-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
does picky-asn1 support BER? #264
Comments
Hi! Thank you for considering collaborating further with us!! Unfortunately, I don’t think I can recommend you picky as a low-level building block for DER (and BER, even if we were to support it). I believe that using serde as our deserializer / serializer engine was not a great idea. The reason is that it’s impossible to map the whole ASN.1 data model into the serde data model. It is possible to map the serde data model into the ASN.1 data model, but the other way around is simply not possible. In a sense the ASN.1 data model is a superset of the serde data model, it has more types. It’s possible to build a serde Serializer and Deserializer for a subset of DER/BER, and that’s still nice, but we realized it was a poor fit to implement the data structures defined in the various specifications and RFCs. Indeed, these data structures are requiring types which cannot be modelized using serde data model. This led us to implement a few workarounds. Here are some workarounds:
Again, these workarounds are strongly suggesting that the serde data model is not a good fit. I have to admit that we are not using serde as it was meant to be used, and, as a result, even though our data structures are implementing the Incidentally, the der crate by RustCrypo is exactly how I would rewrite picky-asn1 / picky-asn1-der today if I had the time for that. Instead, I just recommend using this crate for DER needs. Unfortunately, I don’t think it’s possible to use it for BER yet. Out of curiosity, why are you considering changing your ASN.1 library? |
At the moment we're using the lber / nom parser which has it's quirks but it works. There's a lot we could improve in ldap3. It was more that I know Devolutions uses ldap3, and if you have an ASN1 library that is supported, I would trust it as a building block for ldap3. It's sometimes good to re-examine our building blocks and who works on them. Saying this, the der crate from RustCrypto seems good, I'll see if they are considering BER as well. |
That’s a good idea! Alternatively, the asn1-rs crate is looking quite good too and supports both DER and BER! I know that the author has been working on Kerberos / LDAP stacks for a few years. It may be worth to check it out. |
Fantastic! I'll follow up and see what's going on there too. Thanks so much. :) |
Actually, even a cursory glance shows most of their protocols are FromBer/Der only. We'd need to look into to writing the encoding side. Part of what brought this up is that soon I'll need to write a CA and you have picky-asn1 and x509 that's used by rust-tss-esapi which I'm quite involved in, but also a KDC so I'll need KRB support too. So I was hoping to standardise on a single framework for these, and since I trust you and your work I was hoping I could jump over to the picky-asn1 crates. The asn1-rs crate looks good but mostly it seems to be one way. So maybe I'll have to put in some work for that. I'd like us all to be in a place where we have a solid base to work from be in ldap or x509. |
At least the doc mentions DER and BER encoders: https://docs.rs/asn1-rs/latest/asn1_rs/#berder-encoders However, as you said, crates built on top such as |
Of course, you can use picky crates for KDC and X509 certificates, they works well, but the building blocks we used could have been better, and today I think that the right approach for DER/BER is not the one we took. Sadly, we can't just fix it either. All that being said, if you would still rather use picky-asn1, it's absolutely possible to build a picky-asn1-ber crate. Essentially, you could copy paste picky-asn1-der and make the deserializer more lenient. |
Right now I'm looking at the rust crypto der crate, I think it may be the best option long term then :) |
Hi there!
I was needing an x509 crate and who ever should I find makes an excellent set of crates in this space!
Currently I know that devolutions is using my ldap3 library, but it's using an alternate asn library. If picky-asn1 supported ber, I'd have no problems changing it over to collaborate more with you all.
And if picky-asn1 doesn't support BER today, what would it take to add it?
Thanks!
The text was updated successfully, but these errors were encountered: