Skip to content

Commit

Permalink
Tag CMS signer identifier implicitly (#218)
Browse files Browse the repository at this point in the history
As pointed out in
#203, the
SignerIdentifier in PKCS#7 CMS should be implicitly tagged while the
currently swift-certificates explicitly tags it. This PR contains
changes for SignerIdentifier of SubjectKeyIdentifier type to be
implicitly tagged.

[RFC 5652 §
12.1](https://datatracker.ietf.org/doc/html/rfc5652#section-12.1):
```
SignerIdentifier ::= CHOICE {
  issuerAndSerialNumber IssuerAndSerialNumber,
  subjectKeyIdentifier [0] SubjectKeyIdentifier }
  ```
  
  
  Resolves: #203

---------

Co-authored-by: Nicholas Kim <[email protected]>
  • Loading branch information
nicholaskim94 and Nicholas Kim authored Jan 14, 2025
1 parent 274f866 commit 8210859
Show file tree
Hide file tree
Showing 2 changed files with 23 additions and 13 deletions.
23 changes: 10 additions & 13 deletions Sources/X509/CryptographicMessageSyntax/CMSSignerIdentifier.swift
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,6 @@ import SwiftASN1
/// ```
@usableFromInline
enum CMSSignerIdentifier: DERParseable, BERParseable, DERSerializable, BERSerializable, Hashable, Sendable {

@usableFromInline
static let skiIdentifier = ASN1Identifier(tagWithNumber: 0, tagClass: .contextSpecific)

Expand All @@ -36,13 +35,14 @@ enum CMSSignerIdentifier: DERParseable, BERParseable, DERSerializable, BERSerial
self = try .issuerAndSerialNumber(.init(derEncoded: node))

case Self.skiIdentifier:
self = try DER.explicitlyTagged(
node,
tagNumber: Self.skiIdentifier.tagNumber,
tagClass: Self.skiIdentifier.tagClass
) { node in
.subjectKeyIdentifier(.init(keyIdentifier: try ASN1OctetString(derEncoded: node).bytes))
}
self = try .subjectKeyIdentifier(
.init(
keyIdentifier: ASN1OctetString(
derEncoded: node,
withIdentifier: Self.skiIdentifier
).bytes
)
)

default:
throw ASN1Error.unexpectedFieldType(node.identifier)
Expand All @@ -56,11 +56,8 @@ enum CMSSignerIdentifier: DERParseable, BERParseable, DERSerializable, BERSerial
try issuerAndSerialNumber.serialize(into: &coder)

case .subjectKeyIdentifier(let subjectKeyIdentifier):
try coder.serialize(
ASN1OctetString(contentBytes: subjectKeyIdentifier.keyIdentifier),
explicitlyTaggedWithIdentifier: Self.skiIdentifier
)

try ASN1OctetString(contentBytes: subjectKeyIdentifier.keyIdentifier)
.serialize(into: &coder, withIdentifier: Self.skiIdentifier)
}
}

Expand Down
13 changes: 13 additions & 0 deletions Tests/X509Tests/CMSTests.swift
Original file line number Diff line number Diff line change
Expand Up @@ -1134,6 +1134,19 @@ final class CMSTests: XCTestCase {
}
XCTAssertInvalidCMSBlock(isValidSignature)
}

func testSubjectKeyIdentifierIsCorrectlyImplicitylyTagged() throws {
let implicitlyTaggedSki: [UInt8] = [
0x80, // Context-specific tag [0]
0x04, // Length
0x0a, 0x14, 0x1e, 0x28,
]

XCTAssertEqual(
try CMSSignerIdentifier(derEncoded: implicitlyTaggedSki),
CMSSignerIdentifier.subjectKeyIdentifier(.init(keyIdentifier: [10, 20, 30, 40]))
)
}
}

extension DERSerializable {
Expand Down

0 comments on commit 8210859

Please sign in to comment.