CA-404640 XSI-1781 accept in PEM key/cert in any order

We have so far hard-coded the exectation that in a PEM file a private
key is followed by a certficate but this is actually not required by the
PEM standard and let to a failure in XSI-1781.

This is a simple fix that permits boths. However, it would still fail if
we have a certficate with multiple certificates followed by a key.

Added new test data for unit tests; fail-01.pem now becomes a passing
test case.

Signed-off-by: Christian Lindig <[email protected]>

Author: Christian Lindig

ocaml/gencert/pem.ml

@@ -73,9 +73,17 @@ let cert =
 (* try to read a cert, or skip a line and try again *)
 let until_cert = fix (fun m -> cert <|> line *> m) <?> "until_cert"
 
+(* accept both orders: key/certificate and certificate/key *)
+let key_cert =
+  until_key >>= fun key ->
+  until_cert >>= fun cert -> return (key, cert)
+
+let cert_key =
+  until_cert >>= fun cert ->
+  until_key >>= fun key -> return (key, cert)
+
 let pem =
-  until_key >>= fun private_key ->
-  until_cert >>= fun host_cert ->
+  key_cert <|> cert_key >>= fun (private_key, host_cert) ->
   many until_cert >>= fun other_certs ->
   many end_of_line *> return {private_key; host_cert; other_certs} <?> "pem"
 

ocaml/gencert/test_data/pems/fail-01.pem renamed to ocaml/gencert/test_data/pems/pass-05.pem

