Blob Blame History Raw
From f636d0f64fbcb978b06afe9f9576678afcee01c0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 4 Nov 2021 13:51:31 -0400
Subject: [PATCH] Add a PEM validity checker and validate SCEP CA files

If a non-PEM file was passed into add-scep-ca it would
accept it without question but later fail with:

status: CA_UNREACHABLE
ca-error: Error: failed to verify signature on server response.

Try to do basic validation of user-provided PEM files by:

- stripping BEGIN/END headers
- removing newlines and carriage returns
- using OpenSSL EVP library to base64 decode the block

This isn't fool-proof but it at least does some basic
sanity checking to ensure the file(s) exist and appear
to be PEM files.

The unit tests use some Let's Encrypt CA certificates.

https://bugzilla.redhat.com/show_bug.cgi?id=1492112

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
 src/Makefile.am                               |   2 +-
 src/getcert-add-scep-ca.1.in                  |   2 +
 src/getcert.c                                 |  39 ++++-
 src/util-o.c                                  | 144 ++++++++++++++++++
 src/util-o.h                                  |   7 +
 tests/040-pem/bad.empty                       |   0
 .../bad.isrg-root-x1-cross-signed.der.b64     |  25 +++
 tests/040-pem/expected.out                    |   7 +
 .../good.isrg-root-x1-cross-signed.pem        |  31 ++++
 .../good.isrg-root-x1-cross-signed_cr.pem     |  31 ++++
 tests/040-pem/good.lets_encrypt_chain.pem     |  93 +++++++++++
 tests/040-pem/run.sh                          |  21 +++
 tests/Makefile.am                             |   8 +-
 tests/tools/Makefile.am                       |   3 +-
 tests/tools/pem.c                             |  69 +++++++++
 15 files changed, 474 insertions(+), 8 deletions(-)
 create mode 100644 tests/040-pem/bad.empty
 create mode 100644 tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64
 create mode 100644 tests/040-pem/expected.out
 create mode 100644 tests/040-pem/good.isrg-root-x1-cross-signed.pem
 create mode 100644 tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem
 create mode 100644 tests/040-pem/good.lets_encrypt_chain.pem
 create mode 100755 tests/040-pem/run.sh
 create mode 100644 tests/tools/pem.c

diff --git a/src/Makefile.am b/src/Makefile.am
index 53571c5..d8e0a2e 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -155,7 +155,7 @@ pkglibexecdir = $(libexecdir)/$(PACKAGE)
 getcert_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) $(UUID_CFLAGS)
 getcert_SOURCES = getcert.c tm.c tm.h
 getcert_LDADD = libcm.a $(GETCERT_LIBS) $(KRB5_LIBS) $(NSS_LIBS) $(UUID_LIBS) \
-			$(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS)
+			$(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS) $(OPENSSL_LIBS)
 if WITH_IPA
 bin_PROGRAMS += ipa-getcert
 ipa_getcert_CFLAGS = $(getcert_CFLAGS)
diff --git a/src/getcert-add-scep-ca.1.in b/src/getcert-add-scep-ca.1.in
index c2751ed..901791e 100644
--- a/src/getcert-add-scep-ca.1.in
+++ b/src/getcert-add-scep-ca.1.in
@@ -14,6 +14,8 @@ helper.  The \fIadd\-scep\-ca\fR command is more or less a wrapper for the
 
 .SH OPTIONS
 .TP
+All user\-provided certificate files must be in PEM format.
+.TP
 \fB\-c\fR \fINAME\fR, \fB\-\-ca\fR=\fINAME\fR
 The nickname to give to this CA configuration.  This same value can later be
 passed in to \fIgetcert\fR's \fIrequest\fR, \fIresubmit\fR, and
diff --git a/src/getcert.c b/src/getcert.c
index 4afafcb..ddcb739 100644
--- a/src/getcert.c
+++ b/src/getcert.c
@@ -49,6 +49,7 @@
 #include "submit-u.h"
 #include "tdbus.h"
 #include "tdbusm.h"
+#include "util-o.h"
 
