asn1crypto: CMS Enveloped Data creation failure
I am trying to create a CMS Enveloped Data using asn1crypto as a substitution of the Google’s certificate-transparency source code I forked on my project https://github.com/balena/python-smime. I had the idea of using asn1crypto after having some trouble when parsing indefinite-length attributes generated by certain E-Mail managers (like Thunderbird).
While asn1crypto is great for parsing all kinds of CMS data, I am getting some trouble when generating them. I have an unit test where the PKCS7 output is passed as input to command-line OpenSSL in order to make sure the implementation is compatible. But all I get is an error from OpenSSL when parsing ASN.1 tags (I don’t know exactly which one).
There is a single function responsible for returning a CMS ContentInfo structure as follows:
def __get_enveloped_data(pubkey_cipher, sym_cipher, x509_cert,
encrypted_key, iv, encrypted_content):
return cms.ContentInfo({
'contentType': cms.ContentType(u'enveloped_data'),
'content': cms.EnvelopedData({
'version': u'v0',
'recipient_infos': cms.RecipientInfos([
cms.RecipientInfo(
name='ktri',
value=cms.KeyTransRecipientInfo({
'version': u'v0',
'rid': cms.RecipientIdentifier(
name='issuer_and_serial_number',
value=__get_issuer_and_serial_number(x509_cert)
),
'key_encryption_algorithm': cms.KeyEncryptionAlgorithm({
'algorithm': pubkey_cipher.oid,
'parameters': core.Null()
}),
'encrypted_key': encrypted_key
})
)
]),
'encrypted_content_info': cms.EncryptedContentInfo({
'content_type': cms.ContentType(u'data'),
'content_encryption_algorithm': cms.EncryptionAlgorithm({
'algorithm': sym_cipher.oid,
'parameters': iv
}),
'encrypted_content': cms.OctetString(
encrypted_content, tag=0, tag_type='implicit')
})
}, tag=0, tag_type='explicit')
})
The object returned by the above function is encoded using:
encoded_content = __encode_in_base64(enveloped_data.dump())
And the __encode_in_base64 is just a pretty printer function to convert the DER output into BASE64.
When I execute the OpenSSL function:
$ openssl smime -decrypt -in tmp -inkey private_key.pem
All I get is the following:
Error reading S/MIME message
140702704453280:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1338:
140702704453280:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:852:
140702704453280:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:772:Field=type, Type=PKCS7
140702704453280:error:0D0D106E:asn1 encoding routines:B64_READ_ASN1:decode error:asn_mime.c:193:
140702704453280:error:0D0D40CB:asn1 encoding routines:SMIME_read_ASN1:asn1 parse error:asn_mime.c:528:
Do you have any idea what could be the problem? Is there any caveat when encoding asn1crypto structures like the above?
About this issue
- Original URL
- State: closed
- Created 8 years ago
- Comments: 18 (10 by maintainers)
As of afd3cac4b33d56aaf8ddcce2c333b60828350c3d, Python 2 should no longer raise an exception when debugging a
core.OctetString.As of 2260ee300972ae3e0cd7d31710d21432466773e0,
core.Sequencewill raise aValueErrorwhen an invalid field is specified.@balena I implemented your suggestion of being able to pass a
dictto acore.Choiceconstructor, but it felt like trying to pound a square peg through a round hole. I ended up stashing it in case I want to revisit later. What about being able to pass a 2-element tuple of(name, value)?