wbond / asn1crypto

Python ASN.1 library with a focus on performance and a pythonic API
MIT License

Correct tagging in cms.AttCertIssuer #220

Closed by MatthiasValvekens 2 years ago

MatthiasValvekens commented 2 years ago

Another tagging issue with X.509 attribute certificates (compare #218 and #219). This one is a bit more fundamental, since it affects all V2 attribute certificates.

While doing some interoperability testing with other tooling that handles X.509 attribute certificates (BouncyCastle, as it happens), I discovered that neither library was able to parse the other's ACs.

After doing some digging, I found that the definition of AttCertIssuer in asn1crypto has a typo: since the ASN.1 module uses implicit tags (see e.g. RFC 5755), the v2_form alternative needs to be tagged implicitly, not explicitly.

Side note: the rule mandating that all choice types be tagged explicitly only applies to the case where the tag's "argument" is a choice type, not to tagging within a choice type.

I've fixed the issue and added a regression test (using a pathological AC without any attributes).
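The tagging difference described in the comment above, shown at the byte level as an added example (not code from the pull request or from asn1crypto). It builds a constructed `v2Form` issuer both ways and runs a decoder for each tagging over both encodings; the function names are hypothetical, and `issuerName` is assumed to be present.

```python
def tlv(tag, content):
    """Encode one short-form DER TLV (enough for this small sample)."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def read_tlv(data, pos=0):
    """Decode the TLV at pos; return (tag, content, next_pos)."""
    if len(data) < pos + 2:
        raise ValueError("truncated header")
    tag, n, pos = data[pos], data[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(data[pos:pos + k], "big"), pos + k
    if pos + n > len(data):
        raise ValueError("truncated content")
    return tag, data[pos:pos + n], pos + n

def parse_v2form_issuer(encoded, explicit):
    """Return GeneralName tag numbers in v2Form.issuerName (assumed present)."""
    tag, body, end = read_tlv(encoded)
    if tag != 0xA0 or end != len(encoded):
        raise ValueError("expected a single [0] element")
    if explicit:  # mistagged variant: [0] wraps a complete SEQUENCE
        tag, inner, end = read_tlv(body)
        if tag != 0x30 or end != len(body):
            raise ValueError("expected SEQUENCE inside explicit [0]")
        body = inner
    tag, names, _ = read_tlv(body)  # first V2Form field: issuerName
    if tag != 0x30:
        raise ValueError("issuerName is not a GeneralNames SEQUENCE")
    found, pos = [], 0
    while pos < len(names):
        tag, _, pos = read_tlv(names, pos)
        if tag & 0xC0 != 0x80:  # GeneralName alternatives are context-tagged
            raise ValueError("GeneralName without a context tag")
        found.append(tag & 0x1F)
    return found

def rejects(encoded, explicit):
    try:
        parse_v2form_issuer(encoded, explicit)
        return False
    except ValueError:
        return True

# Constructed sample (not from a real AC): one directoryName, CN=Example AA.
CN = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"Example AA"))
GENERAL_NAMES = tlv(0x30, tlv(0xA4, tlv(0x30, tlv(0x31, CN))))  # [4] EXPLICIT: Name is a CHOICE
IMPLICIT = tlv(0xA0, GENERAL_NAMES)             # [0] replaces V2Form's SEQUENCE tag
EXPLICIT = tlv(0xA0, tlv(0x30, GENERAL_NAMES))  # [0] wraps V2Form's SEQUENCE
```

Each decoder accepts its own encoding and raises `ValueError` on the other's, and the explicit form is two bytes longer because of the extra SEQUENCE header.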

MatthiasValvekens commented 2 years ago

The test failure (and ensuing cancellation) are due to a network timeout in the certvalidator cross-module test, apparently. I'd rerun the CI, but it looks like I don't have access to the "Rerun all jobs" button in GH actions on this repository.