From 670244adbca3ca5aa5e199b720061b9110c28abf Mon Sep 17 00:00:00 2001

From: Fraser Tweedale <ftweedal@redhat.com>

Date: Wed, 13 Jan 2016 17:41:05 +1100

Subject: [PATCH] Use correct textual encoding for PKCS #7 objects

PKCS #7 objects are being output with the "CERTIFICATE CHAIN" label

which is invalid (RFC 7468) and unrecognised by many programs

(including OpenSSL).  Use the correct "PKCS7" label instead.

Also do a drive-by refactor of the normalizeCertAndReq to remove

some redundant code.

Fixes: https://fedorahosted.org/pki/ticket/1699

---

 .../webapps/ca/agent/ca/displayBySerial.template   |  4 +--

 .../webapps/ca/agent/ca/displayBySerial2.template  |  4 +--

 .../ca/agent/ca/displayCertFromRequest.template    |  4 +--

 .../webapps/ca/ee/ca/displayBySerial.template      |  4 +--

 .../shared/webapps/ca/ee/ca/displayCaCert.template |  6 ++--

 .../com/netscape/cmsutil/crypto/CryptoUtil.java    | 35 ++--------------------

 6 files changed, 13 insertions(+), 44 deletions(-)

diff --git a/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template b/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template

index 2bb2bfab7c2e208555b69188f6f33dd536732e3f..f95434a1b61fcc2eba00537ef050d849160e65aa 100644

--- a/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template

+++ b/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template

@@ -191,11 +191,11 @@ document.write(result.header.certChainBase64);

 Base 64 encoded certificate with CA certificate chain in pkcs7 format

 </font>

------BEGIN CERTIFICATE CHAIN-----

 <SCRIPT type="text/javascript">

+document.writeln('-----BEGIN PKCS7-----');

 document.write(result.header.pkcs7ChainBase64);

+document.writeln('-----END PKCS7-----');

 </SCRIPT>

------END CERTIFICATE CHAIN-----

diff --git a/base/ca/shared/webapps/ca/agent/ca/displayBySerial2.template b/base/ca/shared/webapps/ca/agent/ca/displayBySerial2.template

index 4a193e3243e79074feabd21e0094f4b5cea635b9..f0604ef7fc3a7a9ec4c1dd016f0652c507e204dd 100644

--- a/base/ca/shared/webapps/ca/agent/ca/displayBySerial2.template

+++ b/base/ca/shared/webapps/ca/agent/ca/displayBySerial2.template

@@ -97,11 +97,11 @@ The following format can be used to install this certificate into a server.

 Base 64 encoded certificate

 </font>

------BEGIN CERTIFICATE CHAIN-----

 <SCRIPT type="text/javascript">

+document.writeln('-----BEGIN PKCS7-----');

 document.write(result.header.certChainBase64);

+document.writeln('-----END PKCS7-----');

 </SCRIPT>

------END CERTIFICATE CHAIN-----

diff --git a/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template b/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template

index f1148570c5e1cd3c251ee64008228da2e710b421..402154037790343061dc4a711de0d0fba738dbf2 100644

--- a/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template

+++ b/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template

@@ -102,9 +102,9 @@ function displayCert(cert)

 		'Base 64 encoded certificate with CA certificate chain in pkcs7 format'+

 		'</font>'+

 		'
'+

-		'-----BEGIN CERTIFICATE CHAIN-----');

+		'-----BEGIN PKCS7-----');

 		document.writeln(cert.pkcs7ChainBase64);

-		document.writeln('-----END CERTIFICATE CHAIN-----'+

+		document.writeln('-----END PKCS7-----'+

 		'');

 }

diff --git a/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template b/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template

index e9b4d72bfb2b23a67c15282ae521b513d7a5dbfd..d482644b768750b704461785fe39eb744db7cbe9 100644

--- a/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template

+++ b/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template

@@ -116,11 +116,11 @@ document.write(result.header.certChainBase64);

