Project

General

Profile

Bug #12162

OpenSSL::PKCS7 seems to create broken objects (nested asn.1 error)

Added by wesoly_opos (Jarosław Górny) over 3 years ago. Updated about 3 years ago.

Status:
Third Party's Issue
Priority:
Normal
Assignee:
openssl
Target version:
-
ruby -v:
ruby 2.3.0p0 (2015-12-25 revision 53290) [x86_64-darwin15]
[ruby-core:74245]

Description

When trying to read previously created OpenSSL::PKCS7 object, it fails with 'nested asn.1 error'. Seems like object is broken.

Steps to reproduce:

  1. Generate x.509 certificate (either from CLI or in Ruby) and store it in OpenSSL::X509::Certificate object.
  2. Create new OpenSSL::PKCS7 object, set the 'type' attribute to ':signed'
  3. Add OpenSSL::X509::Certificate object to OpenSSL::PKCS7 object with #add_certificate() method
  4. Try to read back the object created in step '3' with: OpenSSL::PKCS7.new(pkcs7_obj.to_s)

Result:

ArgumentError: Could not parse the PKCS7: nested asn1 error
from (pry):8:in `initialize'

Expected result:
OpenSSL::PKCS7.new() should be able to read from previously created PKCS7 object (casted to string with #to_s method)

The session is attached to this ticket. It can be also found online: https://gist.github.com/jnahorny/9ccbb186c9f7c20c9f3e

note 1: I was able to reproduce this problem with ruby 2.2.x and latest head (2.4.0). On Linux too.
note 2: This code used to work when ruby was linked to openssl v 0.9.8.


Files

gistfile1.txt (4.35 KB) gistfile1.txt Example interactive session, where the error can be observed. wesoly_opos (Jarosław Górny), 03/09/2016 02:55 PM

Related issues

Has duplicate Ruby master - Bug #12794: Invalid ASN1 from OpenSSL::X509::RequestsRejectedActions

History

Updated by shyouhei (Shyouhei Urabe) over 3 years ago

  • Status changed from Open to Assigned
  • Assignee set to openssl

Updated by rhenium (Kazuki Yamaguchi) about 3 years ago

  • Status changed from Assigned to Third Party's Issue

The direct reason is that PKCS7#to_s returns a broken PEM. It looks like the behavior was changed in OpenSSL 1.0.1i:

https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=d70c0be4c1e33985a79d691786db72661fdfd057

But since the PKCS7 object is actually incomplete at that time you call PKCS7#to_s, I'm not sure whether if this is a bug or not.

#3

Updated by rhenium (Kazuki Yamaguchi) almost 3 years ago

  • Has duplicate Bug #12794: Invalid ASN1 from OpenSSL::X509::Requests added

Also available in: Atom PDF