 #ifdef ENABLE_NLS
 #include <libintl.h>
@@ -4544,15 +4545,16 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
 	int c, prefer_non_renewal = 0, verbose = 0;
 	dbus_bool_t b;
 	static DBusMessage *req, *rep;
+	const char *poptarg;
 	poptContext pctx;
 	struct poptOption popts[] = {
 		{"ca", 'c', POPT_ARG_STRING, &caname, 0, _("nickname to give to the new CA configuration"), HELP_TYPE_NAME},
 		{"url", 'u', POPT_ARG_STRING, &url, 0, _("location of SCEP server"), HELP_TYPE_URL},
 		{"id", 'i', POPT_ARG_STRING, &id, 0, _("CA identifier"), HELP_TYPE_ID},
-		{"ca-cert", 'R', POPT_ARG_STRING, &root, 0, _("file containing CA's certificate"), HELP_TYPE_FILENAME},
-		{"ra-cert", 'r', POPT_ARG_STRING, &racert, 0, _("file containing RA's certificate"), HELP_TYPE_FILENAME},
-		{"other-certs", 'I', POPT_ARG_STRING, &certs, 0, _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME},
-		{"signingca", 'N', POPT_ARG_STRING, &signingca, 0, _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
+		{"ca-cert", 'R', POPT_ARG_STRING, NULL, 'R', _("file containing CA's certificate"), HELP_TYPE_FILENAME},
+		{"ra-cert", 'r', POPT_ARG_STRING, NULL, 'r', _("file containing RA's certificate"), HELP_TYPE_FILENAME},
+		{"other-certs", 'I', POPT_ARG_STRING, NULL, 'I', _("file containing certificates in RA's certifying chain"), HELP_TYPE_FILENAME},
+		{"signingca", 'N', POPT_ARG_STRING, NULL, 'N', _("the CA certificate which signed the RA certificate"), HELP_TYPE_FILENAME},
 		{"non-renewal", 'n', POPT_ARG_NONE, &prefer_non_renewal, 0, _("prefer to not use the SCEP Renewal feature"), NULL},
 		{"session", 's', POPT_ARG_NONE, NULL, 's', _("connect to the certmonger service on the session bus"), NULL},
 		{"system", 'S', POPT_ARG_NONE, NULL, 'S', _("connect to the certmonger service on the system bus"), NULL},
@@ -4572,6 +4574,7 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
 		return 1;
 	}
 	while ((c = poptGetNextOpt(pctx)) > 0) {
+		poptarg = poptGetOptArg(pctx);
 		switch (c) {
 		case 's':
 			bus = cm_tdbus_session;
@@ -4586,6 +4589,34 @@ add_scep_ca(const char *argv0, int argc, const char **argv)
 			poptPrintHelp(pctx, stdout, 0);
 			return 1;
 			break;
+		case 'R':
+            if (validate_pem(globals.tctx, poptarg) != 0) {
+				printf("The root certificate(s) in %s is not valid PEM\n", poptarg);
+				return 1;
+			}
+			root = talloc_strdup(globals.tctx, poptarg);
+			break;
+		case 'r':
+            if (validate_pem(globals.tctx, poptarg) != 0) {
+				printf("The RA certificate(s) in %s is not valid PEM\n", poptarg);
+				return 1;
+			}
+			racert = talloc_strdup(globals.tctx, poptarg);
+			break;
+		case 'I':
+            if (validate_pem(globals.tctx, poptarg) != 0) {
+				printf("The certificate(s) in %s is not valid PEM\n", poptarg);
+				return 1;
+			}
+			certs = talloc_strdup(globals.tctx, poptarg);
+			break;
+		case 'N':
+            if (validate_pem(globals.tctx, poptarg) != 0) {
+				printf("The certificate(s) in %s is not valid PEM\n", poptarg);
+				return 1;
+			}
+			signingca = talloc_strdup(globals.tctx, poptarg);
+			break;
 		}
 	}
 	if (c != -1) {
diff --git a/src/util-o.c b/src/util-o.c
index db45964..c05872c 100644
