Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: pem parsing detection of last cert errors #4908

Merged
merged 6 commits into from
Dec 12, 2024
Merged

fix: pem parsing detection of last cert errors #4908

merged 6 commits into from
Dec 12, 2024

Conversation

lrstewart
Copy link
Contributor

@lrstewart lrstewart commented Nov 19, 2024
edited
Loading

Release Summary:

Fixed a bug in certificate pem parsing. We now correctly reject certificate chains where the last certificate is unexpectedly significantly truncated (for example, missing the final "-- END CERTIFICATE --" marker).

Resolved issues:

resolves #4788

Description of changes:

Before, certificate parsing ignored errors unless there was unread data left in the stuffer after the failure. That meant any error due to missing data in the last certificate was ignored. My new tests are a good visual representation of what errors were previously ignored.

I modified the parsing logic to require that certificate parsing always succeed. Instead of attempting to parse the next certificate and then deciding how to handle any failures, we now first check for the delimiter characters ("--") and assert that parsing will succeed if the characters are present. If the characters aren't present, then there are no more certificates in the pem file (although there might be whitespace / comments / other garbage, but we also skipped over those before). Basically, we now treat any error that occurs after we find the delimiter characters as a real error, regardless of the state of the stuffer or chain.

The pem parsing code is also used for CRLs, private keys, and DH params, but all those parsing methods assume only one certificate in the pem and treat all errors as failures (although private key parsing does act on those errors).

Call-outs:

I also cleaned up memory management in the parsing method using DEFER_CLEANUP. It makes the diff harder to read, but it's not a large diff. But let me know if the diff is too hard to read and I should move the memory cleanup to another PR.

Testing:

  • I added several new positive parsing cases, which pass both before and after my change.
  • I added several new negative parsing cases, which failed before my change but pass after.
  • I also added a version of the negative parsing test that re-runs all the negative cases, but for a certificate at the end of a longer certificate list. That way we make sure that any errors we add to the negative cases aren't just being caught by our "chain_size > 0" check, like they were before.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@github-actions github-actions bot added the s2n-core team label Nov 19, 2024
@lrstewart lrstewart marked this pull request as ready for review November 19, 2024 18:03
@lrstewart lrstewart requested a review from goatgoose November 21, 2024 01:22
@lrstewart lrstewart enabled auto-merge (squash) December 9, 2024 17:40
@lrstewart lrstewart disabled auto-merge December 10, 2024 20:26
@lrstewart lrstewart enabled auto-merge (squash) December 10, 2024 20:43
@lrstewart lrstewart disabled auto-merge December 10, 2024 20:55
@lrstewart lrstewart enabled auto-merge December 10, 2024 20:56
@lrstewart lrstewart disabled auto-merge December 10, 2024 20:58
@lrstewart lrstewart enabled auto-merge December 10, 2024 20:58
@lrstewart lrstewart disabled auto-merge December 10, 2024 21:01
@lrstewart lrstewart enabled auto-merge December 10, 2024 21:02
@lrstewart lrstewart added this pull request to the merge queue Dec 10, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Dec 10, 2024
@lrstewart lrstewart added this pull request to the merge queue Dec 10, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Dec 10, 2024
@lrstewart lrstewart added this pull request to the merge queue Dec 10, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Dec 11, 2024
@lrstewart lrstewart enabled auto-merge December 12, 2024 04:41
@lrstewart lrstewart added this pull request to the merge queue Dec 12, 2024
Merged via the queue into aws:main with commit b16dd82 Dec 12, 2024
40 checks passed
@lrstewart lrstewart deleted the pem_fix branch December 12, 2024 06:00
@BrewTestBot BrewTestBot mentioned this pull request Dec 17, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jmayclin jmayclin jmayclin approved these changes

@goatgoose goatgoose goatgoose approved these changes

@alexw91 alexw91 Awaiting requested review from alexw91

Assignees
No one assigned
Labels
s2n-core team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Pem parsing does not always detect parsing errors for last certificate
3 participants
@lrstewart @goatgoose @jmayclin