fullsailor / pkcs7 Goto Github PK
View Code? Open in Web Editor NEWImplements a subset of PKCS#7/Crytpographic Message Syntax (rfc2315, rfc5652)
License: MIT License
pkcs7's People
Contributors
Stargazers
Watchers
Forkers
tempbottle davrux jig geoko86 meican-dev groob denisss025 hryx lstoll isnotnick gomaps mozilla-services hamano addie9000 fzxu andviro rafaeljusto micromdm lescpsn jackofmosttrades msvechla zhulingbiezhi dawud-tan sriv1211 woq-blended crazytan mpingram jefferai tomekjarosik pranavraja yangliucheng ktezlaf tehmoon smallersoup jessepeterson lusinking renatomacegossa innoq strazzere shestakovda gypsyfeng pravn1729 wiwii jmorenog fh-wedel-app trylife misberner cmars mgritter dsalcedo chrisccoulson tzoiker georgepoulios meronca deepak11627 nelsonghezzi addigy sliard kritsana-u savobit rookie-yxp aiguo186 wagoodman ozanbilici pylons-tech stackrox fuhongbo hirj ddelgado-jakincode lpetaylor emtammarupkcs7's Issues
can you release a version?
Hello~ community maintainer:
the community has not released a version for a long time, can you release a version?
Stable release
I want to use this package in my project. The plan is to integrate it with "dep" as vendor code .
Questions:
- Has the current program code the status "stable" or "ready for production"?
- If yes: Could you build a release version (eg. with semver notation) please?
Thanks.
pkcs7.Verify doesn't support signature algorithms other than RSA in golang v1.10
I'm pretty sure this is the culprit:
Line 257 in a009d8d
The issue is that golang, starting with 1.10, now enforces that the algorithm passed in to Certificate.CheckSignature matches the algorithm in the the public key (see golang/go@083ad28). This is causing hashicorp/vault#4014 as the PKCS7 identity document uses DSA signatures.
Streaming API
Hello! Recently I did some work on streamed pkcs7 parsing and generation, and now there's something resembling a working version. I intend to continue modifying your API to include processing of detached signatures, then perhaps encryption and decryption. Please feel free including my changes into upstream, there was no breakage of original functionality so far.
Error from PKIOperation for GET method
SCEP supports GET and POST requests.
https://tools.ietf.org/html/draft-gutmann-scep-14#section-4.3
POST /cgi-bin/pkiclient.exe?operation=PKIOperation HTTP/1.1
Content-Length: <length of data>
Content-Type: application/x-pki-message
<binary CMS data>
When implemented using HTTP GET this might look as follows:
GET /cgi-bin/pkiclient.exe?operation=PKIOperation& \
message=MIAGCSqGSIb3DQEHA6CAMIACAQAxgDCBzAIBADB2MG \
IxETAPBgNVBAcTCE......AAAAAA== HTTP/1.1
scepserver encodes an incoming message to Base64 and I've got ASN1 exception
asn1: structure error: tags don't match (16 vs {class:1 tag:13 length:73 isCompound:false}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} contentInfo @2
RSA-SHA-256 support in Encrypt() and Decrypt()
Hi,
I need to add support for the content encryption algorithm RSA 2048 and SHA 256 (sha256WithRSAEncryption). Could you please give me some tips on how to implement it so I can send a PR?
Many Thanks!
why verification error
package main
import (
"crypto/rsa"
"crypto/x509"
"encoding/pem"
"fmt"
"github.com/fullsailor/pkcs7"
)
var (
// openssl req -newkey rsa:2048 -nodes -keyout rsa_private.key -x509 -days 365 -out cert.crt
certificate = []byte(`-----BEGIN CERTIFICATE-----
MIICtDCCAZwCCQDCsrwD4cccFTANBgkqhkiG9w0BAQsFADAcMRowGAYJKoZIhvcN
AQkBFgtxd2VAcXdlLmNvbTAeFw0yMTA5MjgwNTM5NDdaFw0yMjA5MjgwNTM5NDda