 Base 64 encoded certificate with CA certificate chain in pkcs7 format

 </font>

------BEGIN CERTIFICATE-----

 <SCRIPT LANGUAUGE="JavaScript">

+document.writeln('-----BEGIN PKCS7-----');

 document.write(result.header.pkcs7ChainBase64);

+document.writeln('-----END PKCS7-----');

 </SCRIPT>

------END CERTIFICATE-----

diff --git a/base/ca/shared/webapps/ca/ee/ca/displayCaCert.template b/base/ca/shared/webapps/ca/ee/ca/displayCaCert.template

index 4e93919f53d553872ff9ee98356d81edda9a7640..4da0d74c8302329addf1ec1dd042f7ffe7ea18ae 100644

--- a/base/ca/shared/webapps/ca/ee/ca/displayCaCert.template

+++ b/base/ca/shared/webapps/ca/ee/ca/displayCaCert.template

@@ -43,9 +43,9 @@ if (result.header.displayFormat == "chain") {

     document.writeln('<center>' + result.header.subjectdn);

     document.writeln('</center>
</font>
');

     document.writeln('
');

-    document.writeln('-----BEGIN CERTIFICATE-----');

-    document.writeln(result.header.chainBase64);

-    document.writeln('-----END CERTIFICATE-----');

+    document.writeln('-----BEGIN PKCS7-----');

+    document.write(result.header.chainBase64);

+    document.writeln('-----END PKCS7-----');

     document.writeln('');

 } else if (result.header.displayFormat == "individual") {

     if (result.recordSet.length == 0) {

diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java

index 3b1041a74bb4b663dd9c5f4c9fa983da133f04a3..59883831afa5c9016594c54bbb25bf5f503f00b7 100644

--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java

+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java

@@ -822,46 +822,15 @@ public class CryptoUtil {

         if (s == null) {

             return s;

         }

-        s = s.replaceAll("-----BEGIN CERTIFICATE REQUEST-----", "");

-        s = s.replaceAll("-----BEGIN NEW CERTIFICATE REQUEST-----", "");

-        s = s.replaceAll("-----END CERTIFICATE REQUEST-----", "");

-        s = s.replaceAll("-----END NEW CERTIFICATE REQUEST-----", "");

-        s = s.replaceAll("-----BEGIN CERTIFICATE-----", "");

-        s = s.replaceAll("-----END CERTIFICATE-----", "");

-        s = s.replaceAll("-----BEGIN CERTIFICATE CHAIN-----", "");

-        s = s.replaceAll("-----END CERTIFICATE CHAIN-----", "");

+        // grammar defined at https://tools.ietf.org/html/rfc7468#section-3

+        s = s.replaceAll("-----(BEGIN|END) [\\p{Print}&&[^- ]]([- ]?[\\p{Print}&&[^- ]])*-----", "");

         StringBuffer sb = new StringBuffer();

         StringTokenizer st = new StringTokenizer(s, "\r\n ");

         while (st.hasMoreTokens()) {

             String nextLine = st.nextToken();

-

             nextLine = nextLine.trim();

-            if (nextLine.equals("-----BEGIN CERTIFICATE REQUEST-----")) {

-                continue;

-            }

-            if (nextLine.equals("-----BEGIN NEW CERTIFICATE REQUEST-----")) {

-                continue;

-            }

-            if (nextLine.equals("-----END CERTIFICATE REQUEST-----")) {

-                continue;

-            }

-            if (nextLine.equals("-----END NEW CERTIFICATE REQUEST-----")) {

-                continue;

-            }

-            if (nextLine.equals("-----BEGIN CERTIFICATE-----")) {

-                continue;

-            }

-            if (nextLine.equals("-----END CERTIFICATE-----")) {

-                continue;

-            }

-            if (nextLine.equals("-----BEGIN CERTIFICATE CHAIN-----")) {

-                continue;

-            }

-            if (nextLine.equals("-----END CERTIFICATE CHAIN-----")) {

-                continue;

-            }

             sb.append(nextLine);

         }

         return sb.toString();

-- 

2.4.3