Comments (5)
gpotter2
commented on June 14, 2024
1
Hi. Thanks for the detailed bug report.
Could you try out #4223 and report if it's fixed? Thanks
from scapy.
gpotter2
commented on June 14, 2024
Could you provide example code where this fails? Thanks.
from scapy.
wasmachensachen98
commented on June 14, 2024
this is already triggering the error.
ocsp_response_bytes = OCSP_ResponseBytes()
ocsp_response_bytes.responseBytes.signatureAlgorithm.algorithm = ASN1_OID('1.2.840.10045.4.3.2')
ocsp_response_bytes.self_build()If that isn't enough I included a small script that can be used to replicate the ocsp error more easily. here:
from scapy.asn1.asn1 import (ASN1_BIT_STRING, ASN1_ENUMERATED, ASN1_OID)
from scapy.layers.x509 import (
OCSP_Response, OCSP_ResponseBytes,
OCSP_ResponseData, X509_AlgorithmIdentifier)
from cryptography.x509.ocsp import load_der_ocsp_response
def _hex_to_asn1_bit_string(hex_string: str) -> ASN1_BIT_STRING:
bin_string = bin(int(hex_string, 16))[2:]
# padding so dividable by 4
padding = 0 if len(bin_string) % 4 == 0 else 4 - len(bin_string)
return ASN1_BIT_STRING("0" * padding + bin_string)
# insert a custom DER OCSP-Response here to load into scapy (in hex format)
der_ocsp_reponse_in_hex = (
'3082013d0a0100a08201363082013206092b060105050730010104820123'
'3082011f3081c7a2160414117f8e44bbe97fca27fe4790895c18ea0ea5235'
'7180f32303234303131393230313632335a30773075304d300906052b0e03'
'021a050004140bafcc2324b8b0f8b0322c9a506e3956535714140414117f8'
'e44bbe97fca27fe4790895c18ea0ea5235702141026996a09aab93ede06b6'
'2362a9e44741071b328000180f32303234303131393230313632335aa0111'
'80f32303234303132303230313632335aa1233021301f06092b0601050507'
'30010204120410f12a655449ab6402f4da66c549414e2c300a06082a8648c'
'e3d0403020347003044022012710a72736e76b60f4573508e62be25973dfd'
'a9719e9a678f2e1c0add131dfc022050abc8ba475f8f1ed2f74ca9f2c976e'
'a1da0b51dd28cf8735487f2d3c076cb24'
)
ocsp_resonse_original = load_der_ocsp_response(bytes.fromhex(der_ocsp_reponse_in_hex))
ocsp_response_bytes = OCSP_ResponseBytes()
ocsp_response_bytes.responseType = ASN1_OID("1.3.6.1.5.5.7.48.1.1")
ocsp_response_bytes.tbsResponseData = OCSP_ResponseData(
ocsp_resonse_original.tbs_response_bytes
)
signature_hex = ocsp_resonse_original.signature.hex()
ocsp_response_bytes.signature = _hex_to_asn1_bit_string(signature_hex)
algo_identifier = X509_AlgorithmIdentifier()
# taking from original
#algo_identifier.algorithm = ASN1_OID(ocsp_resonse_original.signature_algorithm_oid.dotted_string)
# hardcode ecdsa-withSHA256 faulty
algo_identifier.algorithm = ASN1_OID('1.2.840.10045.4.3.2')
# sha256WithRSAEncryption working
#algo_identifier.algorithm = ASN1_OID('1.2.840.113549.1.1.11')
algo_identifier.parameter = None
ocsp_response_bytes.signatureAlgorithm = algo_identifier
scapy_ocsp_response = OCSP_Response()
scapy_ocsp_response.reponseStatus = ASN1_ENUMERATED(0)
scapy_ocsp_response.responseBytes = ocsp_response_bytes
# when using the ecdsa algorithm the bytes are wrongly encoded
signatureAlgorithm_ecdsa_scapy_ocsp_response = scapy_ocsp_response.self_build()
#test = load_der_ocsp_response(signatureAlgorithm_ecdsa_scapy_ocsp_response)
# it is working with rsa
scapy_ocsp_response.responseBytes.signatureAlgorithm.algorithm = ASN1_OID('1.2.840.113549.1.1.11')
signatureAlgorithm_rsa_ocsp_response = scapy_ocsp_response.self_build()
test = load_der_ocsp_response(signatureAlgorithm_rsa_ocsp_response)
# you can output the file and read parse it with openssl and see
# that the rsa one works but the ecdsa doesnt
from pathlib import Path
import subprocess
ocsp_reponse_directory = 'ocsp_response'
current_dir = Path() / ocsp_reponse_directory
ecdsa_filename = 'ecdsa_ocsp_reponse.bin'
rsa_filename = 'rsa_ocsp_reponse.bin'
(current_dir / ecdsa_filename).write_bytes(signatureAlgorithm_ecdsa_scapy_ocsp_response)
(current_dir / rsa_filename).write_bytes(signatureAlgorithm_rsa_ocsp_response)
openssl_read_ecdsa_cmd = ["openssl", "ocsp", "-text", "-noverify", [f"-respin {ocsp_reponse_directory}/{ecdsa_filename}"]]
openssl_read_rsa_cmd = ["openssl", "ocsp", "-text", "-noverify", [f"-respin {ocsp_reponse_directory}/{rsa_filename}"]]
ecdsa_out = subprocess.run(openssl_read_ecdsa_cmd, capture_output=True, text=True)
rsa_out = subprocess.run(openssl_read_rsa_cmd, capture_output=True, text=True)
print(ecdsa_out.stderr)from scapy.
wasmachensachen98
commented on June 14, 2024
Thanks it seems to be working now
from scapy.
gpotter2
commented on June 14, 2024
Great, thanks. Let's keep this open until the PR is merged.
from scapy.
Related Issues (20)
- list object has no attribute display
- Sniffign in Monitor Mode on Windows Throws Exception - libpcap & WLanHelper path issue
- send(generator) skips first packet HOT 1
- smbclientserver test timing out in autopkgtest HOT 7
- TCPSession rebuild http session bug HOT 2
- sndrcv does not return control to user after KeyboardInterrupt HOT 3
- RFE: support for the DHCP "option overload" option
- Enhancement: Validate one-line comments HOT 1
- Incorrect RTCP SR + RR parsing HOT 6
- As of NetBSD 10.0, it is possible to send packets via bpf through loopback devices HOT 1
- ICMPv6 Time Exceeded is not using `length` field
- haslayer with conditional packet fields HOT 1
- Add stop_filter parameter to SndRcvHandler
- decrypted IPv6 packet using decrypt_esp for NAT-Traversal is return wrong packet
- tls appear as padding HOT 1
- Flaky DoIP test on MacOSX HOT 1
- TLS in Scapy should have more doc HOT 8
- RFE: mDNS unicast-response and cache-flush bits HOT 2
- Why is the encoding mode of 'ifreq' 16s16x? HOT 1
- Issue with Packet Creation in AH Tunnel Mode over Socket HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from scapy.