MBwxGjAYBgkqhkiG9w0BCQEWC3F3ZUBxd2UuY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAwwwhow5LAYMUO4MUa7o67PDlTIwNZbvjP+ABoyoepKU7
KKg6WPG5hv9Z1JvvMEOdV8Oiqg9Xi8JD0RG7N3NgYhLDP1J4AXykFuSOcUTz8bXH
GGvkSWqPXgbqxFC3XPRME8r4x4/wsL9evKKvDPFJnHauub1THKSDPJ16WPXuEHlC
7YqpU0B/9I6fAx4pyCIKgS5E7/QC1+rPMr5yfkO1wIKGeAzZRu4s0a5fngmgc9g7
VxlVWUVmxaDaNY7/i/k0Vel+QhVMuoiaisr/3r4YDJR7TCyTyT/qixXKK9j8YjgQ
vm9+kN+x4J7JDvebaoNsZfos84xoadZWbU5zj+AlaQIDAQABMA0GCSqGSIb3DQEB
CwUAA4IBAQCCT4eXPZE1OUduZnlNkcv8WVU7wa7MNUqVGH+UNA83EAjkthRLsWKt
LE6Y3jC/LL72517XzOjf7RjOQHIyj8ae44UIjirbxl3vJGfMvx9I6fy02oVonITS
3wZafsq7PmnHWtTDvrT00k0xcJeM3QXC1NMdqtdb+/HxnmPLAL2rDmzBJuGCjXSZ
+2+GevvBDytVG5LfCmYAtN31wuqqIKKIZzPHwunmSM6iro0UW/bXI9NyrSe91yQB
nCf+Ift4j+1MDzC4XkeW3WVEKGNZVVq+0aAOmv3txaCzcNMTtLkAC+UwR90mGnEV
spSDvtgkcTIq7JDuXBA+JgZrg1eT3MUi
-----END CERTIFICATE-----
`)
// openssl genrsa -out rsa_private.key 2048
privateKey = []byte(`-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAw/17bqFOSGISoY8GQ94dndbJeABbrsS5Sk9E70HAj74MBc/5
Ry5bFa0r80HMieLZl5TW3H/9DWKBwN/r6Bp2DAn4tL+AwAtWlBBacja1kF3xIKw6
MDRN6xLNsNzvZ19NT8HwVGivC++ZATf9cS6UUqd4XqTrmP+u781S8w0eQW/qs7Lb
dBfr2cZONMItNkODNmR/T+H5fSNE0jXisfaZ4Tjkm3oDGH9wdEbstblGOSISvUSh
AUk3gpCtNedltTm1p9wY37M68ZfcoBwZ4FYfFtHXW0jGuGZzA023l3/feVc5YRSf
am3Iu5Ym6uGEkPoMlasJOxt2VhU54W6g+lLHgQIDAQABAoIBAQCjFqCKy7G/q9SD
GegFu6P7fwsBT5L7WHozaskbKyTYuDV69LgjUmC7JfInpz5UEzAr4c/1ho+Ffs4o
OG0vJC3NENMjXSP/KrAt33nUBtCJRJLtNEPrburTzT7aiM6yv2wvDVw2cTIQhZ1V
lUjR0Qfdy7vvTd863rCsnbgDxovBuLHHo70mbKLvokIx1jtlA1QX4LHWJtAYcYBE
s2hMTB91jHC+k6TLs+DmAfCk1ndBAiV3NHb77mXW31rMFmjaZs/9Bk/JmSzKXxsH
vjh//E6Nm05/E1U1G3k5N+Q4SNbkiXhpx2Nat2CGlaul9wSoXhwytMIf1aaoStC6
0/utC9DNAoGBAOOvVGwvi8Gd25ZGlVYYh41FsDBFBy/SGsWhL5em9yr4OMLRc8m5
jQqUY+JAIft5noMq/VBSa41KwYUAXl6nyIy1EtfdwNSIUIdRgYdt6n8+XySSBQ33
ou6inl4tmm/D9idXVKUZcj6rriSaB3fsv4X16Uv5Xwwp/0vq6z9DSnozAoGBANxd
GzIH3b1a0DrPUWXcp5i8O7JMSNVhBps+SFmzIkP+CS0olBPPiiGq+puH7Re+N2dw
UiE6KlsNndTkz/BciWdh6BiOzV2LxIWXtx3WJ61zJauUKNO88bKJmqLh3J107Pfd
10seIGNNUeyG433C5t4G3tqM+x0BBL+gujoMbqt7AoGAcKxjauZckwQ7lrJ3VJPv
AMpr1ndShyfCd+q8UqAd0PXloQNl+X4JfiLRCzYRmxEkkGTF1unyr4k/G0KDcPQ3
GurA2HK06nhK4axEHXEXisCi9MYOGktiJhXzqUeIFac0OWPOT6W4E6uCEjrnV0Gh
xflb6m0NzEc8P6WRpUz3nmECgYEAlIum03j9/rEDAUHTqwitaYYp760Aw+Yd3/SC
LQVWKeNLKEfcWeZjRQLO4J0mNAUjr/TFSGS/PJXXOTXs/ihC74/ONw+8XDzlgvCc
nd5I7OFcGWdMhj8t5p5fwUDjyLiTLRs8EAUE7Cuo9/qNy67glfanr0et1wViwBKG
tq6+w5UCgYAgzxxwBUqPdo0XwTKAuZvASk8Vkp1Y63oIVRiU3AC2DIU0i808VIzs
2ytWYqy61eLRw7ZqQv5QCmEezkxuGZ7F8KUM1DJ0dCmmsR4rLoip/IZ+jvoIeY4M
cBYbJXK056Q0M/eilntDxYRyC6tYYTQGWXSwDeMcuvZ/wXndPRVVJw==
-----END RSA PRIVATE KEY-----
`)
)
func main() {
sign, err := pkcs7.NewSignedData([]byte("lee"))
if err != nil {
fmt.Printf("new sign error: %s \n", err.Error())
return
}
defer sign.Detach()
pKey, err := decodePk()
if err != nil {
fmt.Printf("decodePk error:%s \n", err.Error())
return
}
cert, err := decodeCert()
if err != nil {
fmt.Printf("decodeCert error:%s \n", err.Error())
return
}
if err := sign.AddSigner(cert, pKey, pkcs7.SignerInfoConfig{}); err != nil {
fmt.Printf("add signer error:%s \n", err.Error())
return
}
signValue, err := sign.Finish()
if err != nil {
fmt.Printf("sign error:%s \n", err.Error())
return
}
p, err := pkcs7.Parse(signValue)
if err != nil {
fmt.Printf("pkcs7 parse error: %s \n", err.Error())
return
}
if err := p.Verify(); err != nil {
fmt.Printf("verify error: %s\n", err.Error())
return
}
}
func decodePk() (*rsa.PrivateKey, error) {
block, _ := pem.Decode(privateKey)
return x509.ParsePKCS1PrivateKey(block.Bytes)
}
func decodeCert() (*x509.Certificate, error) {
block, _ := pem.Decode(certificate)
return x509.ParseCertificate(block.Bytes)
}Verify iTunes Receipt failed.
