mirrors/ipxe
1
0
Fork 0
mirror of https://github.com/ipxe/ipxe.git synced 2025-08-06 22:57:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

[crypto] Switch to using python-asn1crypto instead of python-asn1

Browse Source 
Version 3.0.0 of python-asn1 has a serious defect that causes it to
generate invalid DER.

Fix by switching to the asn1crypto module, which also allows for
simpler code to be used.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
This commit is contained in:
Michael Brown 2025-04-11 12:36:45 +01:00
parent 7e64e9b670
commit 96dfaa7e7a
1 changed files with 23 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
contrib/crypto/cmsdetach
View File

@ -7,8 +7,9 @@ message into a separate file.
""" """
import argparse import argparse
from pathlib import Path
import asn1 from asn1crypto.cms import ContentInfo, AuthEnvelopedData, EnvelopedData
# Parse command-line arguments # Parse command-line arguments
# #
@ -16,64 +17,45 @@ parser = argparse.ArgumentParser(
description=__doc__, description=__doc__,
formatter_class=argparse.RawDescriptionHelpFormatter, formatter_class=argparse.RawDescriptionHelpFormatter,
) )
parser.add_argument("-d", "--data", metavar="FILE", parser.add_argument("-d", "--data", metavar="FILE", type=Path,
help="Write detached data (without envelope) to FILE") help="Write detached data (without envelope) to FILE")
parser.add_argument("-e", "--envelope", metavar="FILE", parser.add_argument("-e", "--envelope", metavar="FILE", type=Path,
help="Write envelope (without data) to FILE") help="Write envelope (without data) to FILE")
parser.add_argument("-o", "--overwrite", action="store_true", parser.add_argument("-o", "--overwrite", action="store_true",
help="Overwrite output files") help="Overwrite output files")
parser.add_argument("file", help="Input envelope file") parser.add_argument("file", type=Path, help="Input envelope file")
args = parser.parse_args() args = parser.parse_args()
if args.data is None and args.envelope is None: if args.data is None and args.envelope is None:
parser.error("at least one of --data and --envelope is required") parser.error("at least one of --data and --envelope is required")
outmode = "wb" if args.overwrite else "xb" outmode = "wb" if args.overwrite else "xb"
# Create decoder # Read input envelope
# #
decoder = asn1.Decoder() envelope = ContentInfo.load(args.file.read_bytes())
with open(args.file, mode="rb") as fh:
decoder.start(fh.read())
# Create encoder # Locate encrypted content info
# #
encoder = asn1.Encoder() content = envelope["content"]
encoder.start() if type(content) is AuthEnvelopedData:
encinfo = content["auth_encrypted_content_info"]
# Detach encrypted data elif type(content) is EnvelopedData:
# encinfo = content["encrypted_content_info"]
data = None else:
datastack = [
asn1.Numbers.Sequence, 0, asn1.Numbers.Sequence, asn1.Numbers.Sequence
]
stack = []
while stack or not decoder.eof():
tag = decoder.peek()
if tag is None:
encoder.leave()
decoder.leave()
stack.pop()
elif tag.typ == asn1.Types.Constructed:
encoder.enter(nr=tag.nr, cls=tag.cls)
decoder.enter()
stack.append(tag.nr)
else:
(tag, value) = decoder.read()
if stack == datastack and tag.nr == 0:
data = value
else:
encoder.write(value, nr=tag.nr, cls=tag.cls)
envelope = encoder.output()
if data is None:
parser.error("Input file does not contain any encrypted data") parser.error("Input file does not contain any encrypted data")
# Detach encrypted content data
#
data = encinfo["encrypted_content"]
del encinfo["encrypted_content"]
# Write envelope (without data), if applicable # Write envelope (without data), if applicable
# #
if args.envelope: if args.envelope:
with open(args.envelope, mode=outmode) as fh: with args.envelope.open(mode=outmode) as fh:
fh.write(envelope) fh.write(envelope.dump())
# Write data (without envelope), if applicable # Write data (without envelope), if applicable
# #
if args.data: if args.data:
with open(args.data, mode=outmode) as fh: with args.data.open(mode=outmode) as fh:
fh.write(data) fh.write(data.contents)