Skip to content

Commit 9a1a547

Browse files
psafontpsafont
authored
CA-404236, gencert: when parsing pems, ignore data between key and certificates (#6207)
CA-404236, gencert: when parsing pems, ignore data between key and crrtificates This is needed in order to be compliant with RFC 7468: https://datatracker.ietf.org/doc/html/rfc7468#section-2 Data before the encapsulation boundaries are permitted, and parsers MUST NOT malfunction when processing such data. Signed-off-by: Pau Ruiz Safont <[email protected]>
2 parents c264219 + 2d84622 commit 9a1a547

File tree

3 files changed

+157
-9
lines changed

3 files changed

+157
-9
lines changed

ocaml/gencert/pem.ml

Lines changed: 21 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,8 @@ type t = {private_key: string; host_cert: string; other_certs: string list}
1818

1919
let is_data = function '-' -> false | _ -> true
2020

21+
let is_eol = function '\n' | '\r' -> true | _ -> false
22+
2123
let data = take_while1 is_data
2224

2325
type kind = RSA | EC | OTHER
@@ -43,29 +45,39 @@ let footer = function
4345
| OTHER ->
4446
"-----END PRIVATE KEY-----"
4547

46-
let key_header = string "-----BEGIN" *> kind <* string "PRIVATE KEY-----"
48+
let key_header =
49+
string "-----BEGIN" *> kind <* string "PRIVATE KEY-----" <?> "key_header"
4750

48-
let key_footer k = string (footer k)
51+
let key_footer k = string (footer k) <?> "key_footer"
4952

50-
let cert_header = string "-----BEGIN CERTIFICATE-----"
53+
let cert_header = string "-----BEGIN CERTIFICATE-----" <?> "cert_header"
5154

52-
let cert_footer = string "-----END CERTIFICATE-----"
55+
let cert_footer = string "-----END CERTIFICATE-----" <?> "cert_footer"
5356

5457
let key =
5558
key_header >>= fun kind ->
5659
data >>= fun body ->
5760
key_footer kind *> return (String.concat "" [header kind; body; footer kind])
61+
<?> "key"
62+
63+
let line = take_till is_eol *> end_of_line
64+
65+
(* try to read a key, or skip a line and try again *)
66+
let until_key = fix (fun m -> key <|> line *> m) <?> "until_key"
5867

5968
let cert =
6069
cert_header >>= fun hd ->
6170
data >>= fun body ->
62-
cert_footer >>= fun tl -> return (String.concat "" [hd; body; tl])
71+
cert_footer >>= fun tl -> return (String.concat "" [hd; body; tl]) <?> "cert"
72+
73+
(* try to read a cert, or skip a line and try again *)
74+
let until_cert = fix (fun m -> cert <|> line *> m) <?> "until_cert"
6375

6476
let pem =
65-
many end_of_line *> key >>= fun private_key ->
66-
many end_of_line *> cert >>= fun host_cert ->
67-
many end_of_line *> many cert >>= fun other_certs ->
68-
many end_of_line *> return {private_key; host_cert; other_certs}
77+
until_key >>= fun private_key ->
78+
until_cert >>= fun host_cert ->
79+
many until_cert >>= fun other_certs ->
80+
many end_of_line *> return {private_key; host_cert; other_certs} <?> "pem"
6981

