Open
Description
Version: 45.0.3
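Hello developers, I used the cryptography library to parse a CRL file whose inner signature algorithm identifier (TBSCertList.signature) has the OID 1.2.840.98445.1.1.11, while its outer identifier (CertificateList.signatureAlgorithm) is sha256_rsa. When I parsed the same CRL file using Go, it was rejected with the error: "inner and outer signature algorithm identifiers don't match". RFC 5280 (section 5.1.1.2) requires these two fields to contain the same algorithm identifier.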
Test Case:
Code:
import os
import sys
from cryptography import x509
from cryptography.hazmat.backends import default_backend
# asn1crypto is optional: it is only needed for the low-level comparison of
# the inner (tbsCertList.signature) and outer (signatureAlgorithm) fields.
try:
    from asn1crypto import crl as asn1_crl
except ImportError:
    # Without asn1crypto the script still runs, but skips the inner/outer check.
    HAS_ASN1CRYPTO = False
    print("Warning: 'asn1crypto' library is not installed. It is recommended to run 'pip install asn1crypto' to view detailed inner/outer algorithm comparison.")
else:
    HAS_ASN1CRYPTO = True
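def parse_crl_algorithm_identifier(file_path):
    """Print the signature algorithm identifiers found in a DER-encoded CRL.

    The CRL is inspected twice:

    1. With asn1crypto (when installed), the outer
       ``CertificateList.signatureAlgorithm`` is compared with the inner
       ``TBSCertList.signature``. RFC 5280 requires both fields to carry the
       same algorithm identifier, so the comparison covers the complete
       encoded AlgorithmIdentifier (OID and parameters), not only the OID.
    2. With ``cryptography``, the CRL is loaded and the signature algorithm
       OID reported by the library is printed.

    Nothing here verifies the CRL signature; the function only reports what
    the parsers see.

    Args:
        file_path: Path to a DER-encoded CRL file.

    Returns:
        None. All results and errors are printed to stdout.
    """
    # Check if file exists
    if not os.path.exists(file_path):
        print(f"Error: File {file_path} not found")
        return

    try:
        # Read file in binary mode
        with open(file_path, "rb") as f:
            crl_data = f.read()

        print(f"Analyzing file: {os.path.basename(file_path)}")
        print("=" * 60)

        # ==========================================
        # 1. Low-level structure analysis with asn1crypto (check inner/outer algorithms)
        # ==========================================
        if HAS_ASN1CRYPTO:
            try:
                # Parse ASN.1 structure
                parsed_crl = asn1_crl.CertificateList.load(crl_data)

                # Outer identifier: CertificateList -> signatureAlgorithm
                outer_id = parsed_crl['signature_algorithm']
                # Inner identifier: CertificateList -> tbsCertList -> signature
                inner_id = parsed_crl['tbs_cert_list']['signature']

                outer_algo = outer_id['algorithm'].native
                inner_algo = inner_id['algorithm'].native

                print("【Algorithm Consistency Check】")
                print(f" Outer SignatureAlgorithm: {outer_algo}")
                print(f" Inner TBSCertList.signature: {inner_algo}")

                if outer_algo != inner_algo:
                    print(" ⚠️ Warning: Inner and outer algorithms do not match! (MISMATCH)")
                elif outer_id.dump() != inner_id.dump():
                    # Same OID, but the encoded AlgorithmIdentifier differs
                    # (for example in its parameters). An OID-only comparison
                    # would report this CRL as consistent.
                    print(" ⚠️ Warning: Algorithm OIDs match but the encoded AlgorithmIdentifiers differ (e.g. parameters)! (MISMATCH)")
                else:
                    print(" Status: Matched (MATCH)")
                print("-" * 60)
            except Exception as e:
                # Best effort: a failure here must not prevent the
                # cryptography-based parsing below from running.
                print(f"ASN.1 low-level parsing failed: {e}")
                print("-" * 60)

        # ==========================================
        # 2. Standard parsing with cryptography
        # ==========================================
        try:
            # Load DER-formatted CRL. Loading only parses the structure; it
            # does not verify the signature. Check
            # crl.is_signature_valid(issuer_public_key) before relying on any
            # revocation data taken from the CRL.
            crl = x509.load_der_x509_crl(crl_data, default_backend())

            # Print algorithm identified by cryptography (usually outer algorithm)
            # NOTE: _name is a private attribute of ObjectIdentifier and may
            # change between cryptography releases.
            print("【Cryptography Library Parsing Result】")
            print(f" Identified Algorithm OID: {crl.signature_algorithm_oid.dotted_string} ({crl.signature_algorithm_oid._name})")
        except ValueError as e:
            print(f"\n❌ Cryptography parsing failed: {e}")
            print(" This is usually due to file format errors, or the library refusing to load due to enforced inner/outer algorithm consistency check.")
    except Exception as e:
        # Covers read errors and anything unexpected raised above.
        print(f"Unknown error occurred: {e}")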
# Script entry point: analyse the sample CRL, looked up relative to the
# current working directory.
if __name__ == "__main__":
    target_file = r"crl_wrong_inner_signature_oid.der"
    parse_crl_algorithm_identifier(file_path=target_file)