endesive icon indicating copy to clipboard operation
endesive copied to clipboard

Published 20 hours ago verified publisher icon m32

Load method not working, dont know exactly what is causing issue.

Open nolanding opened this issue 4 years ago • 20 comments

ValueError: Error parsing asn1crypto.cms.ContentInfo - method should have been constructed, but primitive was found

nolanding avatar Feb 03 '21 11:02 nolanding

traceback ? some more info ?

m32 avatar Feb 03 '21 11:02 m32

/my_drive/pdf_signature/venv/bin/python /my_drive/pdf_signature/pdf_sign_verification.py Traceback (most recent call last): File "/my_drive/pdf_signature/pdf_sign_verification.py", line 164, in raise e File "/my_drive/pdf_signature/pdf_sign_verification.py", line 159, in data = pdf.verify(f.read()) File "/my_drive/pdf_signature/venv/lib/python3.9/site-packages/endesive/pdf/verify.py", line 17, in verify return verifier.verify(bcontents, signedData, certs) File "/my_drive/pdf_signature/venv/lib/python3.9/site-packages/endesive/verifier.py", line 116, in verify return cls.verify(datas, datau) File "/my_drive/pdf_signature/venv/lib/python3.9/site-packages/endesive/verifier.py", line 42, in verify signed_data = cms.ContentInfo.load(datas)['content'] File "/my_drive/pdf_signature/venv/lib/python3.9/site-packages/asn1crypto/core.py", line 230, in load signature is not present value, _ = _parse_build(encoded_data, spec=spec, spec_params=kwargs, strict=strict) File "/my_drive/pdf_signature/venv/lib/python3.9/site-packages/asn1crypto/core.py", line 5672, in _parse_build return (_build(*info, spec=spec, spec_params=spec_params), new_pointer) File "/my_drive/pdf_signature/venv/lib/python3.9/site-packages/asn1crypto/core.py", line 5551, in _build raise ValueError(unwrap( ValueError: Error parsing asn1crypto.cms.ContentInfo - method should have been constructed, but primitive was found

nolanding avatar Feb 03 '21 12:02 nolanding

Please share signed and unsigned pdf document.

m32 avatar Feb 03 '21 12:02 m32

I only have signed pdf.

On Wed, Feb 3, 2021 at 5:41 PM Grzegorz Makarewicz [email protected] wrote:

Please share signed and unsigned pdf document.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/m32/endesive/issues/87#issuecomment-772462677, or unsubscribe https://github.com/notifications/unsubscribe-auth/AFCRRAG3RWUEX7ZFQR2TZPLS5E4OXANCNFSM4XAVMB3A .

nolanding avatar Feb 03 '21 12:02 nolanding

ok

m32 avatar Feb 03 '21 13:02 m32

Did you get why I was facing the issue?

nolanding avatar Feb 05 '21 05:02 nolanding

How do you think I can find out where the problem is? I don't have a pdf document, I don't know your code - traceback alone is not enough information. Use the examples, there is a pdf-verify.py file, does it work for you?

m32 avatar Feb 05 '21 09:02 m32

I shared the signed document with you. Using only pdf.verify function I was trying to get if my signature is valid or not. I'm unable to follow the error message which I'm getting. For the given examples I tried few it worked for me. Can you suggest me some changes in pdf which I should try to get more insight of the error which I'm getting.

On Fri, 5 Feb, 2021, 2:52 pm Grzegorz Makarewicz, [email protected] wrote:

How do you think I can find out where the problem is? I don't have a pdf document, I don't know your code - traceback alone is not enough information. Use the examples, there is a pdf-verify.py file, does it work for you?

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/m32/endesive/issues/87#issuecomment-773907201, or unsubscribe https://github.com/notifications/unsubscribe-auth/AFCRRAFCYEBGKAA262JAKT3S5O2HHANCNFSM4XAVMB3A .

nolanding avatar Feb 05 '21 11:02 nolanding

I don't see any link to the pdf file in this conversation.

