 26 15: SET { 28 13: SEQUENCE { 30 9: OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1) 41 0: NULL : } : } 43 348: SEQUENCE { 47 11: OBJECT IDENTIFIER tSTInfo (1 2 840 113549 1 9 16 1 4) 60 331: [0] { 64 327: OCTET STRING, encapsulates { 68 323: SEQUENCE { 72 1: INTEGER 1 75 10: OBJECT IDENTIFIER '1 3 6 1 4 1 601 10 3 1' 87 49: SEQUENCE { 89 13: SEQUENCE { 91 9: OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1) 102 0: NULL : } 104 32: OCTET STRING : FB 22 71 B9 99 32 4E B6 30 66 CC FA 9F 72 9C 57 : 17 41 AA ED 89 1C C7 EC CD 9E 40 0E 47 1F 49 6C : } 138 6: INTEGER 66 73 08 78 9C DB 146 19: GeneralizedTime '20240628013754.029Z' : Error: Time is encoded incorrectly. 167 4: SEQUENCE { 169 2: [0] 01 F4 : } 173 1: INTEGER 222 : Error: Integer is encoded as a negative value. 176 216: [0] { 179 213: [4] { 182 210: SEQUENCE { 185 11: SET { 187 9: SEQUENCE { 189 3: OBJECT IDENTIFIER countryName (2 5 4 6) 194 2: PrintableString 'US' : } : } 198 19: SET { 200 17: SEQUENCE { 202 3: OBJECT IDENTIFIER : stateOrProvinceName (2 5 4 8) 207 10: PrintableString 'Washington' : } : } 219 16: SET { 221 14: SEQUENCE { 223 3: OBJECT IDENTIFIER localityName (2 5 4 7) 228 7: PrintableString 'Redmond' : } : } 237 30: SET { 239 28: SEQUENCE { 241 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 246 21: PrintableString 'Microsoft Corporation' : } : } 269 45: SET { 271 43: SEQUENCE { 273 3: OBJECT IDENTIFIER : organizationalUnitName (2 5 4 11) 278 36: PrintableString 'Microsoft Ireland Operations Limited' : } : } 316 38: SET { 318 36: SEQUENCE { 320 3: OBJECT IDENTIFIER : organizationalUnitName (2 5 4 11) 325 29: PrintableString 'Thales TSS ESN:FC41-4BD4-D220' : } : } 356 37: SET { 358 35: SEQUENCE { 360 3: OBJECT IDENTIFIER commonName (2 5 4 3) 365 28: PrintableString 'Microsoft Time-Stamp Service' : } : } : } : } : } : } : } : } : } 395 4475: [0] { 399 1831: SEQUENCE { 403 1295: SEQUENCE { 407 3: [0] { 409 1: INTEGER 2 : } 412 19: INTEGER : 33 00 00 01 E2 99 99 95 F1 DC E3 20 EB 00 01 00 : 00 01 E2 433 13: SEQUENCE { 435 9: OBJECT IDENTIFIER : sha256WithRSAEncryption (1 2 840 113549 1 1 11) 446 0: NULL : } 448 124: SEQUENCE { 450 11: SET { 452 9: SEQUENCE { 454 3: OBJECT IDENTIFIER countryName (2 5 4 6) 459 2: PrintableString 'US' : } : } 463 19: SET { 465 17: SEQUENCE { 467 3: OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8) 472 10: PrintableString 'Washington' : } : } 484 16: SET { 486 14: SEQUENCE { 488 3: OBJECT IDENTIFIER localityName (2 5 4 7) 493 7: PrintableString 'Redmond' : } : } 502 30: SET { 504 28: SEQUENCE { 506 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 511 21: PrintableString 'Microsoft Corporation' : } : } 534 38: SET { 536 36: SEQUENCE { 538 3: OBJECT IDENTIFIER commonName (2 5 4 3) 543 29: PrintableString 'Microsoft Time-Stamp PCA 2010' : } : } : } 574 30: SEQUENCE { 576 13: UTCTime 12/10/2023 19:07:25 GMT 591 13: UTCTime 10/01/2025 19:07:25 GMT : } 606 210: SEQUENCE { 609 11: SET { 611 9: SEQUENCE { 613 3: OBJECT IDENTIFIER countryName (2 5 4 6) 618 2: PrintableString 'US' : } : } 622 19: SET { 624 17: SEQUENCE { 626 3: OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8) 631 10: PrintableString 'Washington' : } : } 643 16: SET { 645 14: SEQUENCE { 647 3: OBJECT IDENTIFIER localityName (2 5 4 7) 652 