panzi / verify-ehc

Simple Python script to decode and verify an European Health Certificate QR-code

Exception: error parsing asn1 value: ParseError #34

Closed rbroberts115 closed 2 years ago

rbroberts115 commented 2 years ago

I am seeing a new error (to me) loading an X509 certificate after updating my Python version and the cryptography library. Searching, I ran across #6386 that seems similar. I was hoping that someone familiar with ASN.1 might know what is causing this, and if that is the case, provide some advice on what version of what library I need to load to correct this issue.

The full exception I am seeing is: ValueError: error parsing asn1 value: ParseError { kind: EncodedDefault, location: ["RawCertificate::tbs_cert", "TbsCertificate::extensions", "2", "Extension::critical"] }

My end goal is to load this certificate containing a public key, then use that key to verify a signature attached to a binary file. Because this is a public key only, I will release (attach) an example script I have put together that shows this issue I am seeing. The full 'verify' script was working previously under Python 3.8.1 (I believe) and an earlier cryptography library, version unrecorded/unknown. That earlier configuration was able to load signatures created using both SHA256 and SHA512 hashes using the appropriate certificates that went with those signatures. The current configuration works for the SHA256 signature but fails loading the certificate associated with the SHA512 hash. The example contains the public part of the failing certificate.

I am running on Windows 10 Enterprise, V21H2 with Python 3.10.6, but have regressed and see the same failure with both 3.9.13 and 3.8.10. All of these versions are using the crypto library version 37.0.4.

```
C:>python --version
Python 3.10.6
C:>pip list
Package      Version
------------ -------
cffi         1.15.1
cryptography 37.0.4
Pillow       9.2.0
pip          22.2.2
pycparser    2.21
setuptools   65.0.1
six          1.16.0
```

CrypoError.zip
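The error location in the report (`"TbsCertificate::extensions", "2", "Extension::critical"` with kind `EncodedDefault`) points at the third extension, which in the OpenSSL dump below is the non-critical Extended Key Usage. The following stdlib-only diagnostic, an added example that is neither verify-ehc code nor the reporter's script, walks the DER and lists extensions whose `critical` flag was encoded explicitly as FALSE; the sample certificate it runs on is constructed here with only the fields the walker needs.

```python
# Added diagnostic, not code from verify-ehc or from the reporter's script.
# ParseError { kind: EncodedDefault, ... "Extension::critical" } means an
# Extension encodes `critical BOOLEAN DEFAULT FALSE` explicitly as FALSE,
# which DER (X.690 11.5) forbids; OpenSSL's lenient parser still loads it.

def der(tag, payload):
    """Minimal DER TLV encoder (short- and long-form lengths)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def tlv(buf, pos):
    """Decode one TLV header at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield the TLVs directly inside a constructed value."""
    while start < end:
        tag, vs, ve = tlv(buf, start)
        yield tag, vs, ve
        start = ve

def encoded_default_critical(cert_der):
    """Indices of extensions whose `critical` is an explicit FALSE."""
    _, cert_s, cert_e = tlv(cert_der, 0)                        # Certificate
    _, tbs_s, tbs_e = next(children(cert_der, cert_s, cert_e))  # tbsCertificate
    exts = [c for c in children(cert_der, tbs_s, tbs_e) if c[0] == 0xA3]
    if not exts:                                                # no [3] extensions
        return []
    _, seq_s, seq_e = next(children(cert_der, exts[0][1], exts[0][2]))
    return [i for i, (_, es, ee) in enumerate(children(cert_der, seq_s, seq_e))
            if any(t == 0x01 and cert_der[vs:ve] == b"\x00"    # BOOLEAN FALSE
                   for t, vs, ve in children(cert_der, es, ee))]

# Constructed sample shaped like the reporter's extensions: Key Usage and Basic
# Constraints critical (TRUE is legal DER), Extended Key Usage explicit FALSE.
KEY_USAGE, BASIC_CONSTRAINTS, EXT_KEY_USAGE = b"\x55\x1d\x0f", b"\x55\x1d\x13", b"\x55\x1d\x25"

def ext(oid, critical, value):   # critical=None omits the field (correct DER)
    crit = b"" if critical is None else der(0x01, b"\xff" if critical else b"\x00")
    return der(0x30, der(0x06, oid) + crit + der(0x04, value))

SAMPLE_CERT = der(0x30, der(0x30, der(0x02, b"\x01") + der(0xA3, der(0x30,
    ext(KEY_USAGE, True, b"\x03\x02\x07\x80") + ext(BASIC_CONSTRAINTS, True, b"\x30\x00")
    + ext(EXT_KEY_USAGE, False, b"\x30\x00")))))
```

Running `encoded_default_critical` on the real certificate's DER (the PEM body base64-decoded) tells you whether this is the cause; the fix then belongs with whoever issued the certificate, since re-encoding the extensions would change the signed tbsCertificate bytes.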

panzi commented 2 years ago

Sorry, I don't know anything about these things (and neither use Windows nor the mentioned Python and library versions). Have you tried to ask on StackOverflow?

Since this has nothing to do with my script I close this issue.

rbroberts115 commented 2 years ago

If you have not debugged anything, how do you know it has nothing to do with anything? Thanks for all the effort.

panzi commented 2 years ago

> My end goal is to load this certificate containing a public key, then use that key to verify a signature attached to a binary file.

This has nothing to do with verify_ehc.py?

Your Python code uses nothing of my code. If you get an error and you're sure that your certificate is valid then you need to report a bug to the appropriate library.

Out of curiosity I did run the certificate through OpenSSL and that seems to be able to load it:

$ openssl x509 -in cert.pem -text                          
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1643644126 (0x61f804de)
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: O = Hewlett Packard Enterprise, CN = HPE Allerta 4096-bit RSA 2021-1
        Validity
            Not Before: Dec  1 00:00:00 2021 GMT
            Not After : Dec  2 00:00:00 2036 GMT
        Subject: O = Hewlett Packard Enterprise, CN = HPE Allerta 4096-bit RSA 2021-1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: 
                Code Signing
    Signature Algorithm: sha512WithRSAEncryption

But yeah, the Python cryptography module somehow fails loading it. Report a bug there!

Also, what is #6386 referring to? The maximum issue number in this repository is #34 as of writing.

rbroberts115 commented 2 years ago

Yes, I caught after I posted that this was targeted at verify-ehc, which was not what I initially intended. Sorry for the confusion. Just signed up today, so I am still learning to navigate the interface and missed some clues that would have told most folks they were in the wrong place. I did find the other issue under pyca/cryptography, which has issue #6386, which was where I intended to post this. So that fault is mine, that I tried to post to 'A' and posted to 'B'.

Yes, openssl will decode the certificate fine, but the Python cryptography code does not, where it used to be able to do that. This is the root of what I was trying to ask. I have now posted to stackoverflow too, and will wait to see if I get an answer, and if not then maybe try to repost to pyca/cryptography.