From 8e4765893758dd69302f0b85d70e5516edd05722 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Mar 12 2018 22:00:26 +0000
Subject: Allow leading/trailing data when looking for certificates
When parsing the list of certificates provided for signing verification the parser did not allow leading or trailing data, like headers you might find in openSSL exported PKCS#12 values: Bag Attributes 2.16.840.1.113730.5.1.1.1: CT,C,C localKeyID: 00 9B 92 61 B3 05 7F EE 42 9B 6A AF DE 5B 08 ... friendlyName: CA Signing Certificate subject=/O=ACME/CN=CA Signing Certificate issuer=/O=ACME/CN=CA Signing Certificate https://pagure.io/certmonger/issue/93
---
diff --git a/src/pkcs7.c b/src/pkcs7.c
index 991ef91..6de1775 100644
--- a/src/pkcs7.c
+++ b/src/pkcs7.c
@@ -976,10 +976,11 @@ cm_pkcs7_verify_signed(unsigned char *data, size_t length,
 * concatenated, always break them up. */
 p = s;
 while ((p != NULL) && (*p != '\0')) {
- if (strncmp(p, "-----BEGIN", 10) != 0) {
+ p = strstr(p, "-----BEGIN");
+ if (p == NULL) {
 break;
 }
- q = strstr(p, "----END");
+ q = strstr(p, "-----END");
 if (q == NULL) {
 break;
 }
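Review bot: The new `strstr(p, "-----BEGIN")` accepts the marker anywhere in the buffer, including mid-line inside the free-form leading text this change starts to tolerate (for example a `friendlyName:` value), and it matches any PEM label, not only certificates. Because these blocks feed signature verification, the scan should stay anchored to a line start, e.g. `if (p != s && p[-1] != '\n') { p += 10; continue; }` right after the NULL check, and ideally compare the full `-----BEGIN CERTIFICATE-----` label if that is the only type expected here. The `-----END` search likewise does not check that the END label pairs with the BEGIN label; the extracted span is validated later in the loop, outside this hunk, so confirm there that a non-certificate block (such as a private key that OpenSSL exports alongside bag attributes) is skipped or rejected cleanly rather than aborting the whole verification. A short comment above the loop stating that text outside the BEGIN/END markers is ignored would also document the new behaviour.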