7082
let defer f = Fun.protect ~finally:f
7183

ocaml/gencert/test_data/pems/pass-extra-lines-multiple-certs.pem

Lines changed: 87 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,87 @@
1+
extra line
2+
-----BEGIN RSA PRIVATE KEY-----
3+
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQD7lI5jUArCqncH
4+
tzcSFK+OJgXMv16Ai0sjsLKmxUVCnlElen/0VEIyTWwsHeB+oxxDluGE8zhB9bSI
5+
r3C1xHEUgtgj+gf6/A0Qnl/fIGkhuOFsPoholxXXGk2QkPQlGrE9FRxFNGQpIur0
6+
eniepJw4K+SMqAaGUvdwWfe44pYjOsmAS3IWLERdpjxcupgvHLwEnk+4zheypp93
7+
iVvmqwrX8okLiJJZap1ew6EgKzeK2mw9HUed4d0AGKCkAhghzGTl/IsLz4QOOFes
8+
rY4awQwzK1SwBvF49xAuOiRbURdzt+K7GsoN0lm5P8CxZmrDSGpGR1BICrMSatSG
9+
N0NuOCJ9AgMBAAECggEATgm51VKZ0+Kew5Twjzo9bqGawPVHsiYDK9H+yL5+inij
10+
gTWrhTWxxvq/KDwoS//6n3ipAd2UQNmfo5qQIsIJtawUsaw4V4Fh6BrIcGUUV3KK
11+
8lG/bHoZOz0cfFCKewv5mJH4z/q9awk6ypVG3yb+kmoDHiJsy7Pmr0IpFn+qxMg1
12+
EYZU91G10DguXekciRtNcZJRL0wCQR3s2OwDdQUC+XIotvAsKiuhWl++MLwn42ad
13+
EwhzLuLd312qWg58ByCcNq8/XJkHJUbKDTWmBRGopWRliduP+Kb6vJZ16KL0G2B+
14+
OKuTQxMOzVVmumXdEVj3kH54cjpn7kCq9jwhhSJiQQKBgQD94ZFOzsUzZfmNlDZ3
15+
hFmkFuFpQCacH58FQX/vD6JQ84HwEHJx69aHYI6olCNaKcNwMhsOw+0KqBRWZnCf
16+
A6oMWUf3pkogV5JZJy7DyHNOmkfI/w8NcWtqJ03pCoA237f5RH0sul2ady9BVzsJ
17+
/8rb3B5uDw8+XesnG8Ryj6BCsQKBgQD9rhKfHxJgsZUzyassIumYcLTefgdoeCq5
18+
awd+YaM9jrGGN1ty8dTEzo3rbovnz8y+ZJMzaDRbCUeNTQjKDox8mWffRTpjxcks
19+
rJzImY7coBdnZT8K4C5OMoeCAr30FI1veXBk/XFfr56h1X8QbmM2kuJwpsf5bOaf
20+
CTfL2q2XjQKBgHem4pvYuXoC2n1OV+k2GCVMn0nCcS/tez234/qgTKiISzoAFl/4
21+
fW/qIvHyd0LcIf7zrmrkDgiStJsPxo465N7TCSb/WToq649W9yRQiX+HGMPy6X41
22+
cSFjisWFLG4wO/2fuLrmzoypFT1fRjTtOAcsk67dLBsBmn0hChHP/QDRAoGASXS7
23+
XaogpzEk1A8kaq5dV8/i/74cpQqOzIwKanUZULzd+NBUwa72/loVTEQBbQmF7ueu
24+
nCcjae0A9BCHaALYeUfuhP9Fzhg6jZ4Z9BhK/uW4gS8XFy4dGnWVOXdTy7ab0din
25+
TAb7akqvM4tftMFSJz5XJWmV5Eq9aPXBW10iAQ0CgYBl6PsdqWBjvPnqX3NCyAGH
26+
ZO4iUcrqODdeTcKpILgqBmh9/IepClgCtwW1Iluna7QTDtVqotKcft1BtHJzeKWT