@@ -0,0 +1,51 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7qKYiCfucgzLI
+X78/NTAtFXA97Cp3PfnQwpi90tF0YmWUObOdVdxP2FHvUTyMhItpvimsvztX503D
+C0Q7lI9/omK3AbPPy51lhRCKTMiz8ic2fmiHU9lePmkZMZJv0p/eHgAIcOmIl5Kc
+uvoKvOutLnFTRKrYhUQMu2eyBz0f8rzY/4yhLLNflkQUJ3zc3W0jeMuAUei7Zmtz
+jpj+s3Ll5rwzVYG3xLbndzpCR7NaP5uZcchByhsirohR90m3dQtrFdtLTkiDJ8vJ
+hW7z3AzAA0Btw/CtH1/Ef/rHt3XHKGMJoJ3nQ2zRvSutdrRSAknNqYONe0hyrLvy
+MRGno7SjAgMBAAECggEANHjKw1fRQAk7aOXE3xKrPt/wu4/Oq/rrYGEZPnK1WHqu
+9oxP2d2JNdZBys4HRS9GoDGpC4GJQWIOz0vWL2ax3Tl1qsBSG/dOMnXLkzA3KoG6
+TzV3WueqLvz6fC3tSVE2nG/9CF8yHZxsRWDOy7PZnloPG/5mWxagWYMJUrFNeSH2
+nXd40Rff5uM43OzKtiOOzoKv2bKlKReyJVcI98MkyqSbUiie6qO1/NqrOUhq7rsV
+zFmbtjy8UL4gXR2VVz0itb/w/iV/SDVHdMQ36obo8EM9eyxUFu4QPscrbK0FvjHV
+lsKTnzu1zj/fm68NafXDy/KL5I9jethsj8ReNaQzoQKBgQDLkaIxBtNtAZfcFK7S
+dXtR7fIQfUTtgDrxznYXPqCkCy/0wp53hj7aShX2C/rfFQVElBUPkf2E/P6v7Xnf
+b+M/Zj6TH7XYbScoVu+8cqfIm1ySd3evK4GoqGIUiJeuSYEfeLqZSTp1XxO05lGb
+ZmAEtZUHor24Co9HIV/3P86EcwKBgQDr/fqn6b6V1O64r7/cnOmWhW1+5MjoWO2K
++y0fSutrPMOFK4ItJIk4Q5JbHA42cwyYRMe+oElGXzWJXGbqxyorFhW0Er/+roTa
+6GXwNrRkdA3S0rgPAE7IS42WLDsAO9/muiZJ4heXtk8i0xDoyy3Y8UQ/6hR4h1px
+jtn9Bs4zEQKBgBdW+TuZxr/mwNyQ2oJyydLY7zoIwtBgNWHoBA4iNhTY24S6k6Ss
+laQ9fksZkIfnRxVXzRpd6K1IvIK7PY/qqilotZ/0sMrBqQ2s+gunMamEdpasb+J7
+oIAP3j7wckOfVdif5PUSOkuevQmupoiksjmYACBB/nKNc2P6ZaBZhnoVAoGBAJuc
+4z777BeCzFNuWJaRxZniq9wj4rMLiL+/dvaOgYQ6EjdrBDDeSbmXHRgE/P48iQ6T
+NB9oNEk6GORV0Ot5nz3AF1mhj4bR73smCaoHeJZQzJi7KHGD429CGr/utI0n7jGH
+iB3p/2Kj7bTp9tl6uOW32ihHI26C2knNR8MITMnxAoGAZ+Dpg1a6u2ZMTSgOn9Vc
+pECwENGtOQP4RKyXmnq3ET5ykx1hMMCf9uoA09TXDRuJ/20hVfsAGvLZdbQq/9DL
+C3bckcoalhy8RXC/OV9c6SC/xgoYiggxmZtzV34wnQSLM4Cr+Q/lhOaj7sop6iJi
+apYRps2sXbUdu3pDTub/zSI=
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDwzCCAqugAwIBAgIUZeSD7KNhTFOoqpI7cWxxWcN417EwDQYJKoZIhvcNAQEL
+BQAwcTELMAkGA1UEBhMCVUsxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcM
+CUNhbWJyaWRnZTEPMA0GA1UECgwGQ2l0cml4MRIwEAYDVQQLDAlYZW5TZXJ2ZXIx
+FDASBgNVBAMMC2V4YW1wbGUuY29tMB4XDTI1MDExNDE1NDIwMFoXDTM1MDExMjE1
+NDIwMFowcTELMAkGA1UEBhMCVUsxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNV
+BAcMCUNhbWJyaWRnZTEPMA0GA1UECgwGQ2l0cml4MRIwEAYDVQQLDAlYZW5TZXJ2
+ZXIxFDASBgNVBAMMC2V4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAu6imIgn7nIMyyF+/PzUwLRVwPewqdz350MKYvdLRdGJllDmznVXc
+T9hR71E8jISLab4prL87V+dNwwtEO5SPf6JitwGzz8udZYUQikzIs/InNn5oh1PZ
+Xj5pGTGSb9Kf3h4ACHDpiJeSnLr6CrzrrS5xU0Sq2IVEDLtnsgc9H/K82P+MoSyz
+X5ZEFCd83N1tI3jLgFHou2Zrc46Y/rNy5ea8M1WBt8S253c6QkezWj+bmXHIQcob
+Iq6IUfdJt3ULaxXbS05IgyfLyYVu89wMwANAbcPwrR9fxH/6x7d1xyhjCaCd50Ns
+0b0rrXa0UgJJzamDjXtIcqy78jERp6O0owIDAQABo1MwUTAdBgNVHQ4EFgQUK3or
+CHusUjk/eheKHz6JMuYQBkAwHwYDVR0jBBgwFoAUK3orCHusUjk/eheKHz6JMuYQ
+BkAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEATq7rhHQE3xSk
+NUsD1dIFUwz7NJ1eIbdNQ8kJGybcTkIsBY9PrUcrnXFozEE05dZaZizCK/F0To3v
+903kVAwaBe04sZuIqAVDHAjewH2yfCAIRkgA6RPnSHio6NTCLMi3Ukqrhj5bIFGy
+eqcAKy0akXeV3uLIKKY/ZdNpPRP5gW2UZpC+p9ZBEcVDNKAWEK+GVLDar1MLdyIp
+XyCp4wimx4iK+TyXEYKRK7G5+/HPtYOU2OrHtuUFnppz4G5/QuyuDO7yDAJaK8X/
+9hIuR4tcxzt3FdBMVXju5PViMpKbpw5XslbGxdAFFCSrkSRvzYw98tq7HkUB5IyV
+OgjjLNHdJg==
+-----END CERTIFICATE-----

