[openssl-users] Certificate format question?
steffen at sdaoden.eu
Tue Sep 25 18:57:24 UTC 2018
Viktor Dukhovni wrote in <5D44B1E9-CDB3-49C1-A3E5-4AB0D889C40F at dukhovni.org>:
|That particular parser tries to parse an arbitrary single
|PEM-encoded object, rather than a first object of a particular
|type (as with "pkey", "req", "x509", ...). The code for that
|is more specialized, and does support leading free-form text.
|While it could skip to the first boundary, and a well written
|pull request would be welcome, it is not critical for asn1parse
|to be able to ignore free-form text above the PEM object.
|In the meantime:
| $ perl -ne 'print if (/^-----BEGIN/../^-----END/);' foo.pem |
| openssl asn1parse
The RFC 7468 term "parsers SHOULD ignore whitespace and other non-
base64 characters" makes me wonder. I know (or used to know) that
the OpenSSL base64 decoder is (or was) pretty bad in doing so.
But this RFC is about PKIX specifics, of course, yet i (as a MUA
maintainer) struggled with how to deal with embedded data in
base64 encodings, and this RFC seems to explicitly allow them.
And i struggled because i have seen mail messages with data
embedded in base64; the rewrite of the MIME encoder (MUA commit
[d91a4bd0]), necessary to deal with those sequences. says a. o.:
In both cases: except that we, due to lack of a context, cannot
give an error message, say, once per handled message. I.e., we
cannot provide any error logging in order to avoid a possibly
infinite amount of such messages.
Regarding the garbage in base64 parts that we now simply skip.
I mean, it is possible to embed abuse porn or similar shit in
between the valid data, and now we _also_ simply skip over the
"garbage", silently extraditing our users to automatic parsers
which may gobble that s..t!
Also because the mutt(1) MUA is pretty good in skipping over
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
More information about the openssl-users