27+
6TvCgje2k0RWo6TkzroaF74lyAojzWOrmuq+skVbWTiebc4bCA1KtLMLaQHIEtdo
28+
FIPEq03cDKVNDCgABw4mkw==
29+
-----END RSA PRIVATE KEY-----
30+
extra line
31+
-----BEGIN CERTIFICATE-----
32+
MIIC5jCCAc6gAwIBAgIIaYRSm3Q7zc8wDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
33+
AwwVbGN5Mi1kdDExMC54ZW5ydGNsb3VkMB4XDTIwMTAxNDE1NTc1MloXDTMwMTAx
34+
MjE1NTc1MlowIDEeMBwGA1UEAwwVbGN5Mi1kdDExMC54ZW5ydGNsb3VkMIIBIjAN
35+
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+5SOY1AKwqp3B7c3EhSvjiYFzL9e
36+
gItLI7CypsVFQp5RJXp/9FRCMk1sLB3gfqMcQ5bhhPM4QfW0iK9wtcRxFILYI/oH
37+
+vwNEJ5f3yBpIbjhbD6IaJcV1xpNkJD0JRqxPRUcRTRkKSLq9Hp4nqScOCvkjKgG
38+
hlL3cFn3uOKWIzrJgEtyFixEXaY8XLqYLxy8BJ5PuM4Xsqafd4lb5qsK1/KJC4iS
39+
WWqdXsOhICs3itpsPR1HneHdABigpAIYIcxk5fyLC8+EDjhXrK2OGsEMMytUsAbx
40+
ePcQLjokW1EXc7fiuxrKDdJZuT/AsWZqw0hqRkdQSAqzEmrUhjdDbjgifQIDAQAB
41+
oyQwIjAgBgNVHREEGTAXghVsY3kyLWR0MTEwLnhlbnJ0Y2xvdWQwDQYJKoZIhvcN
42+
AQELBQADggEBAHEkeEjHilXdVgQhD/z46prXObB26uO97yFUcUIalzhb/P3zmfjb
43+
LFatTFn5jgienMmdP90uj7Ly1R6VOa+tX/o+XtSJaZwuNMtixv9qwo3nrFZdw8yF
44+
GgsmbAR+1hu0TG3RNpDIiES4D3JmVP8MgmwLw1kN3cBVptx73lE3uc8vZnNtIDOl
45+
erJb9fD3IOv/RZ78mxMnajZTHY5kg2e96d/a6HgY39vXMwycjp8wIE/+4g94fIc/
46+
/a2+BGYjCWJZyoLgmHcXEU8fOxe9yUWbFQf0wnqsLJIqzaQU1w2w6mkh4+xsI/nA
47+
JwFfXQKd3fzsvgmufpAbXt/AHljFvC/qjTI=
48+
-----END CERTIFICATE-----
49+
extra line
50+
-----BEGIN CERTIFICATE-----
51+
MIIC5jCCAc6gAwIBAgIIaYRSm3Q7zc8wDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
52+
AwwVbGN5Mi1kdDExMC54ZW5ydGNsb3VkMB4XDTIwMTAxNDE1NTc1MloXDTMwMTAx
53+
MjE1NTc1MlowIDEeMBwGA1UEAwwVbGN5Mi1kdDExMC54ZW5ydGNsb3VkMIIBIjAN
54+
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+5SOY1AKwqp3B7c3EhSvjiYFzL9e
55+
gItLI7CypsVFQp5RJXp/9FRCMk1sLB3gfqMcQ5bhhPM4QfW0iK9wtcRxFILYI/oH
56+
+vwNEJ5f3yBpIbjhbD6IaJcV1xpNkJD0JRqxPRUcRTRkKSLq9Hp4nqScOCvkjKgG
57+
hlL3cFn3uOKWIzrJgEtyFixEXaY8XLqYLxy8BJ5PuM4Xsqafd4lb5qsK1/KJC4iS
58+
WWqdXsOhICs3itpsPR1HneHdABigpAIYIcxk5fyLC8+EDjhXrK2OGsEMMytUsAbx
59+
ePcQLjokW1EXc7fiuxrKDdJZuT/AsWZqw0hqRkdQSAqzEmrUhjdDbjgifQIDAQAB
60+
oyQwIjAgBgNVHREEGTAXghVsY3kyLWR0MTEwLnhlbnJ0Y2xvdWQwDQYJKoZIhvcN
61+
AQELBQADggEBAHEkeEjHilXdVgQhD/z46prXObB26uO97yFUcUIalzhb/P3zmfjb
62+
LFatTFn5jgienMmdP90uj7Ly1R6VOa+tX/o+XtSJaZwuNMtixv9qwo3nrFZdw8yF
63+
GgsmbAR+1hu0TG3RNpDIiES4D3JmVP8MgmwLw1kN3cBVptx73lE3uc8vZnNtIDOl
64+
erJb9fD3IOv/RZ78mxMnajZTHY5kg2e96d/a6HgY39vXMwycjp8wIE/+4g94fIc/
65+
/a2+BGYjCWJZyoLgmHcXEU8fOxe9yUWbFQf0wnqsLJIqzaQU1w2w6mkh4+xsI/nA
66+
JwFfXQKd3fzsvgmufpAbXt/AHljFvC/qjTI=
67+
-----END CERTIFICATE-----
68+
extra line
69+
-----BEGIN CERTIFICATE-----
70+
MIIC5jCCAc6gAwIBAgIIaYRSm3Q7zc8wDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
71+
AwwVbGN5Mi1kdDExMC54ZW5ydGNsb3VkMB4XDTIwMTAxNDE1NTc1MloXDTMwMTAx
72+
MjE1NTc1MlowIDEeMBwGA1UEAwwVbGN5Mi1kdDExMC54ZW5ydGNsb3VkMIIBIjAN
73+
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+5SOY1AKwqp3B7c3EhSvjiYFzL9e
74+
gItLI7CypsVFQp5RJXp/9FRCMk1sLB3gfqMcQ5bhhPM4QfW0iK9wtcRxFILYI/oH
75+
+vwNEJ5f3yBpIbjhbD6IaJcV1xpNkJD0JRqxPRUcRTRkKSLq9Hp4nqScOCvkjKgG
76+
hlL3cFn3uOKWIzrJgEtyFixEXaY8XLqYLxy8BJ5PuM4Xsqafd4lb5qsK1/KJC4iS
77+
WWqdXsOhICs3itpsPR1HneHdABigpAIYIcxk5fyLC8+EDjhXrK2OGsEMMytUsAbx
78+
ePcQLjokW1EXc7fiuxrKDdJZuT/AsWZqw0hqRkdQSAqzEmrUhjdDbjgifQIDAQAB
79+
oyQwIjAgBgNVHREEGTAXghVsY3kyLWR0MTEwLnhlbnJ0Y2xvdWQwDQYJKoZIhvcN
80+
AQELBQADggEBAHEkeEjHilXdVgQhD/z46prXObB26uO97yFUcUIalzhb/P3zmfjb
81+
LFatTFn5jgienMmdP90uj7Ly1R6VOa+tX/o+XtSJaZwuNMtixv9qwo3nrFZdw8yF
82+
GgsmbAR+1hu0TG3RNpDIiES4D3JmVP8MgmwLw1kN3cBVptx73lE3uc8vZnNtIDOl
83+
erJb9fD3IOv/RZ78mxMnajZTHY5kg2e96d/a6HgY39vXMwycjp8wIE/+4g94fIc/
84+
/a2+BGYjCWJZyoLgmHcXEU8fOxe9yUWbFQf0wnqsLJIqzaQU1w2w6mkh4+xsI/nA
85+
JwFfXQKd3fzsvgmufpAbXt/AHljFvC/qjTI=
86+
-----END CERTIFICATE-----
87+
extra line