ocaml/gencert/test_data/pems/pass-xsi-1781-reformat.pem

@@ -0,0 +1,111 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            65:e4:83:ec:a3:61:4c:53:a8:aa:92:3b:71:6c:71:59:c3:78:d7:b1
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = UK, ST = Some-State, L = Cambridge, O = Citrix, OU = XenServer, CN = example.com
+        Validity
+            Not Before: Jan 14 15:42:00 2025 GMT
+            Not After : Jan 12 15:42:00 2035 GMT
+        Subject: C = UK, ST = Some-State, L = Cambridge, O = Citrix, OU = XenServer, CN = example.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:bb:a8:a6:22:09:fb:9c:83:32:c8:5f:bf:3f:35:
+                    30:2d:15:70:3d:ec:2a:77:3d:f9:d0:c2:98:bd:d2:
+                    d1:74:62:65:94:39:b3:9d:55:dc:4f:d8:51:ef:51:
+                    3c:8c:84:8b:69:be:29:ac:bf:3b:57:e7:4d:c3:0b:
+                    44:3b:94:8f:7f:a2:62:b7:01:b3:cf:cb:9d:65:85:
+                    10:8a:4c:c8:b3:f2:27:36:7e:68:87:53:d9:5e:3e:
+                    69:19:31:92:6f:d2:9f:de:1e:00:08:70:e9:88:97:
+                    92:9c:ba:fa:0a:bc:eb:ad:2e:71:53:44:aa:d8:85:
+                    44:0c:bb:67:b2:07:3d:1f:f2:bc:d8:ff:8c:a1:2c:
+                    b3:5f:96:44:14:27:7c:dc:dd:6d:23:78:cb:80:51:
+                    e8:bb:66:6b:73:8e:98:fe:b3:72:e5:e6:bc:33:55:
+                    81:b7:c4:b6:e7:77:3a:42:47:b3:5a:3f:9b:99:71:
+                    c8:41:ca:1b:22:ae:88:51:f7:49:b7:75:0b:6b:15:
+                    db:4b:4e:48:83:27:cb:c9:85:6e:f3:dc:0c:c0:03:
+                    40:6d:c3:f0:ad:1f:5f:c4:7f:fa:c7:b7:75:c7:28:
+                    63:09:a0:9d:e7:43:6c:d1:bd:2b:ad:76:b4:52:02:
+                    49:cd:a9:83:8d:7b:48:72:ac:bb:f2:31:11:a7:a3:
+                    b4:a3
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                2B:7A:2B:08:7B:AC:52:39:3F:7A:17:8A:1F:3E:89:32:E6:10:06:40
+            X509v3 Authority Key Identifier: 
+                2B:7A:2B:08:7B:AC:52:39:3F:7A:17:8A:1F:3E:89:32:E6:10:06:40
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        4e:ae:eb:84:74:04:df:14:a4:35:4b:03:d5:d2:05:53:0c:fb:
+        34:9d:5e:21:b7:4d:43:c9:09:1b:26:dc:4e:42:2c:05:8f:4f:
+        ad:47:2b:9d:71:68:cc:41:34:e5:d6:5a:66:2c:c2:2b:f1:74:
+        4e:8d:ef:f7:4d:e4:54:0c:1a:05:ed:38:b1:9b:88:a8:05:43:
