weixin_40009026
2021-01-09 17:46

certificate.subject for certificate having numericstring values results in InternalError: Unknown OpenSSL error

I have a certificate in which some of the subject's fields (1.2.643.100.1 and 1.2.643.3.131.1.1) have the NUMERICSTRING value type, and when I try to get its subject property, cryptography raises an InternalError exception:


Python 2.7.6 (default, Mar 22 2014, 22:59:56) 
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import cryptography
>>> cryptography.__version__
'1.2.2'
>>> from cryptography import x509
>>> from cryptography.hazmat.backends import default_backend
>>> with open('example.der', 'rb') as f:
...     cert = x509.load_der_x509_certificate(f.read(), default_backend())
... 
>>> cert.subject
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File ".../lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/x509.py", line 324, in subject
    return _decode_x509_name(self._backend, subject)
  File ".../lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/x509.py", line 52, in _decode_x509_name
    attributes.append(_decode_x509_name_entry(backend, entry))
  File ".../lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/x509.py", line 42, in _decode_x509_name_entry
    value = backend._asn1_string_to_utf8(data)
  File ".../lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 2255, in _asn1_string_to_utf8
    self.openssl_assert(res >= 0)
  File ".../lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 719, in openssl_assert
    return binding._openssl_assert(self._lib, ok)
  File ".../lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 43, in _openssl_assert
    errors
cryptography.exceptions.InternalError: Unknown OpenSSL error. Please file an issue at https://github.com/pyca/cryptography/issues with information on how to reproduce this. ([])

It happens because OpenSSL's ASN1_STRING_to_UTF8 function does not handle the NUMERICSTRING type and returns -1, so cryptography fails. Maybe values with such types should be handled separately. Attachment: example.zip

This question comes from the open-source project: pyca/cryptography

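The failure reported above is that OpenSSL's ASN1_STRING_to_UTF8 has no conversion for NumericString, so the attribute never reaches Python as text. As an added example (Python 3, not code from pyca/cryptography or OpenSSL), here is a small DER decoder for an X.509 Name that maps each universal string tag to a decoder explicitly, NumericString included, and turns an unsupported tag into a ValueError naming the OID rather than an opaque internal error. The two attribute OIDs are the ones from the question; the digit strings, the other attribute values and all helper names are constructed for this example, and only universal tags with definite lengths are parsed, which is all a Name needs.

```python
# Added example (Python 3), not code from pyca/cryptography or OpenSSL.
# Decodes a DER X.509 Name directly so that NumericString values (tag 0x12),
# which OpenSSL's ASN1_STRING_to_UTF8 rejects, are handled explicitly.
# Only universal tags with definite lengths are parsed; that is all a Name needs.
# String types accepted as attribute values, keyed by universal tag.
_STRING_DECODERS = {
    0x12: lambda b: b.decode("ascii"),      # NumericString: digits and space only
    0x13: lambda b: b.decode("ascii"),      # PrintableString
    0x0C: lambda b: b.decode("utf-8"),      # UTF8String
    0x16: lambda b: b.decode("ascii"),      # IA5String
    0x1E: lambda b: b.decode("utf-16-be"),  # BMPString
}

def _read_tlv(data, pos):
    """Parse one tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    if pos + length > len(data):
        raise ValueError("DER length runs past end of data")
    return tag, data[pos:pos + length], pos + length

def _decode_oid(content):
    """OID content octets to dotted form, e.g. 1.2.643.100.1."""
    parts, value = [str(content[0] // 40), str(content[0] % 40)], 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # a clear high bit ends one base-128 arc
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def decode_name(der):
    """Return [(oid, text), ...] for Name ::= SEQUENCE OF SET OF AttributeTypeAndValue.
    Unsupported value types raise ValueError naming the OID and tag, not an opaque error."""
    tag, rdns, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(rdns):
        tag, rdn, pos = _read_tlv(rdns, pos)
        if tag != 0x31:
            raise ValueError("RelativeDistinguishedName must be a SET")
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _read_tlv(rdn, inner)
            _, oid_bytes, after_oid = _read_tlv(atv, 0)
            oid = _decode_oid(oid_bytes)
            val_tag, val_bytes, _ = _read_tlv(atv, after_oid)
            decoder = _STRING_DECODERS.get(val_tag)
            if decoder is None:
                raise ValueError("unsupported value tag 0x%02x for %s" % (val_tag, oid))
            text = decoder(val_bytes)
            if val_tag == 0x12 and not all(c.isdigit() or c == " " for c in text):
                raise ValueError("invalid NumericString for %s: %r" % (oid, text))
            result.append((oid, text))
    return result

def decode_error(der):
    """Return the ValueError message for der, or None if it decodes cleanly."""
    try:
        decode_name(der)
    except ValueError as exc:
        return str(exc)
    return None

# --- constructed sample Name (short-form lengths, so every content is < 128 bytes) ---
def _tlv(tag, content):
    return bytes([tag, len(content)]) + content

def _encode_oid(oid):
    nums = [int(n) for n in oid.split(".")]
    out = bytes([nums[0] * 40 + nums[1]])
    for n in nums[2:]:
        chunk = [n & 0x7F]  # base-128; only the last octet has the high bit clear
        n >>= 7
        while n:
            chunk.append((n & 0x7F) | 0x80)
            n >>= 7
        out += bytes(reversed(chunk))
    return out

def _atv(oid, tag, value):
    """One SET { SEQUENCE { OID, value } } entry of a Name."""
    return _tlv(0x31, _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + _tlv(tag, value)))

# Subject shaped like the one in the question: the two OIDs it names carried as
# NumericString. The digit values and the other attributes are made up.
SAMPLE_NAME = _tlv(0x30,
    _atv("2.5.4.6", 0x13, b"RU")
    + _atv("1.2.643.100.1", 0x12, b"1234567890123")
    + _atv("1.2.643.3.131.1.1", 0x12, b"007700000000")
    + _atv("2.5.4.3", 0x0C, "Пример".encode("utf-8")))
# Malformed variants: an OCTET STRING used as a value, and a NumericString with letters.
BAD_TAG_NAME = _tlv(0x30, _atv("2.5.4.3", 0x04, b"\x01\x02"))
BAD_DIGITS_NAME = _tlv(0x30, _atv("1.2.643.100.1", 0x12, b"12AB"))

if __name__ == "__main__":
    for oid, text in decode_name(SAMPLE_NAME):
        print(oid, repr(text))
    print(decode_error(BAD_TAG_NAME))
```

Run as a script it prints the four attributes and then the error message for the malformed name. The NumericString check rejects anything other than digits and spaces, which is the character set X.680 allows for that type, so a certificate carrying other characters under tag 0x12 is reported rather than silently decoded.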

6 answers

  • weixin_39828338, 4 months ago

    I think a reasonable first step here would be to fail with something other than InternalError.

    On Mon, Feb 15, 2016 at 11:08 AM, Paul Kehrer notifications.com wrote:

    These certs have more than a few properties that make them difficult to handle for our current backend. You've already noted the NUMERICSTRING problem, but they also use GOST, which is not a supported algorithm without the GOST engine in OpenSSL (so our statically linked binaries on OS X and Windows will not support this).

    — Reply to this email directly or view it on GitHub https://github.com/pyca/cryptography/issues/2724#issuecomment-184274508.

    "I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire) "The people's good is the highest law." -- Cicero GPG Key fingerprint: 125F 5C67 DFE9 4084

  • weixin_39828338, 4 months ago

    IMO we should close this and declare it "as fixed as it's ever going to get" -- I don't think we should hold out for GOST and all the other bizarre nonsense being in cryptography anytime soon.

  • weixin_39926191, 4 months ago

    I'm okay with saying this is as fixed as it's going to get barring someone contributing a PR that handles this better.

  • weixin_39828338, 4 months ago

    Here's the cert as a PEM, it's pretty bizarre in many respects:

    
    -----BEGIN CERTIFICATE-----
    MIIFGTCCBMigAwIBAgIQNGgeQMtB7zOpoLfIdpKaKTAIBgYqhQMCAgMwggFKMR4w
    HAYJKoZIhvcNAQkBFg9kaXRAbWluc3Z5YXoucnUxCzAJBgNVBAYTAlJVMRwwGgYD
    VQQIDBM3NyDQsy4g0JzQvtGB0LrQstCwMRUwEwYDVQQHDAzQnNC+0YHQutCy0LAx
    PzA9BgNVBAkMNjEyNTM3NSDQsy4g0JzQvtGB0LrQstCwLCDRg9C7LiDQotCy0LXR
    gNGB0LrQsNGPLCDQtC4gNzEsMCoGA1UECgwj0JzQuNC90LrQvtC80YHQstGP0LfR
    jCDQoNC+0YHRgdC40LgxGDAWBgUqhQNkARINMTA0NzcwMjAyNjcwMTEaMBgGCCqF
    AwOBAwEBEgwwMDc3MTA0NzQzNzUxQTA/BgNVBAMMONCT0L7Qu9C+0LLQvdC+0Lkg
    0YPQtNC+0YHRgtC+0LLQtdGA0Y/RjtGJ0LjQuSDRhtC10L3RgtGAMB4XDTEyMDcy
    MDEyMzExNFoXDTI3MDcxNzEyMzExNFowggFKMR4wHAYJKoZIhvcNAQkBFg9kaXRA
    bWluc3Z5YXoucnUxCzAJBgNVBAYTAlJVMRwwGgYDVQQIDBM3NyDQsy4g0JzQvtGB
    0LrQstCwMRUwEwYDVQQHDAzQnNC+0YHQutCy0LAxPzA9BgNVBAkMNjEyNTM3NSDQ
    sy4g0JzQvtGB0LrQstCwLCDRg9C7LiDQotCy0LXRgNGB0LrQsNGPLCDQtC4gNzEs
    MCoGA1UECgwj0JzQuNC90LrQvtC80YHQstGP0LfRjCDQoNC+0YHRgdC40LgxGDAW
    BgUqhQNkARINMTA0NzcwMjAyNjcwMTEaMBgGCCqFAwOBAwEBEgwwMDc3MTA0NzQz
    NzUxQTA/BgNVBAMMONCT0L7Qu9C+0LLQvdC+0Lkg0YPQtNC+0YHRgtC+0LLQtdGA
    0Y/RjtGJ0LjQuSDRhtC10L3RgtGAMGMwHAYGKoUDAgITMBIGByqFAwICIwEGByqF
    AwICHgEDQwAEQI+lv3kQI8jWka1kMVdbvpvFioP0Pyn3Knmp+2XD6KgPWnXEIlSR
    X8g/IYracDr51YsNc2KE3C7mkH6hA3M3ofujggGCMIIBfjCBxgYFKoUDZHAEgbww
    gbkMI9Cf0JDQmtCcIMKr0JrRgNC40L/RgtC+0J/RgNC+IEhTTcK7DCDQn9CQ0Jog
    wqvQk9C+0LvQvtCy0L3QvtC5INCj0KbCuww20JfQsNC60LvRjtGH0LXQvdC40LUg
    4oSWIDE0OS8zLzIvMi05OTkg0L7RgiAwNS4wNy4yMDEyDDjQl9Cw0LrQu9GO0YfQ
    tdC90LjQtSDihJYgMTQ5LzcvMS80LzItNjAzINC+0YIgMDYuMDcuMjAxMjAuBgUq
    hQNkbwQlDCPQn9CQ0JrQnCDCq9Ca0YDQuNC/0YLQvtCf0YDQviBIU03CuzBDBgNV
    HSAEPDA6MAgGBiqFA2RxATAIBgYqhQNkcQIwCAYGKoUDZHEDMAgGBiqFA2RxBDAI
    BgYqhQNkcQUwBgYEVR0gADAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB
    /zAdBgNVHQ4EFgQUi5g7iRhR6O+cAni46sjUILJVyV0wCAYGKoUDAgIDA0EA23Re
    ec/Y27rpMi+iFbgWCazGY3skBTq5ZGsQKOUxCe4mO7UBDACiWqdA0nvqiQMXeHgq
    o//fO9pxuIHtymwyMg==
    -----END CERTIFICATE-----
    
  • weixin_40009026, 4 months ago

    here you can find more such certificates: http://e-trust.gosuslugi.ru/MainCA

  • weixin_39926191, 4 months ago

    These certs have more than a few properties that make them difficult to handle for our current backend. You've already noted the NUMERICSTRING problem, but they also use GOST, which is not a supported algorithm without the GOST engine in OpenSSL (so our statically linked binaries on OS X and Windows will not support this).