There are different ways to sign a pdf file, endesive only uses one of them. Without a pdf file, I can't say anything about the reason, and from what I can see there is practically nothing: File "/my_drive/pdf_signature/venv/lib/python3.9/site-packages/asn1crypto/core.py", line 230, load signature is not present

m32 avatar Feb 05 '21 11:02 m32

The above message was from exception, which I wrote to handle the error. Please find attached file,I was actually using mails. sample09.pdf

nolanding avatar Feb 05 '21 15:02 nolanding

I was wrong. The document is signed with a root certificate. I think this is not a normal situation, but will add some code to check this situation.

m32 avatar Feb 05 '21 15:02 m32

Thanks for the update. Can you tell what was error actually about, then I'll also be able to work around to solve it and cover other cases.

nolanding avatar Feb 05 '21 16:02 nolanding

/Contents <0481807645e70c3eabeb4bc186b806e373710f05caecadf75cf18118c90cf345a0aee0865715eeef868930668d98115dbf71fcad9789852e8db876b5cc26be41f3f00a39c7688cfceb08d88d4821dc703206dfdfce939a6664 c4e5b7921633285749c1be4ca60bb3f495cb23d44b7b2fb735e7cb8c8079638445622d52964d8eb9803c>/SubFilter/adbe.x509.rsa_sha1/Location(Sign Location / city)/ByteRange [0 30700 30964 181761 ]

According to the pdf documentation, Contents should be cms.ContentInfo but here is asncrypto.core.OctetString. From my point of view, this is some strange case that I don't want to spend any time on. If you have an idea how to read it, I am waiting for PR.

<</Reference[<</Data 13 0 R/Type/SigRef/TransformParams<</Type/TransformParams/V/1.2/P 1>>/DigestMethod/MD5/DigestLocation[0 0]/DigestValue(aa)/TransformMethod/DocMDP>>]/Type/Sig/Name(Alice) /M(D:20091004152818+05'00')/Cert(.....CERT IS HERE...)

m32 avatar Feb 05 '21 16:02 m32

Ideally /SubFilter has value /adbe.pkcs7.detached but in this case /SubFilter/adbe.x509.rsa_sha1 Will assert this in code Probably this Contents is only SHA1(document), and signature is elsewhere (in xml ?). Just another uncommon case of signatures in pdf.

m32 avatar Feb 05 '21 16:02 m32

All the government signed PDFs here in Austria give me this error. Any idea on how I can verify such a PDF?

Filter: Adobe.PPKLite
SubFilter: adbe.x509.rsa_sha1

panzi avatar Jul 29 '21 20:07 panzi

@panzi There is no single method of saving a signature in pdf documents, so there is no single method to verify them. If the situation repeats, maybe it is worth adding it to the endesive code - it will be useful to you, maybe others too.

m32 avatar Jul 30 '21 09:07 m32

The situation does repeat in as much all PDFs signed by any Austrian government agency seem to be signed that way. I managed to write my own hacky verifier (that only supports these kinds of PDFs) now, though. I hope I did everything right, i.e. don't have any vulnerabilities.

panzi avatar Jul 30 '21 13:07 panzi

Add a signature verification test, and if all tests pass successfully, we can add your code to endesive.

m32 avatar Jul 30 '21 19:07 m32

Well, the document(s) that I have to validate are confidential (health stuff), so I don't know how to write a test that can be publicly shared for that.

panzi avatar Jul 30 '21 23:07 panzi

Cut confidential data and send it to me (e.g. e-mail) - the document will not be legible or verifiable, but I will be able to see where and how the signature information is written. This will give me a chance to write a program.

m32 avatar Aug 15 '21 09:08 m32

The old ways of signing are not supported by endesive, adbe.x509.rsa_sha1 is just that. Out of curiosity I added the script: pdf-verify-rsa_sha1.py, it only works for the simplest case DigestLocation = [0 0], DigestValue = 'aa'

m32 avatar Oct 09 '22 22:10 m32