+        1c:08:de:c0:7d:b2:7c:20:08:46:48:00:e9:13:e7:48:78:a8:
+        e8:d4:c2:2c:c8:b7:52:4a:ab:86:3e:5b:20:51:b2:7a:a7:00:
+        2b:2d:1a:91:77:95:de:e2:c8:28:a6:3f:65:d3:69:3d:13:f9:
+        81:6d:94:66:90:be:a7:d6:41:11:c5:43:34:a0:16:10:af:86:
+        54:b0:da:af:53:0b:77:22:29:5f:20:a9:e3:08:a6:c7:88:8a:
+        f9:3c:97:11:82:91:2b:b1:b9:fb:f1:cf:b5:83:94:d8:ea:c7:
+        b6:e5:05:9e:9a:73:e0:6e:7f:42:ec:ae:0c:ee:f2:0c:02:5a:
+        2b:c5:ff:f6:12:2e:47:8b:5c:c7:3b:77:15:d0:4c:55:78:ee:
+        e4:f5:62:32:92:9b:a7:0e:57:b2:56:c6:c5:d0:05:14:24:ab:
+        91:24:6f:cd:8c:3d:f2:da:bb:1e:45:01:e4:8c:95:3a:08:e3:
+        2c:d1:dd:26
+-----BEGIN CERTIFICATE-----
+MIIDwzCCAqugAwIBAgIUZeSD7KNhTFOoqpI7cWxxWcN417EwDQYJKoZIhvcNAQEL
+BQAwcTELMAkGA1UEBhMCVUsxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcM
+CUNhbWJyaWRnZTEPMA0GA1UECgwGQ2l0cml4MRIwEAYDVQQLDAlYZW5TZXJ2ZXIx
+FDASBgNVBAMMC2V4YW1wbGUuY29tMB4XDTI1MDExNDE1NDIwMFoXDTM1MDExMjE1
+NDIwMFowcTELMAkGA1UEBhMCVUsxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNV
+BAcMCUNhbWJyaWRnZTEPMA0GA1UECgwGQ2l0cml4MRIwEAYDVQQLDAlYZW5TZXJ2
+ZXIxFDASBgNVBAMMC2V4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAu6imIgn7nIMyyF+/PzUwLRVwPewqdz350MKYvdLRdGJllDmznVXc
+T9hR71E8jISLab4prL87V+dNwwtEO5SPf6JitwGzz8udZYUQikzIs/InNn5oh1PZ
+Xj5pGTGSb9Kf3h4ACHDpiJeSnLr6CrzrrS5xU0Sq2IVEDLtnsgc9H/K82P+MoSyz
+X5ZEFCd83N1tI3jLgFHou2Zrc46Y/rNy5ea8M1WBt8S253c6QkezWj+bmXHIQcob
+Iq6IUfdJt3ULaxXbS05IgyfLyYVu89wMwANAbcPwrR9fxH/6x7d1xyhjCaCd50Ns
+0b0rrXa0UgJJzamDjXtIcqy78jERp6O0owIDAQABo1MwUTAdBgNVHQ4EFgQUK3or
+CHusUjk/eheKHz6JMuYQBkAwHwYDVR0jBBgwFoAUK3orCHusUjk/eheKHz6JMuYQ
+BkAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEATq7rhHQE3xSk
+NUsD1dIFUwz7NJ1eIbdNQ8kJGybcTkIsBY9PrUcrnXFozEE05dZaZizCK/F0To3v
+903kVAwaBe04sZuIqAVDHAjewH2yfCAIRkgA6RPnSHio6NTCLMi3Ukqrhj5bIFGy
+eqcAKy0akXeV3uLIKKY/ZdNpPRP5gW2UZpC+p9ZBEcVDNKAWEK+GVLDar1MLdyIp
+XyCp4wimx4iK+TyXEYKRK7G5+/HPtYOU2OrHtuUFnppz4G5/QuyuDO7yDAJaK8X/
+9hIuR4tcxzt3FdBMVXju5PViMpKbpw5XslbGxdAFFCSrkSRvzYw98tq7HkUB5IyV
+OgjjLNHdJg==
+-----END CERTIFICATE-----
+
+
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7qKYiCfucgzLI
+X78/NTAtFXA97Cp3PfnQwpi90tF0YmWUObOdVdxP2FHvUTyMhItpvimsvztX503D
+C0Q7lI9/omK3AbPPy51lhRCKTMiz8ic2fmiHU9lePmkZMZJv0p/eHgAIcOmIl5Kc
