Closed GoogleCodeExporter closed 9 years ago
This actually seems fairly common. I'm in the midst of parsing 1,800,000
SSL/TLS chains (so x2 x3 that many certificates).
I have a patch (it's pretty small too), but I'll see the % of certs with this
issue first.
Original comment by nickgsup...@gmail.com
on 1 Oct 2013 at 2:33
Yikes. (But a very helpful report, thanks a lot!)
My longer-term plan is to replace pyasn1 with a custom decoder (mostly for
performance reasons).
Using pyasn1.codec.ber instead of pyasn1.codec.der should be an OK short-term
fix (since the only DER rule that pyasn1 appears to enforce in the "DER"
decoder is the Boolean rule anyway). I'll commit the fix once I've confirmed
that this doesn't break more than it fixes.
Original comment by ekasper@google.com
on 1 Oct 2013 at 3:32
My scan is still running but the short answer is there appears to be some
certs issued by http://www.matrixssl.org for embedded systems that have this
formatting bug. This explains why some are very old -- they are embedded
systems and are never getting upgraded.
Approximately 0.75% (that's < 1% not 75%) of all IPs that use SSL have this
cert. IMHO that's big enough to want to be able to parse these correctly OR
just hardwire this cert's info in.
cert.py
+from ct.crypto.asn1 import derdecoder as der_decoder
+#from pyasn1.codec.der import decoder as der_decoder
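Review bot: the second added line leaves a commented-out import (`#from pyasn1.codec.der import decoder as der_decoder`) in cert.py as dead code; drop it, and put the reason for the swap (the DER decoder's Boolean check rejects the certificates discussed here) in the new derdecoder module's docstring instead, so the alias `der_decoder` does not silently hide that cert.py now uses a lenient decoder.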
new file:
"""
A DER decoder with various "adjustments" to parse wild certificates
"""
from pyasn1.type import univ
from pyasn1.codec.cer import decoder
from pyasn1.codec.ber.decoder import BooleanDecoder
tagMap = decoder.tagMap.copy()
tagMap.update({
univ.Boolean.tagSet: BooleanDecoder()
})
typeMap = decoder.typeMap
Decoder = decoder.Decoder
decode = Decoder(tagMap, typeMap)
I'll make a real patch.
nickg
Original comment by nickgsup...@gmail.com
on 1 Oct 2013 at 3:33
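The Boolean rule discussed in the two comments above, shown on constructed bytes as an added example (this is not code from the certificate-transparency project or from this thread): a minimal TLV walker that decodes a BasicConstraints value in strict (DER) and lenient (BER) modes, so the same `cA TRUE` encoded as 0xFF parses either way while the 0x01 form seen in the MatrixSSL certificates is rejected only under the DER rule. The sample values, the `DerViolation` class and `is_strict_der` are assumptions made for this example.

```python
# Added example, not from the project: the DER Boolean rule in strict and
# lenient decoders. Sample bytes are constructed BasicConstraints values:
#   SEQUENCE { cA BOOLEAN TRUE } as DER requires (TRUE == 0xFF), and
#   SEQUENCE { cA BOOLEAN TRUE } as the non-conforming certs encode it (0x01).
DER_OK = bytes.fromhex("30030101ff")
BER_ONLY = bytes.fromhex("3003010101")


class DerViolation(ValueError):
    """Raised when the bytes are valid BER but break a DER-only rule."""


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for a definite-length TLV at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_boolean(value, strict):
    """BER: any non-zero octet is TRUE. DER and CER also require TRUE == 0xFF."""
    if len(value) != 1:
        raise ValueError("BOOLEAN must have exactly one content octet")
    if strict and value[0] not in (0x00, 0xFF):
        raise DerViolation("Boolean DER violation: 0x%02x" % value[0])
    return value[0] != 0


def decode_basic_constraints(buf, strict=True):
    """Decode SEQUENCE { cA BOOLEAN, pathLenConstraint INTEGER OPTIONAL }."""
    tag, body, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE, got tag 0x%02x" % tag)
    ca, path_len, pos = False, None, 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x01:
            ca = decode_boolean(value, strict)
        elif tag == 0x02:
            path_len = int.from_bytes(value, "big", signed=True)
    return ca, path_len


def is_strict_der(buf):
    """True if the value decodes under the DER rule; useful for tallying wild certs."""
    try:
        decode_basic_constraints(buf, strict=True)
        return True
    except DerViolation:
        return False
```

Counting `is_strict_der` over a corpus gives the kind of tally reported later in this thread, while decoding with `strict=False` is the equivalent of the BER-decoder workaround.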
ahh we crossed paths...
good idea on using custom ASN1.
using the patch above seems to work, but your trick of
from pyasn1.codec.ber import decoder as der_decoder
is more clever!
Original comment by nickgsup...@gmail.com
on 1 Oct 2013 at 3:36
over-night, I parsed 966026 live certs.
Of those 6313 have the 'Invalid DER encoding: Boolean CER violation' problem.
Of those 18 are some other cert, and the rest are the default MatrixSSL
cert.
>>> (6313 / 966026.0) * 100.0
0.6535020796541708 %
These appear to be home WiMAX routers. nice.
Original comment by nickgsup...@gmail.com
on 1 Oct 2013 at 11:34
https://codereview.appspot.com/14270043
1 line change + tests + sample cert
Original comment by nickgsup...@gmail.com
on 2 Oct 2013 at 9:44
Temporary fix committed in
https://code.google.com/p/certificate-transparency/source/detail?r=1945a4e4e00d
Original comment by ekasper@google.com
on 2 Oct 2013 at 1:15
Original issue reported on code.google.com by
nickgsup...@gmail.com
on 1 Oct 2013 at 12:18