
Fix indefinite length asn1 parsing #61

Merged
merged 2 commits on Aug 26, 2021

Conversation

bernata

@bernata bernata commented Aug 13, 2021

Cherry-pick d25ebd6 from fullsailor/pkcs7.
Added a test to decode PKCS7 from a well-known service.

@bernata

bernata commented Aug 13, 2021

@g-k created this new PR from PR 53.
FYI @manavk-p - thanks for getting this going.

@g-k g-k self-requested a review August 25, 2021 14:05
@bernata

bernata commented Aug 25, 2021

@g-k thanks for merging the other PR that fixes the test bug. I rebased into this PR and it seems to be passing. When you have a moment, please have a look.

@Kuenni

Kuenni commented Aug 26, 2021

+1 for this fix!

@kuhlmannmarkus

+1


@g-k g-k left a comment


8d4fa5c from fullsailor#17 covers changes to ber.go

lgtm thank you!

@@ -45,7 +47,8 @@ func TestBer2Der_Negatives(t *testing.T) {
{[]byte{0x30, 0x85}, "tag length too long"},
{[]byte{0x30, 0x84, 0x80, 0x0, 0x0, 0x0}, "length is negative"},
{[]byte{0x30, 0x82, 0x0, 0x1}, "length has leading zero"},
{[]byte{0x30, 0x80, 0x1, 0x2}, "Invalid BER format"},
{[]byte{0x30, 0x80, 0x1, 0x2, 0x1, 0x2}, "Invalid BER format"},
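Review bot: the two indefinite-length rows, `{[]byte{0x30, 0x80, 0x1, 0x2}, "Invalid BER format"}` and `{[]byte{0x30, 0x80, 0x1, 0x2, 0x1, 0x2}, "Invalid BER format"}`, pin only the generic message, while the neighbouring rows pin the specific condition ("length is negative", "length has leading zero"); what actually makes these inputs invalid is that nothing after the 0x30 0x80 header is the 0x00 0x00 end-of-contents pair, so a distinct message such as "indefinite length without end-of-contents" would let a regression in the EOC scan be diagnosed from this table alone. The table also only exercises failures of the indefinite form; a positive row with a properly terminated value (0x30 0x80 ... 0x00 0x00) next to these would tie the fix's success path to the same file as its negatives.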

@@ -60,3 +63,124 @@ func TestBer2Der_Negatives(t *testing.T) {
}
}
}

func TestBer2Der_NestedMultipleIndefinite(t *testing.T) {

👍 this test is also from the upstream commit

iuZidpUfFhSk+Ls7TU/kB74ckfUGj5q/5HcKJgb/S+FYUV7eu0ewzTyW1uRl/d0U
Tb7e7EjgDGJsjOTMdTrMfv8ho8kAAAAAAAA=
-----END PKCS7-----
`

Per openssl pkcs7 -print -inform pem -in this is an AWS PK7 doc:

PKCS7: 
  type: pkcs7-signedData (1.2.840.113549.1.7.2)
  d.sign: 
    version: 1
    md_algs:
        algorithm: sha256 (2.16.840.1.101.3.4.2.1)
        parameter: NULL
    contents: 
      type: pkcs7-data (1.2.840.113549.1.7.1)
      d.data: 
    cert:
        cert_info: 
          version: 2
          serialNumber: 8879827500985526912734396169086843076
          signature: 
            algorithm: sha256WithRSAEncryption (1.2.840.113549.1.1.11)
            parameter: NULL
          issuer: C=US, O=Amazon, OU=Server CA 1B, CN=Amazon
          validity: 
            notBefore: Nov 12 00:00:00 2020 GMT
            notAfter: Oct 15 23:59:59 2021 GMT
          subject: CN=codedeploy-signer-us-east-2.amazonaws.com
          key: 
            algor: 
              algorithm: rsaEncryption (1.2.840.113549.1.1.1)
              parameter: NULL
            public_key:  (0 unused bits)
          issuerUID: <ABSENT>
          subjectUID: <ABSENT>
          extensions:
              object: X509v3 Authority Key Identifier (2.5.29.35)
              critical: BOOL ABSENT
              value: 
                0000 - 30 16 80 14 59 a4 66 06-52 a0 7b 95 92   0...Y.f.R.{..
                000d - 3c a3 94 07 27 96 74 5b-f9 3d d0         <...'.t[.=.

              object: X509v3 Subject Key Identifier (2.5.29.14)
              critical: BOOL ABSENT
              value: 
                0000 - 04 14 3c 5e 6a 4d b9 d3-0d 88 66 a7 bb   ..<^jM....f..
                000d - 46 9a 62 ff 8d 39 8b a0-73               F.b..9..s

              object: X509v3 Subject Alternative Name (2.5.29.17)
              critical: BOOL ABSENT
              value: 
                0000 - 30 2b 82 29 63 6f 64 65-64 65 70 6c 6f   0+.)codedeplo
                000d - 79 2d 73 69 67 6e 65 72-2d 75 73 2d 65   y-signer-us-e
                001a - 61 73 74 2d 32 2e 61 6d-61 7a 6f 6e 61   ast-2.amazona
                0027 - 77 73 2e 63 6f 6d                        ws.com

              object: X509v3 Key Usage (2.5.29.15)
              critical: TRUE
              value: 
                0000 - 03 02 05 a0                              ....

              object: X509v3 Extended Key Usage (2.5.29.37)
              critical: BOOL ABSENT
              value: 
                0000 - 30 14 06 08 2b 06 01 05-05 07 03 01 06   0...+........
                000d - 08 2b 06 01 05 05 07 03-02               .+.......

              object: X509v3 CRL Distribution Points (2.5.29.31)
              critical: BOOL ABSENT
              value: 
                0000 - 30 32 30 30 a0 2e a0 2c-86 2a 68 74 74   0200...,.*htt
                000d - 70 3a 2f 2f 63 72 6c 2e-73 63 61 31 62   p://crl.sca1b
                001a - 2e 61 6d 61 7a 6f 6e 74-72 75 73 74 2e   .amazontrust.
                0027 - 63 6f 6d 2f 73 63 61 31-62 2e 63 72 6c   com/sca1b.crl

              object: X509v3 Certificate Policies (2.5.29.32)
              critical: BOOL ABSENT
              value: 
                0000 - 30 17 30 0b 06 09 60 86-48 01 86 fd 6c   0.0...`.H...l
                000d - 01 02 30 08 06 06 67 81-0c 01 02 01      ..0...g.....

              object: Authority Information Access (1.3.6.1.5.5.7.1.1)
              critical: BOOL ABSENT
              value: 

              object: X509v3 Basic Constraints (2.5.29.19)
              critical: TRUE
              value: 
                0000 - 30                                       0
                0002 - <SPACES/NULS>

              object: undefined (1.3.6.1.4.1.11129.2.4.2)
              critical: BOOL ABSENT
              value: 
        sig_alg: 
          algorithm: sha256WithRSAEncryption (1.2.840.113549.1.1.11)
          parameter: NULL
        signature:  (0 unused bits)
    crl:
      <EMPTY>
    signer_info:
        version: 1
        issuer_and_serial: 
          issuer: C=US, O=Amazon, OU=Server CA 1B, CN=Amazon
          serial: 8879827500985526912734396169086843076
        digest_alg: 
          algorithm: sha256 (2.16.840.1.101.3.4.2.1)
          parameter: NULL
        auth_attr:
            object: contentType (1.2.840.113549.1.9.3)
            value.set:
              OBJECT:pkcs7-data (1.2.840.113549.1.7.1)

            object: signingTime (1.2.840.113549.1.9.5)
            value.set:
              UTCTIME:Jun 24 19:55:31 2021 GMT

            object: undefined (1.2.840.113549.1.9.52)
            value.set:
              SEQUENCE:
    0:d=0  hl=2 l=  30 cons: SEQUENCE          
    2:d=1  hl=2 l=  13 cons:  SEQUENCE          
    4:d=2  hl=2 l=   9 prim:   OBJECT            :sha256
   15:d=2  hl=2 l=   0 prim:   NULL              
   17:d=1  hl=2 l=  13 cons:  cont [ 1 ]        
   19:d=2  hl=2 l=   9 prim:   OBJECT            :sha256WithRSAEncryption
   30:d=2  hl=2 l=   0 prim:   NULL              

            object: messageDigest (1.2.840.113549.1.9.4)
            value.set:
              OCTET STRING:
                0000 - fe e0 32 e4 f6 1f 4f c0-86 03 e0 8f 71   ..2...O.....q
                000d - 28 d0 d5 82 21 d4 0e 06-32 4e d7 c7 28   (...!...2N..(
                001a - 34 a2 1a 3a 72 58                        4..:rX
        digest_enc_alg: 
          algorithm: sha256WithRSAEncryption (1.2.840.113549.1.1.11)
          parameter: NULL
        enc_digest: 
        unauth_attr:
          <EMPTY>

@Kuenni

Kuenni commented Aug 30, 2021

Hi everyone,

I tried to use the latest code but still hit a wall.
I have some pki Message that I try to decode. The asn representation part that contains the OCTET STRINGS looks like this:

```
    0:d=0  hl=2 l=inf  cons: SEQUENCE
    2:d=1  hl=2 l=   9 prim: OBJECT            :pkcs7-signedData
   13:d=1  hl=2 l=inf  cons: cont [ 0 ]
   15:d=2  hl=2 l=inf  cons: SEQUENCE
   17:d=3  hl=2 l=   1 prim: INTEGER           :01
   20:d=3  hl=2 l=  15 cons: SET
   22:d=4  hl=2 l=  13 cons: SEQUENCE
   24:d=5  hl=2 l=   9 prim: OBJECT            :sha256
   35:d=5  hl=2 l=   0 prim: NULL
   37:d=3  hl=2 l=inf  cons: SEQUENCE
   39:d=4  hl=2 l=   9 prim: OBJECT            :pkcs7-data
   50:d=4  hl=2 l=inf  cons: cont [ 0 ]
   52:d=5  hl=2 l=inf  cons: OCTET STRING
   54:d=6  hl=4 l=1000 prim: OCTET STRING      [HEX DUMP]:...
 1058:d=6  hl=4 l=1000 prim: OCTET STRING      [HEX DUMP]:...
 2062:d=6  hl=4 l=1000 prim: OCTET STRING      [HEX DUMP]:...
 3066:d=6  hl=3 l= 131 prim: OCTET STRING      [HEX DUMP]:5026831A8322DADC7AE5048124A948A3B18A03BADD011BC8E1B9F9F4946C501DB236E242E5AA5F16E6393AB65ED619CDD2F3CE7EE7FE7126B0CDBD93460F8CF442761C5EAC7FCD6FF20C42F9641B6802509DE48E3835ED4BB4F69A4189FAC1A25874BEB474A2D4786F5C5F920850B5D84D3FFB73889899325500000000000000000000
 3200:d=6  hl=2 l=   0 prim: EOC
 3202:d=5  hl=2 l=   0 prim: EOC
 3204:d=4  hl=2 l=   0 prim: EOC
 3206:d=3  hl=4 l=1007 cons: SET
...
```

What I see is that when I parse the message, I still only get the first 1000 bytes of the data, which I guess has to do with the use of asn1.Unmarshal, as mentioned in a comment in fullsailor#11. I thought that this would be solved now but maybe that's a misunderstanding. I would very much appreciate your support in understanding what is going wrong. Please let me know if you need more information, e.g. the entire PKI response message.
Thank you in advance!

@g-k @bernata do you maybe have an idea?

jasonodonnell pushed a commit to hashicorp/vault that referenced this pull request Sep 10, 2021
* Fix pkcs7 parsing in some cases

brings in mozilla-services/pkcs7#61 from upstream

In some cases but not all, aws includes a certificate in the pkcs7 response,
and currently vault fails to parse those certificates:
```
URL: PUT https://vault.example.com/v1/auth/aws/login
Code: 500. Errors
* failed to parse the BER encoded PKCS#7 signature: ber2der: Invalid BER format
```

This fixes logins on those instances.  Note we could not readily ascertain why
some instances have those certificates and others don't.

* Add changelog entry

* Correct missed line
jasonodonnell pushed a commit to hashicorp/vault that referenced this pull request Jan 31, 2022
jasonodonnell added a commit to hashicorp/vault that referenced this pull request Feb 11, 2022
Co-authored-by: Jacob Burroughs <[email protected]>
@petitout

this change breaks parsing