7: PrintableString 'Redmond' : } : } 661 30: SET { 663 28: SEQUENCE { 665 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 670 21: PrintableString 'Microsoft Corporation' : } : } 693 45: SET { 695 43: SEQUENCE { 697 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11) 702 36: PrintableString 'Microsoft Ireland Operations Limited' : } : } 740 38: SET { 742 36: SEQUENCE { 744 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11) 749 29: PrintableString 'Thales TSS ESN:FC41-4BD4-D220' : } : } 780 37: SET { 782 35: SEQUENCE { 784 3: OBJECT IDENTIFIER commonName (2 5 4 3) 789 28: PrintableString 'Microsoft Time-Stamp Service' : } : } : } 819 546: SEQUENCE { 823 13: SEQUENCE { 825 9: OBJECT IDENTIFIER : rsaEncryption (1 2 840 113549 1 1 1) 836 0: NULL : } 838 527: BIT STRING, encapsulates { 843 522: SEQUENCE { 847 513: INTEGER : 00 B5 63 B5 98 55 FA 41 66 6F C7 0A 42 98 36 9B : 38 AC 0E 54 48 F7 BF 06 6F 66 A6 1A F6 C0 98 27 : 74 E0 95 46 79 37 BF 40 6C CC F0 A6 D0 AC C0 E8 : 97 B0 C2 EE 34 B4 DC 99 1C AC FB 16 8B D5 A9 57 : 0B 08 72 44 50 F0 09 17 D6 27 41 1B D1 E1 C8 2B : 29 01 AB DF BA FC F9 E6 48 65 ED BA CF 43 1E C7 : F7 D5 09 6E C1 37 C0 C9 A9 98 96 AC 3D 6A 60 17 : 4E 73 66 5B E9 59 00 D4 2C 37 08 63 29 79 95 72 : [ Another 385 bytes skipped ] 1364 3: INTEGER 65537 : } : } : } 1369 329: [3] { 1373 325: SEQUENCE { 1377 29: SEQUENCE { 1379 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14) 1384 22: OCTET STRING, encapsulates { 1386 20: OCTET STRING : 44 84 0E 11 DA BE ED 07 6C 96 9B 49 88 24 4D A5 : 78 09 DA 05 : } : } 1408 31: SEQUENCE { 1410 3: OBJECT IDENTIFIER : authorityKeyIdentifier (2 5 29 35) 1415 24: OCTET STRING, encapsulates { 1417 22: SEQUENCE { 1419 20: [0] : 9F A7 15 5D 00 5E 62 5D 83 F4 E5 D2 65 A7 1B 53 : 35 19 E9 72 : } : } : } 1441 95: SEQUENCE { 1443 3: OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31) 1448 88: OCTET STRING, encapsulates { 1450 86: SEQUENCE { 1452 84: SEQUENCE { 1454 82: [0] { 1456 80: [0] { 1458 78: [6] : 'http://www.microsoft.com/pkiops/crl/Microsoft%20' : 'Time-Stamp%20PCA%202010(1).crl' : } : } : } : } : } : } 1538 108: SEQUENCE { 1540 8: OBJECT IDENTIFIER : authorityInfoAccess (1 3 6 1 5 5 7 1 1) 1550 96: OCTET STRING, encapsulates { 1552 94: SEQUENCE { 1554 92: SEQUENCE { 1556 8: OBJECT IDENTIFIER : caIssuers (1 3 6 1 5 5 7 48 2) 1566 80: [6] : 'http://www.microsoft.com/pkiops/certs/Microsoft%' : '20Time-Stamp%20PCA%202010(1).crt' : } : } : } : } 1648 12: SEQUENCE { 1650 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19) 1655 1: BOOLEAN TRUE 1658 2: OCTET STRING, encapsulates { 1660 0: SEQUENCE {} : } : } 1662 22: SEQUENCE { 1664 3: OBJECT IDENTIFIER extKeyUsage (2 5 29 37) 1669 1: BOOLEAN TRUE 1672 12: OCTET STRING, encapsulates { 1674 10: SEQUENCE { 1676 8: OBJECT IDENTIFIER : timeStamping (1 3 6 1 5 5 7 3 8) : } : } : } 1686 14: SEQUENCE { 1688 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) 1693 1: BOOLEAN TRUE 1696 4: OCTET STRING, encapsulates { 1698 2: BIT STRING 7 unused bits : '1'B (bit 0) : } : } : } : } : } 1702 13: SEQUENCE { 1704 9: OBJECT IDENTIFIER : sha256WithRSAEncryption (1 2 840 113549 1 1 11) 1715 0: NULL : } 1717 513: BIT STRING : E4 54 44 31 AB 55 14 DB 9E E9 5F B2 0D 9C 4E CC : B2 87 B6 17 BE 15 54 EC D6 4C 90 84 C0 41 8B 05 : 10 