-
Notifications
You must be signed in to change notification settings - Fork 133
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pkcs7+der: mixed BER/DER encoding with undefined length #779
Comments
We've talked about introducing a lax mode to the |
I gave it a shot with my limited experience with Rust and also this codebase. It is meant as a starting point. I used it successfully with changes to |
@smndtrl rather than trying to change how the existing parsing works in the |
@tarcieri Wouldn't that require me changing how For making indefinite length work a solution for I'm fine with carrying this patch on my own as it works well for my use case. I might revisit the suggested approach later on. |
@smndtrl you'll need to write all the impls by hand if you go that route, and you will have to avoid impl'ing one of If you can't figure it out I can take a look at some point based on your |
We've found a real-world use case:
|
BER was an issue working on PKCS #12 as well. Exports from Firefox are BER. In a cert collection I use for testing, there are several several AIAs hosting P7s that are BER encoded. |
We're aware this is a real issue. It's something I've been meaning to address. |
I think we can probably use an approach like #810 but we need some way to control the granularity so enabling it doesn't cause |
FYI, I have implemented a simple parser/converter ( ...
let der = Berder::ber_to_der(ber.as_slice())?; // Indefinite -> definite lengths
let ci = ContentInfo::from_der(der.as_slice())?;
let pki_message = SignedData::from_der(ci.content.to_der()?; This could be implemented as |
I think we can probably implement |
@tarcieri I have started doing that based on #810. I think I got pretty far with this implementation, but there are one or two issues left (correct handling of the end-of-content markers). The main idea was, to modify the
This implementation is not complete, but I think it is already more complete, than the current #810. |
@bkstein I'd like to avoid making changes to the existing APIs like that. The idea would be to use However, I'd definitely like to also preserve the way the existing implementation works so indefinite lengths are rejected when parsing DER. |
Yes, the |
I was thinking an enum like |
Adds an enum with `Ber` and `Der` (default) variants which can be used to selectively allow a limited number of BER productions when decoding certain BER-based security-oriented formats, e.g. CMS, PKCS#8. Currently this doesn't actually do anything, however the goal is to address #779, where we can't decode CMS generated by Apple tooling. PR #810 is an example of how the rules could be relaxed to support `IndefiniteLength`s.
I've bumped I opened #1321 which adds an |
Adds an enum with `Ber` and `Der` (default) variants which can be used to selectively allow a limited number of BER productions when decoding certain BER-based security-oriented formats, e.g. CMS, PKCS#8. Currently this doesn't actually do anything, however the goal is to address #779, where we can't decode CMS generated by Apple tooling. PR #810 is an example of how the rules could be relaxed to support `IndefiniteLength`s.
@tarcieri For reference, we were interested in the BER capability as we want to unify our LDAP and Kerberos parsers on one trusted encoding/decoding stack. Currently we have a "ber only" parser, but we would like to move to this crate. I'll do some testing soon to see what we need for extending this to support BER in our cases. |
Hi,
while looking into the
pkcs7
crate for a CMS usecase around the Apple world I discovered that their detached signatures use the BER indefinite length encoding for some of theSEQUENCE
which of course is not supported by theder
crate.Has there been any thoughts/discussions around if that's something the formats repo should address or if that is out of scope (for now) and left to other crates.
I started with adding the signed-data content to
pkcs7
validating against a DER encoded signature and discovered the problem afterwards with the ones Apple generates :( Link to exampleSimon
The text was updated successfully, but these errors were encountered: