Certificates in PEM files that starts "BEGIN TRUSTED CERTIFICATE" are ignored
Checklist
- [x] I've searched the issue tracker for similar bugs.
Describe the bug
Hello, I am trying to load a certificate from a PEM file that follows OpenSSL rules: https://docs.openssl.org/master/man1/openssl-format-options/#format-option-arguments
In particular my cert.pem looks like so:
-----BEGIN TRUSTED CERTIFICATE-----
* valid x509 certificate *
-----END TRUSTED CERTIFICATE-----
(Note TRUSTED word).
Rustls does not parse the line -----BEGIN TRUSTED CERTIFICATE-----, ignores the cert and results in a NoCertificatesPresented error.
To Reproduce
Steps to reproduce the behavior:
cd rustls/examples
cargo run --bin simpleserver /tmp/cert.pem /tmp/key.pem
In rustls/src/server/builder.rs I added a print to see the CertifiedKey struct content:
pub fn with_single_cert(...)
...
let certified_key = CertifiedKey::new(cert_chain, private_key);
println!("DEBUG: cert key {certified_key:?}");
This gets the following result:
DEBUG: cert key CertifiedKey { cert: [], key: EcdsaSigningKey { algorithm: ECDSA }, ocsp: None }
Applicable Version(s)
main
Expected behavior
rustls should accept and correctly parse certificates generated by OpenSSL.
Additional context
Removing the TRUSTED infix solves the problem; the handshake is possible.
To remove the TRUSTED:
openssl x509 -in cert.pem -clrtrust -out normal.pem
Attaching example cert and key: cert.txt, key.txt
Let me know what you guys think about it?
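As an added example (not rustls or rustls-pemfile code), here is a dependency-free Rust pre-flight check for a server PEM file: it lists the section labels and flags an OpenSSL TRUSTED CERTIFICATE section, which is not loaded as a certificate, pointing at the -clrtrust conversion above. The names PemSection, scan_pem and check_server_chain are my own; the finding text follows this report.

```rust
// Added example, not rustls code: scan PEM section labels before handing a
// file to a TLS server, so an OpenSSL "TRUSTED CERTIFICATE" section is
// reported instead of silently producing an empty chain.

#[derive(Debug, PartialEq)]
pub struct PemSection {
    pub label: String,
    pub base64_lines: usize,
}

/// Parse `-----BEGIN X-----` / `-----END X-----` sections. Mismatched or
/// missing END lines are errors; unknown labels are kept, not dropped.
pub fn scan_pem(text: &str) -> Result<Vec<PemSection>, String> {
    let mut sections = Vec::new();
    let mut current: Option<(String, usize)> = None;
    for (n, line) in text.lines().enumerate() {
        let line = line.trim();
        if let Some(rest) = line.strip_prefix("-----BEGIN ") {
            let label = rest.strip_suffix("-----").ok_or(format!("line {}: bad BEGIN", n + 1))?;
            if current.is_some() { return Err(format!("line {}: nested BEGIN", n + 1)); }
            current = Some((label.to_string(), 0));
        } else if let Some(rest) = line.strip_prefix("-----END ") {
            let label = rest.strip_suffix("-----").ok_or(format!("line {}: bad END", n + 1))?;
            match current.take() {
                Some((begin, lines)) if begin == label => {
                    sections.push(PemSection { label: begin, base64_lines: lines })
                }
                Some((begin, _)) => return Err(format!("line {}: END {} after BEGIN {}", n + 1, label, begin)),
                None => return Err(format!("line {}: END without BEGIN", n + 1)),
            }
        } else if let Some((_, lines)) = current.as_mut() {
            if !line.is_empty() { *lines += 1; } // count body (base64) lines
        }
    }
    if let Some((begin, _)) = current { return Err(format!("unterminated section {}", begin)); }
    Ok(sections)
}

/// Findings for a file meant to be a server chain: only plain "CERTIFICATE"
/// sections count. "TRUSTED CERTIFICATE" is OpenSSL's X509_AUX form
/// (certificate followed by trust settings) and gets the fix from this issue.
pub fn check_server_chain(text: &str) -> Result<(usize, Vec<String>), String> {
    let (mut certs, mut findings) = (0usize, Vec::new());
    for s in scan_pem(text)? {
        match s.label.as_str() {
            "CERTIFICATE" => certs += 1,
            "TRUSTED CERTIFICATE" => findings.push("TRUSTED CERTIFICATE section: OpenSSL-proprietary, \
                not loaded; run `openssl x509 -in cert.pem -clrtrust -out normal.pem`".into()),
            other => findings.push(format!("ignored section: {other}")),
        }
    }
    if certs == 0 { findings.push("no CERTIFICATE sections: expect NoCertificatesPresented".into()); }
    Ok((certs, findings))
}
```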
Do you know what tool produced this PEM? RFC 7468 does not mention TRUSTED.
"BEGIN TRUSTED CERTIFICATE" is an OpenSSL-proprietary format; I don't think we want or need to support that.
And, since this is most commonly used for trust anchors in certificate form, it would be a mistake to give such a certificate to a TLS server.
Also, that example certificate has something really wild going on. It has a non-standard extension which contains PEM encodings of further certificates? Huh?
0:d=0 hl=4 l=5115 cons: SEQUENCE
4:d=1 hl=4 l=4994 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 1 prim: INTEGER :01
16:d=2 hl=2 l= 10 cons: SEQUENCE
18:d=3 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
28:d=2 hl=2 l= 57 cons: SEQUENCE
30:d=3 hl=2 l= 14 cons: SET
32:d=4 hl=2 l= 12 cons: SEQUENCE
34:d=5 hl=2 l= 3 prim: OBJECT :commonName
39:d=5 hl=2 l= 5 prim: UTF8STRING :RATLS
46:d=3 hl=2 l= 26 cons: SET
48:d=4 hl=2 l= 24 cons: SEQUENCE
50:d=5 hl=2 l= 3 prim: OBJECT :organizationName
55:d=5 hl=2 l= 17 prim: UTF8STRING :GramineDevelopers
74:d=3 hl=2 l= 11 cons: SET
76:d=4 hl=2 l= 9 cons: SEQUENCE
78:d=5 hl=2 l= 3 prim: OBJECT :countryName
83:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US
87:d=2 hl=2 l= 30 cons: SEQUENCE
89:d=3 hl=2 l= 13 prim: UTCTIME :010101000000Z
104:d=3 hl=2 l= 13 prim: UTCTIME :301231235959Z
119:d=2 hl=2 l= 57 cons: SEQUENCE
121:d=3 hl=2 l= 14 cons: SET
123:d=4 hl=2 l= 12 cons: SEQUENCE
125:d=5 hl=2 l= 3 prim: OBJECT :commonName
130:d=5 hl=2 l= 5 prim: UTF8STRING :RATLS
137:d=3 hl=2 l= 26 cons: SET
139:d=4 hl=2 l= 24 cons: SEQUENCE
141:d=5 hl=2 l= 3 prim: OBJECT :organizationName
146:d=5 hl=2 l= 17 prim: UTF8STRING :GramineDevelopers
165:d=3 hl=2 l= 11 cons: SET
167:d=4 hl=2 l= 9 cons: SEQUENCE
169:d=5 hl=2 l= 3 prim: OBJECT :countryName
174:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US
178:d=2 hl=2 l= 118 cons: SEQUENCE
180:d=3 hl=2 l= 16 cons: SEQUENCE
182:d=4 hl=2 l= 7 prim: OBJECT :id-ecPublicKey
191:d=4 hl=2 l= 5 prim: OBJECT :secp384r1
198:d=3 hl=2 l= 98 prim: BIT STRING
298:d=2 hl=4 l=4700 cons: cont [ 3 ]
302:d=3 hl=4 l=4696 cons: SEQUENCE
306:d=4 hl=2 l= 9 cons: SEQUENCE
308:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
313:d=5 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:3000
317:d=4 hl=2 l= 29 cons: SEQUENCE
319:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
324:d=5 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414D3959F33E36BEE3C1E747B70E06B2BD1505AB6E0
348:d=4 hl=2 l= 31 cons: SEQUENCE
350:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
355:d=5 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014D3959F33E36BEE3C1E747B70E06B2BD1505AB6E0
381:d=4 hl=4 l=4617 cons: SEQUENCE
385:d=5 hl=2 l= 11 prim: OBJECT :0.6.9.42.840.113741.1337.6
398:d=5 hl=4 l=4600 prim: OCTET STRING [HEX DUMP]:(elided)
5002:d=1 hl=2 l= 10 cons: SEQUENCE
5004:d=2 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
5014:d=1 hl=2 l= 103 prim: BIT STRING
$ xxd cert.der
( --- snip --- )
00000590: 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 ................
000005a0: 1819 1a1b 1c1d 1e1f 0500 dc0d 0000 2d2d ..............--
000005b0: 2d2d 2d42 4547 494e 2043 4552 5449 4649 ---BEGIN CERTIFI
000005c0: 4341 5445 2d2d 2d2d 2d0a 4d49 4945 6a54 CATE-----.MIIEjT
000005d0: 4343 4244 4b67 4177 4942 4167 4955 4b4d CCBDKgAwIBAgIUKM
000005e0: 4268 6c61 7935 6962 4651 6853 4363 3047 Bhlay5ibFQhSCc0G
000005f0: 6556 476f 4333 384b 3477 4367 5949 4b6f eVGoC38K4wCgYIKo
00000600: 5a49 7a6a 3045 4177 4977 0a63 5445 6a4d ZIzj0EAwIw.cTEjM
00000610: 4345 4741 3155 4541 7777 6153 5735 305a CEGA1UEAwwaSW50Z
00000620: 5777 6755 3064 5949 4642 4453 7942 5163 WwgU0dYIFBDSyBQc
00000630: 6d39 6a5a 584e 7a62 3349 6751 3045 7847 m9jZXNzb3IgQ0ExG
00000640: 6a41 5942 674e 5642 416f 4d0a 4555 6c75 jAYBgNVBAoM.EUlu
00000650: 6447 5673 4945 4e76 636e 4276 636d 4630 dGVsIENvcnBvcmF0
00000660: 6157 3975 4d52 5177 4567 5944 5651 5148 aW9uMRQwEgYDVQQH
00000670: 4441 7454 5957 3530 5953 4244 6247 4679 DAtTYW50YSBDbGFy
00000680: 5954 454c 4d41 6b47 4131 5545 0a43 4177 YTELMAkGA1UE.CAw
00000690: 4351 3045 7843 7a41 4a42 674e 5642 4159 CQ0ExCzAJBgNVBAY
(...)
transferred this issue from rustls/rustls now
I think this would be a rustls/pemfile discussion.
It has a non-standard extension which contains PEM encodings of further certificates? Huh?
I've seen something like that before in a proprietary root from the SGX ecosystem. It's bonkers but I think that ecosystem is full of bad ideas :grimacing:
Indeed, this is a certificate used in remote attestation of an SGX enclave. The certificate is generated with an embedded quote (measurement) from the enclave (the non-standard extension). The web service that runs in the enclave uses the private key and cert during the TLS handshake. Clients verify the quote from the cert, and if it is valid, they are assured the connection is established with software that runs in a legit SGX enclave. The internal certificates come from Intel; they contain a signature over the generated quote.
"BEGIN TRUSTED CERTIFICATE" is an OpenSSL-proprietary format; I don't think we want or need to support that.
I think this is my opinion as well. Let's close this for now pending any new input.