F5 60 BD 2B E2 0B 29 6B E5 AA 77 91 AE FA 63 : 3D 2D FF A9 71 B9 CC C8 EB 0E ED 5E AF 27 E1 6C : 54 52 07 23 E7 00 21 9C DA 2B 86 70 FC 96 36 2A : 6D C9 37 ED F8 20 60 AD FE C0 4C 0B 84 FD 4F 18 : 2E 6D BD 72 B4 C5 8A 26 53 59 D4 FA 55 CE CB D6 : 51 9D 28 48 FC 76 5D 16 BC 36 B2 B8 2D B1 B5 A8 : [ Another 384 bytes skipped ] : } 2234 1905: SEQUENCE { 2238 1369: SEQUENCE { 2242 3: [0] { 2244 1: INTEGER 2 : } 2247 19: INTEGER : 33 00 00 00 15 C5 E7 6B 9E 02 9B 49 99 00 00 00 : 00 00 15 2268 13: SEQUENCE { 2270 9: OBJECT IDENTIFIER : sha256WithRSAEncryption (1 2 840 113549 1 1 11) 2281 0: NULL : } 2283 136: SEQUENCE { 2286 11: SET { 2288 9: SEQUENCE { 2290 3: OBJECT IDENTIFIER countryName (2 5 4 6) 2295 2: PrintableString 'US' : } : } 2299 19: SET { 2301 17: SEQUENCE { 2303 3: OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8) 2308 10: PrintableString 'Washington' : } : } 2320 16: SET { 2322 14: SEQUENCE { 2324 3: OBJECT IDENTIFIER localityName (2 5 4 7) 2329 7: PrintableString 'Redmond' : } : } 2338 30: SET { 2340 28: SEQUENCE { 2342 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 2347 21: PrintableString 'Microsoft Corporation' : } : } 2370 50: SET { 2372 48: SEQUENCE { 2374 3: OBJECT IDENTIFIER commonName (2 5 4 3) 2379 41: PrintableString : 'Microsoft Root Certificate Authority 2010' : } : } : } 2422 30: SEQUENCE { 2424 13: UTCTime 30/09/2021 18:22:25 GMT 2439 13: UTCTime 30/09/2030 18:32:25 GMT : } 2454 124: SEQUENCE { 2456 11: SET { 2458 9: SEQUENCE { 2460 3: OBJECT IDENTIFIER countryName (2 5 4 6) 2465 2: PrintableString 'US' : } : } 2469 19: SET { 2471 17: SEQUENCE { 2473 3: OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8) 2478 10: PrintableString 'Washington' : } : } 2490 16: SET { 2492 14: SEQUENCE { 2494 3: OBJECT IDENTIFIER localityName (2 5 4 7) 2499 7: PrintableString 'Redmond' : } : } 2508 30: SET { 2510 28: SEQUENCE { 2512 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 2517 21: PrintableString 'Microsoft Corporation' : } : } 2540 38: SET { 2542 36: SEQUENCE { 2544 3: OBJECT IDENTIFIER commonName (2 5 4 3) 2549 29: PrintableString 'Microsoft Time-Stamp PCA 2010' : } : } : } 2580 546: SEQUENCE { 2584 13: SEQUENCE { 2586 9: OBJECT IDENTIFIER : rsaEncryption (1 2 840 113549 1 1 1) 2597 0: NULL : } 2599 527: BIT STRING, encapsulates { 2604 522: SEQUENCE { 2608 513: INTEGER : 00 E4 E1 A6 4C E7 B4 72 21 0B 79 A2 CB D7 24 79 : BD 0E D5 82 D3 FD EE 9C 07 07 D2 A9 6C 4E 75 C8 : CA 35 57 F6 01 7F 6C 4A E0 E2 BD B9 3E 17 60 33 : FF 5C 4F C7 66 F7 95 53 71 5A E2 7E 4A 5A FE B8 : 36 67 85 46 23 0C B5 8D 13 CF 77 32 C0 10 18 E8 : 60 7D 6A 52 83 44 B7 A6 8E 46 6B 07 14 F3 C5 76 : F5 86 50 DC C1 44 C8 71 5C 51 31 37 A0 0A 38 6E : 8D ED D7 0F D8 26 53 7C 39 61 02 7A C4 AA FD 72 : [ Another 385 bytes skipped ] 3125 3: INTEGER 65537 : } : } : } 3130 477: [3] { 3134 473: SEQUENCE { 3138 18: SEQUENCE { 3140 9: OBJECT IDENTIFIER : cAKeyCertIndexPair (1 3 6 1 4 1 311 21 1) 3151 5: OCTET STRING, encapsulates { 3153 3: INTEGER 65537 : } : } 3158 35: SEQUENCE { 3160 9: OBJECT IDENTIFIER : certSrvPreviousCertHash (1 3 6 1 4 1 311 21 2) 3171 22: OCTET STRING, encapsulates { 3173 20: OCTET STRING : 2A A7 52 FE 64 C4 9A BE 82 91 3C 46 35 29 CF 10 : FF 2F 04 EE : } : } 3195 29: SEQUENCE { 3197 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14) 