_extractBER() fails on certificate bundles since phpseclib 2.0.30 #1568
Comments
Can you post an example cert that it's not working on? Thanks!
Sure, here's one:
The outer
So I didn't even know phpseclib handled "bundles" at all until #1542. So you have two certs. The first one's subject is "ownCloud Code Signing Intermediate Authority" and the second one's subject is "ownCloud Code Signing Root Authority". With the old way, attempting to load the "bundled" cert you posted would simply return the first cert. With the new way it returns false.

I guess you could do a little bit of preprocessing now on the cert:

```php
// $x509 is a phpseclib\File\X509 instance
$str = 'the cert';
// Drop everything up to and including the first -----BEGIN ...----- line
// (skipped when the input is longer than pcre.backtrack_limit)
$str = strlen($str) <= ini_get('pcre.backtrack_limit') ?
    preg_replace('#.*?^-+[^-]+-+[\r\n ]*$#ms', '', $str, 1) :
    $str;
// Strip the remaining -----...----- marker lines
$str = preg_replace('#-+[^-]+-+#', '', $str);
$x509->loadX509($str);
```

I guess I could also make it so that all text after the first My aim with 2.0 is to preserve BC but it can get a little tricky with "bugs" lol. Some people may be relying on the behavior of "bugs" to achieve certain effects so, in some ways, one could argue that true BC requires you never ever fix bugs, ever. Even something like fixing a timing attack... someone could, in theory, say that "you broke my code! I was using your lib to demo timing attacks!" upon you fixing them. Where you draw the line is fairly subjective imho.

Anyway, I'll mull on this some and decide what I want to do. Thanks!
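An alternative to stripping the markers, as an added example that is not from the thread or from phpseclib: split the bundle into its individual PEM blocks and pass each one to `loadX509()` separately, failing closed if any block does not parse. `splitPemBundle()` and `makeSampleCert()` are hypothetical helpers; the sample certificates are constructed at run time with PHP's openssl extension, and phpseclib 2.0 is assumed to be installed via Composer.

```php
<?php
// Added example, not phpseclib's own code.
// Assumes phpseclib 2.0 via Composer and the PHP openssl extension
// (openssl is used only to build a constructed sample bundle).
require __DIR__ . '/vendor/autoload.php';

use phpseclib\File\X509;

/** Hypothetical helper: return each CERTIFICATE block of a PEM bundle as its own string. */
function splitPemBundle($bundle)
{
    $pattern = '#-----BEGIN CERTIFICATE-----[A-Za-z0-9+/=\s]+?-----END CERTIFICATE-----#';
    preg_match_all($pattern, $bundle, $matches);
    return $matches[0];
}

/** Hypothetical helper: constructed sample input, a throwaway self-signed certificate. */
function makeSampleCert($cn)
{
    $key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $csr = openssl_csr_new(['commonName' => $cn], $key, ['digest_alg' => 'sha256']);
    $cert = openssl_csr_sign($csr, null, $key, 1, ['digest_alg' => 'sha256']);
    openssl_x509_export($cert, $pem);
    return $pem;
}

// Two certificates concatenated, the way a chain file is usually laid out.
$bundle = makeSampleCert('Example Intermediate') . makeSampleCert('Example Root');

$subjects = [];
foreach (splitPemBundle($bundle) as $i => $pem) {
    $x509 = new X509();
    if ($x509->loadX509($pem) === false) {
        // Fail closed: a block that does not parse must not be silently skipped.
        throw new RuntimeException("certificate #$i in bundle failed to parse");
    }
    $subjects[] = $x509->getSubjectDN(X509::DN_STRING);
}

// One subject per certificate in the bundle, in file order.
print_r($subjects);
```

Loading each block on its own does not depend on how `_extractBER()` treats text after the first END marker, so it behaves the same before and after 2.0.30.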
Apparently `_extractBER()` cannot strip `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` completely out of certificate bundles anymore. This was working in versions <= 2.0.29.

Probably happens due to the changes in https://github.com/phpseclib/phpseclib/blob/2.0.29/phpseclib/File/X509.php#L5061 -> https://github.com/phpseclib/phpseclib/blob/2.0.30/phpseclib/File/X509.php#L5063