From 1146a94aeea7d2ea1ead3bfcbddd0f4de696abe6 Mon Sep 17 00:00:00 2001
From: Samuel Williams <samuel.williams@oriontransfer.co.nz>
Date: Sat, 22 May 2021 08:47:20 +1200
Subject: [PATCH] [ruby/openssl] Implement `Certificate.load` to load
 certificate chain. (https://github.com/ruby/openssl/pull/441)

* Add feature for loading the chained certificate into Certificate array.

https://github.com/ruby/openssl/commit/05e1c015d6

Co-authored-by: Sao I Kuan <saoikuan@gmail.com>
---
 ext/openssl/lib/openssl/x509.rb            |   4 +
 ext/openssl/ossl_x509cert.c                | 153 +++++++++++++++++++++
 test/openssl/fixtures/pkey/certificate.der | Bin 0 -> 1325 bytes
 test/openssl/fixtures/pkey/empty.der       |   0
 test/openssl/fixtures/pkey/empty.pem       |   0
 test/openssl/fixtures/pkey/fullchain.pem   |  56 ++++++++
 test/openssl/fixtures/pkey/garbage.txt     |   1 +
 test/openssl/test_x509cert.rb              |  32 +++++
 8 files changed, 246 insertions(+)
 create mode 100644 test/openssl/fixtures/pkey/certificate.der
 create mode 100644 test/openssl/fixtures/pkey/empty.der
 create mode 100644 test/openssl/fixtures/pkey/empty.pem
 create mode 100644 test/openssl/fixtures/pkey/fullchain.pem
 create mode 100644 test/openssl/fixtures/pkey/garbage.txt

diff --git a/ext/openssl/lib/openssl/x509.rb b/ext/openssl/lib/openssl/x509.rb
index 6771b90c1a5bbf..367a899e21e1a2 100644
--- a/ext/openssl/lib/openssl/x509.rb
+++ b/ext/openssl/lib/openssl/x509.rb
@@ -338,6 +338,10 @@ def pretty_print(q)
           q.text 'not_after='; q.pp self.not_after
         }
       end
+      
+      def self.load_file(path)
+        load(File.binread(path))
+      end
     end
 
     class CRL
diff --git a/ext/openssl/ossl_x509cert.c b/ext/openssl/ossl_x509cert.c
index 1385411069f63a..4884fc89a0d9e6 100644
--- a/ext/openssl/ossl_x509cert.c
+++ b/ext/openssl/ossl_x509cert.c
@@ -707,6 +707,157 @@ ossl_x509_eq(VALUE self, VALUE other)
     return !X509_cmp(a, b) ? Qtrue : Qfalse;
 }
 