3202 22: OCTET STRING, encapsulates { 3204 20: OCTET STRING : 9F A7 15 5D 00 5E 62 5D 83 F4 E5 D2 65 A7 1B 53 : 35 19 E9 72 : } : } 3226 92: SEQUENCE { 3228 3: OBJECT IDENTIFIER certificatePolicies (2 5 29 32) 3233 85: OCTET STRING, encapsulates { 3235 83: SEQUENCE { 3237 81: SEQUENCE { 3239 12: OBJECT IDENTIFIER : microsoftCPS (1 3 6 1 4 1 311 76 509 1 1) 3253 65: SEQUENCE { 3255 63: SEQUENCE { 3257 8: OBJECT IDENTIFIER cps (1 3 6 1 5 5 7 2 1) 3267 51: IA5String : 'http://www.microsoft.com/pkiops/Docs/Repository.' : 'htm' : } : } : } : } : } : } 3320 19: SEQUENCE { 3322 3: OBJECT IDENTIFIER extKeyUsage (2 5 29 37) 3327 12: OCTET STRING, encapsulates { 3329 10: SEQUENCE { 3331 8: OBJECT IDENTIFIER : timeStamping (1 3 6 1 5 5 7 3 8) : } : } : } 3341 25: SEQUENCE { 3343 9: OBJECT IDENTIFIER : enrollCerttypeExtension (1 3 6 1 4 1 311 20 2) 3354 12: OCTET STRING, encapsulates { 3356 10: BMPString 'SubCA' : } : } 3368 11: SEQUENCE { 3370 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) 3375 4: OCTET STRING, encapsulates { 3377 2: BIT STRING 1 unused bit : '1100001'B : } : } 3381 15: SEQUENCE { 3383 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19) 3388 1: BOOLEAN TRUE 3391 5: OCTET STRING, encapsulates { 3393 3: SEQUENCE { 3395 1: BOOLEAN TRUE : } : } : } 3398 31: SEQUENCE { 3400 3: OBJECT IDENTIFIER : authorityKeyIdentifier (2 5 29 35) 3405 24: OCTET STRING, encapsulates { 3407 22: SEQUENCE { 3409 20: [0] : D5 F6 56 CB 8F E8 A2 5C 62 68 D1 3D 94 90 5B D7 : CE 9A 18 C4 : } : } : } 3431 86: SEQUENCE { 3433 3: OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31) 3438 79: OCTET STRING, encapsulates { 3440 77: SEQUENCE { 3442 75: SEQUENCE { 3444 73: [0] { 3446 71: [0] { 3448 69: [6] : 'http://crl.microsoft.com/pki/crl/products/MicRoo' : 'CerAut_2010-06-23.crl' : } : } : } : } : } : } 3519 90: SEQUENCE { 3521 8: OBJECT IDENTIFIER : authorityInfoAccess (1 3 6 1 5 5 7 1 1) 3531 78: OCTET STRING, encapsulates { 3533 76: SEQUENCE { 3535 74: SEQUENCE { 3537 8: OBJECT IDENTIFIER : caIssuers (1 3 6 1 5 5 7 48 2) 3547 62: [6] : 'http://www.microsoft.com/pki/certs/MicRooCerAut_' : '2010-06-23.crt' : } : } : } : } : } : } : } 3611 13: SEQUENCE { 3613 9: OBJECT IDENTIFIER : sha256WithRSAEncryption (1 2 840 113549 1 1 11) 3624 0: NULL : } 3626 513: BIT STRING : 9D 55 7D FC 2A AD E1 2C 1F 67 01 31 24 5B E1 9E : 72 4B FC A9 6F EA 5C 14 B6 3E 4E 47 64 78 B1 06 : 93 97 3D 31 33 B5 39 D7 C2 71 36 3F DA 64 6C 7C : D0 75 39 6D BB 0F 31 E4 C2 8F FB 6C D1 A1 94 18 : 22 EE E9 66 67 3A 53 4D DD 98 BA B6 1E 78 D8 36 : 2E 9C A9 82 56 00 03 B0 05 BE 89 E8 69 E0 BA 09 : EE 7B DF 6A 6F BE 29 CB 6E D8 3F 48 75 01 D9 18 : DE 6D 82 0C F5 6D 23 54 E4 78 53 75 24 57 B9 DD : [ Another 384 bytes skipped ] : } 4143 727: [1] { 4147 576: SEQUENCE { 4151 1: INTEGER 1 4154 256: SEQUENCE { 4158 216: [1] { 4161 213: [4] { 4164 210: SEQUENCE { 4167 11: SET { 4169 9: SEQUENCE { 4171 3: OBJECT IDENTIFIER countryName (2 5 4 6) 4176 2: PrintableString 'US' : } : } 4180 19: SET { 4182 17: SEQUENCE { 4184 3: OBJECT IDENTIFIER : stateOrProvinceName (2 5 4 8) 4189 10: PrintableString 'Washington' : } : } 4201 16: SET { 4203 14: SEQUENCE { 4205 3: OBJECT IDENTIFIER localityName (2 5 4 7) 4210 7: PrintableString 'Redmond' : } : } 4219 30: SET { 4221 