mdigger / pkcs7sign

PKCS #7 SignedData Generator for Apple Passbook
MIT License

verifying signature-test: no content type #4

Open nathany opened 8 years ago

nathany commented 8 years ago

Though the code is working for Safari push and Passbook passes, if I asn1.Unmarshal the result in a test, I get an error:

asn1: syntax error: sequence truncated

var container container
_, err = asn1.Unmarshal(data, &container)

if err != nil {
    t.Fatal(err)
}

CFSSL's ParsePKCS7 gives the same error.

If I import "github.com/cloudflare/cfssl/crypto/pkcs7"

_, err := pkcs7.ParsePKCS7(data)
if err != nil {
    t.Fatal(err)
}

I'm not sure if I'm doing this right, but calling openssl to verify the output gives this error:

> /usr/local/opt/openssl/bin/openssl smime -verify -in signature-test
Error reading S/MIME message
140735153643600:error:0D0D40D1:asn1 encoding routines:SMIME_read_ASN1:no content type:asn_mime.c:440:

nathany commented 8 years ago

This isn't a surprise, but using the signpass executable has no problems at all. It comes with the PassKit support materials in the Wallet Developer Guide.

❯ signpass -v Event.pkpass 
Signature valid.
Certificates: (
    0: Pass Type ID: pass.com.github.RobotsAndPencils.buford
    1: Apple Worldwide Developer Relations Certification Authority
)
Trust chain is valid.

*** SUCCEEDED ***

Still, it would be nice to write more tests for this library, and unmarshalling the asn1 seems like the first step. By the way, I am using Go 1.6 rc1 right now, but the same error occurs on Go 1.5 and Go 1.4.

nathany commented 8 years ago

For a different approach, I tried unmarshalling (in Go) a signature from one of Apple's sample passes. That didn't work either, but with a different error:

asn1: syntax error: indefinite length found (not DER)

Apple is using Cryptographic Message Syntax (CMS) based on RFC 3852, which uses BER. There is a newer RFC 5652 as well.

Go's asn1 package only supports the DER subset. https://github.com/golang/go/issues/12267

So while it's possible to encode something Apple will accept, it's not possible to build a full CMS implementation without also reimplementing asn1 to support BER. Not that we necessarily need full CMS. This issue is just about trying to find a way to test this code.
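
The DER/BER distinction from the comment above, as an added example (not code from pkcs7sign or from this thread): a Go test helper that reads only the outermost tag and length octets of a signature file, so a test can tell an indefinite-length BER blob, which encoding/asn1 rejects, from a definite-length one before calling asn1.Unmarshal. The names InspectOuter, Outer and ShortInput are hypothetical, and the byte strings are constructed, not real signatures.

```go
package main

import (
	"errors"
	"fmt"
)

// Outer describes the first TLV header of a PKCS #7 / CMS blob (hypothetical helper type).
type Outer struct {
	Tag        byte // 0x30 when the blob starts with the ContentInfo SEQUENCE
	Indefinite bool // length octet 0x80: BER indefinite form, never valid DER
	Declared   int  // content length claimed by a definite-form header
	Available  int  // bytes actually present after the header
}

// ShortInput reports whether a definite-length header claims more bytes than are present.
func (o Outer) ShortInput() bool { return !o.Indefinite && o.Declared > o.Available }

// InspectOuter decodes only the outermost tag and length octets; it does not parse content.
func InspectOuter(data []byte) (Outer, error) {
	if len(data) < 2 {
		return Outer{}, errors.New("need at least a tag and a length octet")
	}
	o, hdr := Outer{Tag: data[0]}, 2
	switch first := data[1]; {
	case first == 0x80: // indefinite form: content runs until an end-of-contents 00 00
		o.Indefinite = true
	case first < 0x80: // short form: the octet is the length
		o.Declared = int(first)
	default: // long form: low 7 bits give the number of length octets that follow
		n := int(first & 0x7f)
		if n > 3 || len(data) < 2+n { // 3 octets (16 MiB) is ample for a signature
			return Outer{}, fmt.Errorf("unsupported or incomplete length (%d octets)", n)
		}
		for _, b := range data[2 : 2+n] {
			o.Declared = o.Declared<<8 | int(b)
		}
		hdr += n
	}
	o.Available = len(data) - hdr
	return o, nil
}

func main() {
	// Constructed inputs: an indefinite-length header, then a long-form header with too little data.
	for _, in := range [][]byte{{0x30, 0x80, 0x06, 0x09}, {0x30, 0x82, 0x01, 0x00, 0x06}} {
		o, err := InspectOuter(in)
		fmt.Printf("%+v short=%v err=%v\n", o, o.ShortInput(), err)
	}
}
```

A definite-length outer header does not by itself prove the blob is DER, since nested elements can still use BER forms; an indefinite one proves it is not.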

nathany commented 8 years ago

I am able to unmarshal when using https://github.com/st3fan/gocrypto