For background, iTunes Receipt is purchased receipt in iTunes(macOS/iOS). It's a binary file which encoded with pkcs#7.
I try to use this package to parse iTunes Receipt like:
b, err := ioutil.ReadFile("./test_receipt")
d, err := base64.StdEncoding.DecodeString(string(b))
pkcs, err := pkcs7.Parse(d)
pkcs.Verify()And it always return crypto/rsa: verification error when verify. Even I can parse data with pkcs.Content through asn1.
I can verify the file with openssl OK.
Is there anything I'm wrong or missing when verifying?
Attached test file: test_receipt.zip
Tests fail because SHA1 is no longer supported in Go 1.18
Per the Go 1.18 release notes: "crypto/x509 will now reject certificates signed with the SHA-1 hash function. This doesn't apply to self-signed root certificates. Practical attacks against SHA-1 have been demonstrated since 2017 and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015."
This is causing quite a few of the test cases to fail with Go 1.18.
How to use Parse?
I'm using the pkcs7.Parse command on a string that looks like this:
MIME-Version: 1.0
Content-Disposition: attachment; filename="Certificates.p7m"
Content-Type: application/x-pkcs7-mime; name="Certificates.p7m"
Content-Transfer-Encoding: base64
MIIECwYJKoZIhvcNAQcDoIID/DCCA/gCAQIxggEwMIIBLAIBAoAUstqxrRETilMO
BIPgv08fb1hpMZ4wDQYJKoZIhvcNAQEBBQAEggEAUDgsDxe+hsxlhlEMx8yXWk9+
6Nb8z65OcAjxRhfZAm8qSDtp/O9vRljuHqnPcafGroYwtm92rZur/FGrPFC5hVRQ
ftgxNl2Gv9Cmo54VHKBIZp5yOExgDvITq6om3TWFNx+F2UH81+Ykfc0HaFymEWbh
kB2HVX1zAc8G3WNopVQI7Pw918+oXTiEIVbupBZ9VI1wIEV3cSnGpXjC6d4ZR3QB
m+NH+vizuyo/U4FRaEvlbvwpcwfe1UVb5SjUI9WBTboZlXNYNpmvIfp/ba3wi69Y
wXw4pAdJusCHoS+krECuB5+Ya78zDnI/X9xOYX4DBq+hLDn9cicNIna2ji+7uzCC
Ar0GCSqGSIb3DQEHATAUBggqhkiG9w0DBwQIeXKzfc7TnZCAggKYtg5gGYgFM4t6
JG8G+zEwuxa+M/+P0AJ1K2wOtVmtjh5YGtdDaR/JZHvxGZdTpPpyoR/iVU/JCV0e
s1SRiW8XfCV3TLmUPAXtauLTedueJq9YXyc7Vym7O6o1wj1N/wWY/40PyPXHNWwP
+SIlIXBHUOul7ZwIQohq9uKgEwsvfgaEgFui1JdI7ClZPrGpEPA8DrOlPhwQO1Qk
p3mihRUQ0twtbisSVj4AiKoI5lUZwqKSpgRZGzygqpp2nSUAb0R1JXPRL1BBrvcN
x+QkIV37kn3cnn4NdAzyZdck2m9PO94wO/3vKfalIW+7jJ1AVtIgwy50cdJaN+0L
cMOCAkx2wcOapd/9nFzGHEEnC0cExMgMnPEwpFsCo4uaxGyyoSQQI0V9mAjAlvv8
/fNM8Lq/JHwwoA+c58/v3XnPgPVdJ9YF29vPz3yfhbC2VuZoqGLb2i5CdgEYZFgS
Nh5FuqNO+3jrnsxerP2Z8AdNczFz5bK6VpiQcHr74c8WwfT7kactKths2SivYgii
YLNI73BUTVEATKHK56QeJBDmwK7bazMGLeaFkb7tXH7TwH534NvX2nYfdrAp5rnJ
tFo6QFTAodatqKWLqst0sbzDbICzVTuPZDL6Alstvo8MhTiN40J+dLcdsQONUtgh
17o9tjNSvbslmOSUOGUuzSQyUGPULrao0brHGds/E3I6EZlQIlnlb7zvv7HJHF8A
QPl7BDbLpANhs5iCnUnuRp6LlY6lBqSUzeVMqxwOXbsMbQz4bVjkjZOhxiKPbu93
r6t/GajVm3k3UGI/KX9aYDen32ZzfvGKY6SdR5Nz0RoP52qyC2QxGbA4KiboVc5Z
/NYobYra5amgD4h9CtODbpuTLsQXoWnEQhU9UE+mnA==
the openssl cms -decrypt -in file.txt -inkey priv.pem -recip cert.pem can decode this format however if I pass this as is to Parse method, I get error:
asn1: structure error: tags don't match (16 vs {class:1 tag:13 length:73 isCompound:false}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} contentInfo @2
Any ideas what I'm doing wrong?