+uvoKvOutLnFTRKrYhUQMu2eyBz0f8rzY/4yhLLNflkQUJ3zc3W0jeMuAUei7Zmtz
+jpj+s3Ll5rwzVYG3xLbndzpCR7NaP5uZcchByhsirohR90m3dQtrFdtLTkiDJ8vJ
+hW7z3AzAA0Btw/CtH1/Ef/rHt3XHKGMJoJ3nQ2zRvSutdrRSAknNqYONe0hyrLvy
+MRGno7SjAgMBAAECggEANHjKw1fRQAk7aOXE3xKrPt/wu4/Oq/rrYGEZPnK1WHqu
+9oxP2d2JNdZBys4HRS9GoDGpC4GJQWIOz0vWL2ax3Tl1qsBSG/dOMnXLkzA3KoG6
+TzV3WueqLvz6fC3tSVE2nG/9CF8yHZxsRWDOy7PZnloPG/5mWxagWYMJUrFNeSH2
+nXd40Rff5uM43OzKtiOOzoKv2bKlKReyJVcI98MkyqSbUiie6qO1/NqrOUhq7rsV
+zFmbtjy8UL4gXR2VVz0itb/w/iV/SDVHdMQ36obo8EM9eyxUFu4QPscrbK0FvjHV
+lsKTnzu1zj/fm68NafXDy/KL5I9jethsj8ReNaQzoQKBgQDLkaIxBtNtAZfcFK7S
+dXtR7fIQfUTtgDrxznYXPqCkCy/0wp53hj7aShX2C/rfFQVElBUPkf2E/P6v7Xnf
+b+M/Zj6TH7XYbScoVu+8cqfIm1ySd3evK4GoqGIUiJeuSYEfeLqZSTp1XxO05lGb
+ZmAEtZUHor24Co9HIV/3P86EcwKBgQDr/fqn6b6V1O64r7/cnOmWhW1+5MjoWO2K
++y0fSutrPMOFK4ItJIk4Q5JbHA42cwyYRMe+oElGXzWJXGbqxyorFhW0Er/+roTa
+6GXwNrRkdA3S0rgPAE7IS42WLDsAO9/muiZJ4heXtk8i0xDoyy3Y8UQ/6hR4h1px
+jtn9Bs4zEQKBgBdW+TuZxr/mwNyQ2oJyydLY7zoIwtBgNWHoBA4iNhTY24S6k6Ss
+laQ9fksZkIfnRxVXzRpd6K1IvIK7PY/qqilotZ/0sMrBqQ2s+gunMamEdpasb+J7
+oIAP3j7wckOfVdif5PUSOkuevQmupoiksjmYACBB/nKNc2P6ZaBZhnoVAoGBAJuc
+4z777BeCzFNuWJaRxZniq9wj4rMLiL+/dvaOgYQ6EjdrBDDeSbmXHRgE/P48iQ6T
+NB9oNEk6GORV0Ot5nz3AF1mhj4bR73smCaoHeJZQzJi7KHGD429CGr/utI0n7jGH
+iB3p/2Kj7bTp9tl6uOW32ihHI26C2knNR8MITMnxAoGAZ+Dpg1a6u2ZMTSgOn9Vc
+pECwENGtOQP4RKyXmnq3ET5ykx1hMMCf9uoA09TXDRuJ/20hVfsAGvLZdbQq/9DL
+C3bckcoalhy8RXC/OV9c6SC/xgoYiggxmZtzV34wnQSLM4Cr+Q/lhOaj7sop6iJi
+apYRps2sXbUdu3pDTub/zSI=
+-----END PRIVATE KEY-----

ocaml/gencert/test_data/pems/pass-xsi-1781.pem

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+# parse a PEM file for certificate and key and emit them again as a PEM
+# to stdout. This is in response to XSI-1781.
+
+set -o errexit
+set -o pipefail
+if [[ -n "$TRACE" ]]; then set -o xtrace; fi
+set -o nounset
+
+if [[ "${1-}" =~ ^-*h(elp)?$ ]]; then
+    cat <<EOF 
+Usage: $0 /etc/xensource/xapi-ssl.pem 
+
+Reformat a PEM file such that it matches expectations from
+XenServer 8 about its format. The file is emitted to stdout and
+should be re-directed to a file.
+
+EOF
+fi
+
+PEM="$1"
+
+openssl x509  -outform PEM -in "$PEM" -out "$PEM.cert.$$"
+openssl rsa   -outform PEM -in "$PEM" -out "$PEM.key.$$"
+cat "$PEM.key.$$" "$PEM.cert.$$"
+rm -f "$PEM.cert.$$" "$PEM.key.$$"  
+