rfc4210 cmp implicit confirm #84

Open
ghost opened this issue Oct 16, 2019 · 8 comments

@ghost

ghost commented Oct 16, 2019

Hi everyone,
I'm using pyasn1-modules to build a small cmp client (subset of rfc4210). I think there is a mistake in the rfc4210 module in the PKIHeader class.
The last entry should be

namedtype.OptionalNamedType(
    'generalInfo', univ.SequenceOf(
        componentType=rfc4210.InfoTypeAndValue().subtype(
            sizeSpec=constraint.ValueSizeConstraint(1, MAX))
    # explicit [8] tag applied to the SEQUENCE OF as a whole
    ).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 8))
)

instead of

namedtype.OptionalNamedType(
    'generalInfo', univ.SequenceOf(
        componentType=InfoTypeAndValue().subtype(
            sizeSpec=constraint.ValueSizeConstraint(1, MAX),
            # explicit [8] tag lands on each element, not on the SEQUENCE OF
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 8)
        )
    )
)

Stumbled over this when I tried to use cmp implicit confirm. The top code shows how I was able to get it running with a CA-Software.

Thanks,
Alex

@etingof
Owner

etingof commented Oct 16, 2019

Thanks for reporting this! Looks like a typo to me. Cc: @russhousley

@russhousley
Contributor

Ilya fixed this in master.

@etingof
Owner

etingof commented Oct 19, 2019

Perhaps the question to @Alex8472 is - which pyasn1-modules version are you using? If you could try master and it works, I'd be happy to cut a release.

@ghost
Author

ghost commented Oct 25, 2019

Hi, sorry for the late response.
I am using the latest release, that is 0.2.7.

Sadly I'm still running into the same problem with the master branch. Everything works until I'm adding implicit confirm to the message. I'm getting a pyasn1.error.PyAsn1Error, while trying to decode it, using asn1spec='rfc4210.PKIMessage()'

If you look at the above code again, consider/compare the last lines. I added the subtype() to it, as I had the problem that the tag was at the wrong position. I think this is the 0xa8 tag, if I remember correctly. So the top code with the subtype() added works for me, both for decoding and encoding.

I could provide you with two example DER files, containing two simple cmp messages. One without implicit confirm and one with implicit confirm (constructed with openssl cmp in this case (-implicitconfirm option)). If you like those, let me know if I should post the hex values in here or send you the files via E-Mail.

Thanks,
Alex
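
The two tag placements discussed in this thread, shown on the wire. This is an added example, not code from pyasn1-modules or from any commenter: hand-built DER for a `generalInfo` field carrying implicitConfirm, plus a strict reader for the RFC 4210 layout. The helper names and sample bytes are constructed for illustration, and only short-form DER lengths are handled.

```python
# Added example (not from pyasn1-modules). RFC 4210, explicit tagging:
#   generalInfo [8] SEQUENCE SIZE (1..MAX) OF InfoTypeAndValue OPTIONAL

def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; short-form length only (enough for this sample)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the short-form TLV starting at pos."""
    if pos + 2 > len(buf) or buf[pos + 1] >= 0x80:
        raise ValueError("truncated or long-form TLV")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return buf[pos], buf[pos + 2:end], end

SEQUENCE, OID, NULL, CTX8 = 0x30, 0x06, 0x05, 0xA8  # 0xA8 = context | constructed | 8
# Constructed sample: id-it-implicitConfirm (1.3.6.1.5.5.7.4.13) with a NULL value.
IMPLICIT_CONFIRM = tlv(SEQUENCE, tlv(OID, bytes.fromhex("2b0601050507040d")) + tlv(NULL, b""))

# Layout of the corrected definition: [8] wraps the whole SEQUENCE OF.
TAG_ON_SEQUENCE_OF = tlv(CTX8, tlv(SEQUENCE, IMPLICIT_CONFIRM))
# Layout of the original definition: [8] wraps every element instead.
TAG_ON_ELEMENT = tlv(SEQUENCE, tlv(CTX8, IMPLICIT_CONFIRM))

def parse_general_info(der: bytes) -> list:
    """Strict reader for the RFC 4210 layout; returns each infoType OID body as hex."""
    tag, wrapped, end = read_tlv(der)
    if tag != CTX8 or end != len(der):
        raise ValueError(f"expected [8] (0xa8) at offset 0, found 0x{tag:02x}")
    tag, items, end = read_tlv(wrapped)
    if tag != SEQUENCE or end != len(wrapped):
        raise ValueError("expected SEQUENCE OF inside [8]")
    oids, pos = [], 0
    while pos < len(items):
        tag, itav, pos = read_tlv(items, pos)
        if tag != SEQUENCE:
            raise ValueError(f"expected InfoTypeAndValue, found 0x{tag:02x}")
        oid_tag, oid, _ = read_tlv(itav)
        if oid_tag != OID:
            raise ValueError("infoType is not an OBJECT IDENTIFIER")
        oids.append(oid.hex())
    if not oids:
        raise ValueError("SIZE (1..MAX) violated: empty generalInfo")
    return oids

if __name__ == "__main__":
    print(TAG_ON_SEQUENCE_OF.hex(), parse_general_info(TAG_ON_SEQUENCE_OF), TAG_ON_ELEMENT.hex())
```

Both encodings are 18 bytes long and differ only in where `a8` sits, which is why a decoder built from one definition rejects messages produced under the other.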

@etingof
Owner

etingof commented Nov 11, 2019

Sorry for delayed response! Commit b61bbfa should have fixed that. If you could share a DER blob that verifies this piece, I'd add it to unit tests.

Thanks!

@ghost
Author

ghost commented Nov 13, 2019

No problem,
here is a little example as hex string.
The attached file contains the binary version.
(With implicit confirm)


cmp.tar.gz

@russhousley
Contributor

It seems that this repository is not being maintained any more. I have made recent additions to https://github.com/inexio/pyasn1-modules. I will make this change in that repository in the next couple of days.

@russhousley
Contributor

When I looked more carefully, it seems that Ilya did make this change, and it is also in https://github.com/inexio/pyasn1-modules. So, the change must have been made before the repository was cloned.