28: SEQUENCE { 4223 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 4228 21: PrintableString 'Microsoft Corporation' : } : } 4251 45: SET { 4253 43: SEQUENCE { 4255 3: OBJECT IDENTIFIER : organizationalUnitName (2 5 4 11) 4260 36: PrintableString 'Microsoft Ireland Operations Limited' : } : } 4298 38: SET { 4300 36: SEQUENCE { 4302 3: OBJECT IDENTIFIER : organizationalUnitName (2 5 4 11) 4307 29: PrintableString 'Thales TSS ESN:FC41-4BD4-D220' : } : } 4338 37: SET { 4340 35: SEQUENCE { 4342 3: OBJECT IDENTIFIER commonName (2 5 4 3) 4347 28: PrintableString 'Microsoft Time-Stamp Service' : } : } : } : } : } 4377 35: [2] { 4379 1: ENUMERATED 1 4382 7: SEQUENCE { 4384 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26) : } 4391 21: BIT STRING : 16 9B 99 69 FA 74 6E 7A 49 74 88 5F 88 1D 5D F2 : 94 E8 86 6F : } : } 4414 131: [0] { 4417 128: SEQUENCE { 4420 126: [4] { 4422 124: SEQUENCE { 4424 11: SET { 4426 9: SEQUENCE { 4428 3: OBJECT IDENTIFIER countryName (2 5 4 6) 4433 2: PrintableString 'US' : } : } 4437 19: SET { 4439 17: SEQUENCE { 4441 3: OBJECT IDENTIFIER : stateOrProvinceName (2 5 4 8) 4446 10: PrintableString 'Washington' : } : } 4458 16: SET { 4460 14: SEQUENCE { 4462 3: OBJECT IDENTIFIER localityName (2 5 4 7) 4467 7: PrintableString 'Redmond' : } : } 4476 30: SET { 4478 28: SEQUENCE { 4480 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 4485 21: PrintableString 'Microsoft Corporation' : } : } 4508 38: SET { 4510 36: SEQUENCE { 4512 3: OBJECT IDENTIFIER commonName (2 5 4 3) 4517 29: PrintableString 'Microsoft Time-Stamp PCA 2010' : } : } : } : } : } : } 4548 13: SEQUENCE { 4550 9: OBJECT IDENTIFIER : sha1WithRSAEncryption (1 2 840 113549 1 1 5) 4561 0: NULL : } 4563 5: INTEGER 00 EA 28 12 29 4570 34: SEQUENCE { 4572 15: GeneralizedTime 28/06/2024 00:30:33 GMT 4589 15: GeneralizedTime 29/06/2024 00:30:33 GMT : } 4606 119: SEQUENCE { 4608 61: SEQUENCE { 4610 10: OBJECT IDENTIFIER '1 3 6 1 4 1 601 10 4 1' 4622 47: SET { 4624 45: SEQUENCE { 4626 10: SEQUENCE { 4628 5: INTEGER 00 EA 28 12 29 4635 1: INTEGER 0 : } 4638 10: SEQUENCE { 4640 1: INTEGER 0 4643 2: INTEGER 982 4647 1: INTEGER 255 : Error: Integer is encoded as a negative value. : } 4650 7: SEQUENCE { 4652 1: INTEGER 0 4655 2: INTEGER 4662 : } 4659 10: SEQUENCE { 4661 5: INTEGER 00 EA 29 63 A9 4668 1: INTEGER 0 : } : } : } : } 4671 54: SEQUENCE { 4673 10: OBJECT IDENTIFIER '1 3 6 1 4 1 601 10 4 2' 4685 40: SET { 4687 38: SEQUENCE { 4689 12: SEQUENCE { 4691 10: OBJECT IDENTIFIER '1 3 6 1 4 1 601 10 3 2' : } 4703 10: [0] { 4705 8: SEQUENCE { 4707 1: INTEGER 0 4710 3: INTEGER 500000 : } : } 4715 10: [1] { 4717 8: SEQUENCE { 4719 1: INTEGER 0 4722 3: INTEGER 100000 : } : } : } : } : } : } : } 4727 13: SEQUENCE { 4729 9: OBJECT IDENTIFIER : sha1WithRSAEncryption (1 2 840 113549 1 1 5) 4740 0: NULL : } 4742 129: BIT STRING : AD 97 42 71 6B 6C DD 75 FE C4 A4 9E 28 86 1F CA : 56 CF 3C DF D4 0B 68 95 33 B2 E7 90 17 0A 46 68 : C7 DA 18 52 BD 18 6D 82 56 5D AE F8 CE 9D AA 82 : D5 B1 BD EB EF D1 EB B2 D4 DD EB A0 A2 EA 8A 5C : 8B 20 52 74 12 57 5A 14 E7 48 B5 5D 2F 43 BC 53 : 6A 4D 46 DD AE 4F 0B B3 A9 BF D9 F3 B9 DF 06 C8 : C9 47 45 B5 68 DA 8C 0D 5A 37 B7 BF 40 B6 65 3F : 01 AD 78 39 0C 1F F6 8E 2D 46 68 59 9C E6 12 C4 : } : } 4874 1037: SET { 4878 1033: SEQUENCE { 4882 1: INTEGER 1 4885 147: SEQUENCE { 4888 124: SEQUENCE { 4890 11: SET { 4892 9: SEQUENCE { 4894 3: OBJECT IDENTIFIER countryName (2 5 4 6) 4899 2: PrintableString 'US' : } : } 4903 19: SET { 4905 17: SEQUENCE { 4907 3: OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8) 4912 10: PrintableString 'Washington' : } : } 4924 16: SET { 4926 14: SEQUENCE { 4928 3: OBJECT IDENTIFIER localityName (2 5 4 7) 4933 7: PrintableString 'Redmond' : } : } 4942 30: SET { 4944 28: SEQUENCE { 4946 3: OBJECT IDENTIFIER organizationName (2 5 4 10) 4951 21: PrintableString 'Microsoft Corporation' : } : } 4974 38: SET { 4976 36: SEQUENCE { 4978 3: OBJECT IDENTIFIER commonName (2 5 4 3) 4983 29: PrintableString 'Microsoft Time-Stamp PCA 2010' : } : } : } 5014 19: INTEGER : 33 00 00 01 E2 99 99 95 F1 DC E3 20 EB 00 01 00 : 00 01 E2 : } 5035 13: SEQUENCE { 5037 9: OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1) 5048 0: NULL : } 5050 330: [0] { 5054 26: SEQUENCE { 5056 9: OBJECT IDENTIFIER contentType (1 2 840 113549 1 9 3) 5067 13: SET { 5069 11: OBJECT IDENTIFIER tSTInfo (1 2 840 113549 1 9 16 1 4) : } : } 5082 47: SEQUENCE { 5084 9: OBJECT IDENTIFIER messageDigest (1 2 840 113549 1 9 4) 5095 34: SET { 5097 32: OCTET STRING : D0 14 22 AA F3 F3 50 94 2A 39 A1 92 6B 99 33 36 : E1 E0 11 64 12 47 E5 24 1A EE A3 79 37 2F 22 C2 : } : } 5131 250: SEQUENCE { 5134 11: OBJECT IDENTIFIER : signingCertificateV2 (1 2 840 113549 1 9 16 2 47) 5147 234: SET { 5150 231: SEQUENCE { 5153 228: SEQUENCE { 5156 189: SEQUENCE { 5159 32: OCTET STRING : 2B 89 2A 4A 10 FD 26 B8 C6 C1 50 44 CE 0E 82 F8 : 77 92 D4 E8 8F DB 8E E7 08 66 43 89 08 8F 7F FF 5193 152: SEQUENCE { 5196 128: SEQUENCE { 5199 126: [4] { 5201 124: SEQUENCE { 5203 11: SET { 5205 9: SEQUENCE { 5207 3: OBJECT IDENTIFIER : countryName (2 5 4 6) 5212 2: PrintableString 'US' : } : } 5216 19: SET { 5218 17: SEQUENCE { 5220 3: OBJECT IDENTIFIER : stateOrProvinceName (2 5 4 8) 5225 10: PrintableString 'Washington' : } : } 5237 16: SET { 5239 14: SEQUENCE { 5241 3: OBJECT IDENTIFIER : localityName (2 5 4 7) 5246 7: PrintableString 'Redmond' : } : } 5255 30: SET { 5257 28: SEQUENCE { 5259 3: OBJECT IDENTIFIER : organizationName (2 5 4 10) 5264 21: PrintableString 'Microsoft Corporation' : } : } 5287 38: SET { 5289 36: SEQUENCE { 5291 3: OBJECT IDENTIFIER : commonName (2 5 4 3) 5296 29: PrintableString 'Microsoft Time-Stamp PCA 2010' : } : } : } : } : } 5327 19: INTEGER : 33 00 00 01 E2 99 99 95 F1 DC E3 20 EB 00 01 00 : 00 01 E2 : } : } 5348 34: SEQUENCE { 5350 32: OCTET STRING : D8 04 40 ED 35 38 FB 7D 0F 16 44 C2 11 14 DF 9E : DD 7E 73 D5 F8 8A BD 85 84 45 40 BD 8D 3B 45 CE : } : } : } : } : } : } 5384 13: SEQUENCE { 5386 9: OBJECT IDENTIFIER : sha256WithRSAEncryption (1 2 840 113549 1 1 11) 5397 0: NULL : } 5399 512: OCTET STRING : 03 1C 46 0C 51 DB C8 2C 7B 52 EF C1 FF 45 F5 63 : 85 FA D5 D9 0F E3 FE BB 49 C5 25 75 0E 0E 32 3A : 18 20 DD 19 7F 9E AC D3 37 AF A3 97 24 CB A5 35 : 67 AD 2D 83 30 14 C7 D2 C8 BD 36 DF 60 51 4E 00 : 90 DB AB A4 46 FA F8 8D 1E 9A 21 8B BA B5 F5 8C : 4F 1E B3 A3 85 82 BE 96 5A CC 54 24 0C 10 E2 A2 : DF 44 FF 14 65 7B AE 62 BD 20 20 B4 6D F1 2D 5D : 5C 61 57 9B 00 97 AE D0 AF FB 97 D2 72 00 C3 E0 : [ Another 384 bytes skipped ] : } : } : } : } : } 0 warnings, 3 errors. ```

