[Freeipa-devel] [PATCH] 360 be smarter about decoding certs
John Dennis
jdennis at redhat.com
Fri Jan 29 05:13:19 UTC 2010
On 01/28/2010 10:30 PM, Rob Crittenden wrote:
> John Dennis wrote:
>> On 01/28/2010 04:15 PM, Rob Crittenden wrote:
>>> Gah, got the description mixed up with the last patch :-(
>>>
>>> Be a bit smarter about decoding certificates that might be base64
>>> encoded. First see if it only contains those characters allowed before
>>> trying to decode it. This reduces the number of false positives.
>>
>> I'm not sure the test is doing what you want or even if it's the right
>> test.
>>
>> The test is saying "If there is one or more characters in the bas64
>> alphabet then try and decode. That means just about anything will
>> match, which doesn't seem like a very strong test.
>>
>> Why not just try and decode it and let the decoder decide if it's
>> really base64, the decoder has much strong rules about the input,
>> including assuring the padding is correct.
>>
>
> The reason is I had a binary cert that was correctly decoded by the
> base64 encoder. I don't know the why's and wherefores but there it is.
Then testing to see if each byte is in the base64 alphabet would not
have prevented this error.
For a while now I've been feeling like we need to associate a format
attribute to the certificate (e.g. DER, PEM, BASE64, etc.).
Or we need to adopt a convention that certs are always in one canonical
format and the interface is responsible for assuring what it accepts as
input is converted to the canonical form.
> I see what you mean about my regex being a bit weak though, it really
> should require that the entire string conform. I'll see what I can do.
>
> rob
--
John Dennis <jdennis at redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeipa-devel
mailing list