Comments (5)
Because "\x02\x01\x00\x00" is not a valid BER encoding, it is expected that OpenSSL::ASN1.decode refuses to parse. Why do you use such a nonreversible padding?
from openssl.
Not exactly me, but it's the result of decrypting an SNMPv3 encrypted PDU. I'm also using openssl for the decryption, and am explicitly setting the padding to 0, as specified in the RFC. Along these lines:
require "openssl"
# key, iv and encrypted_pdu are assumed to be set by the caller
cipher = OpenSSL::Cipher::DES.new(:CBC)
cipher.decrypt
cipher.padding = 0
cipher.key = key
cipher.iv = iv
data = cipher.update(encrypted_pdu) + cipher.final
# data was padded before encryption, so a BER-encoded PDU might have length 77, while the decrypted
# part might be length 80
# what to do here to safely remove padding before decoding?
And this is my question. Right now, I'm slicing all \x00 from the resulting decrypted payload. But this is not a solution, as the last value can be a BER-encoded null, or a BER-encoded integer with value 0, and that would mess up my decoding.
The example I gave you might not be a valid BER encoding, but I thought there could be a hidden API which would ignore bytes which aren't part of a BER-encoded sequence, and so on, like:
stream = "0\x03\x02\x01\x00\x02\x01\x00"
OpenSSL::ASN1.decode stream
This will fail with a type mismatch error, but it also could just decode the sequence and ignore the subsequent integer, with, let's say, an imaginary argument ignore_mismatches: true.
Anyway, this is just an idea. I'd totally understand if this weren't to be supported, and would appreciate any kind of suggestions you'd have on removing padding from deciphered payloads, as I don't currently have any idea on how to do that besides the faulty patch I mentioned above.
from openssl.
The protocol doesn't seem to give the actual content length. That's unfortunate.
I however think such an option is useful in too limited situations to provide from the openssl library.
In this case, I think you can work around it by inspecting the real content length with OpenSSL::ASN1.traverse[1]:
str = "\x02\x01\x00\x00"
headerlen, bodylen = OpenSSL::ASN1.traverse(str) { |_, _, x, y, *| break x, y }
decoded = OpenSSL::ASN1.decode(str.byteslice(0, headerlen+bodylen))
[1] http://ruby.github.io/openssl/OpenSSL/ASN1.html#method-c-traverse
from openssl.
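The traverse-based workaround above, written out as a helper that also bounds the leftover bytes, next to the zero-stripping approach it replaces. This is an added example, not code from the thread or from the openssl gem; the names strip_cipher_padding, naive_strip and sample_padded_plaintext and the sample PDU are constructed for illustration, and definite-length BER is assumed.

```ruby
require "openssl"

DES_BLOCK_SIZE = 8 # DES-CBC block size; a block pad is always shorter than this

# Flawed approach described in the thread: drop every trailing zero byte.
def naive_strip(plaintext)
  plaintext.sub(/\x00+\z/, "")
end

# Returns the leading BER element of +plaintext+ with the cipher pad removed.
# Raises ArgumentError when the trailing bytes cannot be a block pad.
def strip_cipher_padding(plaintext, block_size = DES_BLOCK_SIZE)
  # traverse yields (depth, offset, header_len, body_len, ...) per element;
  # breaking on the first yield gives the size of the outermost TLV.
  header_len, body_len =
    OpenSSL::ASN1.traverse(plaintext) { |_, _, h, b, *| break h, b }
  total = header_len + body_len
  pad = plaintext.bytesize - total
  # Defensive: OpenSSL normally rejects an over-long length field itself.
  raise ArgumentError, "BER element longer than plaintext" if pad.negative?
  # More than block_size - 1 leftover bytes is not padding; refuse to guess.
  raise ArgumentError, "#{pad} trailing bytes exceed a block pad" if pad >= block_size
  plaintext.byteslice(0, total)
end

# Constructed sample: a SEQUENCE that ends in INTEGER 0 and NULL (so its
# encoding ends in a zero byte), zero-padded to a multiple of the block size.
def sample_padded_plaintext
  pdu = OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::OctetString.new("constructed-context"),
    OpenSSL::ASN1::Integer.new(0),
    OpenSSL::ASN1::Null.new(nil)
  ]).to_der
  pad = -pdu.bytesize % DES_BLOCK_SIZE
  [pdu, pdu + ("\x00".b * pad)]
end
```

On the sample, naive_strip removes the final content byte of the NULL along with the pad, so decoding fails, while strip_cipher_padding returns the original 28-byte element.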
The protocol does give the content length (in that case, it's an integer with size 1 and value 0, it would work the same for sequences). You need to decode it first, however. It is possible, and something that the library could do, but you know the situations in which this part of openssl is used better than me.
The workaround with traverse does seem to solve my issue. I'll have a quick try in a few minutes and will let you know. Thx for the tip!
from openssl.
It did the trick. Thx Again!
from openssl.