ocaml/gencert/test_data/pems/pass-extra-lines-one-cert.pem

Lines changed: 49 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,49 @@
1+
extra line
2+
-----BEGIN PRIVATE KEY-----
3+
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQD7lI5jUArCqncH
4+
tzcSFK+OJgXMv16Ai0sjsLKmxUVCnlElen/0VEIyTWwsHeB+oxxDluGE8zhB9bSI
5+
r3C1xHEUgtgj+gf6/A0Qnl/fIGkhuOFsPoholxXXGk2QkPQlGrE9FRxFNGQpIur0
6+
eniepJw4K+SMqAaGUvdwWfe44pYjOsmAS3IWLERdpjxcupgvHLwEnk+4zheypp93
7+
iVvmqwrX8okLiJJZap1ew6EgKzeK2mw9HUed4d0AGKCkAhghzGTl/IsLz4QOOFes
8+
rY4awQwzK1SwBvF49xAuOiRbURdzt+K7GsoN0lm5P8CxZmrDSGpGR1BICrMSatSG
9+
N0NuOCJ9AgMBAAECggEATgm51VKZ0+Kew5Twjzo9bqGawPVHsiYDK9H+yL5+inij
10+
gTWrhTWxxvq/KDwoS//6n3ipAd2UQNmfo5qQIsIJtawUsaw4V4Fh6BrIcGUUV3KK
11+
8lG/bHoZOz0cfFCKewv5mJH4z/q9awk6ypVG3yb+kmoDHiJsy7Pmr0IpFn+qxMg1
12+
EYZU91G10DguXekciRtNcZJRL0wCQR3s2OwDdQUC+XIotvAsKiuhWl++MLwn42ad
13+
EwhzLuLd312qWg58ByCcNq8/XJkHJUbKDTWmBRGopWRliduP+Kb6vJZ16KL0G2B+
14+
OKuTQxMOzVVmumXdEVj3kH54cjpn7kCq9jwhhSJiQQKBgQD94ZFOzsUzZfmNlDZ3
15+
hFmkFuFpQCacH58FQX/vD6JQ84HwEHJx69aHYI6olCNaKcNwMhsOw+0KqBRWZnCf
16+
A6oMWUf3pkogV5JZJy7DyHNOmkfI/w8NcWtqJ03pCoA237f5RH0sul2ady9BVzsJ
17+
/8rb3B5uDw8+XesnG8Ryj6BCsQKBgQD9rhKfHxJgsZUzyassIumYcLTefgdoeCq5
18+
awd+YaM9jrGGN1ty8dTEzo3rbovnz8y+ZJMzaDRbCUeNTQjKDox8mWffRTpjxcks
19+
rJzImY7coBdnZT8K4C5OMoeCAr30FI1veXBk/XFfr56h1X8QbmM2kuJwpsf5bOaf
20+
CTfL2q2XjQKBgHem4pvYuXoC2n1OV+k2GCVMn0nCcS/tez234/qgTKiISzoAFl/4
21+
fW/qIvHyd0LcIf7zrmrkDgiStJsPxo465N7TCSb/WToq649W9yRQiX+HGMPy6X41
22+
cSFjisWFLG4wO/2fuLrmzoypFT1fRjTtOAcsk67dLBsBmn0hChHP/QDRAoGASXS7
23+
XaogpzEk1A8kaq5dV8/i/74cpQqOzIwKanUZULzd+NBUwa72/loVTEQBbQmF7ueu
24+
nCcjae0A9BCHaALYeUfuhP9Fzhg6jZ4Z9BhK/uW4gS8XFy4dGnWVOXdTy7ab0din
25+
TAb7akqvM4tftMFSJz5XJWmV5Eq9aPXBW10iAQ0CgYBl6PsdqWBjvPnqX3NCyAGH
26+
ZO4iUcrqODdeTcKpILgqBmh9/IepClgCtwW1Iluna7QTDtVqotKcft1BtHJzeKWT
27+
6TvCgje2k0RWo6TkzroaF74lyAojzWOrmuq+skVbWTiebc4bCA1KtLMLaQHIEtdo
28+
FIPEq03cDKVNDCgABw4mkw==
29+
-----END PRIVATE KEY-----
30+
extra line
31+
-----BEGIN CERTIFICATE-----
32+
MIIC5jCCAc6gAwIBAgIIaYRSm3Q7zc8wDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
33+
AwwVbGN5Mi1kdDExMC54ZW5ydGNsb3VkMB4XDTIwMTAxNDE1NTc1MloXDTMwMTAx
34+
MjE1NTc1MlowIDEeMBwGA1UEAwwVbGN5Mi1kdDExMC54ZW5ydGNsb3VkMIIBIjAN
35+
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+5SOY1AKwqp3B7c3EhSvjiYFzL9e
36+
gItLI7CypsVFQp5RJXp/9FRCMk1sLB3gfqMcQ5bhhPM4QfW0iK9wtcRxFILYI/oH
37+
+vwNEJ5f3yBpIbjhbD6IaJcV1xpNkJD0JRqxPRUcRTRkKSLq9Hp4nqScOCvkjKgG
38+
hlL3cFn3uOKWIzrJgEtyFixEXaY8XLqYLxy8BJ5PuM4Xsqafd4lb5qsK1/KJC4iS
39+
WWqdXsOhICs3itpsPR1HneHdABigpAIYIcxk5fyLC8+EDjhXrK2OGsEMMytUsAbx
40+
ePcQLjokW1EXc7fiuxrKDdJZuT/AsWZqw0hqRkdQSAqzEmrUhjdDbjgifQIDAQAB
41+
oyQwIjAgBgNVHREEGTAXghVsY3kyLWR0MTEwLnhlbnJ0Y2xvdWQwDQYJKoZIhvcN
42+
AQELBQADggEBAHEkeEjHilXdVgQhD/z46prXObB26uO97yFUcUIalzhb/P3zmfjb
43+
LFatTFn5jgienMmdP90uj7Ly1R6VOa+tX/o+XtSJaZwuNMtixv9qwo3nrFZdw8yF
44+
GgsmbAR+1hu0TG3RNpDIiES4D3JmVP8MgmwLw1kN3cBVptx73lE3uc8vZnNtIDOl
45+
erJb9fD3IOv/RZ78mxMnajZTHY5kg2e96d/a6HgY39vXMwycjp8wIE/+4g94fIc/
46+
/a2+BGYjCWJZyoLgmHcXEU8fOxe9yUWbFQf0wnqsLJIqzaQU1w2w6mkh4+xsI/nA
47+
JwFfXQKd3fzsvgmufpAbXt/AHljFvC/qjTI=
48+
-----END CERTIFICATE-----
49+
extra line

0 commit comments

Comments
 (0)