Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for alternative CSR headers/footers #2040

Merged
merged 4 commits into from
Jan 24, 2019

Conversation

redtangent
Copy link
Contributor

Description

Adds support for alternative CSR headers, as defined by RFC7468. Microsoft uses alternative footers/headers for CSR's that contain the text 'BEGIN NEW CERTIFICATE REQUEST' instead of 'BEGIN CERTIFICATE REQUEST'. This PR adds support for those CSRs.

This is an enhancement in the sense that it supports more tools, but it's also a fix for an interoperability problem. The fix comes at no cost to the API, so I think it should be backported. I'll do that once this PR is approved.

This PR fixes #767.

Status

READY

Requires Backporting

Yes
Which branch?
mbedtls-2.7 and mbedtls-2.1

Todos

  • Tests
  • Documentation
  • Changelog updated
  • Backported

@simonbutcher simonbutcher added CLA not applicable needs-review Every commit must be reviewed by at least two team members, component-x509 labels Sep 30, 2018
ChangeLog Outdated
@@ -13,6 +13,8 @@ Changes
* Close a test gap in (D)TLS between the client side and the server side:
test the handling of large packets and small packets on the client side
in the same way as on the server side.
* Add support for alternative CSR headers, as used by Microsoft and defined
in RFC7468. Found by Michael Ernst. Fixes #767.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We usually use a space after "RFC".

buf, NULL, 0, &use_len );
cert_header = "-----BEGIN CERTIFICATE REQUEST-----";
cert_footer = "-----END CERTIFICATE REQUEST-----";
start = strstr( (const char *) buf, cert_header);
Copy link

@hanno-becker hanno-becker Oct 1, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should leave the detection of headers to mbedtls_pem_read_buffer(). It has a dedicated error code MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT in case they are not present, so we can call mbedtls_pem_read_buffer() with -----{BEGIN/END} CERTIFICATE REQUEST----- first, and fall back to ----{BEGIN/END} NEW CERTIFICATE REQUEST----- if it fails with MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT.

Copy link

@hanno-becker hanno-becker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a minor style issue in the ChangeLog. In regards to the implementation itself, I think we should build on the existing mbedtls_pem_read_buffer() to signal that PEM header/footers are not present, and not do the detection ourselves.

@simonbutcher simonbutcher added needs-work and removed needs-review Every commit must be reviewed by at least two team members, labels Oct 2, 2018
Add support for RFC7468, and the alternative Microsoft footer/headers for CSR's
that contain the text 'BEGIN NEW CERTIFICATE REQUEST' instead of
'BEGIN CERTIFICATE REQUEST'.
Add a test case for alternative headers possible for CSR's, as defined in
RFC7468.
Add Changelog entry for fix for alternative header/footers in CSR's.
@redtangent
Copy link
Contributor Author

You're right @hanno-arm. That's a better solution. I've adapted the PR and submitted a new solution based on your suggestion.

library/x509_csr.c Outdated Show resolved Hide resolved
Copy link

@hanno-becker hanno-becker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The second call to mbedtls_pem_read_buffer() should be made only if the first failed with the error for missing headers and footers. For other errors, we might (theoretically at least) call mbedtls_pem_read_buffer() with a corrupted data structure otherwise.

Change the secondary X509 CSR parsing call for the alternative MS header to only
occur if the first call fails due to the header being unfound, instead of any
call.
@redtangent
Copy link
Contributor Author

Review comments addressed. Please re-review @hanno-arm.

@simonbutcher simonbutcher added needs-review Every commit must be reviewed by at least two team members, and removed needs-work labels Oct 8, 2018
Copy link
Contributor

@AndrzejKurek AndrzejKurek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks fine for me now.

Copy link

@hanno-becker hanno-becker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@hanno-becker hanno-becker removed the needs-review Every commit must be reviewed by at least two team members, label Oct 9, 2018
@simonbutcher simonbutcher added needs-ci Needs to pass CI tests approved Design and code approved - may be waiting for CI or backports and removed needs-ci Needs to pass CI tests labels Oct 9, 2018
@simonbutcher simonbutcher added the needs-backports Backports are missing or are pending review and approval. label Oct 28, 2018
@simonbutcher
Copy link
Contributor

retest

@hanno-becker hanno-becker removed the needs-backports Backports are missing or are pending review and approval. label Jan 14, 2019
@simonbutcher
Copy link
Contributor

CI is failing on BSD timing test, which is as good as a pass.

@simonbutcher simonbutcher merged commit e1660af into Mbed-TLS:development Jan 24, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Design and code approved - may be waiting for CI or backports bug component-x509
Projects
None yet
Development

Successfully merging this pull request may close these issues.

CSR parsing error (mbedtls_x509_csr_parse)
4 participants