Support ECDSA Private Keys for signatures
I currently have a use case for needing to sign payloads with an ECDSA private key, and when I try to use it, I get ErrUnsupportedAlgorithm :(.
Golang 1.16: TestVerifyEC2 fails with Verify failed with error: x509: cannot verify signature: algorithm unimplemented
On Fedora Rawhide with Golang 1.16 beta 1, TestVerifyEC2 fails with:
Testing in: /builddir/build/BUILD/pkcs7-d7302db945fa6ea264fb79d8e13e931ea514a602/_build/src
PATH: /builddir/build/BUILD/pkcs7-d7302db945fa6ea264fb79d8e13e931ea514a602/_build/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/sbin
GOPATH: /builddir/build/BUILD/pkcs7-d7302db945fa6ea264fb79d8e13e931ea514a602/_build:/usr/share/gocode
GO111MODULE: off
command: go test -buildmode pie -compiler gc -ldflags " -X github.com/fullsailor/pkcs7/version.commit=d7302db945fa6ea264fb79d8e13e931ea514a602 -X github.com/fullsailor/pkcs7/version=0 -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld '"
testing: github.com/fullsailor/pkcs7
github.com/fullsailor/pkcs7
--- FAIL: TestVerifyEC2 (0.00s)
pkcs7_test.go:47: Verify failed with error: x509: cannot verify signature: algorithm unimplemented
Created root cert
…
Is this project still under maintenance? Any other project replace this ?
Is this project still under maintenance? Any other project replace this ?
Problems parsing some BER encoding
Thanks so much for this package, it's honestly saved me a lot of headache!
However - I've come across some BER encodings that it's having problems with, notably those with indefinite length encodings. The bottom-up search for the EOC blocks seems to fail, I think.
I've attached a sample - it's a SCEP request. (Generated, I think, by the JSCEP library - I've been toying with building a SCEP server for some time, and most other clients like iOS, SSCEP and so on don't seem to do the encoding quite like this does. The request is actually from a major MDM solution, but given the errors I've seen, I'm confident it's using JSCEP).
ber2der conversion
Hello,
I am investigating an issue with ber2der conversion which seems to be related to #11.
I have also reported this here, but as far as I can see, they use pkcs7 for parsing the file.
The referenced issue also has a test file which I extracted from a tcp dump while executing an enrol operation.
I am trying to put a test case together to analyse the behavior a bit further, but GO is not my main language.
Question about sorting
Looking at the code I notice when you prepare the attribute set for marshalling the attributes themselves get sorted based on the marshalled value of the attribute itself:
func (attrs *attributes) ForMarshaling() ([]attribute, error) {
sortables := make(attributeSet, len(attrs.types))
for i := range sortables {
attrType := attrs.types[i]
attrValue := attrs.values[i]
asn1Value, err := asn1.Marshal(attrValue)
if err != nil {
return nil, err
}
attr := attribute{
Type: attrType,
Value: asn1.RawValue{Tag: 17, IsCompound: true, Bytes: asn1Value}, // 17 == SET tag
}
encoded, err := asn1.Marshal(attr)
if err != nil {
return nil, err
}
sortables[i] = sortableAttribute{
SortKey: encoded,
Attribute: attr,
}
}
sort.Sort(sortables)
return sortables.Attributes(), nil
}
From reading the CMS RFC I can't see why the attributes need to be sorted, and when changing the code to not have them sorted, validation begins to fail. Wondering if you can provide some insight into why the sorting needs to occur.
Problems with validating Apple's App Store Receipt (which is in PKCS7 format)
I'm trying to use this golang package "pkcs7" to locally validate the Mac App Store receipt on my server written in golang, following the guidelines of https://developer.apple.com/library/archive/releasenotes/General/ValidateAppStoreReceipt/Chapters/ValidateLocally.html.
Obviously, the receipt is a valid PKCS7 container, however, the function pkcs7.ParsePKCS7() returns errors. At first, it returns a syntax error:
{"code":1003,"message":"asn1: syntax error: sequence truncated"}
During debugging I found that it happens because the field signedData.SignerInfos doesn't have the "optional" tag. I added the tag, but now I'm getting another error:
{"code":1003,"message":"asn1: structure error: tags don't match (16 vs {class:0 tag:2 length:1 isCompound:false}) {optional:false explicit:false application:false private:false defaultValue:\u003cnil\u003e tag:\u003cnil\u003e stringType:0 timeType:0 set:false omitEmpty:false} TBSCertificateList @2"}
You can reproduce this issue by using the MAS receipt of any Mac app you install from the Mac App Store. Despite obviously being a totally valid PKCS7 container, the golang pkcs7 package fails to parse it.
