Comments (2)
Using your reproduce case, I imported the generated X.509 certificates into a test case, which should show up in the issue timeline. The test passes, which means the low-level cryptography is working correctly.
I suspect the problem here has to do with the way the test is constructed and how this crate handles ASN.1 encoding. RFC 5652 says CMS uses BER. Most everything else in the cryptography world uses DER, including OpenSSL when you ask it to generate a certificate.
If you feed DER into a BER decoder, it will parse fine. Here's what I think is happening:
- CMS encodes/decodes the X.509 certificate in BER mode.
- Your demonstration code loads the root X.509 certificate in DER mode (as it should).
- When we go to verify the signature, we serialize the CMS certificate into BER (since that was the source encoding) in order to verify the signature.
- Signature verification fails because the BER encoding of the certificate isn't the DER encoding.
Unfortunately, I'm not sure we can trivially re-encode the BER decoded certificate to DER because of limitations in the bcder crate.
This issue brings up an old issue which is I'm not convinced the world actually follows RFC 5652 and uses BER encoding. I was attempting to be truthful to the spec when I wrote the crate. It is possible that CMS implementations like OpenSSL always use DER: I'm not actually sure! It is also possible everybody always DER encodes the X.509 certificates within CMS and leaves the outer CMS structures as DER.
Anyway, thanks for the bug report. I'll have to do some research.
from cryptography-rs.
Actually, I may have mixed up the sequence based on what the code is doing. But same principle applies.
Another theory is we're not reading the signature algorithm correctly from the CMS SignedData structure. I'll likely have to step through the code with a debugger to get at the heart of this. Won't do that tonight.
from cryptography-rs.
Related Issues (10)
- Please turn off default features for chrono dependency HOT 2
- Bug in Attribute Set Sorting
- Unable to mock a TimeStampReponse HOT 2
- Unable to verify signature using verify_signed_data_with_algorithm HOT 2
- Public data is NULL in CSR HOT 3
- Update BCDER crate dependency to 0.7.3 HOT 1
- Cleartext support is now available in rpgp
- Deveopment help, Add CSR Attribute HOT 1
- Break out the ASN1 primitives into their own crate or feature? HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cryptography-rs.