+struct load_chained_certificates_arguments {
+    VALUE certificates;
+    X509 *certificate;
+};
+
+static VALUE
+load_chained_certificates_append_push(VALUE _arguments) {
+    struct load_chained_certificates_arguments *arguments = (struct load_chained_certificates_arguments*)_arguments;
+
+    if (arguments->certificates == Qnil) {
+        arguments->certificates = rb_ary_new();
+    }
+
+    rb_ary_push(arguments->certificates, ossl_x509_new(arguments->certificate));
+
+    return Qnil;
+}
+
+static VALUE
+load_chained_certificate_append_ensure(VALUE _arguments) {
+    struct load_chained_certificates_arguments *arguments = (struct load_chained_certificates_arguments*)_arguments;
+
+    X509_free(arguments->certificate);
+
+    return Qnil;
+}
+
+inline static VALUE
+load_chained_certificates_append(VALUE certificates, X509 *certificate) {
+    struct load_chained_certificates_arguments arguments;
+    arguments.certificates = certificates;
+    arguments.certificate = certificate;
+
+    rb_ensure(load_chained_certificates_append_push, (VALUE)&arguments, load_chained_certificate_append_ensure, (VALUE)&arguments);
+    
+    return arguments.certificates;
+}
+
+static VALUE
+load_chained_certificates_PEM(BIO *in) {
+    VALUE certificates = Qnil;
+    X509 *certificate = PEM_read_bio_X509(in, NULL, NULL, NULL);
+
+    /* If we cannot read even one certificate: */
+    if (certificate == NULL) {
+        /* If we cannot read one certificate because we could not read the PEM encoding: */
+        if (ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) {
+            ossl_clear_error();
+        }
+
+        if (ERR_peek_last_error())
+            ossl_raise(eX509CertError, NULL);
+        else
+            return Qnil;
+    }
+
+    certificates = load_chained_certificates_append(Qnil, certificate);
+
+    while ((certificate = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
+      load_chained_certificates_append(certificates, certificate);
+    }
+
+    /* We tried to read one more certificate but could not read start line: */
+    if (ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) {
+        /* This is not an error, it means we are finished: */
+        ossl_clear_error();
+
+        return certificates;
+    }
+
+    /* Alternatively, if we reached the end of the file and there was no error: */
+    if (BIO_eof(in) && !ERR_peek_last_error()) {
+        return certificates;
+    } else {
+        /* Otherwise, we tried to read a certificate but failed somewhere: */
+        ossl_raise(eX509CertError, NULL);
+    }
+}
+
+static VALUE
+load_chained_certificates_DER(BIO *in) {
+    X509 *certificate = d2i_X509_bio(in, NULL);
+
+    /* If we cannot read one certificate: */
+    if (certificate == NULL) {
+        /* Ignore error. We could not load. */
+        ossl_clear_error();
+
+        return Qnil;
+    }
+
+    return load_chained_certificates_append(Qnil, certificate);
+}
+
+static VALUE
+load_chained_certificates(VALUE _io) {
+    BIO *in = (BIO*)_io;
+    VALUE certificates = Qnil;
+
+    /*
+      DER is a binary format and it may contain octets within it that look like
+      PEM encoded certificates. So we need to check DER first.
+    */
+    certificates = load_chained_certificates_DER(in);
+
+    if (certificates != Qnil)
+        return certificates;
+
+    OSSL_BIO_reset(in);
+
+    certificates = load_chained_certificates_PEM(in);
+
+    if (certificates != Qnil)
+        return certificates;
+
+    /* Otherwise we couldn't read the output correctly so fail: */
+    ossl_raise(eX509CertError, "Could not detect format of certificate data!");
+}
+
+static VALUE
+load_chained_certificates_ensure(VALUE _io) {
+    BIO *in = (BIO*)_io;
+
+    BIO_free(in);
+
+    return Qnil;
+}
+
+/*
+ * call-seq:
+ *    OpenSSL::X509::Certificate.load(string) -> [certs...]
+ *    OpenSSL::X509::Certificate.load(file) -> [certs...]
+ *
+ * Read the chained certificates from the given input. Supports both PEM
+ * and DER encoded certificates.
+ *
+ * PEM is a text format and supports more than one certificate.
+ *
+ * DER is a binary format and only supports one certificate.
+ *
+ * If the file is empty, or contains only unrelated data, an
+ * +OpenSSL::X509::CertificateError+ exception will be raised.
+ */
+static VALUE
+ossl_x509_load(VALUE klass, VALUE buffer)
+{
+    BIO *in = ossl_obj2bio(&buffer);
+
+    return rb_ensure(load_chained_certificates, (VALUE)in, load_chained_certificates_ensure, (VALUE)in);
+}
+
 /*
  * INIT
  */
@@ -815,6 +966,8 @@ Init_ossl_x509cert(void)
      */
     cX509Cert = rb_define_class_under(mX509, "Certificate", rb_cObject);
 