Could you help please?
Issue parsing documents containing marker in signature
I noticed parsing/validation was failing for a small number of AWS Identity Documents. I dug in a bit, and it looks like there's an issue in the parser. It seems like if the signature (or other data later in the doc) has the marker, it will skip ahead and not read the document correctly.
Unfortunately I can't share the raw data, but here's some debug info I captured.
Here's a good document, from asn1parse:
0:d=0 hl=2 l=inf cons: SEQUENCE
2:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData
13:d=1 hl=2 l=inf cons: cont [ 0 ]
15:d=2 hl=2 l=inf cons: SEQUENCE
17:d=3 hl=2 l= 1 prim: INTEGER :01
20:d=3 hl=2 l= 11 cons: SET
22:d=4 hl=2 l= 9 cons: SEQUENCE
24:d=5 hl=2 l= 5 prim: OBJECT :sha1
31:d=5 hl=2 l= 0 prim: NULL
33:d=3 hl=2 l=inf cons: SEQUENCE
35:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data
46:d=4 hl=2 l=inf cons: cont [ 0 ]
48:d=5 hl=2 l=inf cons: OCTET STRING
50:d=6 hl=4 l= 432 prim: OCTET STRING :{
<snip>
}
486:d=6 hl=2 l= 0 prim: EOC
488:d=5 hl=2 l= 0 prim: EOC
490:d=4 hl=2 l= 0 prim: EOC
492:d=3 hl=4 l= 280 cons: SET
496:d=4 hl=4 l= 276 cons: SEQUENCE
500:d=5 hl=2 l= 1 prim: INTEGER :01
503:d=5 hl=2 l= 105 cons: SEQUENCE
505:d=6 hl=2 l= 92 cons: SEQUENCE
507:d=7 hl=2 l= 11 cons: SET
509:d=8 hl=2 l= 9 cons: SEQUENCE
511:d=9 hl=2 l= 3 prim: OBJECT :countryName
516:d=9 hl=2 l= 2 prim: PRINTABLESTRING :US
520:d=7 hl=2 l= 25 cons: SET
522:d=8 hl=2 l= 23 cons: SEQUENCE
524:d=9 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
529:d=9 hl=2 l= 16 prim: PRINTABLESTRING :Washington State
547:d=7 hl=2 l= 16 cons: SET
549:d=8 hl=2 l= 14 cons: SEQUENCE
551:d=9 hl=2 l= 3 prim: OBJECT :localityName
556:d=9 hl=2 l= 7 prim: PRINTABLESTRING :Seattle
565:d=7 hl=2 l= 32 cons: SET
567:d=8 hl=2 l= 30 cons: SEQUENCE
569:d=9 hl=2 l= 3 prim: OBJECT :organizationName
574:d=9 hl=2 l= 23 prim: PRINTABLESTRING :Amazon Web Services LLC
599:d=6 hl=2 l= 9 prim: INTEGER :96BA48D9E55E1A67
610:d=5 hl=2 l= 9 cons: SEQUENCE
612:d=6 hl=2 l= 5 prim: OBJECT :sha1
619:d=6 hl=2 l= 0 prim: NULL
621:d=5 hl=2 l= 93 cons: cont [ 0 ]
623:d=6 hl=2 l= 24 cons: SEQUENCE
625:d=7 hl=2 l= 9 prim: OBJECT :contentType
636:d=7 hl=2 l= 11 cons: SET
638:d=8 hl=2 l= 9 prim: OBJECT :pkcs7-data
649:d=6 hl=2 l= 28 cons: SEQUENCE
651:d=7 hl=2 l= 9 prim: OBJECT :signingTime
662:d=7 hl=2 l= 15 cons: SET
664:d=8 hl=2 l= 13 prim: UTCTIME :160609022532Z
679:d=6 hl=2 l= 35 cons: SEQUENCE
681:d=7 hl=2 l= 9 prim: OBJECT :messageDigest
692:d=7 hl=2 l= 22 cons: SET
694:d=8 hl=2 l= 20 prim: OCTET STRING [HEX DUMP]:6108B512F7688CAAF55246D66FC7B73D17D379F1
716:d=5 hl=2 l= 9 cons: SEQUENCE
718:d=6 hl=2 l= 7 prim: OBJECT :dsaWithSHA1
727:d=5 hl=2 l= 47 prim: OCTET STRING [HEX DUMP]:302D0214652FCCEC81B461A56B8D25AD10FCE3BDDC0BDE3B021500B090CAF10CDF226BA859D2297CAB5AB5C60A5F69
776:d=3 hl=2 l= 0 prim: EOC
778:d=2 hl=2 l= 0 prim: EOC
780:d=1 hl=2 l= 0 prim: EOC
This parses fine
--> (compute length) marker found at offset: 780
--> length : 778
--> length : 9
--> (compute length) marker found at offset: 778
--> length : 763
--> (compute length) marker found at offset: 776
--> length : 759
--> length : 1
--> length : 11
--> length : 9
--> length : 5
--> length : 0
--> (compute length) marker found at offset: 490
--> length : 455
--> length : 9
--> (compute length) marker found at offset: 488
--> length : 440
--> (compute length) marker found at offset: 486
--> length : 436
--> (compute length) indicator byte: 82
--> (compute length) length bytes: 01 B0
--> length : 432
--> (compute length) indicator byte: 82
--> (compute length) length bytes: 01 18
--> length : 280
--> (compute length) indicator byte: 82
--> (compute length) length bytes: 01 14
--> length : 276
--> length : 1
--> length : 105
--> length : 92
--> length : 11
--> length : 9
--> length : 3
--> length : 2
--> length : 25
--> length : 23
--> length : 3
--> length : 16
--> length : 16
--> length : 14
--> length : 3
