-
Notifications
You must be signed in to change notification settings - Fork 712
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: pem parsing should allow single dashes in comments #4787
Conversation
4aeaec9
to
b4c8e31
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This change looks good. The only other test that I would like to see is a more "real-world" test of parsing some real PEM comments found in the wild.
I think it'd be worthwhile to check in that PEM file under /tests/pems/centos-default-ca-bundle-2019.crt
and verify that s2n's PEM parser correctly skips all 133 of those comments.
Once that is done we can also close out: #1136
We actually already have a trust store checked in for testing: https://github.com/aws/s2n-tls/tree/main/tests/pems/trust-store It's from an Amazon Linux 2012 instance. Is there anything particularly interesting about centos, or did you just want us to test with any copied trust store? |
Description of changes:
Currently, s2n-tls can't parse certificates with comments containing '-' characters. Words and names containing '-' aren't uncommon-- "s2n-tls" has a '-'.
As an easy fix, this PR updates the parser to look for "--" instead of "-". "--" should be less common, and this fixes the problem without requiring a major rewrite of the parser.
This results in two changes to certificate format requirements:
Alternatively, if we want to continue accepting "-BEGIN CERTIFICATE-", I could skip to "-BEGIN" instead of '-' or "--". That would skip any extra preceding dashes and read the BEGIN token. The downsides are:
Testing:
I added some easy to update unit tests, rather than relying on test pem files. They're not exhaustive, but they cover the cases I changed and a couple other important cases.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.