xbjfk commented 4 months ago

Hmmm, it looks like it's wrapped in ContentInfo, but I get a new error:

use std::fs::read;
use cms::{cert::x509::der::{Decode, Encode}, content_info::ContentInfo, signed_data::SignedData};
use const_oid::db::rfc6268::ID_SIGNED_DATA;

fn main() {
    let cms_string = read("test.pem.txt").unwrap();
    let (_, content_info_der) = pem_rfc7468::decode_vec(&cms_string).unwrap();

    let content_info = ContentInfo::from_der(&content_info_der).unwrap();    
    assert_eq!(content_info.content_type, ID_SIGNED_DATA);
    let signed_data: SignedData = SignedData::from_der(&content_info.content.to_der().unwrap()).unwrap();
}

Results in this error:

called `Result::unwrap()` on an `Err` value: Error { kind: TagUnexpected { expected: None, actual: Tag(0xa1: CONTEXT-SPECIFIC [1] (constructed)) }, position: None }

carl-wallace commented 4 months ago

The problem emanates from parsing the certs fields of SignedData. CertificateSet is defined as follows:

CertificateSet ::= SET OF CertificateChoices
CertificateChoices ::= CHOICE {
    certificate Certificate,
    extendedCertificate [0] IMPLICIT ExtendedCertificate, -- Obsolete
    v1AttrCert [1] IMPLICIT AttributeCertificateV1,       -- Obsolete
    v2AttrCert [2] IMPLICIT AttributeCertificateV2,
    other [3] IMPLICIT OtherCertificateFormat 
}

The third certificate in your set is encoded as [1], which is an AttributeCertificateV1.

4143  727:         [1] {
4147  576:           SEQUENCE {
4151    1:             INTEGER 1
4154  256:             SEQUENCE {

This type is obsolete per RFC 5652 (from September 2009). The CertificateChoices parser in the cms crate does not support that type (nor the not obsolete AttributeCertificateV2 at present).

