forge.pkcs7.messageFromPem stop working since 1.3.0 version #975

albertoinch · 2022-04-19T17:44:27Z

I was using this function to decode a pem of pkcs#7, but from 1.3.0 version it's returning:

Unparsed DER bytes remain after ASN.1 parsing.

Best regards,

davidlehn · 2022-04-19T19:24:07Z

Can you provide an example PEM file?

As you read in the changelog, there were changes to make things more strict to address some other serious vulnerabilities. Perhaps there were some unintended side effects for reasonable use cases. If you have an example with valid data that is failing, we'd like to see that so it can be fixed. There are flags to fromDer to disable that behavior you see. You could try adding those to the call in messageFromPem and see what happens. If there are good use cases to start bubbling up low level flags, we could do that. But I'm afraid that might start covering up bugs due to bad data. I'm not sure what the best way to handle that is.

albertoinch · 2022-04-21T19:36:35Z

Well, I extracted it from pdf signed with acrobat reader.

I put an example:

davidlehn · 2022-04-21T21:55:12Z

Thanks. 2647 bytes of data and 896 trailing zeros. Looking at the PEM RFC 7468, I see the contents are BER, not DER, so things like trailing useless data are, I think, acceptable. I'm guessing that's for some sort of padding, who knows. They do have an appendix that basically says to use DER, which I suppose most tools do. openssl trying to convert that input back to PEM just drops the zeros.

So I'm guessing everywhere the code calls fromDer on PEM data is a bit misnamed, and the new strict by default mode isn't correct. Changing it to asn1.fromDer(msg.body, {parseAllBytes: false}) will fix the issue here.

I'll make a patch soon and try to address this for all the related cases.

davidlehn · 2022-04-22T00:38:11Z

Patch available in #977. Still pondering if that's the best approach. Will release something soon.

albertoinch · 2022-04-22T14:08:49Z

Thanks, I really appreciate your help.

DePasqualeOrg · 2023-12-20T11:29:49Z

I'm encountering this error when parsing receipts from Apple's App Attest service.

pke · 2024-02-29T14:33:10Z

@davidlehn run into this parsing problem, when parsing padded DER data from a smart cards EF.ATR file which looked like this:

e01102020809020300800202020809020208095f520c806605444549444d739621f3d003040600d2104445494658534c433332474441040000d310444549444d4d4843475f473232020206d410444549444d4548435f39303030030005d610444549444d50565656352e3030010000cf15cfcfcfcfcfcfcfcfcfcfcfcfcfcfcfcfcfcfcfcfcf

Adding { parseAllBytes: false } fixed the error and I could parse the values.

One minor issue in typescript though:
The definition file is not up to date with the current node-force function signatures.

graikhel-intel mentioned this issue Feb 22, 2023

Web Certificate Management open-amt-cloud-toolkit/open-amt-cloud-toolkit#163

Closed

vbuch mentioned this issue Nov 7, 2023

Unparsed DER bytes remain after ASN.1 parsing. vbuch/node-signpdf#184

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

forge.pkcs7.messageFromPem stop working since 1.3.0 version #975

forge.pkcs7.messageFromPem stop working since 1.3.0 version #975

albertoinch commented Apr 19, 2022

davidlehn commented Apr 19, 2022

albertoinch commented Apr 21, 2022

davidlehn commented Apr 21, 2022

davidlehn commented Apr 22, 2022

albertoinch commented Apr 22, 2022

DePasqualeOrg commented Dec 20, 2023

pke commented Feb 29, 2024

forge.pkcs7.messageFromPem stop working since 1.3.0 version #975

forge.pkcs7.messageFromPem stop working since 1.3.0 version #975

Comments

albertoinch commented Apr 19, 2022

davidlehn commented Apr 19, 2022

albertoinch commented Apr 21, 2022

davidlehn commented Apr 21, 2022

davidlehn commented Apr 22, 2022

albertoinch commented Apr 22, 2022

DePasqualeOrg commented Dec 20, 2023

pke commented Feb 29, 2024