--- a/src/util-o.c
+++ b/src/util-o.c
@@ -598,3 +598,147 @@ util_private_EVP_PKEY_dup(EVP_PKEY *pkey)
 {
 	return util_EVP_PKEY_dup(pkey, i2d_PrivateKey, d2i_PrivateKey);
 }
+
+static unsigned char *
+decode_base64(const unsigned char *input, int length, int *outlength) {
+	int expected_len;
+	unsigned char *output;
+	int output_len;
+
+	expected_len = 3 * length / 4;
+	output = calloc(expected_len + 1, 1);
+	output_len = EVP_DecodeBlock(output, input, length);
+
+	if (output_len < 0) {
+		*outlength = -1;
+		free(output);
+		return NULL;
+	}
+	if (output_len % 3 != 0) {
+		*outlength = -1;
+		free(output);
+		return NULL;
+	}
+	if (expected_len != output_len) {
+		*outlength = -1;
+		free(output);
+		return NULL;
+	}
+	*outlength = output_len;
+	return output;
+}
+
+int
+validate_pem(void *parent, const char *path)
+{
+	char *p;
+	char *s = NULL, *sp, *sq;
+	int ret = 0;
+	FILE *fp;
+	struct stat st;
+	char *tmp1 = NULL;
+	unsigned char *tmp2 = NULL;
+	char *buffer;
+	int n, i, length;
+	int found = 0;
+
+	fp = fopen(path, "r");
+	if (fp == NULL) {
+		printf("Unable to open %s for reading: %s\n",
+				path, strerror(errno));
+		return -1;
+	}
+	if (fstat(fileno(fp), &st) == -1) {
+		printf("Error opening %s for reading: %s\n",
+				path, strerror(errno));
+		fclose(fp);
+		return -1;
+	}
+	if (st.st_size == 0) {
+		printf("%s is an empty file.\n", path);
+		fclose(fp);
+		return -1;
+	}
+	
+	buffer = malloc(st.st_size + 1);
+	if (buffer == NULL) {
+		printf("Error allocating memory.\n");
+		fclose(fp);
+		return -1;
+	}
+
+	n = 0;
+	while (n < st.st_size) {
+		i = fread(buffer + n, 1, st.st_size - n, fp);
+		if (i <= 0) {
+			printf("Error reading %s: %s.\n",
+				   path, strerror(errno));
+			fclose(fp);
+			ret = -1;
+			goto done;
+		}
+		n += i;
+	}
+	fclose(fp);
+	buffer[st.st_size] = '\0';
+	length = st.st_size;
+	s = malloc(length + 1);
+	if (s == NULL) {
+		printf("Error allocating memory.\n");
+		ret = -1;
+		goto done;
+	}
+	memcpy(s, buffer, length);
+	s[length] = '\0';
+	sp = s;
+	tmp1 = NULL;
+	tmp2 = NULL;
+	while ((sp = strstr(sp, "-----BEGIN")) != NULL) {
+		sq = strstr(sp, "-----END");
+		if (sq != NULL) {
+			found++;
+			sq += strcspn(sq, "\r\n");
+			sq += strspn(sq, "\r\n");
+
+			/* Strip down to pure base64 so no headers, new lines or cr */
+			tmp1 = strndup(sp, sq - sp);
+			p = strstr(tmp1, "-----BEGIN");
+			if (p != NULL) {
+				p += strcspn(p, "\n");
+				if (*p == '\n') {
+   				 p++;
+				}
+				memmove(tmp1, p, strlen(p) + 1);
+			}
+			p = strstr(tmp1, "\n-----END");
+			if (p != NULL) {
+				*p = '\0';
+			}
+			while ((p = strchr(tmp1, '\r')) != NULL) {
+				memmove(p, p + 1, strlen(p));
+			}
+			while ((p = strchr(tmp1, '\n')) != NULL) {
+				memmove(p, p + 1, strlen(p));
+			}
+			length = 0;
+			tmp2 = decode_base64((unsigned char *)tmp1, strlen(tmp1), &length);
+			if (length < 0) {
+				ret = -1;
+				goto done;
+			}
+			sp = sq;
+		}
+	}
+
+	if (found == 0) {
+		ret = -1;
+	}
+
+done:
+	free(buffer);
+	free(s);
+	free(tmp1);
+	free(tmp2);
+
+	return ret;
+}
diff --git a/src/util-o.h b/src/util-o.h
index 916777b..8550e07 100644
--- a/src/util-o.h
+++ b/src/util-o.h
@@ -16,6 +16,12 @@
  */
 
 #ifndef utilo_h
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
 #define utilo_h
 
 struct cm_store_entry;
@@ -71,5 +77,6 @@ int util_X509_set1_version(X509 *x, ASN1_INTEGER *version);
 void util_NETSCAPE_SPKI_set_sig_alg(NETSCAPE_SPKI *spki, const X509_ALGOR *sig_alg);
 EVP_PKEY *util_public_EVP_PKEY_dup(EVP_PKEY *pkey);
 EVP_PKEY *util_private_EVP_PKEY_dup(EVP_PKEY *pkey);
+int validate_pem(void *parent, const char *path);
 
 #endif
diff --git a/tests/040-pem/bad.empty b/tests/040-pem/bad.empty
new file mode 100644
index 0000000..e69de29
diff --git a/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64 b/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64
new file mode 100644
index 0000000..f9d7e5b
--- /dev/null
+++ b/tests/040-pem/bad.isrg-root-x1-cross-signed.der.b64
@@ -0,0 +1,25 @@
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/MSQwIgYDVQQK
+ExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4X
+DTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1owTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIElu
+dGVybmV0IFNlY3VyaXR5IFJlc2VhcmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIi
+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B4
+93XCov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpLwYqGcWlK
+ZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+DLtFJV4yAdLbaL9A4jXsD
+cCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/
+iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeY
+jzYIlefiN5YNNnWe+w5ysR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHdu
+Rze6zqxZXmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4FQsD
+j43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBcSLeCO5imfWCKoqMp
+gsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2qlPRmP6zjzZN7IKw0KKP/32+IVQtQi
+0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TNDTwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB
+/zAOBgNVHQ8BAf8EBAMCAQYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBw
+cy5pZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsG
+AQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAv
+oC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYE
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oG
+rS+o44+/yQoDFVDC5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMr
+AdSW9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuGWCLKTVXk
+cGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9Ohe8Y4IWS6wY7bCkjCWDc
+RQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFCDfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr
+6GtPAQw4dy753ec5
diff --git a/tests/040-pem/expected.out b/tests/040-pem/expected.out
new file mode 100644
index 0000000..0459fd2
--- /dev/null
+++ b/tests/040-pem/expected.out
@@ -0,0 +1,7 @@
+OK
+OK
+OK
+got expected error with bad.empty
+got expected error with bad.isrg-root-x1-cross-signed.der
+got expected error with bad.notfound
+OK
diff --git a/tests/040-pem/good.isrg-root-x1-cross-signed.pem b/tests/040-pem/good.isrg-root-x1-cross-signed.pem
new file mode 100644
index 0000000..239794a
--- /dev/null
+++ b/tests/040-pem/good.isrg-root-x1-cross-signed.pem
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE----- 
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
+-----END CERTIFICATE-----
diff --git a/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem b/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem
new file mode 100644
index 0000000..239794a
--- /dev/null
+++ b/tests/040-pem/good.isrg-root-x1-cross-signed_cr.pem
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE----- 
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
+-----END CERTIFICATE-----
diff --git a/tests/040-pem/good.lets_encrypt_chain.pem b/tests/040-pem/good.lets_encrypt_chain.pem
new file mode 100644
index 0000000..29a16ff
--- /dev/null
+++ b/tests/040-pem/good.lets_encrypt_chain.pem
@@ -0,0 +1,93 @@
+-----BEGIN CERTIFICATE-----
+MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTYxMDA2MTU0MzU1
+WhcNMjExMDA2MTU0MzU1WjBKMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDEjMCEGA1UEAxMaTGV0J3MgRW5jcnlwdCBBdXRob3JpdHkgWDMwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCc0wzwWuUuR7dyXTeDs2hjMOrX
