New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] "keyInfo is not in PEM format or in base64 format" when upgrading to v5 #361
Comments
note that I choose the bug category, though it isn't really a bug, because I did not know what else to choose - since the breaking change happened in a major release, this is mostly for documentation purpose. |
I'd be happy to see what a PR like this would look like. Were the spaces something that were generated by some tool you used or were they are artifact of some other processing you did with them? |
So I don't really know how those spaces appeared tbh, the certificates are provisioned by our customers and it seems some of them have somehow the end of line of the base64 turned to spaces, and we did not validate enough so we accepted those certificates and stored them as is (which worked fine until the update, so we never realized). For the "fix" I don't imagine anything too fancy one of:
One potential issue (we did not encounter, but I think could happen) would also be missing padding, which probably used to work, but would be blocked by the new stricter regexp. I don't know if it would be a good idea to handle that too. |
Wouldn't that affect the header line as well? |
No because the failing assertion is after checking for PEM headers Line 63 in 72a39dc
Our certificate are in base 64 without the PEM headers. When there are PEM header, it seems that the regexp doesn't validate the base 64 at all (.*) so it would also have avoided us the issue |
We had the same problem. Our key files had Bag attributes and Key attributes blocks before begin private key line. Removing those lines fixed the issue. |
8920013 states multiple times that:
I presume it means ABNF https://www.rfc-editor.org/rfc/rfc7468#section-3 section's
@forty you wrote:
IMHO question is then whether RCF7468's General Considerations https://www.rfc-editor.org/rfc/rfc7468#section-2 section contains also discussion of whitespaces. FWIW, found also this answer which might bring some clarity/insight to whitespace stuff https://stackoverflow.com/a/40404153 |
Thank you @srd90 for this research. It does seem that, while we could allow for more lenient whitespace handing, it cautions that this "may run the risk of accepting text that was not intended to be accepted in the first place". However, "the choice of parsing strategy depends on the context of use"; we can pick and still be compliant. It seems we have picked, and we are compliant, and any cert used which has extraneous whitespace is actually not from a compliant generator. The quote in that Stack Overflow answer where it says "Furthermore, parsers SHOULD ignore whitespace and other non-base64 characters" is referring to data before the encapsulation boundaries.
Unless I'm missing something, the approach currently implemented is the most correct one and there isn't a compelling reason to change. Here are some relevant snippets:
|
While I appreciate the strict format, it would be really helpful to have an error message which actually tells, which key/cert is falsy. For us it was the |
That seems very reasonable @KiwiKilian . Can you put up a PR for that? |
Because of this commit 8920013 some of our certificates which contained spaces caused the error
TypeError: keyInfo is not in PEM format or in base64 format
, while it was working fine in previous version.As this breaking change was not explicitly stated in the changelog, I figured out that I'd log this bug in case someone else searches for it. The solution is to clean up the base64 of
idpCert
before passing it to node-saml (so no spaces, correct "=" padding, etc) - I don't know if node-saml should defensively perform the clean up too, up to you (let me know if you'd like a PR for this, happy to do it).The text was updated successfully, but these errors were encountered: