Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement Certificate.load to load certificate chain. #441

Merged
merged 22 commits into from
May 21, 2021
Merged

Implement Certificate.load to load certificate chain. #441

merged 22 commits into from
May 21, 2021

Conversation

ioquatix
Copy link
Member

Follow up to #361

@ioquatix ioquatix closed this May 12, 2021
@ioquatix ioquatix reopened this May 12, 2021
@ioquatix ioquatix mentioned this pull request May 12, 2021
Closed
11 tasks
@ioquatix ioquatix force-pushed the sikuan-gsoc2020-ruby-sikuan-288 branch from 8936b3b to d5b5ccf Compare May 13, 2021 00:22
@ioquatix ioquatix requested a review from rhenium May 13, 2021 00:25
@ioquatix
Copy link
Member Author

I'm not sure error handling is right. If we have a broken DER certificate, do we get to EOF?

@ioquatix
Copy link
Member Author

There is no easy result from the PEM or DER parser which seems to indicate: "I reached the end of file there are no more certificates."

@rhenium
Copy link
Member

rhenium commented May 13, 2021

Do we need to support concatenated DER? I've never seen it's used somewhere.

@ioquatix
Copy link
Member Author

@rhenium I agree, so I'm changing it.

rhenium
rhenium reviewed May 13, 2021
View reviewed changes
ext/openssl/ossl_x509cert.c Outdated Show resolved Hide resolved
ext/openssl/ossl_x509cert.c Outdated Show resolved Hide resolved
ext/openssl/ossl_x509cert.c Outdated Show resolved Hide resolved
@ioquatix ioquatix requested a review from rhenium May 13, 2021 03:08
@ioquatix ioquatix mentioned this pull request May 13, 2021
Closed
@ioquatix ioquatix linked an issue May 13, 2021 that may be closed by this pull request
OpenSSL::X509::Certificate load entire certificate chain #288
Closed
@ioquatix ioquatix requested a review from rhenium May 13, 2021 04:22
rhenium
rhenium reviewed May 13, 2021
View reviewed changes
ext/openssl/ossl_x509cert.c Outdated Show resolved Hide resolved
ext/openssl/ossl_x509cert.c Show resolved Hide resolved
lib/openssl/x509.rb Show resolved Hide resolved
test/openssl/fixtures/pkey/fullchain.pem Outdated Show resolved Hide resolved
@ioquatix ioquatix force-pushed the sikuan-gsoc2020-ruby-sikuan-288 branch from d6be10d to 3464ab9 Compare May 19, 2021 10:15
@ioquatix
Copy link
Member Author

In order to parse DER first, we have to ignore some error of DER when trying to parse PEM format, specifically:

        /* If we cannot read one certificate because we could not read the DER encoding: */
        if (ERR_GET_REASON(ERR_peek_last_error()) == ERR_R_NESTED_ASN1_ERROR) {
            ossl_clear_error();
        }

Is this acceptable?

@ioquatix ioquatix force-pushed the sikuan-gsoc2020-ruby-sikuan-288 branch from 3464ab9 to 7ad5653 Compare May 19, 2021 10:24
@ioquatix
Copy link
Member Author

@rhenium do you know why this fails on Windows with the pure Ruby load_file?

rhenium
rhenium reviewed May 19, 2021
View reviewed changes
ext/openssl/ossl_bio.c Outdated Show resolved Hide resolved
@rhenium
Copy link
Member

rhenium commented May 19, 2021

In order to parse DER first, we have to ignore some error of DER when trying to parse PEM format, specifically:

        /* If we cannot read one certificate because we could not read the DER encoding: */
        if (ERR_GET_REASON(ERR_peek_last_error()) == ERR_R_NESTED_ASN1_ERROR) {
            ossl_clear_error();
        }

Is this acceptable?

Argh. No, this will not work because parsing random data (PEM-encoding) as DER-encoding can fail in other ways, too.

I don't think there is a direct way to check that the failure is from DER parsing (and not from malloc() or somewhere else).

I'm not sure if there is another way except for falling back to PEM parsing on any kind of error.

@rhenium
Copy link
Member

rhenium commented May 19, 2021

@rhenium do you know why this fails on Windows with the pure Ruby load_file?

I guess it's CRLF conversion... I think it should've used File.binread.

@ioquatix ioquatix force-pushed the sikuan-gsoc2020-ruby-sikuan-288 branch from a03ccd5 to 8591a4d Compare May 19, 2021 11:26
@ioquatix ioquatix requested a review from rhenium May 19, 2021 11:44
@ioquatix ioquatix force-pushed the sikuan-gsoc2020-ruby-sikuan-288 branch from 6bf5670 to 390964b Compare May 19, 2021 11:48
@rhenium rhenium mentioned this pull request May 19, 2021
Merged
rhenium
rhenium reviewed May 19, 2021
View reviewed changes
Copy link
Member

@rhenium rhenium left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I disagree with the change in ext/openssl/ossl_bio.c, but apart from that and two fix-ups I commented in-line, it looks good to me.

test/openssl/test_x509cert.rb Show resolved Hide resolved
test/openssl/fixtures/pkey/fullchain.pem Outdated Show resolved Hide resolved
@ioquatix ioquatix requested a review from rhenium May 19, 2021 21:18
@ioquatix
Copy link
Member Author

Okay, all your feedback was addressed as you requested.

@ioquatix ioquatix merged commit 05e1c01 into master May 21, 2021
@ioquatix ioquatix deleted the sikuan-gsoc2020-ruby-sikuan-288 branch May 21, 2021 20:47
@rhenium
Copy link
Member

rhenium commented May 23, 2021

Okay, all your feedback was addressed as you requested.

Yes, it was already ready for merge. Thank you for working on this!

@ioquatix
Copy link
Member Author

@rhenium thanks for your multiple detailed reviews and feedback, the PR was much better because of your time and effort.

This was referenced Jun 9, 2021
Merged
Closed
rhenium pushed a commit to rhenium/ruby that referenced this pull request Jul 18, 2021
@ioquatix @sikuan @rhenium
[ruby/openssl] Implement Certificate.load to load certificate chain. (
1146a94 
ruby/openssl#441)

* Add feature for loading the chained certificate into Certificate array.

ruby/openssl@05e1c015d6

Co-authored-by: Sao I Kuan <saoikuan@gmail.com>
@rhenium rhenium mentioned this pull request Feb 19, 2022
Closed
@rhenium rhenium mentioned this pull request Sep 8, 2022
Closed
@ekohl ekohl mentioned this pull request Sep 18, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tadman tadman tadman left review comments

@rhenium rhenium Awaiting requested review from rhenium

Assignees

@ioquatix ioquatix

Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

OpenSSL::X509::Certificate load entire certificate chain
4 participants
@ioquatix @rhenium @tadman @sikuan