--> length : 7
--> length : 32
--> length : 30
--> length : 3
--> length : 23
--> length : 9
--> length : 9
--> length : 5
--> length : 0
--> length : 93
--> length : 24
--> length : 9
--> length : 11
--> length : 9
--> length : 28
--> length : 9
--> length : 15
--> length : 13
--> length : 35
--> length : 9
--> length : 22
--> length : 20
--> length : 9
--> length : 7
--> length : 47
and here's a copy of a doc that was failing:
0:d=0 hl=2 l=inf cons: SEQUENCE
2:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData
13:d=1 hl=2 l=inf cons: cont [ 0 ]
15:d=2 hl=2 l=inf cons: SEQUENCE
17:d=3 hl=2 l= 1 prim: INTEGER :01
20:d=3 hl=2 l= 11 cons: SET
22:d=4 hl=2 l= 9 cons: SEQUENCE
24:d=5 hl=2 l= 5 prim: OBJECT :sha1
31:d=5 hl=2 l= 0 prim: NULL
33:d=3 hl=2 l=inf cons: SEQUENCE
35:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data
46:d=4 hl=2 l=inf cons: cont [ 0 ]
48:d=5 hl=2 l=inf cons: OCTET STRING
50:d=6 hl=4 l= 419 prim: OCTET STRING :{
<snip>
}
473:d=6 hl=2 l= 0 prim: EOC
475:d=5 hl=2 l= 0 prim: EOC
477:d=4 hl=2 l= 0 prim: EOC
479:d=3 hl=4 l= 279 cons: SET
483:d=4 hl=4 l= 275 cons: SEQUENCE
487:d=5 hl=2 l= 1 prim: INTEGER :01
490:d=5 hl=2 l= 105 cons: SEQUENCE
492:d=6 hl=2 l= 92 cons: SEQUENCE
494:d=7 hl=2 l= 11 cons: SET
496:d=8 hl=2 l= 9 cons: SEQUENCE
498:d=9 hl=2 l= 3 prim: OBJECT :countryName
503:d=9 hl=2 l= 2 prim: PRINTABLESTRING :US
507:d=7 hl=2 l= 25 cons: SET
509:d=8 hl=2 l= 23 cons: SEQUENCE
511:d=9 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
516:d=9 hl=2 l= 16 prim: PRINTABLESTRING :Washington State
534:d=7 hl=2 l= 16 cons: SET
536:d=8 hl=2 l= 14 cons: SEQUENCE
538:d=9 hl=2 l= 3 prim: OBJECT :localityName
543:d=9 hl=2 l= 7 prim: PRINTABLESTRING :Seattle
552:d=7 hl=2 l= 32 cons: SET
554:d=8 hl=2 l= 30 cons: SEQUENCE
556:d=9 hl=2 l= 3 prim: OBJECT :organizationName
561:d=9 hl=2 l= 23 prim: PRINTABLESTRING :Amazon Web Services LLC
586:d=6 hl=2 l= 9 prim: INTEGER :96BA48D9E55E1A67
597:d=5 hl=2 l= 9 cons: SEQUENCE
599:d=6 hl=2 l= 5 prim: OBJECT :sha1
606:d=6 hl=2 l= 0 prim: NULL
608:d=5 hl=2 l= 93 cons: cont [ 0 ]
610:d=6 hl=2 l= 24 cons: SEQUENCE
612:d=7 hl=2 l= 9 prim: OBJECT :contentType
623:d=7 hl=2 l= 11 cons: SET
625:d=8 hl=2 l= 9 prim: OBJECT :pkcs7-data
636:d=6 hl=2 l= 28 cons: SEQUENCE
638:d=7 hl=2 l= 9 prim: OBJECT :signingTime
649:d=7 hl=2 l= 15 cons: SET
651:d=8 hl=2 l= 13 prim: UTCTIME :160817213415Z
666:d=6 hl=2 l= 35 cons: SEQUENCE
668:d=7 hl=2 l= 9 prim: OBJECT :messageDigest
679:d=7 hl=2 l= 22 cons: SET
681:d=8 hl=2 l= 20 prim: OCTET STRING [HEX DUMP]:E89C4873A60EECD94FCE9054D51C479912051810
703:d=5 hl=2 l= 9 cons: SEQUENCE
705:d=6 hl=2 l= 7 prim: OBJECT :dsaWithSHA1
714:d=5 hl=2 l= 46 prim: OCTET STRING [HEX DUMP]:302C02140488BD1B4F10EC11CF4A4628D7C7C10000B4C1AF02145498779E1F609A00CC1F817445218B778C802025
762:d=3 hl=2 l= 0 prim: EOC
764:d=2 hl=2 l= 0 prim: EOC
766:d=1 hl=2 l= 0 prim: EOC
and the debug output:
--> (compute length) marker found at offset: 766
--> length : 764
--> length : 9
--> (compute length) marker found at offset: 764
--> length : 749
--> (compute length) marker found at offset: 762
--> length : 745
--> length : 1
--> length : 11
--> length : 9
--> length : 5
--> length : 0
--> (compute length) marker found at offset: 735
--> length : 700
--> length : 9
--> (compute length) marker found at offset: 477
--> length : 429
--> (compute length) marker found at offset: 475
--> length : 425
--> (compute length) indicator byte: 82
--> (compute length) length bytes: 01 A3
--> length : 419
--> length : 0
--> (compute length) indicator byte: 82
--> (compute length) length bytes: 01 17
--> length : 279
p7bad Failed at pkcs7.Parse(sigDecode.Bytes): ber2der: BER tag length is more than available data
You can see in this latter one it's skipping the marker in the middle of the document, in favor of the one at 735. This is bang in the middle of the signature, where you can find 0000 - so I think this is triggering as a marker here and breaking the parsing.
