[openssl-dev] [openssl.org #4698] PEM parsing incorrect; whitespace in PEM crashes parser
Timothe Litt via RT
rt at openssl.org
Wed Oct 5 11:38:50 UTC 2016
PEM consists of base64 inside a header and trailer line.
OpenSSL crashes with embedded newlines. This was mentioned to me by the
OpenXPKI project.
See RFC 7468 section 2:
Data before the encapsulation boundaries are
permitted, and parsers MUST NOT malfunction when processing such
data. Furthermore, parsers SHOULD ignore whitespace and other non-
base64 characters and MUST handle different newline conventions.
Reproducible with the attached PEM certificate request and OpenSSL 1.02h
(linux).
openssl req -text -in t/csr1.pem
unable to load X509 request
3086379164:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:809:
This request is valid - although it (intentionally) also exceeds the
standard line length.
Note that OpenSSL will accept it if re-formatted:
perl -Mwarnings -Mstrict -MMIME::Base64 -e'local $/; my $x = <STDIN>;
  $x =~ s/.*^(-----BEGIN CERTIFICATE REQUEST-----\r?\n)(.*)^(-----END CERTIFICATE REQUEST-----).*/$1 . encode_base64(decode_base64( $2 )) . $3/ems;
  print $x' <t/csr1.pem | openssl req -text
OpenSSL should accept PEM with embedded whitespace and long lines.
--
Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4698
Please log in as guest with password guest if prompted
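As an added illustration (not code from the ticket, from OpenXPKI or from OpenSSL), a Python reader that applies the RFC 7468 section 2 rules quoted above (ignore text outside the boundaries, ignore whitespace and other non-base64 characters, accept any newline convention and any line length) and re-emits canonical 64-column PEM, the same normalisation the Perl one-liner performs. SAMPLE_DER and messy_pem() are constructed inputs, not the attached CSR.

```python
import base64
import re
import textwrap

# Constructed filler standing in for a DER-encoded request; not the CSR from the ticket.
SAMPLE_DER = bytes(range(120))

# RFC 7468 section 2: text outside the boundaries is permitted, and non-base64
# characters inside them (spaces, CR/LF, anything else) are to be ignored.
_BOUNDARY = re.compile(rb"-----BEGIN ([^-]+)-----(.*?)-----END ([^-]+)-----", re.DOTALL)
_NON_B64 = re.compile(rb"[^A-Za-z0-9+/=]")


def decode_pem_lenient(data: bytes):
    """Return (label, der) for the first encapsulated block, tolerating surrounding
    text, CRLF/LF/CR endings, embedded whitespace and over-long lines.
    Raises ValueError (binascii.Error is one) if no block is found, the labels
    differ, or what is left after stripping is not valid base64."""
    m = _BOUNDARY.search(data)
    if m is None:
        raise ValueError("no PEM encapsulation boundary found")
    label, body, end_label = m.group(1), m.group(2), m.group(3)
    if label != end_label:
        raise ValueError("BEGIN and END labels differ")
    der = base64.b64decode(_NON_B64.sub(b"", body), validate=True)
    return label.decode("ascii"), der


def encode_pem(label: str, der: bytes) -> str:
    """Emit canonical PEM: 64-column lines, LF-terminated."""
    lines = textwrap.wrap(base64.b64encode(der).decode("ascii"), 64)
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def reformat_pem(data: bytes) -> str:
    """Lenient read, canonical write: the normalisation the Perl one-liner performs."""
    return encode_pem(*decode_pem_lenient(data))


def messy_pem(label: str, der: bytes) -> bytes:
    """Constructed input a conforming parser must accept: leading text, CRLF
    endings, one over-long body line broken up by spaces, then a blank line."""
    b64 = base64.b64encode(der)
    spaced = b" ".join(b64[i:i + 10] for i in range(0, len(b64), 10))
    tag = label.encode("ascii")
    return (b"Certificate Request:\r\n    Version: 0\r\n"
            + b"-----BEGIN " + tag + b"-----\r\n" + spaced + b"\r\n\r\n"
            + b"-----END " + tag + b"-----\r\n")
```

Piping reformat_pem() output into `openssl req -text` is the same workaround the report shows; the point of the ticket is that the library should do this stripping itself.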
-------------- next part --------------
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=AU, ST=Some-State, L=my city, O=Internet Widgits Pty Ltd, OU=Big org, OU=Smaller org, CN=My Name/emailAddress=none at no-email.com, DC=domainComponent
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Exponent: 65537 (0x10001)
Attributes:
challengePassword :unable to print attribute
unstructuredName :unable to print attribute
Requested Extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
E-mail Protection, TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection, Time Stamping, OCSP Signing
X509v3 Subject Alternative Name:
email:noway at none.com, URI:https://fred.example.net, email:someday at nowhere.example.com, DNS:www.example.net, DNS:www.example.com, DNS:example.net, DNS:example.com, IP Address:10.2.3.4, IP Address:2001:DB8:741:0:0:0:0:0
X509v3 Subject Key Identifier:
00:12:45:9A
X509v3 Certificate Policies: critical
Policy: postOfficeBox
CPS: http://there.example.net
CPS: http://here.example.net
User Notice:
Organization: Suspicious minds
Numbers: 8, 11
Explicit Text: Trust but verify
User Notice:
Organization: Suspicious minds
Numbers: 8, 11
Explicit Text: Trust but verify
Policy: 1.5.88.103
Signature Algorithm: sha1WithRSAEncryption