asn1parse inform pem is not RFC7468 compliant #7317

Open
tomato42 opened this issue Sep 25, 2018 · 11 comments · May be fixed by #7320

@tomato42 (Contributor) commented Sep 25, 2018

running openssl-1.1.0h-3.fc27

```
openssl req -x509 -newkey rsa -pkeyopt rsa_keygen_bits:2048 -keyout /tmp/localhost.key -out /tmp/localhost.crt -subj /CN=localhost -nodes -batch
openssl x509 -in /tmp/localhost.crt -out /tmp/localhost.pem -text
openssl asn1parse -in /tmp/localhost.pem -inform pem
```

outputs:

```
Error: offset too large
```

This is despite RFC 7468 requirement:

> Data before the encapsulation boundaries are
> permitted, and parsers MUST NOT malfunction when processing such
> data.
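
The two input interpretations at issue in this thread, as an added Python sketch (not OpenSSL's code and not part of any comment here): one decoder honours the RFC 7468 boundaries and ignores the text before them, the other treats the whole input as base64. The sample DER, the input text and all function names are constructed for illustration.

```python
import base64
import binascii
import re

# Constructed sample: DER for SEQUENCE { INTEGER 1 }, not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")

# Constructed input shaped like `openssl x509 -text` output: human-readable
# text first, then the encapsulated block.
TEXT_THEN_PEM = (
    "Certificate:\n"
    "    Data:\n"
    "        Version: 3 (0x2)\n"
    "-----BEGIN CERTIFICATE-----\n"
    f"{SAMPLE_B64}\n"
    "-----END CERTIFICATE-----\n"
)

# RFC 7468 encapsulation boundaries; this sketch requires matching labels.
_PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z0-9 ]+)-----[ \t]*\r?\n(.*?)^-----END \1-----[ \t]*\r?$",
    re.MULTILINE | re.DOTALL,
)

def decode_pem(text):
    """Return [(label, der)], ignoring any text outside the boundaries."""
    blocks = [
        (m.group(1), base64.b64decode("".join(m.group(2).split()), validate=True))
        for m in _PEM_BLOCK.finditer(text)
    ]
    if not blocks:
        raise ValueError("no PEM encapsulation boundaries found")
    return blocks

def decode_raw_base64(text):
    """Treat the entire input as base64, as a header-less mode has to."""
    return base64.b64decode("".join(text.split()), validate=True)

def accepted_by(text):
    """Report which of the two input interpretations can decode `text`."""
    result = {}
    for name, decoder in (("pem", decode_pem), ("b64", decode_raw_base64)):
        try:
            decoder(text)
            result[name] = True
        except (ValueError, binascii.Error):
            result[name] = False
    return result
```

`accepted_by` makes the compatibility trade-off visible: text followed by a PEM block decodes only with the boundary-aware reader, while header-less base64 decodes only with the raw one.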

@mspncp (Contributor) commented Sep 25, 2018

This was fixed 6b5c1d9 but requires the option -strictpem, see ASN1PARSE(1).

@mspncp mspncp closed this Sep 25, 2018

@mspncp (Contributor) commented Sep 25, 2018

@mattcaswell what was the reason why -strictpem was not made the default behaviour? Was it for compatibility reasons? Should we consider making it the default for the next major version?

@mspncp mspncp reopened this Sep 25, 2018

@tomato42 (Contributor, Author) commented Sep 25, 2018

+1 on that question, while I understand the usability of decoding pem-header-less base64 encoded data, shouldn't the default be the standard PEM?

@mspncp (Contributor) commented Sep 25, 2018

Give me a day or two and I can prepare a pull request which makes -strictpem the default (but keeping the option for compatibility reasons) and adds a new -nopem option to return to the old behaviour.

@mspncp mspncp linked a pull request that will close this issue Sep 26, 2018

@mspncp (Contributor) commented Sep 26, 2018

Please have a look at #7320.

@mspncp mspncp changed the title from "asn1parse inform pem is not RFC7462 compliant" to "asn1parse inform pem is not RFC7468 compliant" Sep 26, 2018

@mattcaswell (Member) commented Sep 26, 2018

> @mattcaswell what was the reason why -strictpem was not made the default behaviour? Was it for compatibility reasons?

I have absolutely no recollection of making that commit :-)
I have no problem with making this the default.

@mattcaswell (Member) commented Sep 26, 2018

Although... is making it the default a breaking change in any way?

@mspncp (Contributor) commented Sep 26, 2018

Well, I wouldn't backport it to 1.1.1, at least not with the new default. Only keep it on master which (almost surely) will be scheduled as a major release.

@mspncp mspncp added the 1.2.0 label Sep 26, 2018

@mattcaswell (Member) commented Sep 26, 2018

> Only keep it on master which (almost surely) will be scheduled as a major release.

Right - but we are likely to specify a policy around breaking changes. It won't be "open season".

@levitte (Member) commented Sep 26, 2018

This suggests that we need a roadmap where we specify things that go into a few major releases going forward. (this could potentially mean that we'll do major releases more frequently)

@mspncp (Contributor) commented Sep 26, 2018

> we'll do major releases more frequently

Don't forget, we only have thirteen of them left ;-)

mspncp pushed a commit to mspncp/openssl that referenced this issue Jul 17, 2019
Fixes openssl#7317

The asn1parse command now supports three different input formats:

     openssl asn1parse -inform PEM|DER|B64

       PEM: base64 encoded data enclosed by PEM markers (RFC7462)
       DER: der encoded binary data
       B64: raw base64 encoded data

The PEM input format is the default format. It is equivalent
to the former `-strictpem` option which is now marked obsolete and
kept for compatibility reasons only.

The B64 is equivalent to the former default input format of the
asn1parse command (without `-strictpem`)
@mspncp mspncp removed the 3.0.0 label Oct 25, 2019
mspncp pushed a commit to mspncp/openssl that referenced this issue Mar 4, 2020
mspncp added a commit to mspncp/openssl that referenced this issue Apr 22, 2021
The asn1parse command now supports three different input formats:

     openssl asn1parse -inform PEM|DER|B64

       PEM: base64 encoded data enclosed by PEM markers (RFC7462)
       DER: der encoded binary data
       B64: raw base64 encoded data

The PEM input format is the default format. It is equivalent
to the former `-strictpem` option which is now marked obsolete and
kept for compatibility reasons only.

The B64 is equivalent to the former default input format of the
asn1parse command (without `-strictpem`)

Fixes openssl#7317
mspncp added a commit to mspncp/openssl that referenced this issue Apr 22, 2021
The asn1parse command now supports three different input formats:

     openssl asn1parse -inform PEM|DER|B64

       PEM: base64 encoded data enclosed by PEM markers (RFC7462)
       DER: der encoded binary data
       B64: raw base64 encoded data

The PEM input format is the default format. It is equivalent
to the former `-strictpem` option which is now marked obsolete
and kept for backward compatibility only.

The B64 is equivalent to the former default input format of the
asn1parse command (without `-strictpem`)

Fixes openssl#7317

fixup! apps/asn1parse: improve RFC7462 compliance
@t8m t8m added this to the Post 3.0.0 milestone Jul 19, 2021