etingof / pyasn1-modules

ASN.1 modules for pyasn1 library
http://snmplabs.com/pyasn1/
BSD 2-Clause "Simplified" License

rfc4210 cmp implicit confirm #84

Open ghost opened 4 years ago

ghost commented 4 years ago

Hi everyone, I'm using pyasn1-modules to build a small cmp client (subset of rfc4210). I think there is a mistake in the rfc4210 module in the PKIHeader class. The last entry should be

    namedtype.OptionalNamedType(
        'generalInfo', univ.SequenceOf(
            componentType=rfc4210.InfoTypeAndValue().subtype(
                sizeSpec=constraint.ValueSizeConstraint(1, MAX))
        ).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 8))
    )

instead of

    namedtype.OptionalNamedType(
        'generalInfo', univ.SequenceOf(
            componentType=InfoTypeAndValue().subtype(
                sizeSpec=constraint.ValueSizeConstraint(1, MAX),
                explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 8)
            )
        )
    )

Stumbled over this when I tried to use cmp implicit confirm. The top code shows how I was able to get it running with a CA-Software.

Thanks, Alex

etingof commented 4 years ago

Thanks for reporting this! Looks like a typo to me. Cc: @russhousley

russhousley commented 4 years ago

Ilya fixed this in master.

etingof commented 4 years ago

Perhaps the question to @Alex8472 is - which pyasn1-modules version are you using? If you could try master and it works, I'd be happy to cut a release.

ghost commented 4 years ago

Hi, sorry for the late response. I am using the latest release, that is 0.2.7.

Sadly I'm still running into the same problem with the master branch. Everything works until I add implicit confirm to the message. I'm getting a pyasn1.error.PyAsn1Error while trying to decode it, using asn1spec='rfc4210.PKIMessage()'.

If you look at the above code again, consider/compare the last lines. I added the subtype() to it, as I had the problem that the tag was at the wrong position. I think this is the 0xa8 tag, if I remember correctly. So the top code with the subtype() added works for me, both for decoding and encoding.

I could provide you with two example DER files, containing two simple cmp messages. One without implicit confirm and one with implicit confirm (constructed with openssl cmp in this case (-implicitconfirm option)). If you like those, let me know if I should post the hex values in here or send you the files via E-Mail.

Thanks, Alex
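
Added example (not part of the thread and not pyasn1-modules code): a standard-library DER check that tells apart the two generalInfo layouts discussed above, i.e. whether the [8] tag (0xa8) wraps the whole SEQUENCE OF or each element inside it. The sample bytes are constructed and the function names are illustrative.

```python
SEQUENCE = 0x30  # universal, constructed SEQUENCE / SEQUENCE OF
CTX8 = 0xA8      # context class, constructed, tag number 8


def read_tlv(buf, pos=0):
    """Parse one DER TLV (single-byte tag); return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F  # long form: next n bytes hold the length
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the contents of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def classify_general_info(field):
    """Report where the [8] tag sits in an encoded generalInfo field."""
    tag, value, end = read_tlv(field)
    if end != len(field):
        raise ValueError("trailing bytes after generalInfo")
    kids = children(value)
    if tag == CTX8 and len(kids) == 1 and kids[0][0] == SEQUENCE:
        return "tag-on-sequence-of"   # [8] wraps the whole SEQUENCE OF
    if tag == SEQUENCE and kids and all(t == CTX8 for t, _ in kids):
        return "tag-on-each-element"  # [8] wraps every InfoTypeAndValue
    return "unknown"


# Constructed sample: InfoTypeAndValue { id-it-implicitConfirm, NULL }
ITAV = bytes.fromhex("300c06082b0601050507040d0500")
GOOD = bytes([CTX8, 0x10, SEQUENCE, 0x0E]) + ITAV  # a8 10 30 0e ...
BAD = bytes([SEQUENCE, 0x10, CTX8, 0x0E]) + ITAV   # 30 10 a8 0e ...
```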

etingof commented 4 years ago

Sorry for delayed response! Commit b61bbfac575cfaa2a58812f66670fd0c04063e7c should have fixed that. If you could share a DER blob that verifies this piece, I'd add it to unit tests.

Thanks!

ghost commented 4 years ago

No problem, here is a little example as hex string. The attached file contains the binary version. (With implicit confirm)


cmp.tar.gz

russhousley commented 3 years ago

It seems that this repository is not being maintained any more. I have made recent additions to https://github.com/inexio/pyasn1-modules. I will make this change in that repository in the next couple of days.

russhousley commented 3 years ago

When I looked more carefully, it seems that Ilya did make this change, and it is also in https://github.com/inexio/pyasn1-modules. So, the change must have been made before the repository was cloned.