Commit - certmonger - fe0b1a212b0448d5c34deac9ad8a30f45c7f0a65

    Add a PEM validity checker and validate SCEP CA files
    
    If a non-PEM file was passed into add-scep-ca it would
    accept it without question but later fail with:
    
    status: CA_UNREACHABLE
    ca-error: Error: failed to verify signature on server response.
    
    Try to do basic validation of user-provided PEM files by:
    
    - stripping BEGIN/END headers
    - removing newlines and carriage returns
    - using OpenSSL EVP library to base64 decode the block
    
    This isn't fool-proof but it at least does some basic
    sanity checking to ensure the file(s) exist and appear
    to be PEM files.
    
    The unit tests use some Let's Encrypt CA certificates.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1492112
    
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>

src/Makefile.am

file modified

+1 -1

src/getcert-add-scep-ca.1.in

file modified

+2 -0

src/getcert.c

file modified

+35 -4

src/util-o.c

file modified

+144 -0

src/util-o.h

file modified

+7 -0

tests/040-pem/bad.empty

file added

empty file added

tests/040-pem/bad.isrg-root-x1-cross-signed.der

file added

empty file added

tests/040-pem/expected.out

file added

tests/040-pem/good.isrg-root-x1-cross-signed.pem

file added

+31

tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem

file added

+31

tests/040-pem/good.lets_encrypt_chain.pem

file added

+93

tests/040-pem/run.sh

file added

+18

tests/Makefile.am

file modified

+6 -2

tests/tools/Makefile.am

file modified

+2 -1

tests/tools/pem.c

file added

+69

certmonger

Source Code

Documentation

fe0b1a2 Add a PEM validity checker and validate SCEP CA files

Authored and Committed by rcritten 2 years ago

`fe0b1a2` Add a PEM validity checker and validate SCEP CA files