_extractBER() fails on certificate bundles since phpseclib 2.0.30 #1568

JammingBen · 2020-12-30T12:21:06Z

Apparently _extractBER() cannot strip -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- completely out of certificate bundles anymore. This was working in versions <= 2.0.29.

Probably happens due to the changes in https://github.com/phpseclib/phpseclib/blob/2.0.29/phpseclib/File/X509.php#L5061 -> https://github.com/phpseclib/phpseclib/blob/2.0.30/phpseclib/File/X509.php#L5063

The text was updated successfully, but these errors were encountered:

terrafrost · 2020-12-30T14:32:14Z

Can you post an example cert that it's not working on?

Thanks!

JammingBen · 2020-12-30T14:35:46Z

Sure, here's one:

The outer -----BEGIN/END CERTIFICATE----- get removed successfully, the inner unfortunately do not.

terrafrost · 2020-12-31T12:04:26Z

So I didn't even know phpseclib handled "bundles" at all until #1542 .

So you have two certs. The first one's subject is "ownCloud Code Signing Intermediate Authority" and the second one's subject is "ownCloud Code Signing Root Authority".

With the old way, attempting to load the "bundled" cert you posted would simply return the first cert. With the new way it returns false.

I guess you could do a little bit of preprocessing now on the cert:

$str = 'the cert';

$str = strlen($str) <= ini_get('pcre.backtrack_limit') ?
    preg_replace('#.*?^-+[^-]+-+[\r\n ]*$#ms', '', $str, 1) :
    $str;
$str = preg_replace('#-+[^-]+-+#', '', $str);

$x509->loadX509($str);

I guess I could also make it so that all text after the first -----END CERTIFICATE----- line gets removed. This (vs the approach I adopted in response to #1542) would preserve the <= 2.0.29 behavior altho I suppose, technically, even that approach could cause some malformed certs to cease parsing.

My aim with 2.0 is to preserve BC but it can get a little tricky with "bugs" lol. Some people may be relying on the behavior of "bugs" to achieve certain effects so, in some ways, one could argue that true BC requires you never ever fix bugs, ever. Even something like fixing a timing attack... someone could, in theory, say that "you broke my code! I was using your lib to demo timing attacks!" upon you fixing them. Where you draw the line is fairly subjective imho.

Anyway, I'll mull on this some and decide what I want to do.

Thanks!

terrafrost · 2021-01-08T04:08:26Z

I've updated it so that when a bundled cert is found only the first cert is parsed. The issue in #1542 of inconsistent behavior has been resolved as well as it now explicitly removes everything after the first "-END...".

See 9de5f3f

terrafrost referenced this issue Jan 8, 2021

X509: always parse the first cert of a bundle

9de5f3f

terrafrost closed this as completed Jan 8, 2021

krestenk mentioned this issue May 19, 2021

Problems with loading .PEM data if there are any comments/text before the -----BEGIN CERTIFICATE----- marker #1659

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

_extractBER() fails on certificate bundles since phpseclib 2.0.30 #1568

_extractBER() fails on certificate bundles since phpseclib 2.0.30 #1568

JammingBen commented Dec 30, 2020

terrafrost commented Dec 30, 2020

JammingBen commented Dec 30, 2020

terrafrost commented Dec 31, 2020

terrafrost commented Jan 8, 2021

_extractBER() fails on certificate bundles since phpseclib 2.0.30 #1568

_extractBER() fails on certificate bundles since phpseclib 2.0.30 #1568

Comments

JammingBen commented Dec 30, 2020

terrafrost commented Dec 30, 2020

JammingBen commented Dec 30, 2020

terrafrost commented Dec 31, 2020

terrafrost commented Jan 8, 2021