+    rb_define_singleton_method(cX509Cert, "load", ossl_x509_load, 1);
+
     rb_define_alloc_func(cX509Cert, ossl_x509_alloc);
     rb_define_method(cX509Cert, "initialize", ossl_x509_initialize, -1);
     rb_define_method(cX509Cert, "initialize_copy", ossl_x509_copy, 1);
diff --git a/test/openssl/fixtures/pkey/certificate.der b/test/openssl/fixtures/pkey/certificate.der
new file mode 100644
index 0000000000000000000000000000000000000000..7d44df8413aac2a7b71767f5926cb70c12bf77f2
GIT binary patch
literal 1325
zcmXqLV%0QgVi8=x%*4pVB*YS}Y5&@@R;=l@RQB2j6>jsr40zc%wc0$|zVk9Na<eiR
z7#VUKaI!Invaks=g$5gn8Hj*5T*ACQsU_;g3a)v{MU@35Fh$J5OhLv5a^k#3h6W~v
z<_1P4#)g(rV6M5L8I)@vV<=@H0WyYJSg^djTrW94B{jb!F}oDV$~9<WR6=$HBP#=Q
z6C*zZP@IdYiII`v_=?Ism+w#VdYhP&e&uU3&lZP68<(Z-l(4&<EF%(h&|LQ2ZjSio
zJKi?7wK-|p-6tlnX=pI2D*YA`t_cjX*=)3dsrH7~llj`xdGV|7DTQlEWLyXcckNMg
z-WA{XrX{^Y%W3bmj=-mT*BbNwKY!<l&R^lM-pMw3uagc$&aP8C6`sYzZxrI-V!3`o
z+4QLI;v4KFRmvuaJfF27((3T-$lZIg_D0QSJm15sRU^7_^@43K?w?cr6~A>qoMbzx
zr^>1MTJ>-D0P$2l@5%3;SHFF9AgW;h6U~I%=l@Fj-~4dnkJqkKJBxlrx;{HD*3g<N
z=qx9i7Z$gptDxNT_=&%Y=NqPJGBGnUFfMLl@-=8;@-*NBhNCP$BjbM-7G@^a1qQMp
zzA6hSo;bAG7+G1_nHk|MCIcRjv@l3HlK}%nF&~Q<i^!=?#hE)c1}Wrr+HMR=T_1ep
z^v*~Fd5~gd76}8f1`!dx&Enf5!cMOX;B<H<zkY7F$f08fp)ivf8Cg6H+zk|Ad;`Wd
z(TtLk0xNy}B4fRLy_{5FI?>B7N;gn~D`9FALnz5aDA6~N0og0aB5EMqge86WfMgX|
zTn(HJIM~?I8+jO+7!AzXxPiW9VQjh&^c<sshJhN)9wtUHDX2Zk1;s#XN{T^_0VZ0o
zdzu(o*|@-3uT?U!FtId#V`==%@R6aMVT!^YxxTBtIUU9FP2Ea5ycciz#^v}=u}!?~
zryt?F=nw+~W5wM!{~{O|SeO|+4BVI$85Tx3zdl%9^Ql5?^Rf9VA@^SBeHVDy?{9Bg
z`|WCCQlT_ZNvr?I(k)WS|7L%$sC#qe=!TEG<2$qdmui@Ci5IZCrExKoF?@@eqJOd6
zKuIJ-g2P}+Sl?q`VM*it_j&XcxX<`~OnD5o*bi*6yMZgv)NAGY>w44LcK*FplvjT;
zzOrX;*M9Rh(eEL$Grbg_w$5Nu;8m;I#dqM87_XMi(eSn)1<mvy`;3(Dwk&zJ?-RqZ
z*ME_-95CMlvm7Hsk)mPemRCVXXH5E6_(|dEN0%AFv2vL+=bvXkHT%b((`hS>)<0d%
z`rr2QKG7YmwflVgdrMEX`EQpL>%S@fJLpwIxE*I>!r55CUu7cf=@OSWdFVyF71$Bv
z9~?CKTXU>wg5=_tSGb&_8xFLn{9@i=sOc{3R1*BtXPNbD-E=+Ktrh=8I~6b6b^O{R
z`AqletB4ubtz(~fH2u4JSH{`#LjH}XKF_lKLtowPc+26nJ-T}4`t$iS*NH6n;p8h9
z*>mvJPPx@S2laVA@YL<uIgR5be`G~b_!)srcGliW@k<(~?9n{qw_0(cl0@9vrd)+9
Z0U@rN4*R}v51n<EYhLPhR_`rGH~}7;-uwUn

