
TimeStampResp error when policy is not supported #286

Open
ricardo-reis-1970 opened this issue Jan 9, 2025 · 0 comments

Comments

@ricardo-reis-1970

Just to be sure, this is a question about asn1crypto, not openssl. I'm using asn1crypto 1.5.1 (latest).

Setup

I created a couple of requests and replies with openssl:

openssl ts -query -data 10_Visuals.pdf -no_nonce -out req.tsq
openssl ts -reply -config x509.cnf -queryfile req.tsq -out req.tsr
openssl ts -query -data 10_Visuals.pdf -no_nonce -tspolicy 2.16.756.1.89 -out reqpol.tsq
openssl ts -reply -config x509.cnf -queryfile reqpol.tsq -out reqpol.tsr

The config file was this:

[ server ]
basicConstraints = CA:TRUE, pathlen:0
extendedKeyUsage = critical, timeStamping

[ tsa ]
default_tsa = tsa_config

[ tsa_config ]
dir              = .
serial           = $dir/serial
crypto_device    = builtin
signer_cert      = $dir/tsa.crt
signer_digest    = SHA256
signer_key       = $dir/tsa.key
default_policy   = 2.16.756.1.17
digests          = sha256
accuracy         = secs:1, millisecs:500, microsecs:100
ordering         = yes
tsa_name         = yes

And this is the file to be timestamped, just for good measure:
10_Visuals.pdf

Here are the openssl verifications:

$ openssl ts -verify -queryfile req.tsq -in req.tsr -CAfile ca.crt -untrusted tsa.crt
Using configuration from /etc/ssl/openssl.cnf
Verification: OK

$ openssl ts -verify -config x509.cnf -queryfile reqpol.tsq -in reqpol.tsr -CAfile ca.crt -untrusted tsa.crt
Using configuration from x509.cnf
Verification: FAILED
40C739B922740000:error:1780006B:time stamp routines:ts_check_status_info:no time stamp token:../crypto/ts/ts_rsp_verify.c:390:status code: rejection, status text: Requested policy is not supported., failure codes: unacceptedPolicy

So, the verification failed, but this is an operational error, not a bug. The response file reqpol.tsr is fully legitimate according to RFC3161.

asn1crypto

Now I had these 4 files and I loaded them with the appropriate loaders:

  • asn1crypto.tsp.TimeStampReq.load for the requests
  • asn1crypto.tsp.TimeStampResp.load for the replies

No errors were issued at this point.

I can get the native of the query:

# reqpol.tsq
>>> reqpoltsq.native
{
  'version': 'v1',
  'message_imprint': {
    'hash_algorithm': {
      'algorithm': 'sha256',
      'parameters': None,
    },
    'hashed_message': b"\xfc\xca\x01rs\xc3'\x9c9\x0cK\x84\x87C{\x15\nZIj\x06e\xe5\xb7B\xf1\x1b\x81\xeaT\x91\xe2",
  },
  'req_policy': '2.16.756.1.89',
  'nonce': None,
  'cert_req': False,
  'extensions': None,
}

However, when I try and visualize the failed response, I get an error:

# reqpol.tsr
>>> reqpoltsr.native
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/path/to/.venv/lib/python3.12/site-packages/asn1crypto/core.py", line 4053, in native
    self._parse_children(recurse=True)
  File "/path/to/.venv/lib/python3.12/site-packages/asn1crypto/core.py", line 3997, in _parse_children
    raise e
  File "/path/to/.venv/lib/python3.12/site-packages/asn1crypto/core.py", line 3985, in _parse_children
    raise ValueError(unwrap(
ValueError: Field "time_stamp_token" is missing from structure
    while parsing asn1crypto.tsp.TimeStampResp

I cannot even access its status field:

>>> reqpoltsr['status']
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/path/to/.venv/lib/python3.12/site-packages/asn1crypto/core.py", line 3516, in __getitem__
    self._parse_children()
  File "/path/to/.venv/lib/python3.12/site-packages/asn1crypto/core.py", line 3997, in _parse_children
    raise e
  File "/path/to/.venv/lib/python3.12/site-packages/asn1crypto/core.py", line 3985, in _parse_children
    raise ValueError(unwrap(
ValueError: Field "time_stamp_token" is missing from structure
    while parsing asn1crypto.tsp.TimeStampResp

So, I'm trying to access one field and it complains that the other field is missing.

I believe this should not happen, because RFC 3161 defines:

TimeStampResp ::= SEQUENCE {
  status                   PKIStatusInfo,
  timeStampToken           TimeStampToken      OPTIONAL  }

and further states:

When the TimeStampToken is not present, the failInfo indicates the
reason why the time-stamp request was rejected and may be one of the
following values.

So, an error condition is transmitted to the client as a legitimate response, but the client cannot read it, because the library is raising an exception.

Suggestion (almost a pull request...)

I believe that the issue lies in asn1crypto/tsp.py, lines 156-160:

class TimeStampResp(Sequence):
    _fields = [
        ('status', PKIStatusInfo),
        ('time_stamp_token', ContentInfo),
    ]

Particularly, line 159 should read:

        ('time_stamp_token', ContentInfo, {'optional': True}),

In fact, I introduced this change in tsp.py, and now I have:

>>> reqpoltsr['status']
<asn1crypto.tsp.PKIStatusInfo 131359013820016 b'0.\x02\x01\x020$\x0c"Requested policy is not supported.\x03\x03\x00\x00\x01'>
>>> reqpoltsr['time_stamp_token']
<asn1crypto.core.Void 131359040865872 b''>
>>> reqpoltsr.native
{
  'status': {
    'status': 'rejection',
    'status_string': [
      'Requested policy is not supported.',
    ],
    'fail_info': {
      'unaccepted_policy',
    },
  },
  'time_stamp_token': None,
}
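The structure the issue describes, as an added example that is neither the issue author's nor asn1crypto's code: a small pure-Python DER walk over a rejected TimeStampResp, showing that the PKIStatusInfo alone carries the rejection reason and that the timeStampToken must be treated as optional. It assumes only the PKIStatusInfo bytes shown above, wrapped in a constructed outer SEQUENCE.

```python
# Added example (not asn1crypto code): a minimal DER walk over an RFC 3161
# TimeStampResp whose timeStampToken is absent, as in the rejected reply above.
PKI_STATUS = {0: "granted", 1: "granted_with_mods", 2: "rejection", 3: "waiting",
              4: "revocation_warning", 5: "revocation_notification"}
PKI_FAILURE = {0: "bad_alg", 2: "bad_request", 5: "bad_data_format",  # RFC 3161 2.4.2
               14: "time_not_available", 15: "unaccepted_policy", 16: "unaccepted_extension",
               17: "add_info_not_available", 25: "system_failure"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos (short or long length)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_status_info(der):
    """PKIStatusInfo ::= SEQUENCE { status, statusString OPTIONAL, failInfo OPTIONAL }."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("PKIStatusInfo must be a SEQUENCE")
    _, status, pos = read_tlv(body, 0)                  # INTEGER PKIStatus
    info = {"status": PKI_STATUS.get(int.from_bytes(status, "big"), "unknown"),
            "status_string": [], "fail_info": set()}
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == 0x30:                                 # PKIFreeText: SEQUENCE OF UTF8String
            p = 0
            while p < len(val):
                _, text, p = read_tlv(val, p)
                info["status_string"].append(text.decode("utf-8"))
        elif tag == 0x03:                               # PKIFailureInfo BIT STRING
            unused, bits = val[0], val[1:]
            for i in range(len(bits) * 8 - unused):     # bit 0 is the MSB of bits[0]
                if bits[i // 8] >> (7 - i % 8) & 1:
                    info["fail_info"].add(PKI_FAILURE.get(i, "bit%d" % i))
    return info

def parse_time_stamp_resp(der):
    """TimeStampResp ::= SEQUENCE { status PKIStatusInfo, timeStampToken OPTIONAL }."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("TimeStampResp must be a SEQUENCE")
    _, _, end = read_tlv(body, 0)                       # extent of the status element
    # The token (a CMS ContentInfo) is kept as raw DER; it is None on rejection.
    return {"status": parse_status_info(body[:end]), "time_stamp_token": body[end:] or None}

# Constructed sample: the PKIStatusInfo bytes shown in the issue, wrapped in the outer
# TimeStampResp SEQUENCE (tag 0x30, length 48) with no timeStampToken after it.
STATUS_DER = b'0.\x02\x01\x020$\x0c"Requested policy is not supported.\x03\x03\x00\x00\x01'
REJECTED_TSR = b"\x30\x30" + STATUS_DER
```

A client should read the status first and only expect a token when the status is granted or granted_with_mods; a parser that requires the token before exposing the status hides exactly the rejection reason the TSA sent.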