Remove BER in PKCS#7 and PKCS#12
Starting in 45.0.0, we emit warnings on PKCS#7/PKCS#12 that are parsed by OpenSSL but not by our own DER parser. We are now in the "waiting to see how many people file issues" phase.
Once a sufficient period of time/low issue volume has been established, we will remove the OpenSSL codepaths entirely.
Trackers for filed issues
PKCS#7
- [ ] Australian Taxation Office
- [ ] Sectigo (Invalid SET ordering)
- [ ] Microsoft ActiveDirectory Certificate Services CA (Invalid SET ordering)
- [ ] ...
PKCS#12
- [ ] Apple Pay Payment Token (https://github.com/pyca/cryptography/issues/13034)
- [ ] ...
I trigger the BER warning when parsing a PKCS#7 response in my application, which integrates with the Australian Government’s digital identity system (myID), administered by the Australian Taxation Office (ATO). Certificates are issued by the ATO Certificate Authority: http://pki.ato.gov.au/policy/ca.html.
@eidorb Thank you for reporting this. Is there a PKCS#7 structure that you can share publicly with us, or do they contain PII? Are you able to report this to the Australian Government, or do you need our assistance?
@alex, see the snippet below (no PII, just UUID).
I don't fully understand the issue to be reported -- can you explain or point to a doc explaining the issue? Is it an issue only for users of the cryptography library going forward, or does it pose a risk to the issuing CA? Are we talking about a MITM exploiting BER to execute arbitrary code during parsing?
```python
import base64

from cryptography import x509
from cryptography.hazmat.primitives.serialization import pkcs7
from pydantic import BaseModel


class CertificateResponse(BaseModel):
    id: int
    p7: str
    p10: str
    credentialToken: str
    links: list[dict[str, str]]

    def decode_certificate_chain(self) -> list[x509.Certificate]:
        """Returns certificate chain contained in `p7` field.

        >>> certificate = CertificateResponse(id=0, p7="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", p10="...", credentialToken="...", links=[{"...": "..."}])
        >>> certificates = certificate.decode_certificate_chain()
        >>> certificates
        [<Certificate(subject=<Name(C=AU,O=mygovid.gov.au,CN=poi id,2.5.4.46=6a4aba42-b897-4478-b983-678f2bad1821)>, ...)>, <Certificate(subject=<Name(C=AU,O=Australian Taxation Office,OU=Certification Authority,CN=ATO Sub Certification Authority)>, ...)>, <Certificate(subject=<Name(C=AU,O=Australian Taxation Office,OU=Certification Authority,CN=ATO Root Certification Authority)>, ...)>]
        """
        return pkcs7.load_der_pkcs7_certificates(base64.standard_b64decode(self.p7))
```
The concern here is that it requires us to retain a BER parser. Basically every modern cryptographic protocol uses DER (which is a subset of BER and is more rigid).
In our case, we have a Rust (memory safe) DER parser, and rely on OpenSSL (memory unsafe) for BER parsing. We'd like to migrate PKCS#7 to our Rust DER parser, but can't do that as long as we need to support BER. There's no particular risk to the issuer here, but we think most folks will want to do the right thing and just use DER -- there's no real reason not to.
Looks like in this case the issue is that they use indefinite length encodings.
Understood. I will attempt to communicate with the abyss as a courtesy, explaining the above. It may be a simple checkbox or flag in their system's configuration. As mentioned in the other issue, DER is a strict subset of BER, so there should not be compatibility issues for existing consumers. It just makes sense.
Thank you! I'll also see if I can find a contact at the ATO.
@vteague do you have a contact who would be across ATO's PKI/myID infra?
myID's list of third party licenses indicates probable use of .NET cryptography libraries. It should certainly support DER, and as mentioned above, compatibility issues should be minimal due to DER being a more rigid subset of BER.
(PS: Apologies for tagging you without any context whatsoever 🙇)
+1 for the Apple Pay use case.
> pkcs7.load_der_pkcs7_certificates(data)
UserWarning: PKCS#7 certificates could not be parsed as DER, falling back to parsing as BER. Please file an issue at https://github.com/pyca/cryptography/issues explaining how your PKCS#7 certificates were created. In the future, this may become an exception.
I also had the case with a PKCS#7 S/MIME certificate generated today from Sectigo.
Here is the log:
```text
[07/Oct/2025 11:19:54: WARNING/ForkPoolWorker-1] /app/main/certificates_helpers.py:64: UserWarning: PKCS#7 certificates could not be parsed as DER, falling back to parsing as BER. Please file an issue at https://github.com/pyca/cryptography/issues explaining how your PKCS#7 certificates were created. In the future, this may become an exception.
  certs = pkcs7.load_pem_pkcs7_certificates(pkcs7_cert.encode("utf-8"))
```
Are you able to share the PKCS#7 module so we can clearly report the issue to Sectigo?
I'm not sure how to get the module from my PKCS#7 file? (I have access to openssl CLI)
I'm asking if you can upload the PKCS#7 file that produces this warning.
Ah okay sorry I thought it was only a part of the certificate.
Here is a dummy one generated just now:
-----BEGIN PKCS7-----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-----END PKCS7-----
Thanks -- the issue here is that certificates is supposed to be a SET but the values here are not in lexicographic order. I'll report this to Sectigo. Thank you for the detailed report.
Rob from Sectigo here. Thanks for the report, @alex and @joachimBurket. I'll see what I can do to fix our PKCS#7 DER-encoder.
Thanks @robstradling! We appreciate it!
@eidorb I'm sorry for not noticing this thread earlier - no unfortunately I don't have any contacts in the ATO. Did you find anyone? Reporting problems to AusGov is always a challenge, but usually if you can guess your way through the options here https://www.cyber.gov.au/report-and-recover/report there's a possibility it will be read by someone who can pass on the information to where it is needed.
Hi All,
I'm also receiving the UserWarning when attempting to parse a PKCS#7 payload returned by a Microsoft ActiveDirectory Certificate Services CA (Windows Server 2022 Standard - build 21H2). The CA also erroneously returns the PKCS#7 in a `-----BEGIN CERTIFICATE-----` PEM block (bum bum bah bum....), but that's for another story. After string-replacing the BEGIN/END CERTIFICATE with the appropriate BEGIN/END PKCS7, the UserWarning is generated.
Here's the PKCS#7 data:
-----BEGIN PKCS7-----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-----END PKCS7-----
Thank you in advance for any (if any) insight!
edit: I forgot to include this is encountered when requesting the "chain of authority" endpoint: https://hostname.domain.tld/certsrv/certnew.p7b?ReqID=CACert&Renewal=1&Enc=b64
Looks like this is the same issue as with the Sectigo certs -- the SET is not correctly ordered.
@alex, this is probably not the place/forum for it, but is there a guide or a way you were able to tell that so quickly? I've used `openssl pkcs7 -noout -print` to view what appears to be the structure/contents of the PKCS#7 data, but obviously I didn't catch what you did.
I hacked up cryptography to show me the specific error instead of just a generic warning -- I'll try to land something that includes this in the warning.
Unfortunately, GeoTrust (by DigiCert) certificates throw this warning as well.
How do I validate if it's due to the ordering of SET?
cryptography main (since https://github.com/pyca/cryptography/commit/f5802fe7e08774cb8f8d80ede396de91efb1afca) now includes more details in the warning -- if you're able to build on main it should provide information. Or if you can share the PKCS#7 bundle I can verify.
Perfect, thanks for the advice. As expected:
```text
Error details: ValueError: error parsing asn1 value: ParseError { kind: InvalidSetOrdering, location: ["ContentInfo::content", "SignedData::certificates", 1] }
```
Awesome -- if you're able to report that to DigiCert it'd be great!
I've encountered this with S/MIME (smime.p7s) generated by Outlook (Classic). The .p7s contains "DigiCert Assured ID Root G2", "DigiCert Assured G2 SMIME RSA4096 SHA384 2024 CA1" and one personal certificate under that CA.
Using latest master (https://github.com/pyca/cryptography/commit/50c9a7c2428c8b2f63b027616790895fbb673c39) it gives the following error:
```text
ValueError: error parsing asn1 value: ParseError { kind: InvalidLength }
```
The fallback works.
Looking into this more it seems like Outlook S/MIME signing outputs a PKCS#7 structure with indefinite length EncapsulatedContentInfo even if no eContent is used in the SEQUENCE.
The CMS RFC says the following:
> Signed attributes and authenticated attributes are the only data types used in the CMS that require DER encoding.
The section about EncapsulatedContentInfo says:
> The content is represented in the type EncapsulatedContentInfo. eContentType is an object identifier. The object identifier uniquely specifies the content type. eContent is the content itself, carried as an octet string. The eContent need not be DER encoded.
While it is somewhat lazy that Outlook doesn't use definite lengths on .p7s S/MIME signatures (with no eContent), it seems to be correct based on the CMS RFC. Which means that if cryptography removes BER fallback it will likely make S/MIME PKCS#7 very annoying to handle. Even if it's for example just to read the certificates within.
Having a memory-safe fallback BER parser would keep this use-case functional.
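Added example (not cryptography's own code): a small stand-alone BER/DER walker that answers the "how do I validate if it's due to the ordering of SET?" question and also flags the indefinite-length encodings seen in the Outlook S/MIME case, so a bundle can be checked before reporting it to the issuer. It assumes low-tag-number tags only (enough for PKCS#7 structures) and uses constructed toy inputs rather than a real bundle.

```python
import base64

def _read_header(data, off):
    tag, first, off = data[off], data[off + 1], off + 2  # low-tag-number tags only
    if first == 0x80:                                    # 0x80 means indefinite length (BER only)
        return tag, None, off
    if first & 0x80:                                     # long form: next n bytes carry the length
        n = first & 0x7F
        return tag, int.from_bytes(data[off:off + n], "big"), off + n
    return tag, first, off

def _parse(data, off, path, problems):
    """Parse one TLV at `off`, appending DER violations to `problems`; returns its end offset."""
    tag, length, body = _read_header(data, off)
    here, children = f"{path}/{tag:02x}", []
    if length is None:
        problems.append(f"{here}: indefinite length")
        pos = body
        while data[pos:pos + 2] != b"\x00\x00":           # children until end-of-contents octets
            end = _parse(data, pos, here, problems)
            children.append(data[pos:end])
            pos = end
        end = pos + 2
    else:
        end = body + length
        pos = body if tag & 0x20 else end                # only constructed types have children
        while pos < end:
            child_end = _parse(data, pos, here, problems)
            children.append(data[pos:child_end])
            pos = child_end
        if pos != end:
            raise ValueError(f"{here}: child element overruns its parent")
    # DER requires SET / SET OF members sorted by their full encodings (X.690 11.6)
    if tag == 0x31 and children != sorted(children):
        problems.append(f"{here}: SET elements not in DER order")
    return end

def find_der_violations(blob):
    """Takes DER bytes or a PEM PKCS7 block; returns the BER-only constructs found (empty = DER)."""
    if blob.lstrip().startswith(b"-----BEGIN"):
        blob = base64.b64decode(b"".join(l for l in blob.splitlines() if not l.startswith(b"-----")))
    problems = []
    if _parse(blob, 0, "", problems) != len(blob):
        problems.append("trailing bytes after outer element")
    return problems

# Constructed toy inputs (not real PKCS#7): mis-ordered SET OF {INTEGER 2, INTEGER 1} plus an indefinite-length SEQUENCE, versus a clean DER SET OF
SAMPLE_BAD = bytes.fromhex("300f" "3106020102020101" "30800401410000")
SAMPLE_GOOD = bytes.fromhex("3008" "3106020101020102")
SAMPLE_BAD_PEM = b"-----BEGIN PKCS7-----\n" + base64.encodebytes(SAMPLE_BAD) + b"-----END PKCS7-----\n"
```

Each reported path is a chain of tag bytes from the outer element (0x30 SEQUENCE, 0x31 SET, 0xa0 context tag [0]), which is enough to locate the offending element in `openssl asn1parse` output.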