literal 0
HcmV?d00001

diff --git a/test/openssl/fixtures/pkey/empty.der b/test/openssl/fixtures/pkey/empty.der
new file mode 100644
index 00000000000000..e69de29bb2d1d6
diff --git a/test/openssl/fixtures/pkey/empty.pem b/test/openssl/fixtures/pkey/empty.pem
new file mode 100644
index 00000000000000..e69de29bb2d1d6
diff --git a/test/openssl/fixtures/pkey/fullchain.pem b/test/openssl/fixtures/pkey/fullchain.pem
new file mode 100644
index 00000000000000..624785d326a071
--- /dev/null
+++ b/test/openssl/fixtures/pkey/fullchain.pem
@@ -0,0 +1,56 @@
+-----BEGIN CERTIFICATE-----
+MIIFKTCCBBGgAwIBAgISBFspP+tJfRaC6xprreB4Rp9KMA0GCSqGSIb3DQEBCwUA
+MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
+EwJSMzAeFw0yMTA0MTcwMjQzMTlaFw0yMTA3MTYwMjQzMTlaMBwxGjAYBgNVBAMT
+EXd3dy5jb2Rlb3Rha3UuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAx6h5vNPfkkrtYWxn1PWDDLRAwrGmZbkYPttjHBRSwTcd7rsIX4PcSzw9fWxm
+K4vIkAYoKAElIvsSE3xRUjyzMrACfdhK5J8rG25fq94iVyoYaNBQV0WMJkO6X47s
+hGeIKkK91ohR5b2tMw3/z9zELP0TVo2TPG7rYsBZm34myldqDA8yVEBEOa+Qdpda
+9xewPhkkdpAU55qgWTrD21m7vGq9WpsBz4wNKnwVsaugtkRH82VPIfaL4ZI9kox6
+QoPWe/tHUBdlDkuT7ud77eLAWnC/5Clg28/9GU/Z8Nj8SrrKuXL6WUXmxxaAhWUR
+Qx4VblZeuIpwd0nHyP0hz4CWKQIDAQABo4ICTTCCAkkwDgYDVR0PAQH/BAQDAgWg
+MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0G
+A1UdDgQWBBTKiSGZuLFSIG2JPbFSZa9TxMu5WTAfBgNVHSMEGDAWgBQULrMXt1hW
+y65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6
+Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iu
+b3JnLzAcBgNVHREEFTATghF3d3cuY29kZW90YWt1LmNvbTBMBgNVHSAERTBDMAgG
+BmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3Bz
+LmxldHNlbmNyeXB0Lm9yZzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB3AJQgvB6O
+1Y1siHMfgosiLA3R2k1ebE+UPWHbTi9YTaLCAAABeN3s/lgAAAQDAEgwRgIhAKFY
+Q+vBe3zyeBazxp8kVN7oLvcQ6Y9PPz199tVhYnEbAiEAhU/xdbQaY/6b93h+7NTF
+sPG7X4lq/3UoNgoXcAVGZgoAdgD2XJQv0XcwIhRUGAgwlFaO400TGTO/3wwvIAvM
+TvFk4wAAAXjd7P5OAAAEAwBHMEUCIQDWd79+jWaGuf3acm5/yV95jL2KvzeGFfdU
+HZlKIeWFmAIgDSZ6ug7AyhYNKjzFV4ZSICln+L4yI92EpOa+8gDG6/0wDQYJKoZI
+hvcNAQELBQADggEBAHIhMYm06lLFmJL+cfIg5fFEmFNdHmmZn88Hypv4/MtmqTKv
+5asF/z3TvhW4hX2+TY+NdcqGT7cZFo/ZF/tS6oBXPgmBYM1dEfp2FAdnGNOySC5Y
+7RC4Uk9TUpP2g101YBmj6dQKQluAwIQk+gO4MSlHE0J0U/lMpjvrLWcuHbV4/xWJ
+IdM+iPq8GeYt5epYmNc7XeRIgv7V3RxDQdBv2OVM5mtPVerdiO0ISrdbe5mvz2+Z
+rhSg+EJNHlmMwcq5HqtMwS8M8Ax+vLmWCOkPWXhyV8wQaQcFjZJfpIGUvCnMTqsh
+kSIYXq2CbSDUUFRFssNN6EdVms0KnmW3BUu0xAk=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTIwMTAwNzE5MjE0MFoXDTIxMDkyOTE5MjE0MFow
+MjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxCzAJBgNVBAMT
+AlIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLs
+jVWSw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKp
+Tm71O8Mu243AsFzzWTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnB
+U840yFLuta7tj95gcOKlVKu2bQ6XpUA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7
+gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YGd1ZrPxGPeiXOZT/zqItkel
+/xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbsTzFID9e1R
+oYvbFQIDAQABo4IBaDCCAWQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
+BAMCAYYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5p
+ZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTE
+p7Gkeyxx+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEE
+AYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2Vu
+Y3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0
+LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYf
+r52LFMLGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B
+AQsFAAOCAQEA2UzgyfWEiDcx27sT4rP8i2tiEmxYt0l+PAK3qB8oYevO4C5z70kH
+ejWEHx2taPDY/laBL21/WKZuNTYQHHPD5b1tXgHXbnL7KqC401dk5VvCadTQsvd8
+S8MXjohyc9z9/G2948kLjmE6Flh9dDYrVYA9x2O+hEPGOaEOa1eePynBgPayvUfL
+qjBstzLhWVQLGAkXXmNs+5ZnPBxzDJOLxhF2JIbeQAcH5H0tZrUlo5ZYyOqA7s9p
+O5b85o3AM/OJ+CktFBQtfvBhcJVd9wvlwPsk+uyOy2HI7mNxKKgsBTt375teA2Tw
+UdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg==
+-----END CERTIFICATE-----
diff --git a/test/openssl/fixtures/pkey/garbage.txt b/test/openssl/fixtures/pkey/garbage.txt
new file mode 100644
index 00000000000000..557db03de997c8
--- /dev/null
+++ b/test/openssl/fixtures/pkey/garbage.txt
@@ -0,0 +1 @@
+Hello World
diff --git a/test/openssl/test_x509cert.rb b/test/openssl/test_x509cert.rb
index 70fe9d4419af04..818b784b6c2b72 100644
--- a/test/openssl/test_x509cert.rb
+++ b/test/openssl/test_x509cert.rb
@@ -288,6 +288,38 @@ def test_marshal
     assert_equal cert.to_der, deserialized.to_der
   end
 
