[Pki-devel] [PATCH] 0070 Use correct textual encoding for PKCS #7 objects
Fraser Tweedale
ftweedal at redhat.com
Wed Jan 13 07:37:05 UTC 2016
Hi all,
Pursuant to RFC 7468 the attached patch replaces instances of
'CERTIFICATE CHAIN' in PEM headers with 'PKCS7'.
Fixes ticket https://fedorahosted.org/pki/ticket/1699. I could not
reproduce any problems with `keytool' as mentioned in the ticket,
nor find cases online of programs supporting 'CERTIFICATE CHAIN' but
not 'PKCS7', so I think this is a good change to make. We can
address counterexamples if/when we have hard evidence of them :)
Cheers,
Fraser
-------------- next part --------------
From 2e43f93d0727acdcc68f8c42809723fb099072be Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Wed, 13 Jan 2016 17:41:05 +1100
Subject: [PATCH] Use correct textual encoding for PKCS #7 objects
PKCS #7 objects are being output with the "CERTIFICATE CHAIN" label
which is invalid (RFC 7468) and unrecognised by many programs
(including OpenSSL). Use the correct "PKCS7" label instead.
Also do a drive-by refactor of the normalizeCertAndReq to remove
some redundant code.
Fixes: https://fedorahosted.org/pki/ticket/1699
---
.../webapps/ca/agent/ca/displayBySerial.template | 4 +--
.../webapps/ca/agent/ca/displayBySerial2.template | 4 +--
.../ca/agent/ca/displayCertFromRequest.template | 4 +--
.../webapps/ca/ee/ca/displayBySerial.template | 4 +--
.../shared/webapps/ca/ee/ca/displayCaCert.template | 4 +--
.../com/netscape/cmsutil/crypto/CryptoUtil.java | 35 ++--------------------
6 files changed, 12 insertions(+), 43 deletions(-)
diff --git a/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template b/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template
index 3b58a47790dd9e99dbcdeb5fc520d5c3dd0eeec6..e02fe30ebb7fe29f68bf4032d026be2c4ddac02e 100644
--- a/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template
+++ b/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template
@@ -192,9 +192,9 @@ Base 64 encoded certificate with CA certificate chain in pkcs7 format
</font>
<p><pre>
<SCRIPT type="text/javascript">
-document.writeln('-----BEGIN CERTIFICATE CHAIN-----');
+document.writeln('-----BEGIN PKCS7-----');
document.write(result.header.pkcs7ChainBase64);
-document.writeln('-----END CERTIFICATE CHAIN-----');
+document.writeln('-----END PKCS7-----');
</SCRIPT>
</pre>
diff --git a/base/ca/shared/webapps/ca/agent/ca/displayBySerial2.template b/base/ca/shared/webapps/ca/agent/ca/displayBySerial2.template
index 7923f415326325acfc02b99e6c4caad60cbd7c01..f0604ef7fc3a7a9ec4c1dd016f0652c507e204dd 100644
--- a/base/ca/shared/webapps/ca/agent/ca/displayBySerial2.template
+++ b/base/ca/shared/webapps/ca/agent/ca/displayBySerial2.template
@@ -98,9 +98,9 @@ Base 64 encoded certificate
</font>
<p><pre>
<SCRIPT type="text/javascript">
-document.writeln('-----BEGIN CERTIFICATE CHAIN-----');
+document.writeln('-----BEGIN PKCS7-----');
document.write(result.header.certChainBase64);
-document.writeln('-----END CERTIFICATE CHAIN-----');
+document.writeln('-----END PKCS7-----');
</SCRIPT>
</pre>
diff --git a/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template b/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template
index f1148570c5e1cd3c251ee64008228da2e710b421..402154037790343061dc4a711de0d0fba738dbf2 100644
--- a/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template
+++ b/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template
@@ -102,9 +102,9 @@ function displayCert(cert)
'Base 64 encoded certificate with CA certificate chain in pkcs7 format'+
'</font>'+
'<p><pre>'+
- '-----BEGIN CERTIFICATE CHAIN-----');
+ '-----BEGIN PKCS7-----');
document.writeln(cert.pkcs7ChainBase64);
- document.writeln('-----END CERTIFICATE CHAIN-----'+
+ document.writeln('-----END PKCS7-----'+
'</pre>');
}
diff --git a/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template b/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template
index d1e65fa631e0107297cf8b5383197bb9e6f5c160..33bc45f22273a3fe537df81ce12d79b119e72991 100644
--- a/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template
+++ b/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template
@@ -117,9 +117,9 @@ Base 64 encoded certificate with CA certificate chain in pkcs7 format
</font>
<p><pre>
<SCRIPT LANGUAUGE="JavaScript">
-document.writeln('-----BEGIN CERTIFICATE CHAIN-----');
+document.writeln('-----BEGIN PKCS7-----');
document.write(result.header.pkcs7ChainBase64);
-document.writeln('-----END CERTIFICATE CHAIN-----');
+document.writeln('-----END PKCS7-----');
</SCRIPT>
</pre>
diff --git a/base/ca/shared/webapps/ca/ee/ca/displayCaCert.template b/base/ca/shared/webapps/ca/ee/ca/displayCaCert.template
index 49a91af11500daef2a5e7fbc042aba12595bf874..3e6a44da73f8d84286d37965096ff9dc8c8fbb1b 100644
--- a/base/ca/shared/webapps/ca/ee/ca/displayCaCert.template
+++ b/base/ca/shared/webapps/ca/ee/ca/displayCaCert.template
@@ -43,9 +43,9 @@ if (result.header.displayFormat == "chain") {
document.writeln('<center><b>' + result.header.subjectdn);
document.writeln('</b></center><p></font><br>');
document.writeln('<pre>');
- document.writeln('-----BEGIN CERTIFICATE CHAIN-----');
+ document.writeln('-----BEGIN PKCS7-----');
document.write(result.header.chainBase64);
- document.writeln('-----END CERTIFICATE CHAIN-----');
+ document.writeln('-----END PKCS7-----');
document.writeln('</pre>');
} else if (result.header.displayFormat == "individual") {
if (result.recordSet.length == 0) {
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index 2a3f95528251a326d8e66e44fa10e527d0c87f7f..e98027dcee49c0abf0176b6a932223ac74dbaeb1 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -1116,46 +1116,15 @@ public class CryptoUtil {
if (s == null) {
return s;
}
- s = s.replaceAll("-----BEGIN CERTIFICATE REQUEST-----", "");
- s = s.replaceAll("-----BEGIN NEW CERTIFICATE REQUEST-----", "");
- s = s.replaceAll("-----END CERTIFICATE REQUEST-----", "");
- s = s.replaceAll("-----END NEW CERTIFICATE REQUEST-----", "");
- s = s.replaceAll("-----BEGIN CERTIFICATE-----", "");
- s = s.replaceAll("-----END CERTIFICATE-----", "");
- s = s.replaceAll("-----BEGIN CERTIFICATE CHAIN-----", "");
- s = s.replaceAll("-----END CERTIFICATE CHAIN-----", "");
+ // grammar defined at https://tools.ietf.org/html/rfc7468#section-3
+ s = s.replaceAll("-----(BEGIN|END) [\\p{Print}&&[^- ]]([- ]?[\\p{Print}&&[^- ]])*-----", "");
StringBuffer sb = new StringBuffer();
StringTokenizer st = new StringTokenizer(s, "\r\n ");
while (st.hasMoreTokens()) {
String nextLine = st.nextToken();
-
nextLine = nextLine.trim();
- if (nextLine.equals("-----BEGIN CERTIFICATE REQUEST-----")) {
- continue;
- }
- if (nextLine.equals("-----BEGIN NEW CERTIFICATE REQUEST-----")) {
- continue;
- }
- if (nextLine.equals("-----END CERTIFICATE REQUEST-----")) {
- continue;
- }
- if (nextLine.equals("-----END NEW CERTIFICATE REQUEST-----")) {
- continue;
- }
- if (nextLine.equals("-----BEGIN CERTIFICATE-----")) {
- continue;
- }
- if (nextLine.equals("-----END CERTIFICATE-----")) {
- continue;
- }
- if (nextLine.equals("-----BEGIN CERTIFICATE CHAIN-----")) {
- continue;
- }
- if (nextLine.equals("-----END CERTIFICATE CHAIN-----")) {
- continue;
- }
sb.append(nextLine);
}
return sb.toString();
--
2.5.0
More information about the Pki-devel
mailing list