
Cryptography parsed the CRL file with an incorrect inner identifier. #14267

@onepeople158

Description


Version: 45.0.3

Hello developers, I used the cryptography library to parse a CRL file whose inner signature algorithm identifier (TBSCertList.signature) has OID 1.2.840.98445.1.1.11, while its outer identifier (CertificateList.signatureAlgorithm) is sha256_rsa. RFC 5280 §5.1.1.2 requires these two fields to contain the same algorithm identifier, so such a CRL is malformed. cryptography loaded the file without complaint, whereas parsing the same CRL with Go's crypto/x509 fails with: "inner and outer signature algorithm identifiers don't match".

Test Case:

wrong_inner_signature_oid.zip

Code:

import os
import sys
from cryptography import x509
from cryptography.hazmat.backends import default_backend

# asn1crypto is optional: it is only needed for the raw inner/outer
# AlgorithmIdentifier comparison, so its absence downgrades the script
# to the cryptography-only view instead of aborting it.
try:
    from asn1crypto import crl as asn1_crl
except ImportError:
    HAS_ASN1CRYPTO = False
    print("Warning: 'asn1crypto' library is not installed. It is recommended to run 'pip install asn1crypto' to view detailed inner/outer algorithm comparison.")
else:
    HAS_ASN1CRYPTO = True


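def parse_crl_algorithm_identifier(file_path):
    """Report the signature AlgorithmIdentifiers of the DER CRL at ``file_path``.

    Two independent views are printed: a raw ASN.1 comparison of the outer
    ``CertificateList.signatureAlgorithm`` against the inner
    ``TBSCertList.signature`` (only when ``asn1crypto`` is importable), and
    the single OID that ``cryptography`` exposes after loading the CRL.
    RFC 5280 §5.1.1.2 requires the two fields to carry the same
    AlgorithmIdentifier, so a mismatch means the CRL is malformed and a
    strict parser (e.g. Go's crypto/x509) rejects it outright.

    Args:
        file_path: path to a DER-encoded CRL.

    Returns:
        None if the file does not exist or cannot be read (an error line is
        printed). Otherwise a dict with keys ``outer``, ``inner`` (dotted
        OID strings) and ``match`` (bool) from the asn1crypto step — all
        None when that step was skipped or failed — plus
        ``cryptography_oid`` (dotted OID string, or None when cryptography
        refused the file).
    """
    if not os.path.exists(file_path):
        print(f"Error: File {file_path} not found")
        return None

    try:
        with open(file_path, "rb") as f:
            crl_data = f.read()
    except OSError as e:
        print(f"Error: could not read {file_path}: {e}")
        return None

    print(f"Analyzing file: {os.path.basename(file_path)}")
    print("=" * 60)

    result = {"outer": None, "inner": None, "match": None, "cryptography_oid": None}
    try:
        # 1. Low-level structure analysis with asn1crypto (inner vs. outer)
        if HAS_ASN1CRYPTO:
            result.update(_compare_algorithm_identifiers(crl_data))
        # 2. Standard parsing with cryptography
        result["cryptography_oid"] = _load_with_cryptography(crl_data)
    except Exception as e:  # diagnostic script: report anything unexpected rather than crash
        print(f"Unknown error occurred: {e}")
    return result


def _compare_algorithm_identifiers(crl_data):
    """Compare the outer and inner AlgorithmIdentifier of a DER CRL with asn1crypto.

    The whole AlgorithmIdentifier (OID *and* parameters) is compared via its
    DER encoding, because RFC 5280 §5.1.1.2 requires the two fields to be the
    same structure, not merely the same OID. Dotted OIDs are printed next to
    asn1crypto's ``.native`` rendering so an unregistered OID is shown exactly
    as it appears on the wire rather than only through the library's name map.

    Returns a dict with ``outer``/``inner`` (dotted OID strings) and
    ``match`` (bool); all three are None when asn1crypto could not parse it.
    """
    print("【Algorithm Consistency Check】")
    try:
        parsed_crl = asn1_crl.CertificateList.load(crl_data)
        # CertificateList -> signatureAlgorithm
        outer_alg = parsed_crl['signature_algorithm']
        # CertificateList -> tbsCertList -> signature
        inner_alg = parsed_crl['tbs_cert_list']['signature']
        outer_oid = outer_alg['algorithm'].dotted
        inner_oid = inner_alg['algorithm'].dotted
        outer_name = outer_alg['algorithm'].native
        inner_name = inner_alg['algorithm'].native
        # Field access may trigger deferred decoding, so the full-structure
        # comparison stays inside the try as well.
        full_match = outer_alg.dump() == inner_alg.dump()
    except Exception as e:
        print(f"ASN.1 low-level parsing failed: {e}")
        print("-" * 60)
        return {"outer": None, "inner": None, "match": None}

    print(f"  Outer SignatureAlgorithm: {outer_oid} ({outer_name})")
    print(f"  Inner TBSCertList.signature: {inner_oid} ({inner_name})")
    if outer_oid != inner_oid:
        print("  ⚠️ Warning: Inner and outer algorithms do not match! (MISMATCH)")
    elif not full_match:
        print("  ⚠️ Warning: Same OID but different AlgorithmIdentifier parameters! (MISMATCH)")
    else:
        print("  Status: Matched (MATCH)")
    print("-" * 60)
    return {"outer": outer_oid, "inner": inner_oid, "match": full_match}


def _load_with_cryptography(crl_data):
    """Load the DER CRL with cryptography and print the signature OID it exposes.

    Returns the dotted OID string, or None if ``load_der_x509_crl`` raised
    ValueError. cryptography exposes a single ``signature_algorithm_oid``;
    this script cannot tell which of the two on-the-wire fields it was taken
    from, so read it alongside the asn1crypto comparison rather than as a
    statement about either field. Nothing here verifies the CRL's signature
    against the issuer key (that would be a separate ``is_signature_valid``
    call): a successful load only says the parser accepted the encoding.
    """
    print("【Cryptography Library Parsing Result】")
    try:
        crl = x509.load_der_x509_crl(crl_data, default_backend())
    except ValueError as e:
        print(f"\n❌ Cryptography parsing failed: {e}")
        print("   This is usually due to file format errors, or the library refusing to load due to enforced inner/outer algorithm consistency check.")
        return None
    oid = crl.signature_algorithm_oid
    # ``_name`` is a private attribute of ObjectIdentifier and may change in a
    # future release; degrade gracefully instead of crashing the diagnostic.
    name = getattr(oid, "_name", "unknown")
    print(f"  Identified Algorithm OID: {oid.dotted_string} ({name})")
    return oid.dotted_string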


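if __name__ == "__main__":
    # Default to the attached reproducer; a path given on the command line
    # overrides it so the script can be pointed at other CRLs without editing.
    target_file = sys.argv[1] if len(sys.argv) > 1 else r"crl_wrong_inner_signature_oid.der"
    parse_crl_algorithm_identifier(target_file)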
