picky-rs
Test failures on CTL parsing
The following tests started failing:
x509::pkcs7::authenticode::test::full_validation_authenticode_signature_with_well_known_ca
x509::pkcs7::authenticode::test::full_validation_self_signed_authenticode_signature
x509::pkcs7::authenticode::test::full_validation_self_signed_authenticode_signature_with_only_leaf_certificate
x509::pkcs7::authenticode::test::full_validation_self_signed_authenticode_signature_with_root_and_leaf_certificate
x509::pkcs7::authenticode::test::self_signed_authenticode_signature_validation_against_ctl
x509::pkcs7::authenticode::test::self_signed_authenticode_signature_validation_against_ctl_with_excluded_ca_certificate
x509::pkcs7::authenticode::test::self_signed_authenticode_signature_validation_against_ctl_with_excluded_not_existing_ca_certificate
x509::pkcs7::ctl::tests::create_ctl
In all cases, the error is
panicked at 'called Result::unwrap() on an Err value: FailedToParseCtl(Cert(Asn1Deserialization { element: "pkcs7 certificate", source: InvalidData }))',
No commit in picky-rs can explain the regression; it's likely that something changed in Microsoft's serialized trust list. Although it's possible, I doubt the file is broken (it's used by Windows Update to update Windows' root certificates). Something in the current file is causing picky to choke.
As an interim measure, the tests were disabled in #256.
This makes the way to verify a signature against a user-provided CA cert (https://github.com/Devolutions/picky-rs/issues/214) invalid :(, maybe it's better to separate the verify logic from the CTL pathway
Hi @pkking
I don’t remember very well how this part of the codebase is implemented. I think you may know better than me. If you have a way of testing this, and can suggest a better API, we would welcome PRs for improving all of that! :)