Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Address issue with embedded certificates in JWT x5c #6440

Merged
merged 6 commits into from
Aug 15, 2024
Merged

Address issue with embedded certificates in JWT x5c #6440

merged 6 commits into from
Aug 15, 2024

Conversation

achamayou
Copy link
Member

@achamayou achamayou commented Aug 14, 2024
edited
Loading

There is an issue with the way the Verifier_OpenSSL::Verifier_OpenSSL handles being constructed from either a DER or a PEM.

The code initially tries to construct and X509 type with Unique_X509(certbio, true /* pem */) before retrying with Unique_X509(certbio, false /* pem */) in case the value is DER. Unique_X509() calls PEM_read_bio_X509() internally, which ignores all input prior to -----BEGIN CERTIFICATE-----, and parses from there.

If a certificate embeds other certificates, and is provided in DER form, this results in mis-parsing as the nested certificate.

Longer term, we should avoid calls that take DER|PEM and have a static distinction. For the time being, this adds a validation check to the content before handing it to PEM_read_bio_X509().

@ad-l ad-l self-requested a review August 14, 2024 15:59
@achamayou achamayou changed the title Workaround issue with embedded certificates in JWT x5c Address issue with embedded certificates in JWT x5c Aug 15, 2024
@achamayou achamayou marked this pull request as ready for review August 15, 2024 09:50
@achamayou achamayou requested a review from a team as a code owner August 15, 2024 09:50
@achamayou achamayou added auto-backport Automatically backport this PR to LTS branch 5.x-todo PRs which should be backported to 5.x labels Aug 15, 2024
maxtropets
maxtropets reviewed Aug 15, 2024
View reviewed changes
CHANGELOG.md Outdated Show resolved Hide resolved
@achamayou @maxtropets
Update CHANGELOG.md
005c96c 
Co-authored-by: Max <maxtropets@gmail.com>
@achamayou achamayou added this pull request to the merge queue Aug 15, 2024
Merged via the queue into microsoft:main with commit 4bb3c1e Aug 15, 2024
7 checks passed
@achamayou achamayou deleted the fix_x5c_handling_with_nested_certs branch August 15, 2024 14:40
ccf-bot pushed a commit that referenced this pull request Aug 15, 2024
@achamayou
Address issue with embedded certificates in JWT x5c (#6440)
a2b684c 
Co-authored-by: Max <maxtropets@gmail.com>
(cherry picked from commit 4bb3c1e)
@ccf-bot ccf-bot mentioned this pull request Aug 15, 2024
Merged
@ccf-bot ccf-bot added the backported This PR was successfully backported to LTS branch label Aug 15, 2024
achamayou pushed a commit that referenced this pull request Aug 15, 2024
@ccf-bot
[release/5.x] Cherry pick: Address issue with embedded certificates i…
bb25588 
…n JWT x5c (#6440) (#6442)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maxtropets maxtropets maxtropets approved these changes

@ad-l ad-l Awaiting requested review from ad-l

Assignees
No one assigned
Labels
5.x-todo PRs which should be backported to 5.x auto-backport Automatically backport this PR to LTS branch backported This PR was successfully backported to LTS branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@achamayou @maxtropets @ccf-bot