[Freeipa-devel] [PATCH] 360 be smarter about decoding certs

Rob Crittenden rcritten at redhat.com
Fri Jan 29 14:28:33 UTC 2010


John Dennis wrote:
> On 01/28/2010 10:30 PM, Rob Crittenden wrote:
>> John Dennis wrote:
>>> On 01/28/2010 04:15 PM, Rob Crittenden wrote:
>>>> Gah, got the description mixed up with the last patch :-(
>>>>
>>>> Be a bit smarter about decoding certificates that might be base64
>>>> encoded. First see if it only contains those characters allowed before
>>>> trying to decode it. This reduces the number of false positives.
>>>
>>> I'm not sure the test is doing what you want or even if it's the right
>>> test.
>>>
>>> The test is saying "If there is one or more characters in the base64
>>> alphabet then try and decode." That means just about anything will
>>> match, which doesn't seem like a very strong test.
>>>
>>> Why not just try and decode it and let the decoder decide if it's
>>> really base64? The decoder has much stronger rules about the input,
>>> including assuring the padding is correct.
>>>
>>
>> The reason is I had a binary cert that was correctly decoded by the
>> base64 encoder. I don't know the why's and wherefores but there it is.
> 
> Then testing to see if each byte is in the base64 alphabet would not 
> have prevented this error.

And yet it did in practice. I think you're assuming too much about the 
input testing in base64.b64decode(). It gladly takes binary data, as 
long as it fits the expected padding.

> 
> For a while now I've been feeling like we need to associate a format 
> attribute to the certificate (e.g. DER, PEM, BASE64, etc.).

There is simply no good way to carry that extra data when all you have 
is a blob of data. We'd still need some mechanism to look at it and ask 
"what are you?" That or we simply reject some types of input.

> Or we need to adopt a convention that certs are always in one canonical 
> format and the interface is responsible for assuring what it accepts as 
> input is converted to the canonical form.

Again, something would need to do that and base64.b64decode() is not 
sufficient.

I know this seems rather hacky, I thought as much when I coded it, just 
trying to make it robust.

rob

> 
>> I see what you mean about my regex being a bit weak though, it really
>> should require that the entire string conform. I'll see what I can do.
>>
>> rob
> 
> 
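An added illustration of the two behaviours argued over above (example code written here, not the patch itself or anything from the FreeIPA tree): the default base64.b64decode() silently drops every byte outside the alphabet and only complains about leftover padding, so a binary DER blob can "decode" without error, while a whole-string alphabet-and-padding check rejects it. The names decode_cert, looks_like_base64, lenient_decode and the FAKE_DER sample are constructed for this demonstration.

```python
import base64
import binascii
import re

# Whole-value rule: base64 alphabet in groups of four, with an optional tail of
# two chars + "==" or three chars + "=". Nothing else may appear anywhere.
_B64_BODY = re.compile(rb'^(?:[A-Za-z0-9+/]{4})*'
                       rb'(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$')


def compact(blob):
    """Drop the line breaks and spaces a PEM body carries so the check sees one string."""
    return b''.join(blob.split())


def looks_like_base64(blob):
    """True only if the *entire* blob is base64 alphabet with correct padding."""
    body = compact(blob)
    return bool(body) and _B64_BODY.match(body) is not None


def lenient_decode(blob):
    """What the default decoder does: skip non-alphabet bytes, decode the rest.
    Returns the (possibly garbage) bytes, or None if the leftovers mis-pad."""
    try:
        return base64.b64decode(blob)
    except (binascii.Error, ValueError):
        return None


def decode_cert(blob):
    """Return DER bytes: decode only when the whole blob is base64, else pass it through."""
    if looks_like_base64(blob):
        return base64.b64decode(compact(blob), validate=True)
    return blob  # assume it is already DER


# Constructed sample: DER-like binary (SEQUENCE header, then junk) whose
# in-alphabet bytes ('0', 'A', 'B', 'C') happen to number exactly four,
# so the lenient decoder "succeeds" on it and returns 3 bytes of nonsense.
FAKE_DER = b'\x30\x82\x01\x0aABC\xff\xfe'

if __name__ == '__main__':
    print("lenient decode of binary:", lenient_decode(FAKE_DER))   # b'\xd0\x00B'
    print("whole-string check:      ", looks_like_base64(FAKE_DER))  # False
    print("round trip via PEM body: ",
          decode_cert(base64.encodebytes(FAKE_DER)) == FAKE_DER)   # True
```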