secdev · gpotter2 · Sep 21, 2025 · Sep 16, 2025 · Sep 21, 2025 · Sep 21, 2025
diff --git a/scapy/asn1/asn1.py b/scapy/asn1/asn1.py
@@ -93,7 +93,7 @@ def _fix(self, n=0):
             return o(GeneralizedTime()._fix())
         elif issubclass(o, ASN1_STRING):
             z1 = int(random.expovariate(0.05) + 1)
-            return o("".join(random.choice(self.chars) for _ in range(z1)))
+            return o("".join(random.choice(self.chars) for _ in range(z1)).encode())
         elif issubclass(o, ASN1_SEQUENCE) and (n < 10):
             z2 = int(random.expovariate(0.08) + 1)
             return o([self.__class__(objlist=self.objlist)._fix(n + 1)
@@ -520,7 +520,7 @@ def __repr__(self):
         )
 
 
-class ASN1_STRING(ASN1_Object[str]):
+class ASN1_STRING(ASN1_Object[bytes]):
     tag = ASN1_Class_UNIVERSAL.STRING
 
 
@@ -555,11 +555,11 @@ class ASN1_UTF8_STRING(ASN1_STRING):
     tag = ASN1_Class_UNIVERSAL.UTF8_STRING
 
 
-class ASN1_NUMERIC_STRING(ASN1_STRING):
+class ASN1_NUMERIC_STRING(ASN1_Object[str]):
     tag = ASN1_Class_UNIVERSAL.NUMERIC_STRING
 
 
-class ASN1_PRINTABLE_STRING(ASN1_STRING):
+class ASN1_PRINTABLE_STRING(ASN1_Object[str]):
     tag = ASN1_Class_UNIVERSAL.PRINTABLE_STRING
 
 
@@ -579,7 +579,7 @@ class ASN1_GENERAL_STRING(ASN1_STRING):
     tag = ASN1_Class_UNIVERSAL.GENERAL_STRING
 
 
-class ASN1_GENERALIZED_TIME(ASN1_STRING):
+class ASN1_GENERALIZED_TIME(ASN1_Object[str]):
     """
     Improved version of ASN1_GENERALIZED_TIME, properly handling time zones and
     all string representation formats defined by ASN.1. These are:
@@ -723,7 +723,7 @@ def __repr__(self):
         # type: () -> str
         return "<%s[%r]>" % (
             self.__dict__.get("name", self.__class__.__name__),
-            self.val.decode("utf-16be"),  # type: ignore
+            self.val.decode("utf-16be"),
         )
 
 
@@ -742,7 +742,7 @@ class ASN1_SET(ASN1_SEQUENCE):
     tag = ASN1_Class_UNIVERSAL.SET
 
 
-class ASN1_IPADDRESS(ASN1_STRING):
+class ASN1_IPADDRESS(ASN1_Object[str]):
     tag = ASN1_Class_UNIVERSAL.IPADDRESS
 
 

diff --git a/scapy/asn1/mib.py b/scapy/asn1/mib.py
@@ -260,13 +260,36 @@ def load_mib(filenames):
     "1.3.14.3.2.29": "sha1RSASign",
 }
 
+#       nist        #
+
+nist_oids = {
+    "2.16.840.1.101.3.4.2.1": "sha256",
+    "2.16.840.1.101.3.4.2.2": "sha384",
+    "2.16.840.1.101.3.4.2.3": "sha512",
+    "2.16.840.1.101.3.4.2.4": "sha224",
+    "2.16.840.1.101.3.4.2.5": "sha512-224",
+    "2.16.840.1.101.3.4.2.6": "sba512-256",
+    "2.16.840.1.101.3.4.2.7": "sha3-224",
+    "2.16.840.1.101.3.4.2.8": "sha3-256",
+    "2.16.840.1.101.3.4.2.9": "sha3-384",
+    "2.16.840.1.101.3.4.2.10": "sha3-512",
+    "2.16.840.1.101.3.4.2.11": "shake128",
+    "2.16.840.1.101.3.4.2.12": "shake256",
+}
+
 #       thawte      #
 
 thawte_oids = {
     "1.3.101.112": "Ed25519",
     "1.3.101.113": "Ed448",
 }
 
+#       pkcs7       #
+
+pkcs7_oids = {
+    "1.2.840.113549.1.7.2": "id-signedData",
+}
+
 #       pkcs9       #
 
 pkcs9_oids = {
@@ -471,6 +494,7 @@ def load_mib(filenames):
     "2.5.29.69": "id-ce-holderNameConstraints",
     # [MS-WCCE]
     "1.3.6.1.4.1.311.2.1.14": "CERT_EXTENSIONS",
+    "1.3.6.1.4.1.311.10.3.4": "szOID_EFS_CRYPTO",
     "1.3.6.1.4.1.311.20.2": "ENROLL_CERTTYPE",
     "1.3.6.1.4.1.311.25.1": "NTDS_REPLICATION",
     "1.3.6.1.4.1.311.25.2": "NTDS_CA_SECURITY_EXT",
@@ -560,6 +584,12 @@ def load_mib(filenames):
     "1.2.840.10045.4.3.4": "ecdsa-with-SHA512"
 }
 
