PEM consists of base64 inside a header and trailer line. OpenSSL crashes with embedded newlines. This was mentioned to me by the OpenXPKI project.
See RFC 7468 section 2:

    Data before the encapsulation boundaries are permitted, and
    parsers MUST NOT malfunction when processing such data.
    Furthermore, parsers SHOULD ignore whitespace and other
    non-base64 characters and MUST handle different newline
    conventions.

Reproducible with the attached PEM certificate request and OpenSSL 1.02h (linux).

    openssl req -text -in t/csr1.pem
    unable to load X509 request
    3086379164:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:809:

This request is valid - although it (intentionally) also exceeds the standard line length.

Note that OpenSSL will accept it if re-formatted:

    perl -Mwarnings -Mstrict -MMIME::Base64 -e'local $/; my $x = <STDIN>; $x =~ s/.*^(-----BEGIN CERTIFICATE REQUEST-----\r?\n)(.*)^(-----END CERTIFICATE REQUEST-----).*/$1 . encode_base64(decode_base64( $2 )) . $3/ems; print $x' <t/csr1.pem | openssl req -text

OpenSSL should accept PEM with embedded whitespace and long lines.

--
Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4698
Please log in as guest with password guest if prompted

Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=AU, ST=Some-State, L=my city, O=Internet Widgits Pty Ltd,
OU=Big org, OU=Smaller org, CN=My Name/[email protected],
DC=domainComponent
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:a0:00:f3:58:dd:26:40:15:1b:67:8d:b6:3d:ab:
cb:c4:8a:86:52:cd:d1:99:b0:e8:4a:b3:1d:f0:20:
11:11:f1:66:75:a1:67:0c:f9:d8:f5:91:80:da:99:
bf:49:d2:d8:4d:57:cc:9b:5b:64:7a:c0:82:e7:09:
23:8f:6e:4c:c4:30:46:ec:68:28:e6:fe:60:28:a1:
d4:b0:3d:02:e3:e4:3e:15:fa:13:42:67:e8:e4:1d:
51:99:e7:99:30:74:cd:77:7f:b6:e2:84:85:f4:6c:
e9:a3:cb:1a:63:e4:61:d9:51:e2:e4:1c:c7:5d:e4:
f1:91:5c:56:b9:84:17:95:3b
Exponent: 65537 (0x10001)
Attributes:
challengePassword :unable to print attribute
unstructuredName :unable to print attribute
Requested Extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
E-mail Protection, TLS Web Server Authentication, TLS Web
Client Authentication, Code Signing, E-mail Protection, Time Stamping, OCSP
Signing
X509v3 Subject Alternative Name:
email:[email protected], URI:https://fred.example.net,
email:[email protected], DNS:www.example.net, DNS:www.example.com,
DNS:example.net, DNS:example.com, IP Address:10.2.3.4, IP
Address:2001:DB8:741:0:0:0:0:0
X509v3 Subject Key Identifier:
00:12:45:9A
X509v3 Certificate Policies: critical
Policy: postOfficeBox
CPS: http://there.example.net
CPS: http://here.example.net
User Notice:
Organization: Suspicious minds
Numbers: 8, 11
Explicit Text: Trust but verify
User Notice:
Organization: Suspicious minds
Numbers: 8, 11
Explicit Text: Trust but verify
Policy: 1.5.88.103
Signature Algorithm: sha1WithRSAEncryption
9f:49:67:16:4d:d5:14:df:3f:32:ba:e9:02:4a:be:27:16:db:
45:e3:7d:52:d9:14:4b:75:11:0f:22:6d:56:c8:c1:ad:96:f1:
e7:8b:d4:9a:28:79:c4:a8:c3:3f:81:f5:88:b3:d1:7d:e8:f4:
ea:c2:61:ae:04:5e:34:21:a9:1a:79:dd:42:36:bf:a7:85:23:
82:9f:9c:91:eb:aa:5c:18:d6:d3:7a:55:09:97:3d:5f:3a:31:
a1:69:06:58:ed:62:fd:a9:31:73:4d:47:ea:fb:dc:96:b0:14:
85:1e:2a:6e:76:46:f8:b2:f0:fd:86:2f:61:4d:9a:d8:8b:ed:
83:ea
-----BEGIN CERTIFICATE REQUEST-----
[...] DwEB/wQEAwIF4D BPBgNVHSUESDBGBggrBgEFBQcDBAYIKwYBBQUHAwEG [...] cnVzdCBidXQgdmVyaWZ5MAUGAy1YZzANBgkqhkiG9w0BAQUFAAOB
gQCfSWcWTdUU3z8yuukCSr4nFttF431S2RRLdREPIm1WyMGtlvHni9SaKHnEqMM/
gfWIs9F96PTqwmGuBF40Iakaed1CNr+nhSOCn5yR66pcGNbTelUJlz1fOjGhaQZY
7WL9qTFzTUfq+9yWsBSFHipudkb4svD9hi9hTZrYi+2D6g==
-----END CERTIFICATE REQUEST-----
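
The normalisation done by the Perl one-liner in the report, written out as an added Python example (not code from the original post or from OpenSSL): a lax RFC 7468 reader that skips data before the boundary and drops whitespace and other non-base64 characters, followed by a re-encoder that emits 64-character lines. The function names and the sample input are constructed for illustration.

```python
import base64
import re

# Encapsulation boundaries; the END label must match the BEGIN label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)
NOT_BASE64 = re.compile(r"[^A-Za-z0-9+/=]")


def lax_pem_decode(text):
    """Return (label, der_bytes) for the first PEM block found in text.

    Text before the BEGIN line is skipped; spaces, CR, LF and any other
    non-base64 characters inside the body are dropped before decoding.
    """
    match = PEM_BLOCK.search(text)
    if match is None:
        raise ValueError("no matching BEGIN/END boundaries found")
    body = NOT_BASE64.sub("", match.group(2))
    # Filtering is lenient, decoding is not: bad padding still raises.
    return match.group(1), base64.b64decode(body, validate=True)


def strict_pem_encode(label, der):
    """Re-emit the block in the standard form: 64-character lines, LF endings."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


# Constructed sample (not the attached CSR): arbitrary bytes encoded as one
# over-long base64 line with an embedded space, CRLF endings and leading text.
SAMPLE_DER = bytes(range(120))
_b64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_MESSY = (
    "free text before the boundary\r\n"
    "-----BEGIN CERTIFICATE REQUEST-----\r\n"
    + _b64[:14] + " " + _b64[14:] + "\r\n"
    "-----END CERTIFICATE REQUEST-----\r\n"
)

if __name__ == "__main__":
    label, der = lax_pem_decode(SAMPLE_MESSY)
    print(strict_pem_encode(label, der), end="")
```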
