CertificationRequestInfo Attributes should not be optional #189
Comments
I believe the Can you post the code you are using where you try to create a CRI with an empty set of attributes? It wouldn't surprise me if the
The following example I've cobbled together shows the issue:
Ran as is, it will create a CSR without the With the comment (line below I've also tried changing that line to: I've tried many variations on the above, and get nowhere.
This works: `cri['attributes'] = csr.CRIAttributes([])`
@joernheissler - thank you. Annoyingly, I didn't try that one! I've just confirmed with
I'm going to reopen this, as a record that we should find a way to parse the invalid encoding, but always generate the valid encoding. It may end up being we need to add a concept like
Those snippets run with

```python
#!/usr/bin/env python3
from base64 import b64decode, b64encode

from asn1crypto.csr import CertificationRequestInfo
from asn1crypto.keys import PublicKeyInfo
from asn1crypto.x509 import Name

# EC public key (SubjectPublicKeyInfo) used as the CSR subject key
pub = PublicKeyInfo.load(b64decode(
    "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4wKygiF54dF09fhqdWV8wgE8jD"
    "GjxDXQG0iW4UVv4e0jJn63lSz1QStNaG/QPcXuq35v3e9vjS+nZDU/+fR7Bw=="
))

cri = CertificationRequestInfo({
    "version": "v1",
    "subject": Name.build({"common_name": "foo"}),
    "subject_pk_info": pub,
    "attributes": [],
})

# Dump with attributes given as an empty list
print(b64encode(cri.dump(True)).decode())

# Dump again with attributes set to None
cri["attributes"] = None
print(b64encode(cri.dump(True)).decode())
```

```python
#!/usr/bin/env python3
from base64 import b64decode

from asn1crypto.csr import CertificationRequestInfo

# a: outer SEQUENCE length 0x6e, nothing after subjectPKInfo
a = CertificationRequestInfo.load(b64decode(
    "MG4CAQAwDjEMMAoGA1UEAwwDZm9vMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4wKygiF54dF0"
    "9fhqdWV8wgE8jDGjxDXQG0iW4UVv4e0jJn63lSz1QStNaG/QPcXuq35v3e9vjS+nZDU/+fR7Bw=="
))

# b: outer SEQUENCE length 0x70, ends with the two bytes a0 00
b = CertificationRequestInfo.load(b64decode(
    "MHACAQAwDjEMMAoGA1UEAwwDZm9vMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4wKygiF54dF0"
    "9fhqdWV8wgE8jDGjxDXQG0iW4UVv4e0jJn63lSz1QStNaG/QPcXuq35v3e9vjS+nZDU/+fR7B6AA"
))

print(a.native)
print(b.native)
```

Perhaps this
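Added example, not part of the comment above and not asn1crypto code: a standard-library DER walker that tells the two encodings apart by checking whether the `[0]` attributes element is absent or present with zero length. The function names are made up for this example; the base64 strings are the ones quoted in the snippet above.

```python
from base64 import b64decode

# The two CertificationRequestInfo encodings quoted in the comment above.
A_DER = b64decode(
    "MG4CAQAwDjEMMAoGA1UEAwwDZm9vMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4wKygiF54dF0"
    "9fhqdWV8wgE8jDGjxDXQG0iW4UVv4e0jJn63lSz1QStNaG/QPcXuq35v3e9vjS+nZDU/+fR7Bw=="
)
B_DER = b64decode(
    "MHACAQAwDjEMMAoGA1UEAwwDZm9vMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4wKygiF54dF0"
    "9fhqdWV8wgE8jDGjxDXQG0iW4UVv4e0jJn63lSz1QStNaG/QPcXuq35v3e9vjS+nZDU/+fR7B6AA"
)


def read_tlv(data, offset):
    """Return (tag, value, next_offset) for the DER TLV starting at offset."""
    if offset + 2 > len(data):
        raise ValueError("truncated TLV header")
    tag, length, pos = data[offset], data[offset + 1], offset + 2
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not handled here")
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(data):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("value runs past end of input")
    return tag, data[pos:pos + length], pos + length


def attributes_state(der):
    """Classify the [0] attributes field as 'omitted', 'empty' or 'present'."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, value, pos = read_tlv(body, pos)
        fields.append((t, value))
    # version INTEGER, subject SEQUENCE, subjectPKInfo SEQUENCE
    if [t for t, _ in fields[:3]] != [0x02, 0x30, 0x30] or len(fields) > 4:
        raise ValueError("not a CertificationRequestInfo layout")
    if len(fields) == 3:
        return "omitted"
    if fields[3][0] != 0xA0:  # [0] IMPLICIT SET OF: context class, constructed
        raise ValueError("unexpected fourth field")
    return "present" if fields[3][1] else "empty"
```

The only difference between the two inputs is the trailing `a0 00` in `b` and the outer length byte (`0x6e` versus `0x70`).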
The encoding from The one from
I think
Shows how much I remember of the nuance of ASN.1 encoding off of the top of my head.
'b' also aligns with the statement from OpenSSL's
Oh, wait, one is a correct encoding of the field omitted and the other is an empty set? It doesn't sound to me like Now, setting a field with the type There is clearly an issue that
I mean if I set
Can you provide some sample code that shows this? It honestly has been a while since I have done anything with ASN.1 serialization, and I may just be not thinking clearly. As far as I recall,
To further clarify:
Should read: "As far as I recall, it isn't used to validate that a field has been set when dumping."
Currently, within the `csr.py` module `CertificationRequestInfo` is defined as:

However, there is no mention in RFC 2986 of the `attributes` field being optional (as shown above). Also, OpenSSL's `req` has the following to say about it within its man pages under the `-asn1-kludge` option:

I currently cannot create a `CertificationRequestInfo` with an empty SET OF attributes. That is, I either have to leave it out (non-compliant) or add at least one attribute (which I don't need).