
Decide if we should be as lenient as OpenSSL's PEM Parser

Open alexw91 opened this issue 7 years ago • 3 comments

Related to: https://github.com/awslabs/s2n/pull/647

Both s2n and OpenSSL accept everything that follows RFC 7468.

This issue is tracking how strict s2n should be at enforcing the RFC, and how it should handle messy PEM files that are invalid according to the RFC. Currently s2n essentially follows the RFC, but is lenient towards most whitespace/newline issues since those don't affect the base64 encoding of the PEM contents. The above fuzz tests are currently able to generate PEM files that s2n rejects, but that OpenSSL accepts.

Example PEM that OpenSSL accepts, but s2n rejects:

s2n currently rejects the following example PEM due to the incomplete BEGIN line at the start, but OpenSSL skips the line, keeps going, and is able to parse the valid Certificate that comes after it. There are probably many other examples, but this is one of the easier ones to demonstrate.

-----BEGIN
-----BEGIN CERTIFICATE-----
...valid PEM contents here...
-----END CERTIFICATE-----

Example PEM that OpenSSL rejects, but s2n accepts:

s2n is lenient towards:

  1. The number of dashes required (RFC says exactly 5, but we allow between 1 and 64),
  2. Whitespace and newlines in the PEM contents. (RFC says exactly 64 Base64 chars per line except last line, but we allow any number of non-dash chars per line)

---BEGIN CERTIFICATE---
...valid PEM contents here...
---END CERTIFICATE---

alexw91 avatar Jan 30 '18 20:01 alexw91

From https://github.com/awslabs/s2n/pull/647, one idea I had is to try a full handshake with the certificate. If Openssl successfully completes a handshake with the certificate but s2n fails to parse/load/handshake the same cert, that is an interesting input.

raycoll avatar Jan 30 '18 23:01 raycoll

Centos 7 includes comments in its default trust store. These comments can include dashes, which cause s2n's PEM parser to fail.

# CA name with spaces-and-dashes
-----BEGIN CERTIFICATE-----
...valid PEM contents here...
-----END CERTIFICATE-----

# CA with ----BEGIN CERTIFICATE----? 
-----BEGIN CERTIFICATE-----
...valid PEM contents here...
-----END CERTIFICATE-----

andrewhop avatar Aug 12 '19 23:08 andrewhop
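The three inputs discussed in this thread (the stray `-----BEGIN` line and three-dash delimiters from the opening post, and the commented CentOS trust store from the comment above) run through a small PEM block extractor with two leniency knobs. This is an added example, not s2n's or OpenSSL's parser, and the certificate bodies are constructed placeholders rather than real DER.

```python
import base64
import re
# Two leniency knobs for the questions raised in this issue (added example, not s2n/OpenSSL code):
#   strict_dashes: exactly 5 dashes per RFC 7468, or 1..64 dashes as s2n allows.
#   skip_junk:     ignore lines outside a block (comments, a bare "-----BEGIN")
#                  as OpenSSL does, or fail on them as s2n currently does.
def parse_pem(text, strict_dashes=True, skip_junk=True):
    """Return [(label, der_bytes), ...]; raise ValueError on malformed input."""
    dashes = r"-{5}" if strict_dashes else r"-{1,64}"
    begin_re = re.compile(rf"^{dashes}BEGIN ([A-Z0-9 ]+){dashes}$")
    end_re = re.compile(rf"^{dashes}END ([A-Z0-9 ]+){dashes}$")
    blocks, label, body = [], None, []
    for raw in text.splitlines():
        line = raw.strip()  # neither parser cares about surrounding whitespace
        if label is None:
            m = begin_re.match(line)
            if m:
                label, body = m.group(1), []
            elif line and not skip_junk:
                raise ValueError(f"unexpected text outside PEM block: {line!r}")
            continue
        m = end_re.match(line)
        if m is None:
            if line:
                body.append(line)  # line length is not enforced (s2n is lenient here)
            continue
        if m.group(1) != label:
            raise ValueError(f"END {m.group(1)!r} does not match BEGIN {label!r}")
        blocks.append((label, base64.b64decode("".join(body), validate=True)))
        label = None
    if label is not None:
        raise ValueError(f"missing END line for {label!r} block")
    return blocks
def accepts(text, **knobs):
    """True if at least one block is extracted without error."""
    try:
        return len(parse_pem(text, **knobs)) > 0
    except ValueError:  # binascii.Error from bad base64 is a ValueError too
        return False
OPENSSL_LIKE = dict(strict_dashes=True, skip_junk=True)
S2N_LIKE = dict(strict_dashes=False, skip_junk=False)
# Constructed samples mirroring the thread; the body is a placeholder, not real DER.
B64 = base64.b64encode(b"placeholder, not a real certificate").decode()
INCOMPLETE_BEGIN = f"-----BEGIN\n-----BEGIN CERTIFICATE-----\n{B64}\n-----END CERTIFICATE-----\n"
THREE_DASHES = f"---BEGIN CERTIFICATE---\n{B64}\n---END CERTIFICATE---\n"
COMMENTED = (f"# CA name with spaces-and-dashes\n-----BEGIN CERTIFICATE-----\n{B64}\n"
             f"-----END CERTIFICATE-----\n\n# CA with ----BEGIN CERTIFICATE----?\n"
             f"-----BEGIN CERTIFICATE-----\n{B64}\n-----END CERTIFICATE-----\n")
```

With the OpenSSL-like knobs the first and third samples parse and the three-dash one yields no block; with the s2n-like knobs the outcome flips for all three, which is the divergence the fuzz tests are hitting.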

There is a useful online version of the PEM parser https://8gwifi.org/PemParserFunctions.jsp with different configuration options.

anishnath avatar Feb 14 '24 08:02 anishnath