+NSYZJeG9vjXxcJIvt7hLQQWrqZ41CFjssSrEaIcLo+N15Obzp2JxunmBYB/XkZqf
+89B4Z3HIaQ6Vkc/+5pnpYDxIzH7KTXcSJJ1HG1rrueweNwAcnKx7pwXqzkrrvUHl
+Npi5y/1tPJZo3yMqQpAMhnRnyH+lmrhSYRQTP2XpgofL2/oOVvaGifOFP5eGr7Dc
+Gu9rDZUWfcQroGWymQQ2dYBrrErzG5BJeC+ilk8qICUpBMZ0wNAxzY8xOJUWuqgz
+uEPxsR/DMH+ieTETPS02+OP88jNquTkxxa/EjQ0dZBYzqvqEKbbUC8DYfcOTAgMB
+AAGjggFnMIIBYzAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADBU
+BgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEBATAwMC4GCCsGAQUFBwIB
+FiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3JnMB0GA1UdDgQWBBSo
+SmpjBH3duubRObemRWXv86jsoTAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3Js
+LnJvb3QteDEubGV0c2VuY3J5cHQub3JnMHIGCCsGAQUFBwEBBGYwZDAwBggrBgEF
+BQcwAYYkaHR0cDovL29jc3Aucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcvMDAGCCsG
+AQUFBzAChiRodHRwOi8vY2VydC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZy8wHwYD
+VR0jBBgwFoAUebRZ5nu25eQBc4AIiMgaWPbpm24wDQYJKoZIhvcNAQELBQADggIB
+ABnPdSA0LTqmRf/Q1eaM2jLonG4bQdEnqOJQ8nCqxOeTRrToEKtwT++36gTSlBGx
+A/5dut82jJQ2jxN8RI8L9QFXrWi4xXnA2EqA10yjHiR6H9cj6MFiOnb5In1eWsRM
+UM2v3e9tNsCAgBukPHAg1lQh07rvFKm/Bz9BCjaxorALINUfZ9DD64j2igLIxle2
+DPxW8dI/F2loHMjXZjqG8RkqZUdoxtID5+90FgsGIfkMpqgRS05f4zPbCEHqCXl1
+eO5HyELTgcVlLXXQDgAWnRzut1hFJeczY1tjQQno6f6s+nMydLN26WuU4s3UYvOu
+OsUxRlJu7TSRHqDC3lSE5XggVkzdaPkuKGQbGpny+01/47hfXXNB7HntWNZ6N2Vw
+p7G6OfY+YQrZwIaQmhrIqJZuigsrbe3W+gdn5ykE9+Ky0VgVUsfxo52mwFYs1JKY
+2PGDuWx8M6DlS6qQkvHaRUo0FMd8TsSlbF0/v965qGFKhSDeQoMpYnwcmQilRh/0
+ayLThlHLN81gSkJjVrPI0Y8xCVPB4twb1PFUd2fPM3sA1tJ83sZ5v8vgFv2yofKR
+PB0t6JzUA81mSqM3kxl5e+IZwhYAyO0OTg3/fs8HqGTNKd9BqoUwSRBzp06JMg5b
+rUCGwbCUDI0mxadJ3Bz4WxR6fyNpBK2yAinWEsikxqEt
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
+WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
+R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
+sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
+NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
+Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
+/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
+Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
+gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
+PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
+ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
+CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
+lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
+avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
+yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
+yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
+hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
+HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
+MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
+nLRbwHOoq7hHwg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
+-----END CERTIFICATE-----
diff --git a/tests/040-pem/run.sh b/tests/040-pem/run.sh
new file mode 100755
index 0000000..1d4d1f4
--- /dev/null
+++ b/tests/040-pem/run.sh
@@ -0,0 +1,21 @@
+#!/bin/bash -e
+
+cd "$tmpdir"
+cp -p "$srcdir"/040-pem/bad.* $tmpdir
+base64 -d < "$tmpdir"/bad.isrg-root-x1-cross-signed.der.b64 > "$tmpdir"/bad.isrg-root-x1-cross-signed.der
+rm -f "$tmpdir"/bad.isrg-root-x1-cross-signed.der.b64
+
+for good in "$srcdir"/040-pem/good.* ; do
+	if ! "$toolsdir"/pem "$good" ; then
+		exit 1
+	fi
+done
+for bad in "$tmpdir"/bad.* bad.notfound; do
+	if "$toolsdir"/pem "$bad" > /dev/null; then
+		echo unexpected success with `basename "$bad"`
+		exit 1
+	else
+		echo got expected error with `basename "$bad"`
+	fi
+done
+echo OK
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 013d34b..e20b6d8 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -132,6 +132,8 @@ CLEANFILES = \
 	038-ms-v2-template/actual.err \
 	039-fromfile/actual.out \
 	039-fromfile/actual.err
+	040-pem/actual.out \
+	040-pem/actual.err
 EXTRA_DIST = \
 	run-tests.sh functions certmonger.conf tools/cachain.sh \
 	001-keyiread/run.sh \
@@ -353,7 +355,8 @@ EXTRA_DIST = \
 	038-ms-v2-template/expected.out \
 	038-ms-v2-template/extract-extdata.py \
 	038-ms-v2-template/run.sh \
-	039-fromfile/run.sh
+	039-fromfile/run.sh \
+	040-pem/run.sh
 
