PEM consists of base64 inside a header and trailer line. OpenSSL crashes with embedded newlines. This was mentioned to me by the OpenXPKI project.
See RFC 7468 section 2:

    Data before the encapsulation boundaries are permitted, and
    parsers MUST NOT malfunction when processing such data.
    Furthermore, parsers SHOULD ignore whitespace and other
    non-base64 characters and MUST handle different newline
    conventions.

Reproducible with the attached PEM certificate request and OpenSSL 1.02h (linux).

    openssl req -text -in t/csr1.pem
    unable to load X509 request
    3086379164:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:809:

This request is valid - although it (intentionally) also exceeds the standard line length.

Note that OpenSSL will accept it if re-formatted:

    perl -Mwarnings -Mstrict -MMIME::Base64 -e'local $/; my $x = <STDIN>; $x =~ s/.*^(-----BEGIN CERTIFICATE REQUEST-----\r?\n)(.*)^(-----END CERTIFICATE REQUEST-----).*/$1 . encode_base64(decode_base64( $2 )) . $3/ems; print $x' <t/csr1.pem | openssl req -text

OpenSSL should accept PEM with embedded whitespace and long lines.

--
Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4698
Please log in as guest with password guest if prompted
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
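
Added example, not part of the original message and not OpenSSL or OpenXPKI code: a lax PEM reader along the lines of the RFC 7468 section 2 text quoted above, which re-emits the block in strict form (64-column lines) so that it can be fed to a parser that rejects embedded whitespace or long lines. The function name and the sample input are assumptions made for illustration; the sample payload is constructed and is not the attached request.

```python
import base64
import binascii
import re

# BEGIN and END lines must carry the same label; trailing blanks are tolerated.
_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z0-9 ]+)-----[ \t]*\n(.*?)^-----END \1-----[ \t]*$",
    re.M | re.S)
_NOT_B64 = re.compile(r"[^A-Za-z0-9+/=]")


def normalize_pem(text):
    """Return (label, der, strict_pem) for the first PEM block in text.

    Assumes no RFC 1421 headers (e.g. Proc-Type) inside the block.
    """
    # Accept LF, CRLF and bare CR line endings.
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    m = _BLOCK.search(text)  # data before BEGIN and after END is ignored
    if m is None:
        raise ValueError("no matching BEGIN/END encapsulation boundaries")
    label = m.group(1)
    # Drop spaces, tabs, newlines and any other non-base64 character.
    b64 = _NOT_B64.sub("", m.group(2))
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"bad base64 payload: {exc}") from None
    # Re-wrap at 64 columns, the strict layout.
    canon = base64.b64encode(der).decode("ascii")
    lines = [canon[i:i + 64] for i in range(0, len(canon), 64)]
    pem = "\n".join([f"-----BEGIN {label}-----", *lines,
                     f"-----END {label}-----", ""])
    return label, der, pem


# Constructed sample: 100 arbitrary bytes standing in for a DER request.
SAMPLE_DER = bytes(range(100))
_b = base64.b64encode(SAMPLE_DER).decode("ascii")
# Leading text, CRLF endings, an embedded space and one over-long line.
MESSY = ("Subject: my request\r\n"
         "-----BEGIN CERTIFICATE REQUEST-----\r\n"
         + _b[:10] + " " + _b[10:20] + "\r\n"
         + _b[20:] + "\r\n"
         "-----END CERTIFICATE REQUEST-----\r\n"
         "trailing text\r\n")

if __name__ == "__main__":
    print(normalize_pem(MESSY)[2], end="")
```

Decoding to bytes and re-encoding, rather than only stripping whitespace, means the output contains nothing but what the base64 payload actually decodes to.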