From 670244adbca3ca5aa5e199b720061b9110c28abf Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed, 13 Jan 2016 17:41:05 +1100
Subject: [PATCH] Use correct textual encoding for PKCS #7 objects
|
|
|
018a91 |
PKCS #7 objects are being output with the "CERTIFICATE CHAIN" label
|
|
|
018a91 |
which is invalid (RFC 7468) and unrecognised by many programs
|
|
|
018a91 |
(including OpenSSL). Use the correct "PKCS7" label instead.
|
|
|
018a91 |
|
|
|
018a91 |
Also do a drive-by refactor of normalizeCertAndReq to remove
|
|
|
018a91 |
some redundant code.
|
|
|
018a91 |
|
|
|
018a91 |
Fixes: https://fedorahosted.org/pki/ticket/1699
|
|
|
018a91 |
---
|
|
|
018a91 |
.../webapps/ca/agent/ca/displayBySerial.template | 4 +--
|
|
|
018a91 |
.../webapps/ca/agent/ca/displayBySerial2.template | 4 +--
|
|
|
018a91 |
.../ca/agent/ca/displayCertFromRequest.template | 4 +--
|
|
|
018a91 |
.../webapps/ca/ee/ca/displayBySerial.template | 4 +--
|
|
|
018a91 |
.../shared/webapps/ca/ee/ca/displayCaCert.template | 6 ++--
|
|
|
018a91 |
.../com/netscape/cmsutil/crypto/CryptoUtil.java | 35 ++--------------------
|
|
|
018a91 |
6 files changed, 13 insertions(+), 44 deletions(-)
|
|
|
018a91 |
|
|
|
018a91 |
diff --git a/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template b/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template
|
|
|
018a91 |
index 2bb2bfab7c2e208555b69188f6f33dd536732e3f..f95434a1b61fcc2eba00537ef050d849160e65aa 100644
|
|
|
018a91 |
--- a/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template
|
|
|
018a91 |
+++ b/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template
|
|
|
018a91 |
@@ -191,11 +191,11 @@ document.write(result.header.certChainBase64);
|
|
|
018a91 |
Base 64 encoded certificate with CA certificate chain in pkcs7 format
|
|
|
018a91 |
</font>
|
|
|
018a91 |
|
|
|
018a91 |
------BEGIN CERTIFICATE CHAIN-----
|
|
|
018a91 |
<SCRIPT type="text/javascript">
|
|
|
018a91 |
+document.writeln('-----BEGIN PKCS7-----');
|
|
|
018a91 |
document.write(result.header.pkcs7ChainBase64);
|
|
|
018a91 |
+document.writeln('-----END PKCS7-----');
|
|
|
018a91 |
</SCRIPT>
|
|
|
018a91 |
------END CERTIFICATE CHAIN-----
|
|
|
018a91 |
|
|
|
018a91 |
|
|
|
018a91 |
|
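Review bot: The new `document.writeln('-----END PKCS7-----')` line is only correct if `result.header.pkcs7ChainBase64` already ends in a newline, because the body is emitted with `document.write` rather than `writeln`; if the server-side value lacks one, the END boundary is fused onto the last base64 line and RFC 7468 parsers (OpenSSL included) will reject the very blob this commit is trying to make readable. The displayCaCert.template hunk in this same patch deliberately switches to `write` for the chain, which suggests the value does carry a trailing newline, but that is inferred rather than visible here and should be confirmed against the servlet that fills `pkcs7ChainBase64`. A defensive form that is correct either way is `document.writeln(result.header.pkcs7ChainBase64.replace(/\s+$/, ''));`.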
|
|
018a91 |
diff --git a/base/ca/shared/webapps/ca/agent/ca/displayBySerial2.template b/base/ca/shared/webapps/ca/agent/ca/displayBySerial2.template
|
|
|
018a91 |
index 4a193e3243e79074feabd21e0094f4b5cea635b9..f0604ef7fc3a7a9ec4c1dd016f0652c507e204dd 100644
|
|
|
018a91 |
--- a/base/ca/shared/webapps/ca/agent/ca/displayBySerial2.template
|
|
|
018a91 |
+++ b/base/ca/shared/webapps/ca/agent/ca/displayBySerial2.template
|
|
|
018a91 |
@@ -97,11 +97,11 @@ The following format can be used to install this certificate into a server.
|
|
|
018a91 |
Base 64 encoded certificate
|
|
|
018a91 |
</font>
|
|
|
018a91 |
|
|
|
018a91 |
------BEGIN CERTIFICATE CHAIN-----
|
|
|
018a91 |
<SCRIPT type="text/javascript">
|
|
|
018a91 |
+document.writeln('-----BEGIN PKCS7-----');
|
|
|
018a91 |
document.write(result.header.certChainBase64);
|
|
|
018a91 |
+document.writeln('-----END PKCS7-----');
|
|
|
018a91 |
</SCRIPT>
|
|
|
018a91 |
------END CERTIFICATE CHAIN-----
|
|
|
018a91 |
|
|
|
018a91 |
|
|
|
018a91 |
|
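Review bot: This block now labels `result.header.certChainBase64` as `PKCS7`, while the heading two lines above still reads `Base 64 encoded certificate` and the sibling agent template (displayBySerial.template) emits a differently named `pkcs7ChainBase64` field under the same label. The label is only right if `certChainBase64` holds a DER-encoded PKCS #7 blob rather than a bare certificate; a mislabelled object fails in OpenSSL in exactly the way ticket 1699 describes. Please confirm which field this template is meant to emit, and change the heading to `Base 64 encoded certificate with CA certificate chain in pkcs7 format` (as the other templates say) so the user knows what they are pasting.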
|
|
018a91 |
diff --git a/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template b/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template
|
|
|
018a91 |
index f1148570c5e1cd3c251ee64008228da2e710b421..402154037790343061dc4a711de0d0fba738dbf2 100644
|
|
|
018a91 |
--- a/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template
|
|
|
018a91 |
+++ b/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template
|
|
|
018a91 |
@@ -102,9 +102,9 @@ function displayCert(cert)
|
|
|
018a91 |
'Base 64 encoded certificate with CA certificate chain in pkcs7 format'+
|
|
|
018a91 |
'</font>'+
|
|
|
018a91 |
''+
|
|
|
018a91 |
- '-----BEGIN CERTIFICATE CHAIN-----');
|
|
|
018a91 |
+ '-----BEGIN PKCS7-----');
|
|
|
018a91 |
document.writeln(cert.pkcs7ChainBase64);
|
|
|
018a91 |
- document.writeln('-----END CERTIFICATE CHAIN-----'+
|
|
|
018a91 |
+ document.writeln('-----END PKCS7-----'+
|
|
|
018a91 |
'');
|
|
|
018a91 |
|
|
|
018a91 |
}
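Review bot: `document.writeln(cert.pkcs7ChainBase64)` emits the body with `writeln`, whereas the other templates in this patch use `document.write` for the same value, so one of the two produces either a fused END line or an extra blank line before `-----END PKCS7-----`, depending on whether the server value ends with a newline. Pick one convention for the body line across all five templates; if the value carries its own newline, this one should become `document.write(cert.pkcs7ChainBase64);`. The enclosing `displayCert` function starts before this hunk.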
|
|
|
018a91 |
diff --git a/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template b/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template
|
|
|
018a91 |
index e9b4d72bfb2b23a67c15282ae521b513d7a5dbfd..d482644b768750b704461785fe39eb744db7cbe9 100644
|
|
|
018a91 |
--- a/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template
|
|
|
018a91 |
+++ b/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template
|
|
|
018a91 |
@@ -116,11 +116,11 @@ document.write(result.header.certChainBase64);
|
|
|
018a91 |
Base 64 encoded certificate with CA certificate chain in pkcs7 format
|
|
|
018a91 |
</font>
|
|
|
018a91 |
|
|
|
018a91 |
------BEGIN CERTIFICATE-----
|
|
|
018a91 |
<SCRIPT LANGUAUGE="JavaScript">
|
|
|
018a91 |
+document.writeln('-----BEGIN PKCS7-----');
|
|
|
018a91 |
document.write(result.header.pkcs7ChainBase64);
|
|
|
018a91 |
+document.writeln('-----END PKCS7-----');
|
|
|
018a91 |
</SCRIPT>
|
|
|
018a91 |
------END CERTIFICATE-----
|
|
|
018a91 |
|
|
|
018a91 |
|
|
|
018a91 |
|
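Review bot: The `<SCRIPT LANGUAUGE="JavaScript">` tag that now wraps the PKCS7 boundary lines carries a misspelled, non-standard attribute; browsers fall back to JavaScript regardless, but since this block is being rewritten it should match the agent template's `<SCRIPT type="text/javascript">`. Independently, the body is written with `document.write` and the END boundary with `writeln`, so the output is well-formed only if `result.header.pkcs7ChainBase64` ends in a newline — not visible here, please confirm. Note the removed lines here used the bare `CERTIFICATE` label around a PKCS #7 blob, so a quick `openssl pkcs7 -print_certs` against the new output from this page would be a good regression check for the ticket.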
|
|
018a91 |
diff --git a/base/ca/shared/webapps/ca/ee/ca/displayCaCert.template b/base/ca/shared/webapps/ca/ee/ca/displayCaCert.template
|
|
|
018a91 |
index 4e93919f53d553872ff9ee98356d81edda9a7640..4da0d74c8302329addf1ec1dd042f7ffe7ea18ae 100644
|
|
|
018a91 |
--- a/base/ca/shared/webapps/ca/ee/ca/displayCaCert.template
|
|
|
018a91 |
+++ b/base/ca/shared/webapps/ca/ee/ca/displayCaCert.template
|
|
|
018a91 |
@@ -43,9 +43,9 @@ if (result.header.displayFormat == "chain") {
|
|
|
018a91 |
document.writeln('<center>' + result.header.subjectdn);
|
|
|
018a91 |
document.writeln('</center></font> ');
|
|
|
018a91 |
document.writeln('');
|
|
|
018a91 |
- document.writeln('-----BEGIN CERTIFICATE-----');
|
|
|
018a91 |
- document.writeln(result.header.chainBase64);
|
|
|
018a91 |
- document.writeln('-----END CERTIFICATE-----');
|
|
|
018a91 |
+ document.writeln('-----BEGIN PKCS7-----');
|
|
|
018a91 |
+ document.write(result.header.chainBase64);
|
|
|
018a91 |
+ document.writeln('-----END PKCS7-----');
|
|
|
018a91 |
document.writeln('');
|
|
|
018a91 |
} else if (result.header.displayFormat == "individual") {
|
|
|
018a91 |
if (result.recordSet.length == 0) {
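Review bot: Besides the label change, this hunk silently turns `document.writeln(result.header.chainBase64)` into `document.write(...)`, a whitespace change not mentioned in the commit message that makes the output correct only if `chainBase64` already ends in a newline; otherwise `-----END PKCS7-----` is appended to the last base64 line. If the server value does end in a newline, a one-line comment would stop the next reader from "fixing" it back: `// chainBase64 already ends with a newline; write() avoids a blank line before the END boundary`. Either way the commit message should mention the change.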
|
|
|
018a91 |
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
|
|
|
018a91 |
index 3b1041a74bb4b663dd9c5f4c9fa983da133f04a3..59883831afa5c9016594c54bbb25bf5f503f00b7 100644
|
|
|
018a91 |
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
|
|
|
018a91 |
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
|
|
|
018a91 |
@@ -822,46 +822,15 @@ public class CryptoUtil {
|
|
|
018a91 |
if (s == null) {
|
|
|
018a91 |
return s;
|
|
|
018a91 |
}
|
|
|
018a91 |
- s = s.replaceAll("-----BEGIN CERTIFICATE REQUEST-----", "");
|
|
|
018a91 |
- s = s.replaceAll("-----BEGIN NEW CERTIFICATE REQUEST-----", "");
|
|
|
018a91 |
- s = s.replaceAll("-----END CERTIFICATE REQUEST-----", "");
|
|
|
018a91 |
- s = s.replaceAll("-----END NEW CERTIFICATE REQUEST-----", "");
|
|
|
018a91 |
- s = s.replaceAll("-----BEGIN CERTIFICATE-----", "");
|
|
|
018a91 |
- s = s.replaceAll("-----END CERTIFICATE-----", "");
|
|
|
018a91 |
- s = s.replaceAll("-----BEGIN CERTIFICATE CHAIN-----", "");
|
|
|
018a91 |
- s = s.replaceAll("-----END CERTIFICATE CHAIN-----", "");
|
|
|
018a91 |
+ // grammar defined at https://tools.ietf.org/html/rfc7468#section-3
|
|
|
018a91 |
+ s = s.replaceAll("-----(BEGIN|END) [\\p{Print}&&[^- ]]([- ]?[\\p{Print}&&[^- ]])*-----", "");
|
|
|
018a91 |
|
|
|
018a91 |
StringBuffer sb = new StringBuffer();
|
|
|
018a91 |
StringTokenizer st = new StringTokenizer(s, "\r\n ");
|
|
|
018a91 |
|
|
|
018a91 |
while (st.hasMoreTokens()) {
|
|
|
018a91 |
String nextLine = st.nextToken();
|
|
|
018a91 |
-
|
|
|
018a91 |
nextLine = nextLine.trim();
|
|
|
018a91 |
- if (nextLine.equals("-----BEGIN CERTIFICATE REQUEST-----")) {
|
|
|
018a91 |
- continue;
|
|
|
018a91 |
- }
|
|
|
018a91 |
- if (nextLine.equals("-----BEGIN NEW CERTIFICATE REQUEST-----")) {
|
|
|
018a91 |
- continue;
|
|
|
018a91 |
- }
|
|
|
018a91 |
- if (nextLine.equals("-----END CERTIFICATE REQUEST-----")) {
|
|
|
018a91 |
- continue;
|
|
|
018a91 |
- }
|
|
|
018a91 |
- if (nextLine.equals("-----END NEW CERTIFICATE REQUEST-----")) {
|
|
|
018a91 |
- continue;
|
|
|
018a91 |
- }
|
|
|
018a91 |
- if (nextLine.equals("-----BEGIN CERTIFICATE-----")) {
|
|
|
018a91 |
- continue;
|
|
|
018a91 |
- }
|
|
|
018a91 |
- if (nextLine.equals("-----END CERTIFICATE-----")) {
|
|
|
018a91 |
- continue;
|
|
|
018a91 |
- }
|
|
|
018a91 |
- if (nextLine.equals("-----BEGIN CERTIFICATE CHAIN-----")) {
|
|
|
018a91 |
- continue;
|
|
|
018a91 |
- }
|
|
|
018a91 |
- if (nextLine.equals("-----END CERTIFICATE CHAIN-----")) {
|
|
|
018a91 |
- continue;
|
|
|
018a91 |
- }
|
|
|
018a91 |
sb.append(nextLine);
|
|
|
018a91 |
}
|
|
|
018a91 |
return sb.toString();
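Review bot: `s.replaceAll(...)` recompiles the boundary regex on every call, and this method sits on the certificate/CSR submission path; hoist it into `private static final Pattern PEM_BOUNDARY = Pattern.compile("-----(BEGIN|END) [\\p{Print}&&[^- ]]([- ]?[\\p{Print}&&[^- ]])*-----");` and use `s = PEM_BOUNDARY.matcher(s).replaceAll("");` (adding `import java.util.regex.Pattern;` if the file does not already have it). The regex also requires at least one label character, whereas the RFC 7468 grammar it cites allows an empty label (`-----BEGIN -----`); such a boundary would survive into the base64 and break decoding, a pre-existing gap but now worth a comment such as `// empty labels (RFC 7468 allows them) are not stripped`. Unlike the old fixed list, the pattern strips any boundary, including unrelated ones like `-----BEGIN PRIVATE KEY-----`, which is fine as long as the caller still validates the decoded DER as the expected object type — worth confirming, and the method's Javadoc should state that it strips any RFC 7468 encapsulation boundary, not just certificate/request ones. `normalizeCertAndReq` begins and ends outside this hunk.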
|
|
|
018a91 |
--
|
|
|
018a91 |
2.4.3
|
|
|
018a91 |
|