forge forge.pkcs7.messageFromPem stop working since 1.3.0 version

forge.pkcs7.messageFromPem stop working since 1.3.0 version

Open albertoinch opened this issue 2 years ago • 7 comments

I was using this function to decode a pem of pkcs#7, but from 1.3.0 version it's returning:

Unparsed DER bytes remain after ASN.1 parsing.

Best regards,

Apr 19 '22 17:04 albertoinch

Can you provide an example PEM file?

As you read in the changelog, there were changes to make things more strict to address some other serious vulnerabilities. Perhaps there were some unintended side effects for reasonable use cases. If you have an example with valid data that is failing, we'd like to see that so it can be fixed. There are flags to fromDer to disable that behavior you see. You could try adding those to the call in messageFromPem and see what happens. If there are good use cases to start bubbling up low level flags, we could do that. But I'm afraid that might start covering up bugs due to bad data. I'm not sure what the best way to handle that is.

Apr 19 '22 19:04 davidlehn

Well, I extracted it from pdf signed with acrobat reader.

I put an example:

Apr 21 '22 19:04 albertoinch

Thanks. 2647 bytes of data and 896 trailing zeros. Looking at the PEM RFC 7468, I see the contents are BER, not DER, so things like trailing useless data are, I think, acceptable. I'm guessing that's for some sort of padding, who knows. They do have an appendix that basically says to use DER, which I suppose most tools do. openssl trying to convert that input back to PEM just drops the zeros.

So I'm guessing everywhere the code calls fromDer on PEM data is a bit misnamed, and the new strict by default mode isn't correct. Changing it to asn1.fromDer(msg.body, {parseAllBytes: false}) will fix the issue here.

I'll make a patch soon and try to address this for all the related cases.

Apr 21 '22 21:04 davidlehn

Patch available in https://github.com/digitalbazaar/forge/pull/977. Still pondering if that's the best approach. Will release something soon.

Apr 22 '22 00:04 davidlehn

Thanks, I really appreciate your help.

Apr 22 '22 14:04 albertoinch

I'm encountering this error when parsing receipts from Apple's App Attest service.

Dec 20 '23 11:12 DePasqualeOrg

@davidlehn run into this parsing problem, when parsing padded DER data from a smart cards EF.ATR file which looked like this:

e01102020809020300800202020809020208095f520c806605444549444d739621f3d003040600d2104445494658534c433332474441040000d310444549444d4d4843475f473232020206d410444549444d4548435f39303030030005d610444549444d50565656352e3030010000cf15cfcfcfcfcfcfcfcfcfcfcfcfcfcfcfcfcfcfcfcfcf

Adding { parseAllBytes: false } fixed the error and I could parse the values.

One minor issue in typescript though: The definition file is not up to date with the current node-force function signatures.

Feb 29 '24 14:02 pke

forge forge copied to clipboard

forge.pkcs7.messageFromPem stop working since 1.3.0 version

forge
forge copied to clipboard