Unable to parse Code Signing Certificate for Microsoft
Hi!
First off, many thanks for taking the time to do this useful lib!!
For a side project, I was trying to parse certificates inside exe files -- PE format -- to get the expiration date.
I'll skip the details on how to do it, but it turns out it's using PKCS7 format to store the certificate chain, hence the use of this lib.
When I call Parse() with the payload in DER this is what I get:
structure error: tags don't match (4 vs {class:0 tag:16 length:23 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} unsignedData @2
I had to patch the library and can make a PR if that's necessary: tehmoon@8f12946
As you can see, I de-serialize using RawValue and passing the underlying bytes. I didn't dig much further so I have no idea what's wrong.
I've attached the pkcs7 data in hex string format: data.hex.txt
Even though the patch works well for me, I thought about opening an issue to contribute a little bit.
it happened something wrong when i build it.
GOROOT=C:\Go #gosetup
GOPATH=D:\Code\ProjectDir\Go #gosetup
C:\Go\bin\go.exe test -c -o C:\Users\admin\AppData\Local\Temp___TestBer2Der_in_ber_test_go.exe D:/Code/ProjectDir/Go/pkcs7-master/ber_test.go #gosetup
command-line-arguments [command-line-arguments.test]
.\ber_test.go:14:14: undefined: ber2der
.\ber_test.go:22:18: undefined: ber2der
.\ber_test.go:53:13: undefined: ber2der
.\ber_test.go:68:14: undefined: ber2der
.\ber_test.go:76:18: undefined: ber2der
parseEnvelopeData does not set EncryptedContent correctly on go 1.10
Hi,
I've noticed that encrypted data created by hiera-eyaml does not parse correctly with this package with Go 1.10, possibly related to the changes in the struct tags (see https://golang.org/doc/go1.10)
Unmarshal now respects struct field tags using the explicit and tag directives.
I'm not too sure of the inner details of the asn1 format, but I've noticed that removing the struct tag altogether fixes the issue (see pranavraja@c9366af), and the package tests still pass.
Here is the format of the envelope i'm trying to parse (the output of openssl asn1parse -in encrypteddata -inform DER) in case it helps
0:d=0 hl=4 l= 393 cons: SEQUENCE
4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-envelopedData
15:d=1 hl=4 l= 378 cons: cont [ 0 ]
19:d=2 hl=4 l= 374 cons: SEQUENCE
23:d=3 hl=2 l= 1 prim: INTEGER :00
26:d=3 hl=4 l= 289 cons: SET
30:d=4 hl=4 l= 285 cons: SEQUENCE
34:d=5 hl=2 l= 1 prim: INTEGER :00
37:d=5 hl=2 l= 5 cons: SEQUENCE
39:d=6 hl=2 l= 0 cons: SEQUENCE
41:d=6 hl=2 l= 1 prim: INTEGER :01
44:d=5 hl=2 l= 13 cons: SEQUENCE
46:d=6 hl=2 l= 9 prim: OBJECT :rsaEncryption
57:d=6 hl=2 l= 0 prim: NULL
59:d=5 hl=4 l= 256 prim: OCTET STRING [HEX DUMP]:...
319:d=3 hl=2 l= 76 cons: SEQUENCE
321:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data
332:d=4 hl=2 l= 29 cons: SEQUENCE
334:d=5 hl=2 l= 9 prim: OBJECT :aes-256-cbc
345:d=5 hl=2 l= 16 prim: OCTET STRING [HEX DUMP]:...
363:d=4 hl=2 l= 32 prim: cont [ 0 ]
Detached signature content-type oid does not match actual content-type
// Detach removes content from the signed data struct to make it a detached signature.
