More incorrect cRLDistributionPoints encodings #33

Closed

joernheissler opened this issue Feb 26, 2017 · 3 comments

Comments

@joernheissler
Collaborator

I'm really sorry, but I found more (possible) issues :-)
I took a list of 157 (trusted) root certs, decoded + reencoded them with asn1crypto.

5 / 157 certs failed.

3 of them had issues with incorrect cRLDistributionPoints encoding (similar to, but probably not the same as, #32)

#!/usr/bin/env python3

import traceback
import requests
from asn1crypto import pem, x509

# Fetch a PEM bundle of trusted root certs and check that each one round-trips
# through asn1crypto: decode, force re-encode, compare with the input DER
certs = requests.get('https://mkcert.org/generate/').content
failed = 0

for i, (type_name, headers, der_bytes) in enumerate(pem.unarmor(certs, multiple=True)):
    if type_name != 'CERTIFICATE':
        print('Skipping ' + type_name)
        continue
    cert = x509.Certificate.load(der_bytes)
    try:
        dumped = cert.dump(force=True)
        if dumped != der_bytes:
            # keep the re-encoded bytes so they can be diffed against the original
            with open('%03d.dump' % i, 'wb') as fp:
                fp.write(dumped)
            raise Exception('Input does not match output')
    except Exception:
        failed += 1
        with open('%03d.orig' % i, 'wb') as fp:
            fp.write(der_bytes)
        with open('%03d.exc' % i, 'wt') as fp:
            traceback.print_exc(file=fp)

print('%d / %d certs failed' % (failed, i + 1))

And just the broken cRLDistributionPoints:

#!/usr/bin/env python3

from asn1crypto.x509 import CRLDistributionPoints
from base64 import b64decode

crldp = [
'''
MIG9MIG6oIG3oIG0hiFodHRwOi8vd3d3LmUtc3ppZ25vLmh1L1Jvb3RDQS5jcmyGgY5sZGFwOi8v
bGRhcC5lLXN6aWduby5odS9DTj1NaWNyb3NlYyUyMGUtU3ppZ25vJTIwUm9vdCUyMENBLE9VPWUt
U3ppZ25vJTIwQ0EsTz1NaWNyb3NlYyUyMEx0ZC4sTD1CdWRhcGVzdCxDPUhVP2NlcnRpZmljYXRl
UmV2b2NhdGlvbkxpc3Q7YmluYXJ5
''', '''
MIHIMIGAoH6gfIZ6bGRhcDovL2RpcmVjdG9yeS5kLXRydXN0Lm5ldC9DTj1ELVRSVVNUJTIwUm9v
dCUyMENsYXNzJTIwMyUyMENBJTIwMiUyMDIwMDksTz1ELVRydXN0JTIwR21iSCxDPURFP2NlcnRp
ZmljYXRlcmV2b2NhdGlvbmxpc3QwQ6BBoD+GPWh0dHA6Ly93d3cuZC10cnVzdC5uZXQvY3JsL2Qt
dHJ1c3Rfcm9vdF9jbGFzc18zX2NhXzJfMjAwOS5jcmw=
''', '''
MIHSMIGHoIGEoIGBhn9sZGFwOi8vZGlyZWN0b3J5LmQtdHJ1c3QubmV0L0NOPUQtVFJVU1QlMjBS
b290JTIwQ2xhc3MlMjAzJTIwQ0ElMjAyJTIwRVYlMjAyMDA5LE89RC1UcnVzdCUyMEdtYkgsQz1E
RT9jZXJ0aWZpY2F0ZXJldm9jYXRpb25saXN0MEagRKBChkBodHRwOi8vd3d3LmQtdHJ1c3QubmV0
L2NybC9kLXRydXN0X3Jvb3RfY2xhc3NfM19jYV8yX2V2XzIwMDkuY3Js
''',
]

for i, dp in enumerate(crldp):
    der = b64decode(dp)

    p = CRLDistributionPoints.load(der)
    with open('dp-%d-orig.der' % i, 'wb') as fp:
        fp.write(der)
    with open('dp-%d-dump.der' % i, 'wb') as fp:
        fp.write(p.dump(force=True))
@wbond
Owner

wbond commented Feb 27, 2017

Adding calls to .debug() helps identify the issue here, although I am just working on it now:

#!/usr/bin/env python3

from asn1crypto.x509 import CRLDistributionPoints
from base64 import b64decode

crldp = [
'''
MIG9MIG6oIG3oIG0hiFodHRwOi8vd3d3LmUtc3ppZ25vLmh1L1Jvb3RDQS5jcmyGgY5sZGFwOi8v
bGRhcC5lLXN6aWduby5odS9DTj1NaWNyb3NlYyUyMGUtU3ppZ25vJTIwUm9vdCUyMENBLE9VPWUt
U3ppZ25vJTIwQ0EsTz1NaWNyb3NlYyUyMEx0ZC4sTD1CdWRhcGVzdCxDPUhVP2NlcnRpZmljYXRl
UmV2b2NhdGlvbkxpc3Q7YmluYXJ5
''', '''
MIHIMIGAoH6gfIZ6bGRhcDovL2RpcmVjdG9yeS5kLXRydXN0Lm5ldC9DTj1ELVRSVVNUJTIwUm9v
dCUyMENsYXNzJTIwMyUyMENBJTIwMiUyMDIwMDksTz1ELVRydXN0JTIwR21iSCxDPURFP2NlcnRp
ZmljYXRlcmV2b2NhdGlvbmxpc3QwQ6BBoD+GPWh0dHA6Ly93d3cuZC10cnVzdC5uZXQvY3JsL2Qt
dHJ1c3Rfcm9vdF9jbGFzc18zX2NhXzJfMjAwOS5jcmw=
''', '''
MIHSMIGHoIGEoIGBhn9sZGFwOi8vZGlyZWN0b3J5LmQtdHJ1c3QubmV0L0NOPUQtVFJVU1QlMjBS
b290JTIwQ2xhc3MlMjAzJTIwQ0ElMjAyJTIwRVYlMjAyMDA5LE89RC1UcnVzdCUyMEdtYkgsQz1E
RT9jZXJ0aWZpY2F0ZXJldm9jYXRpb25saXN0MEagRKBChkBodHRwOi8vd3d3LmQtdHJ1c3QubmV0
L2NybC9kLXRydXN0X3Jvb3RfY2xhc3NfM19jYV8yX2V2XzIwMDkuY3Js
''',
]

for i, dp in enumerate(crldp):
    der = b64decode(dp)

    p = CRLDistributionPoints.load(der)
    with open('dp-%d-orig.der' % i, 'wb') as fp:
        fp.write(der)
        p.debug()
    with open('dp-%d-dump.der' % i, 'wb') as fp:
        fp.write(p.dump(force=True))
        p.debug()

It seems the issue is with the asn1crypto.x509.URI class.

@wbond
Owner

wbond commented Feb 27, 2017

So the issue seems to be with LDAP URLs. Here is the debug code:

#!/usr/bin/env python3

from asn1crypto.x509 import GeneralName, CRLDistributionPoints
from base64 import b64decode

crldp = [
'''
MIG9MIG6oIG3oIG0hiFodHRwOi8vd3d3LmUtc3ppZ25vLmh1L1Jvb3RDQS5jcmyGgY5sZGFwOi8v
bGRhcC5lLXN6aWduby5odS9DTj1NaWNyb3NlYyUyMGUtU3ppZ25vJTIwUm9vdCUyMENBLE9VPWUt
U3ppZ25vJTIwQ0EsTz1NaWNyb3NlYyUyMEx0ZC4sTD1CdWRhcGVzdCxDPUhVP2NlcnRpZmljYXRl
UmV2b2NhdGlvbkxpc3Q7YmluYXJ5
''', '''
MIHIMIGAoH6gfIZ6bGRhcDovL2RpcmVjdG9yeS5kLXRydXN0Lm5ldC9DTj1ELVRSVVNUJTIwUm9v
dCUyMENsYXNzJTIwMyUyMENBJTIwMiUyMDIwMDksTz1ELVRydXN0JTIwR21iSCxDPURFP2NlcnRp
ZmljYXRlcmV2b2NhdGlvbmxpc3QwQ6BBoD+GPWh0dHA6Ly93d3cuZC10cnVzdC5uZXQvY3JsL2Qt
dHJ1c3Rfcm9vdF9jbGFzc18zX2NhXzJfMjAwOS5jcmw=
''', '''
MIHSMIGHoIGEoIGBhn9sZGFwOi8vZGlyZWN0b3J5LmQtdHJ1c3QubmV0L0NOPUQtVFJVU1QlMjBS
b290JTIwQ2xhc3MlMjAzJTIwQ0ElMjAyJTIwRVYlMjAyMDA5LE89RC1UcnVzdCUyMEdtYkgsQz1E
RT9jZXJ0aWZpY2F0ZXJldm9jYXRpb25saXN0MEagRKBChkBodHRwOi8vd3d3LmQtdHJ1c3QubmV0
L2NybC9kLXRydXN0X3Jvb3RfY2xhc3NfM19jYV8yX2V2XzIwMDkuY3Js
''',
]

for i, dp in enumerate(crldp):
    der = b64decode(dp)

    orig_names = []
    p = CRLDistributionPoints.load(der)
    with open('dp-%d-orig.der' % i, 'wb') as fp:
        fp.write(der)
        names = p[0]['distribution_point'].chosen
        for name in names:
            orig_names.append(name.dump())
    with open('dp-%d-dump.der' % i, 'wb') as fp:
        fp.write(p.dump(force=True))
        names = p[0]['distribution_point'].chosen
        for j, name in enumerate(names):
            if orig_names[j] == name.dump():
                continue
            GeneralName.load(orig_names[j]).debug()
            name.debug()

And the output:

  asn1crypto.x509.GeneralName Object #4461714640
    Data: 0x86818e6c6461703a2f2f6c6461702e652d737a69676e6f2e68752f434e3d4d6963726f736563253230652d537a69676e6f253230526f6f7425323043412c4f553d652d537a69676e6f25323043412c4f3d4d6963726f7365632532304c74642e2c4c3d42756461706573742c433d48553f63657274696669636174655265766f636174696f6e4c6973743b62696e617279
      asn1crypto.x509.URI Object #4461896848
        Header: 0x86818e
          primitive context tag 6 (implicitly tagged)
        Data: 0x6c6461703a2f2f6c6461702e652d737a69676e6f2e68752f434e3d4d6963726f736563253230652d537a69676e6f253230526f6f7425323043412c4f553d652d537a69676e6f25323043412c4f3d4d6963726f7365632532304c74642e2c4c3d42756461706573742c433d48553f63657274696669636174655265766f636174696f6e4c6973743b62696e617279
          Native: ldap://ldap.e-szigno.hu/CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU?certificateRevocationList;binary
  asn1crypto.x509.GeneralName Object #4461903504
    Data: 0x8681a26c6461703a2f2f6c6461702e652d737a69676e6f2e68752f434e2533444d6963726f736563253230652d537a69676e6f253230526f6f7425323043412532434f55253344652d537a69676e6f25323043412532434f2533444d6963726f7365632532304c74642e2532434c25334442756461706573742532434325334448553f63657274696669636174655265766f636174696f6e4c69737425334262696e617279
      asn1crypto.x509.URI Object #4461869072
        Header: 0x8681a2
          primitive context tag 6 (implicitly tagged)
        Data: 0x6c6461703a2f2f6c6461702e652d737a69676e6f2e68752f434e2533444d6963726f736563253230652d537a69676e6f253230526f6f7425323043412532434f55253344652d537a69676e6f25323043412532434f2533444d6963726f7365632532304c74642e2532434c25334442756461706573742532434325334448553f63657274696669636174655265766f636174696f6e4c69737425334262696e617279
          Native: ldap://ldap.e-szigno.hu/CN=Microsec e-Szigno Root CA,OU=e-Szigno CA,O=Microsec Ltd.,L=Budapest,C=HU?certificateRevocationList;binary
  asn1crypto.x509.GeneralName Object #4461869072
    Data: 0x867a6c6461703a2f2f6469726563746f72792e642d74727573742e6e65742f434e3d442d5452555354253230526f6f74253230436c61737325323033253230434125323032253230323030392c4f3d442d5472757374253230476d62482c433d44453f63657274696669636174657265766f636174696f6e6c697374
      asn1crypto.x509.URI Object #4461935632
        Header: 0x867a
          primitive context tag 6 (implicitly tagged)
        Data: 0x6c6461703a2f2f6469726563746f72792e642d74727573742e6e65742f434e3d442d5452555354253230526f6f74253230436c61737325323033253230434125323032253230323030392c4f3d442d5472757374253230476d62482c433d44453f63657274696669636174657265766f636174696f6e6c697374
          Native: ldap://directory.d-trust.net/CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE?certificaterevocationlist
  asn1crypto.x509.GeneralName Object #4461903696
    Data: 0x8681846c6461703a2f2f6469726563746f72792e642d74727573742e6e65742f434e253344442d5452555354253230526f6f74253230436c61737325323033253230434125323032253230323030392532434f253344442d5472757374253230476d62482532434325334444453f63657274696669636174657265766f636174696f6e6c697374
      asn1crypto.x509.URI Object #4461903440
        Header: 0x868184
          primitive context tag 6 (implicitly tagged)
        Data: 0x6c6461703a2f2f6469726563746f72792e642d74727573742e6e65742f434e253344442d5452555354253230526f6f74253230436c61737325323033253230434125323032253230323030392532434f253344442d5472757374253230476d62482532434325334444453f63657274696669636174657265766f636174696f6e6c697374
          Native: ldap://directory.d-trust.net/CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE?certificaterevocationlist
  asn1crypto.x509.GeneralName Object #4461903440
    Data: 0x867f6c6461703a2f2f6469726563746f72792e642d74727573742e6e65742f434e3d442d5452555354253230526f6f74253230436c617373253230332532304341253230322532304556253230323030392c4f3d442d5472757374253230476d62482c433d44453f63657274696669636174657265766f636174696f6e6c697374
      asn1crypto.x509.URI Object #4461932688
        Header: 0x867f
          primitive context tag 6 (implicitly tagged)
        Data: 0x6c6461703a2f2f6469726563746f72792e642d74727573742e6e65742f434e3d442d5452555354253230526f6f74253230436c617373253230332532304341253230322532304556253230323030392c4f3d442d5472757374253230476d62482c433d44453f63657274696669636174657265766f636174696f6e6c697374
          Native: ldap://directory.d-trust.net/CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE?certificaterevocationlist
  asn1crypto.x509.GeneralName Object #4461903504
    Data: 0x8681896c6461703a2f2f6469726563746f72792e642d74727573742e6e65742f434e253344442d5452555354253230526f6f74253230436c617373253230332532304341253230322532304556253230323030392532434f253344442d5472757374253230476d62482532434325334444453f63657274696669636174657265766f636174696f6e6c697374
      asn1crypto.x509.URI Object #4461714640
        Header: 0x868189
          primitive context tag 6 (implicitly tagged)
        Data: 0x6c6461703a2f2f6469726563746f72792e642d74727573742e6e65742f434e253344442d5452555354253230526f6f74253230436c617373253230332532304341253230322532304556253230323030392532434f253344442d5472757374253230476d62482532434325334444453f63657274696669636174657265766f636174696f6e6c697374
          Native: ldap://directory.d-trust.net/CN=D-TRUST Root Class 3 CA 2 EV 2009,O=D-Trust GmbH,C=DE?certificaterevocationlist

I'm going to assume that the issue is caused by URL-encoding various characters in the LDAP path segments when force-encoding.
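As an added example (not code from asn1crypto or from this issue), the following stdlib-only script reproduces the header change visible in the debug output above (0x86818e becoming 0x8681a2) with a deliberately over-eager percent-encoder, and places a byte-faithful re-encoder and a round-trip check beside it; the check matters because a re-encoder that alters bytes of a signed structure breaks signature verification. It assumes the first LDAP URL from the issue as it sits on the wire (spaces already `%20`), and the names `RESERVED`, `der_ia5_uri`, `decode_ia5_uri`, `overeager_reencode`, `faithful_reencode` and `round_trips` are chosen here.

```python
# Added example, not asn1crypto code: re-encoding a GeneralName URI ([6] IMPLICIT IA5String).
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# RFC 3986 reserved characters; an LDAP URL (RFC 4516) uses '=', ',', ';', '?'
# and '/' structurally, so a re-encoder must not percent-encode them.
RESERVED = ":/?#[]@!$&'()*+,;="

# Constructed input: the first URI from the issue as it sits on the wire
# (spaces already %20, DN delimiters bare); 142 bytes, hence length 0x81 0x8e.
LDAP_URL = ("ldap://ldap.e-szigno.hu/CN=Microsec%20e-Szigno%20Root%20CA,"
            "OU=e-Szigno%20CA,O=Microsec%20Ltd.,L=Budapest,C=HU"
            "?certificateRevocationList;binary")

def der_ia5_uri(uri: str) -> bytes:
    """DER-encode [6] IMPLICIT IA5String: tag 0x86, definite length, body."""
    body = uri.encode("ascii")
    n = len(body)
    if n < 0x80:
        length = bytes([n])                       # short form
    else:
        nb = (n.bit_length() + 7) // 8            # long form: 0x80|count, then n
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return b"\x86" + length + body

def decode_ia5_uri(der: bytes) -> str:
    """Minimal decoder for the same type; rejects trailing or missing bytes."""
    assert der[0] == 0x86, "expected context tag [6]"
    if der[1] < 0x80:
        start, n = 2, der[1]
    else:
        nb = der[1] & 0x7F
        start, n = 2 + nb, int.from_bytes(der[2:2 + nb], "big")
    assert len(der) == start + n, "length does not match data"
    return der[start:].decode("ascii")

def overeager_reencode(uri: str) -> str:
    """Unquote each component, re-quote with Python's default safe sets: '=' and
    ',' become %3D/%2C and ';' becomes %3B, the +20 bytes seen in the debug output."""
    p = urlsplit(uri)
    path = quote(unquote(p.path), safe="/")
    query = quote(unquote(p.query), safe="")
    return urlunsplit((p.scheme, p.netloc, path, query, p.fragment))

def faithful_reencode(uri: str) -> str:
    """Keep reserved characters and existing %XX escapes; only illegal ones get encoded."""
    return quote(uri, safe=RESERVED + "%")

def round_trips(der: bytes, reencode) -> bool:
    """The test a parser should ship: decode, re-encode, compare byte-for-byte."""
    return der_ia5_uri(reencode(decode_ia5_uri(der))) == der
```

Running `round_trips(der_ia5_uri(LDAP_URL), overeager_reencode)` returns False while the faithful variant returns True, which is the property the re-encoding test in the first comment checks for whole certificates.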

@wbond
Owner

wbond commented Feb 27, 2017

Fixed by 8c9011f
