[openssl-users] PEM X509 certificate with no newline

Viktor Dukhovni openssl-users at dukhovni.org
Thu Sep 3 17:31:55 UTC 2015


On Thu, Sep 03, 2015 at 04:35:00PM +0000, Salz, Rich wrote:

> > PEM_read_bio_X509() fails because of the missing newlines.
> 
> The underlying base64 decoder is horrible.  It accepts invalid 8bit chars, and silently enforces a line-length limit.
> 
> Wanna rewrite it? :)

A large part of the complexity is that the base64 BIO is doing
buffering wrong.  Instead of buffering character data it buffers
lines, and thus has to set a line length limit.

Perhaps this BIO is intended to be used on multi-component PEM
files, and to automatically stop when it reaches "-----END ...".
I've not looked too closely at the use-cases.

In any case, it is the messiest and least efficient (in terms of
lines of code not run-time) code I've seen in OpenSSL.  This code
is very old, and has barely been touched for decades (except for
a subtle bug fixed a few years back by EAY himself IIRC).

The mess is just not very appealing to go near.  The first step
would be to figure out what the base64 BIO is currently doing and
what we want it to do going forward.  Writing new code is likely
easier than figuring out what it is doing now.

-- 
	Viktor.
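
An added example, not part of the original message and not OpenSSL code: a base64 decoder that buffers characters rather than lines, so it has no line-length limit, accepts input with no newlines at all, and rejects 8-bit or otherwise invalid bytes instead of passing them through. The names b64_stream, b64_feed and b64_final are hypothetical.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
/* State holds at most one 4-character quantum: characters are buffered, never lines. */
typedef struct { uint32_t acc; int n; int pad; } b64_stream;

static int b64_val(unsigned char c)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = c ? strchr(tbl, c) : NULL;
    return p ? (int)(p - tbl) : -1;
}

/* Feed a chunk of any size; out needs (len / 4 + 1) * 3 bytes. Returns bytes written or -1. */
long b64_feed(b64_stream *s, const unsigned char *in, size_t len, unsigned char *out)
{
    long w = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        int v = 0;
        if (c == '\n' || c == '\r' || c == ' ' || c == '\t')
            continue;                 /* newlines are allowed but never required */
        if (c == '=') {
            if (s->n < 2 || ++s->pad > 2) return -1;   /* misplaced padding */
        } else if (s->pad || (v = b64_val(c)) < 0) {
            return -1;                /* data after '=', or an 8-bit/invalid byte */
        }
        s->acc = (s->acc << 6) | (uint32_t)v;
        if (++s->n == 4) {            /* a full quantum: emit 1 to 3 bytes */
            out[w++] = (unsigned char)(s->acc >> 16);
            if (s->pad < 2) out[w++] = (unsigned char)(s->acc >> 8);
            if (s->pad < 1) out[w++] = (unsigned char)s->acc;
            s->acc = 0; s->n = 0;
        }
    }
    return w;
}
int b64_final(const b64_stream *s) { return s->n == 0 ? 0 : -1; } /* -1 if truncated */

int main(void)
{
    /* Constructed sample: "TWFu" split mid-quantum across two chunks, no newline. */
    b64_stream s = {0}; unsigned char out[8];
    long a = b64_feed(&s, (const unsigned char *)"TW", 2, out);
    long b = b64_feed(&s, (const unsigned char *)"Fu", 2, out + a);
    printf("%.*s %d\n", (int)(a + b), (char *)out, b64_final(&s));
    return 0;
}
```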

