PKCS7 beeing treated as a certificate in unpack_cert_content

[MatLaft]

I' m trying to validate this pdf signature but an error occurs when it tries to validate the pkcs7 pulled from the AIA's signing certificate.

It's being treated as a certificate in unpack_cert_content because the content-type returned by the server is 'binary/octet-stream' , which is accepted by both certificate and pkcs7 files.

It can load the pkcs7 in a asn1crypto.Certificate object but when it tries to use some attribute it raise an error.

Here I propose a solution for this problem. Unfortunately I couldn't make a code that doesn't include a try/except block.

Example code that demonstrate the error described

[MatthiasValvekens]

Argh, if only CAs would actually bother to follow what the dang specification requires... 😠

I think your trial-and-error approach is the only viable one generally speaking, if the server doesn't respect the Content-Type requirements, the only way to tell whether something is a certificate or a PKCS#7 payload is to decode it...

That said, I would do the check slightly differently: maybe it's slightly safer to do a core.Sequence.load(...) and use the length of the resulting sequence value to discriminate (for a certificate it will be 3, for a PKCS#7 payload it'll be 2). The reason why I think this is better is because cert.native will attempt to parse the full Certificate structure completely, and if it's just a regular old badly encoded cert, this'll lead to a very confusing stack trace (also, maybe the encoding error would be otherwise inconsequential anyway).

But I'm happy to take a PR to fix this issue, provided you also add a regression test :). Thanks!

[MatthiasValvekens]

Fixed in pyhanko-certvalidator>=0.26.3 thanks to a PR from @MatLaft; see MatthiasValvekens/certvalidator#13.