Certificate extension not parsed #6475

jensguballa · 2021-10-25T19:01:59Z

I get an exception when accessing the extensions of a parsed certificate (probably due to "Certificate Policies").

Here is what I am using:

Python 3.9.5


cffi          1.15.0
cryptography  36.0.0.dev1
pip           21.3.1
pkg_resources 0.0.0
pycparser     2.20
setuptools    44.1.1

Certificate to parse: Subject: CN = ACCVRAIZ1, OU = PKIACCV, O = ACCV, C = ES
The certificate is present in the truststore on an Ubuntu system (/etc/ssl/certs/ACCVRAIZ1.pem)

After parsing the certificate an exception is raised when accessing the extensions:

>>> with open("/etc/ssl/certs/ACCVRAIZ1.pem", "rb") as fd:
...     pem = fd.read()
... 
>>> from cryptography.x509 import load_pem_x509_certificate
>>> cert = load_pem_x509_certificate(pem)
>>> cert.extensions
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: error parsing asn1 value: ParseError { kind: ExtraData, location: ["0", "PolicyInformation::policy_qualifiers", "0", "PolicyQualifierInfo::qualifier", "Qualifier::UserNotice"] }

The problem does not occur using cryptography 3.4.8. Here the extension looks like follows:

<Extension(oid=<ObjectIdentifier(oid=2.5.29.32, name=certificatePolicies)>, critical=False,
value=<CertificatePolicies([<PolicyInformation(policy_identifier=<ObjectIdentifier(oid=2.5.29.32.0, name=Unknown OID)>,
policy_qualifiers=[
    <UserNotice(
        notice_reference=None,
        explicit_text='Autoridad de Certificación Raíz de la ACCV (Agencia de Tecnología y Certificación Electrónica, CIF Q4601156E). CPS en http://www.accv.es'
    )>,
    'http://www.accv.es/legislacion_c.htm'
])>])>)>,

Openssl decodes the certificate, but leaves the explicit text blank.

            X509v3 Certificate Policies: 
                Policy: X509v3 Any Policy
                  User Notice:
                    Explicit Text: 
                  CPS: http://www.accv.es/legislacion_c.htm

The text was updated successfully, but these errors were encountered:

alex · 2021-10-25T21:53:41Z

Ok the actual problem here is that the DisplayText value is a BMPString, which we currently do not support.

dainnilsson · 2021-10-28T07:57:03Z

Hi! I ran into the what looks like the same issue when parsing a certificate used for TPM attestation for WebAuthn authentication using the Windows platform authenticator. This is a problem for https://github.com/Yubico/python-fido2

Error when accessing certificate.extensions:

ValueError: error parsing asn1 value: ParseError { kind: ExtraData, location: ["0", "PolicyInformation::policy_qualifiers", "0", "PolicyQualifierInfo::qualifier", "Qualifier::UserNotice"] }

Here's the certificate for reference:

reaperhulk · 2021-10-28T08:19:15Z

Thanks for the report. I’ll take a look at this when I’m back at a computer but hopefully it’s another case where we just need to implement the missing DisplayText types!

reaperhulk · 2021-10-28T11:10:20Z

Yeah this is also a BMPString in certificate policies (with value BMPString { u"TCPA Trusted Platform Identity" })

alex added the x509 label Oct 25, 2021

reaperhulk added this to the Thirty Sixth Release milestone Oct 28, 2021

reaperhulk mentioned this issue Nov 2, 2021

support BMPString in explicitText parsing for legacy certificates #6516

Merged

alex closed this as completed in #6516 Nov 2, 2021

dainnilsson added a commit to Yubico/python-fido2 that referenced this issue Nov 8, 2021

Exclude cryptography 35 (see pyca/cryptography#6475).

0ca5ca1

github-actions bot locked as resolved and limited conversation to collaborators Feb 1, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Certificate extension not parsed #6475

Certificate extension not parsed #6475

jensguballa commented Oct 25, 2021

alex commented Oct 25, 2021

dainnilsson commented Oct 28, 2021

reaperhulk commented Oct 28, 2021

reaperhulk commented Oct 28, 2021

Certificate extension not parsed #6475

Certificate extension not parsed #6475

Comments

jensguballa commented Oct 25, 2021

alex commented Oct 25, 2021

dainnilsson commented Oct 28, 2021

reaperhulk commented Oct 28, 2021

reaperhulk commented Oct 28, 2021