+#       ansi-x942       #
+
+x942KeyType_oids = {
+    "1.2.840.10046.2.1": "dhpublicnumber",  # RFC3770 sect 4.1.1
+}
+
 #       elliptic curves       #
 
 ansiX962Curve_oids = {
@@ -672,11 +702,29 @@ def load_mib(filenames):
     '1.3.6.1.4.1.311.2.2.30': 'NEGOEX - SPNEGO Extended Negotiation Security Mechanism',
 }
 
+#      kerberos      #
+
+kerberos_oids = {
+    "1.3.6.1.5.2.3.1": "id-pkinit-authData",
+    "1.3.6.1.5.2.3.2": "id-pkinit-DHKeyData",
+    "1.3.6.1.5.2.3.3": "id-pkinit-rkeyData",
+    "1.3.6.1.5.2.3.4": "id-pkinit-KPClientAuth",
+    "1.3.6.1.5.2.3.5": "id-pkinit-KPKdc",
+    # RFC8363
+    "1.3.6.1.5.2.3.6": "id-pkinit-kdf",
+    "1.3.6.1.5.2.3.6.1": "id-pkinit-kdf-sha1",
+    "1.3.6.1.5.2.3.6.2": "id-pkinit-kdf-sha256",
+    "1.3.6.1.5.2.3.6.3": "id-pkinit-kdf-sha512",
+    "1.3.6.1.5.2.3.6.4": "id-pkinit-kdf-sha384",
+}
+
 
 x509_oids_sets = [
     pkcs1_oids,
     secsig_oids,
+    nist_oids,
     thawte_oids,
+    pkcs7_oids,
     pkcs9_oids,
     attributeType_oids,
     certificateExtension_oids,
@@ -690,9 +738,11 @@ def load_mib(filenames):
     evPolicy_oids,
     x962KeyType_oids,
     x962Signature_oids,
+    x942KeyType_oids,
     ansiX962Curve_oids,
     certicomCurve_oids,
     gssapi_oids,
+    kerberos_oids,
 ]
 
 x509_oids = {}

diff --git a/scapy/asn1fields.py b/scapy/asn1fields.py
@@ -606,6 +606,8 @@ def i2repr(self, pkt, x):
         # type: (ASN1_Packet, _I) -> str
         if self.holds_packets:
             return super(ASN1F_SEQUENCE_OF, self).i2repr(pkt, x)  # type: ignore
+        elif x is None:
+            return "[]"
         else:
             return "[%s]" % ", ".join(
                 self.fld.i2repr(pkt, x) for x in x  # type: ignore
@@ -979,11 +981,40 @@ class ASN1F_STRING_PacketField(ASN1F_STRING):
     def i2m(self, pkt, val):
         # type: (ASN1_Packet, Any) -> bytes
         if hasattr(val, "ASN1_root"):
-            val = ASN1_STRING(bytes(val))  # type: ignore
+            val = ASN1_STRING(bytes(val))
         return super(ASN1F_STRING_PacketField, self).i2m(pkt, val)
 
     def any2i(self, pkt, x):
         # type: (ASN1_Packet, Any) -> Any
         if hasattr(x, "add_underlayer"):
             x.add_underlayer(pkt)
         return super(ASN1F_STRING_PacketField, self).any2i(pkt, x)
+
+
+class ASN1F_STRING_ENCAPS(ASN1F_STRING_PacketField):
+    """
+    ASN1F_STRING that encapsulates a single ASN1 packet.
+    """
+
+    def __init__(self,
+                 name,  # type: str
+                 default,  # type: Optional[ASN1_Packet]
+                 cls,  # type: Type[ASN1_Packet]
+                 context=None,  # type: Optional[Any]
+                 implicit_tag=None,  # type: Optional[int]
+                 explicit_tag=None,  # type: Optional[int]
+                 ):
+        # type: (...) -> None
+        self.cls = cls
+        super(ASN1F_STRING_ENCAPS, self).__init__(
+            name,
+            default and bytes(default),  # type: ignore
+            context=context,
+            implicit_tag=implicit_tag,
+            explicit_tag=explicit_tag
+        )
+
+    def m2i(self, pkt, s):  # type: ignore
+        # type: (ASN1_Packet, bytes) -> Tuple[ASN1_Packet, bytes]
+        val = super(ASN1F_STRING_ENCAPS, self).m2i(pkt, s)
+        return self.cls(val[0].val, _underlayer=pkt), val[1]