// This must be called right before Finish()
func (sd *SignedData) Detach() {
sd.sd.ContentInfo = contentInfo{ContentType: oidSignedData}
}Is pkcs7.go's Detach function, do cause mismatch Content-Type according to RFC 3852 Section 11.1?
following is my code line hello.go line 108, it will send a response to my android app that use bouncycastle lib, the lib throws following error new CMSException("content-type attribute value does not match eContentType");, it check this if (!signedContentType.equals(contentType))
the Content-Type of the following openssl smime v3.1 detached signature command line tool:
openssl cms -sign -md sha1 -noattr -signer public.crt -inkey public.key -in PO.edifact -out signedPO.edifact, is 1.2.840.113549.1.7.1, while your detached function is 1.2.840.113549.1.7.2
following is the sample of the above hello.go's http response
------=_Part_zBgVxyST
Content-Type: multipart/report; report-type=disposition-notification;
boundary="----=_Part_NXmQfJcR"
------=_Part_NXmQfJcR
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
The AS2 message has been received.
------=_Part_NXmQfJcR
Content-Type: message/disposition-notification
Content-Transfer-Encoding: 7bit
Reporting-UA: php AS2 Server
Original-Recipient: rfc822; mendelsontestAS2
Final-Recipient: rfc822; mendelsontestAS2
Original-Message-ID: <github-dawud-tan-RetrofitSmime-30122017110750+0700--380012012302437852@mycompanyAS2_mendelsontestAS2>
Disposition: automatic-action/MDN-sent-automatically; processed
Received-Content-MIC: PAitTZmshnYdaYVQ5aYyf/cEJiE=, sha1
------=_Part_NXmQfJcR--
------=_Part_zBgVxyST
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
MIIExwYJKoZIhvcNAQcCoIIEuDCCBLQCAQExCTAHBgUrDgMCGjALBgkqhkiG9w0B
BwKgggLUMIIC0DCCAjkCBEOO/fMwDQYJKoZIhvcNAQEFBQAwga4xJjAkBgkqhkiG
9w0BCQEWF3Jvc2V0dGFuZXRAbWVuZGVsc29uLmRlMQswCQYDVQQGEwJERTEPMA0G
A1UECBMGQmVybGluMQ8wDQYDVQQHEwZCZXJsaW4xIjAgBgNVBAoTGW1lbmRlbHNv
bi1lLWNvbW1lcmNlIEdtYkgxIjAgBgNVBAsTGW1lbmRlbHNvbi1lLWNvbW1lcmNl
IEdtYkgxDTALBgNVBAMTBG1lbmQwHhcNMDUxMjAxMTM0MzE1WhcNMTkwODEwMTM0
MzE1WjCBrjEmMCQGCSqGSIb3DQEJARYXcm9zZXR0YW5ldEBtZW5kZWxzb24uZGUx
CzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCZXJsaW4xDzANBgNVBAcTBkJlcmxpbjEi
MCAGA1UEChMZbWVuZGVsc29uLWUtY29tbWVyY2UgR21iSDEiMCAGA1UECxMZbWVu
ZGVsc29uLWUtY29tbWVyY2UgR21iSDENMAsGA1UEAxMEbWVuZDCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEA1QYrk0Zb4MsdAbkzFfLp2mZOg6H1ZpWRpyeMm+1o
zNiqA/zeDPnzgoAEjmDYhpR3BID1XsvOA+pzixH5YbOQFZ0Z+SNVTMxQ0tDLQYsy
lKBneynDr11iOCBxu2wdkFhEZ0NJJRdY3sS95iHOKFqvdlPeyblrMnrBYZW9vcN8
fUECAwEAATANBgkqhkiG9w0BAQUFAAOBgQCucT5rhqerUTOPyUHf1ia8gCknTM1Q
yKUAReS3nmIiYuTsBqxvLQ72jEFCgOTGPyUq/IlnB91mrNcXuo11V6eMFNQ5+RDy
z600XM8R4MXhnp4jtDQeMrQFk/bbbrt/lUeG/rA/eUgn82iATpALtcwzb1EQNxf+
+hbo6AqCZrXBVjGCAb0wggG5AgEBMIG3MIGuMSYwJAYJKoZIhvcNAQkBFhdyb3Nl
dHRhbmV0QG1lbmRlbHNvbi5kZTELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxp
bjEPMA0GA1UEBxMGQmVybGluMSIwIAYDVQQKExltZW5kZWxzb24tZS1jb21tZXJj
ZSBHbWJIMSIwIAYDVQQLExltZW5kZWxzb24tZS1jb21tZXJjZSBHbWJIMQ0wCwYD
VQQDEwRtZW5kAgRDjv3zMAcGBSsOAwIaoGEwGAYJKoZIhvcNAQkDMQsGCSqGSIb3
DQEHATAgBgkqhkiG9w0BCQUxExcRMTcxMjMwMTEwNzUyKzA3MDAwIwYJKoZIhvcN
AQkEMRYEFEJE7uZ+32tvKMiJuDT4uaOVYO+tMAsGCSqGSIb3DQEBAQSBgFJA0aXE
LIwP4aslsRk3OjWD6Rrw1oSK4YcxlcVEAal/29TVWAwEKVdlkPOxOhUUipYN7VD1
9aIhZQMXVEd6ar+E8CcTEWnZztPbTlM/rlciqzB88/ZkTgpRqxUeCsnloPhOe3Vo
1rNzqHeHpmsCcyTNq1TvaQGkchjJ3N22UTZB
------=_Part_zBgVxyST--
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.