 subdirs = \
 	001-keyiread \
@@ -388,7 +391,8 @@ subdirs = \
 	036-getcert \
 	037-rekey2 \
 	038-ms-v2-template \
-	039-fromfile
+	039-fromfile \
+	040-pem
 
 if HAVE_DBM_NSSDB
 subdirs += \
diff --git a/tests/tools/Makefile.am b/tests/tools/Makefile.am
index 53f658e..1a01ee6 100644
--- a/tests/tools/Makefile.am
+++ b/tests/tools/Makefile.am
@@ -16,7 +16,8 @@ endif
 noinst_PROGRAMS = keyiread keygen csrgen submit certread certsave oid2name \
 		  name2oid iterate prefs dates listnicks pem2base base2pem \
 		  dparse payload checksig base64 cadata citerate casave hooks \
-		  libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile
+		  libexecdir canon srv addcinfo ls json json-utf8 printenv fromfile \
+		  pem
 noinst_LIBRARIES = libtools.a
 if HAVE_OPENSSL
 noinst_PROGRAMS += pk7parse pk7env scepgen pk7verify pk7decrypt
diff --git a/tests/tools/pem.c b/tests/tools/pem.c
new file mode 100644
index 0000000..4fdd4f4
--- /dev/null
+++ b/tests/tools/pem.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2021 Red Hat, Inc.
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "../../src/config.h"
+
+#include <sys/types.h>
+#include <errno.h>
+#include <fcntl.h>
+#ifdef HAVE_INTTYPES_H
+#include <inttypes.h>
+#endif
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <popt.h>
+
+#include <talloc.h>
+
+#include "../../src/util-o.h"
+
+int
+main(int argc, const char **argv)
+{
+	const char *filename;
+	void *parent;
+	int i, ret = 0;
+	poptContext pctx;
+	struct poptOption popts[] = {
+		POPT_AUTOHELP
+		POPT_TABLEEND
+	};
+
+	parent = talloc_new(NULL);
+	pctx = poptGetContext("pem", argc, argv, popts, 0);
+	while ((i = poptGetNextOpt(pctx)) > 0) {
+		continue;
+	}
+	if (i != -1) {
+		poptPrintUsage(pctx, stdout, 0);
+		return 1;
+	}
+	while ((filename = poptGetArg(pctx)) != NULL) {
+        if (validate_pem(parent, (char *)filename) == 0) {
+			printf("OK\n");
+		} else {
+			ret = 1;
+		}
+	}
+	talloc_free(parent);
+	poptFreeContext(pctx);
+	return ret;
+}
-- 
2.31.1