acme-client: relax certificate parsing


acme-client: relax certificate parsing

Florian Obser-2
Relax parsing of PEM certificate responses a bit: apparently there are CAs
that use \r\n line endings, so the END CERTIFICATE marker is no longer
required to be followed by a bare "\n".
From Bartosz Kuzma as part of a larger diff.

OK?

diff --git certproc.c certproc.c
index 7fde96e970e..975e12afaaa 100644
--- certproc.c
+++ certproc.c
@@ -28,7 +28,8 @@
 
 #include "extern.h"
 
-#define MARKER "-----END CERTIFICATE-----\n"
+#define BEGIN_MARKER "-----BEGIN CERTIFICATE-----"
+#define END_MARKER "-----END CERTIFICATE-----"
 
 int
 certproc(int netsock, int filesock)
@@ -81,19 +82,25 @@ certproc(int netsock, int filesock)
  if ((csr = readbuf(netsock, COMM_CSR, &csrsz)) == NULL)
  goto out;
 
- if (csrsz < strlen(MARKER)) {
+ if (csrsz < strlen(END_MARKER)) {
  warnx("invalid cert");
  goto out;
  }
 
- chaincp = strstr(csr, MARKER);
+ chaincp = strstr(csr, END_MARKER);
 
  if (chaincp == NULL) {
  warnx("invalid cert");
  goto out;
  }
 
- chaincp += strlen(MARKER);
+ chaincp += strlen(END_MARKER);
+
+ if ((chaincp = strstr(chaincp, BEGIN_MARKER)) == NULL) {
+ warnx("invalid certificate chain");
+ goto out;
+ }
+
  if ((chain = strdup(chaincp)) == NULL) {
  warn("strdup");
  goto out;
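Review bot: The new `strstr(chaincp, BEGIN_MARKER)` check makes a second certificate mandatory, so a response that carries only the leaf certificate and no issuer chain is now rejected with "invalid certificate chain", whereas the old code simply duplicated whatever followed the END marker; since the commit describes itself as a relaxation, this tightening deserves a comment at the check, e.g. `/* Require an issuer chain after the leaf; a leaf-only response is rejected. */`. Both `strstr` calls also depend on `csr` being NUL-terminated by readbuf(), which is not visible here, and the `csrsz < strlen(END_MARKER)` check no longer bounds anything on its own, so that assumption should be stated next to the first search, `/* csr is NUL-terminated by readbuf(); strstr() is safe */`, or confirmed where readbuf is defined. Note too that everything between the END marker and the next BEGIN marker (the CRLF and any other bytes the CA emits) ends up in the leaf certificate; this is presumably harmless for PEM readers but worth a short comment. certproc() continues past the end of this hunk.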


--
I'm not entirely sure you are real.


Re: acme-client: relax certificate parsing

Sebastian Benoit-3
ok

Florian Obser([hidden email]) on 2020.09.14 17:12:01 +0200:

> Relax parsing of pem files a bit. Apparently there are CAs that use
> \r\n line endings.
> From Bartosz Kuzma as part of a larger diff.
>
> OK?
>
> diff --git certproc.c certproc.c
> index 7fde96e970e..975e12afaaa 100644
> --- certproc.c
> +++ certproc.c
> @@ -28,7 +28,8 @@
>  
>  #include "extern.h"
>  
> -#define MARKER "-----END CERTIFICATE-----\n"
> +#define BEGIN_MARKER "-----BEGIN CERTIFICATE-----"
> +#define END_MARKER "-----END CERTIFICATE-----"
>  
>  int
>  certproc(int netsock, int filesock)
> @@ -81,19 +82,25 @@ certproc(int netsock, int filesock)
>   if ((csr = readbuf(netsock, COMM_CSR, &csrsz)) == NULL)
>   goto out;
>  
> - if (csrsz < strlen(MARKER)) {
> + if (csrsz < strlen(END_MARKER)) {
>   warnx("invalid cert");
>   goto out;
>   }
>  
> - chaincp = strstr(csr, MARKER);
> + chaincp = strstr(csr, END_MARKER);
>  
>   if (chaincp == NULL) {
>   warnx("invalid cert");
>   goto out;
>   }
>  
> - chaincp += strlen(MARKER);
> + chaincp += strlen(END_MARKER);
> +
> + if ((chaincp = strstr(chaincp, BEGIN_MARKER)) == NULL) {
> + warnx("invalid certificate chain");
> + goto out;
> + }
> +
>   if ((chain = strdup(chaincp)) == NULL) {
>   warn("strdup");
>   goto out;
>
>
> --
> I'm not entirely sure you are real.
>