#[derive(Clone, Debug, Eq, PartialEq, Choice)]
#[allow(missing_docs)]
#[allow(clippy::large_enum_variant)]
pub enum CertificateChoices {
    Certificate(Certificate),
    #[asn1(context_specific = "3", tag_mode = "EXPLICIT", constructed = "true")]
    Other(OtherCertificateFormat),
    // TODO DEFER add more choices if desired (i.e., AttributeCertificateV2)
}

I ran into this same case not too long ago and since I did not need the attribute cert nor have the time to contribute support for attribute certificates (mostly due to lack of artifacts to sustain testing), I worked around it as below (see https://github.com/carl-wallace/tpm_cab_verify/blob/main/src/asn1.rs#L23).

#[derive(Clone, Debug, Eq, PartialEq, Sequence)]
#[allow(missing_docs)]
pub(crate) struct SignedData2 {
    pub version: CmsVersion,
    pub digest_algorithms: DigestAlgorithmIdentifiers,
    pub encap_content_info: EncapsulatedContentInfo,
    #[asn1(context_specific = "0", tag_mode = "IMPLICIT", optional = "true")]
    pub certificates: Option<AnySet>,
    #[asn1(context_specific = "1", tag_mode = "IMPLICIT", optional = "true")]
    pub crls: Option<AnySet>,
    pub signer_infos: SignerInfos,
}

/// Used in lieu of full support for all certificate and CRL types
#[derive(Clone, Eq, PartialEq, Debug)]
pub(crate) struct AnySet(pub SetOfVec<Any>);
impl_newtype!(AnySet, SetOfVec<Any>);

xbjfk commented 4 months ago

Wow, thank you for your detailed response! It would be nice for me to use the certificate, so I will take a closer look at attempting to parse it. You can count on only Microsoft to use something deprecated in 2009 today ;)

xbjfk commented 4 months ago

Hmmm, I took a closer look at the standard, and the dumpasn1 and this caught my eye:

...
4143  727:         [1] {
4147  576:           SEQUENCE {
4151    1:             INTEGER 1
...

To my knowledge, [1] means v1, however the interger version 1 = V2, so this is actually AttributeCertificateV2!

Assuming I write a PR to add AttributeCertificateV2, is there a way to override the behavior easily in my case?

carl-wallace commented 4 months ago

Good catch. I did not even review the contents of the attribute cert. It's not my call, but I don't think we'd want to bake in support for mis-encodings like this and would instead leave handling stuff like that to one-offs a la the example I gave. This may be an argument in favor of deferring certs field decoding. One approach would be to define something like AnySet in the cms crate, use it for the certs and crls fields and let decoding be handled separately. We should add support for v2 attribute certs to CertificateChoices in any case.

Definitions from RFC5912 are below. The structures are very different.

  AttributeCertificateInfoV1 ::= SEQUENCE {
     version AttCertVersionV1 DEFAULT v1,
     subject CHOICE {
        baseCertificateID [0] IssuerSerial,
        -- associated with a Public Key Certificate
        subjectName [1] GeneralNames },
     -- associated with a name
     issuer GeneralNames,
     signature AlgorithmIdentifier{SIGNATURE-ALGORITHM, {...}},
     serialNumber CertificateSerialNumber,
     attCertValidityPeriod AttCertValidityPeriod,
     attributes SEQUENCE OF AttributeSet{{AttrList}},
     issuerUniqueID UniqueIdentifier OPTIONAL,
     extensions Extensions{{AttributeCertExtensionsV1}} OPTIONAL }

   AttributeCertificateInfo ::= SEQUENCE {
       version        AttCertVersion,  -- version is v2
       holder         Holder,
       issuer         AttCertIssuer,
       signature      AlgorithmIdentifier{SIGNATURE-ALGORITHM,
                          {SignatureAlgorithms}},
       serialNumber   CertificateSerialNumber,
       attrCertValidityPeriod   AttCertValidityPeriod,
       attributes     SEQUENCE OF
                          AttributeSet{{AttributesDefined}},
       issuerUniqueID UniqueIdentifier OPTIONAL,
       extensions     Extensions{{AttributeCertExtensions}} OPTIONAL
   }

tarcieri commented 4 months ago

This may be an argument in favor of deferring certs field decoding. One approach would be to define something like AnySet in the cms crate, use it for the certs and crls fields and let decoding be handled separately.

That sounds fine to me, and more flexible for handling cases like this.

RustCrypto / formats

cms: `TagUnexpected` error, but works fine in OpenSSL #1452