+  def test_load_file_empty_pem
+    empty_path = Fixtures.file_path("pkey", "empty.pem")
+    assert_raise(OpenSSL::X509::CertificateError) do
+      OpenSSL::X509::Certificate.load_file(empty_path)
+    end
+  end
+
+  def test_load_file_fullchain_pem
+    fullchain_path = Fixtures.file_path("pkey", "fullchain.pem")
+    certificates = OpenSSL::X509::Certificate.load_file(fullchain_path)
+    assert_equal 2, certificates.size
+    assert_equal "/CN=www.codeotaku.com", certificates[0].subject.to_s
+    assert_equal "/C=US/O=Let's Encrypt/CN=R3", certificates[1].subject.to_s
+  end
+
+  def test_load_file_certificate_der
+    fullchain_path = Fixtures.file_path("pkey", "certificate.der")
+    certificates = OpenSSL::X509::Certificate.load_file(fullchain_path)
+
+    # DER encoding can only contain one certificate:
+    assert_equal 1, certificates.size
+    assert_equal "/CN=www.codeotaku.com", certificates[0].subject.to_s
+  end
+
+  def test_load_file_fullchain_garbage
+    fullchain_path = Fixtures.file_path("pkey", "garbage.txt")
+
+    assert_raise(OpenSSL::X509::CertificateError) do
+      certificates = OpenSSL::X509::Certificate.load_file(fullchain_path)
+    end
+  end
+
   private
 
   def certificate_error_returns_false