-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for alternative CSR headers/footers #2040
Add support for alternative CSR headers/footers #2040
Conversation
ChangeLog
Outdated
@@ -13,6 +13,8 @@ Changes | |||
* Close a test gap in (D)TLS between the client side and the server side: | |||
test the handling of large packets and small packets on the client side | |||
in the same way as on the server side. | |||
* Add support for alternative CSR headers, as used by Microsoft and defined | |||
in RFC7468. Found by Michael Ernst. Fixes #767. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We usually use a space after "RFC".
library/x509_csr.c
Outdated
buf, NULL, 0, &use_len ); | ||
cert_header = "-----BEGIN CERTIFICATE REQUEST-----"; | ||
cert_footer = "-----END CERTIFICATE REQUEST-----"; | ||
start = strstr( (const char *) buf, cert_header); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should leave the detection of headers to mbedtls_pem_read_buffer()
. It has a dedicated error code MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT
in case they are not present, so we can call mbedtls_pem_read_buffer()
with -----{BEGIN/END} CERTIFICATE REQUEST-----
first, and fall back to ----{BEGIN/END} NEW CERTIFICATE REQUEST-----
if it fails with MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's a minor style issue in the ChangeLog. In regards to the implementation itself, I think we should build on the existing mbedtls_pem_read_buffer()
to signal that PEM header/footers are not present, and not do the detection ourselves.
Add support for RFC7468, and the alternative Microsoft footer/headers for CSR's that contain the text 'BEGIN NEW CERTIFICATE REQUEST' instead of 'BEGIN CERTIFICATE REQUEST'.
Add a test case for alternative headers possible for CSR's, as defined in RFC7468.
Add Changelog entry for fix for alternative header/footers in CSR's.
e26e2c8
to
5199227
Compare
You're right @hanno-arm. That's a better solution. I've adapted the PR and submitted a new solution based on your suggestion. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The second call to mbedtls_pem_read_buffer()
should be made only if the first failed with the error for missing headers and footers. For other errors, we might (theoretically at least) call mbedtls_pem_read_buffer()
with a corrupted data structure otherwise.
Change the secondary X509 CSR parsing call for the alternative MS header to only occur if the first call fails due to the header being unfound, instead of any call.
Review comments addressed. Please re-review @hanno-arm. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks fine for me now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
retest |
CI is failing on BSD timing test, which is as good as a pass. |
Description
Adds support for alternative CSR headers, as defined by RFC7468. Microsoft uses alternative footers/headers for CSR's that contain the text 'BEGIN NEW CERTIFICATE REQUEST' instead of 'BEGIN CERTIFICATE REQUEST'. This PR adds support for those CSRs.
This is an enhancement in the sense that it supports more tools, but it's also a fix for an interoperability problem. The fix comes at no cost to the API, so I think it should be backported. I'll do that once this PR is approved.
This PR fixes #767.
Status
READY
Requires Backporting
Yes
Which branch?
mbedtls-2.7
andmbedtls-2.1
Todos