From 46bb95a265de397c296c1950c7b1b66621aee87a Mon Sep 17 00:00:00 2001 From: terrafrost Date: Tue, 20 Oct 2015 10:20:58 -0500 Subject: [PATCH] X509: improve base64-encoded detection rules --- phpseclib/Crypt/RSA.php | 2 +- phpseclib/File/X509.php | 39 ++++++++++++++++++++++++++------ tests/Unit/File/X509/CSRTest.php | 25 ++++++++++++++++++++ 3 files changed, 58 insertions(+), 8 deletions(-) diff --git a/phpseclib/Crypt/RSA.php b/phpseclib/Crypt/RSA.php index d5e58538..9ae9f32d 100644 --- a/phpseclib/Crypt/RSA.php +++ b/phpseclib/Crypt/RSA.php @@ -3104,7 +3104,7 @@ class Crypt_RSA * subject=/O=organization/OU=org unit/CN=common name * issuer=/O=organization/CN=common name */ - $temp = preg_replace('#.*?^-+[^-]+-+#ms', '', $str, 1); + $temp = preg_replace('#.*?^-+[^-]+-+[\r\n ]*$#ms', '', $str, 1); // remove the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- stuff $temp = preg_replace('#-+[^-]+-+#', '', $temp); // remove new lines diff --git a/phpseclib/File/X509.php b/phpseclib/File/X509.php index 36c06019..63a8a231 100644 --- a/phpseclib/File/X509.php +++ b/phpseclib/File/X509.php @@ -110,6 +110,12 @@ define('FILE_X509_FORMAT_DER', 1); * Only works on CSRs. Not currently supported. */ define('FILE_X509_FORMAT_SPKAC', 2); +/** + * Auto-detect the format + * + * Used only by the load*() functions + */ +define('FILE_X509_FORMAT_AUTO_DETECT', 3); /**#@-*/ /** @@ -1423,10 +1429,11 @@ class File_X509 * Returns an associative array describing the X.509 cert or a false if the cert failed to load * * @param string $cert + * @param int $mode * @access public * @return mixed */ - function loadX509($cert) + function loadX509($cert, $mode = FILE_X509_FORMAT_AUTO_DETECT) { if (is_array($cert) && isset($cert['tbsCertificate'])) { unset($this->currentCert); @@ -1447,7 +1454,13 @@ class File_X509 $asn1 = new File_ASN1(); - $cert = $this->_extractBER($cert); + if ($mode != FILE_X509_FORMAT_DER) { + $newcert = $this->_extractBER($cert); + if ($mode == FILE_X509_FORMAT_PEM && $cert == $newcert) { + return false; + } + $cert = $newcert; + } if ($cert === false) { $this->currentCert = false; @@ -2846,7 +2859,7 @@ class File_X509 * @access public * @return mixed */ - function loadCSR($csr) + function loadCSR($csr, $mode = FILE_X509_FORMAT_AUTO_DETECT) { if (is_array($csr) && isset($csr['certificationRequestInfo'])) { unset($this->currentCert); @@ -2865,7 +2878,13 @@ class File_X509 $asn1 = new File_ASN1(); - $csr = $this->_extractBER($csr); + if ($mode != FILE_X509_FORMAT_DER) { + $newcsr = $this->_extractBER($csr); + if ($mode == FILE_X509_FORMAT_PEM && $csr == $newcsr) { + return false; + } + $csr = $newcsr; + } $orig = $csr; if ($csr === false) { @@ -3091,7 +3110,7 @@ class File_X509 * @access public * @return mixed */ - function loadCRL($crl) + function loadCRL($crl, $mode = FILE_X509_FORMAT_AUTO_DETECT) { if (is_array($crl) && isset($crl['tbsCertList'])) { $this->currentCert = $crl; @@ -3101,7 +3120,13 @@ class File_X509 $asn1 = new File_ASN1(); - $crl = $this->_extractBER($crl); + if ($mode != FILE_X509_FORMAT_DER) { + $newcrl = $this->_extractBER($crl); + if ($mode == FILE_X509_FORMAT_PEM && $crl == $newcrl) { + return false; + } + $crl = $newcrl; + } $orig = $crl; if ($crl === false) { @@ -4606,7 +4631,7 @@ class File_X509 * subject=/O=organization/OU=org unit/CN=common name * issuer=/O=organization/CN=common name */ - $temp = preg_replace('#.*?^-+[^-]+-+#ms', '', $str, 1); + $temp = preg_replace('#.*?^-+[^-]+-+[\r\n ]*$#ms', '', $str, 1); // remove the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- stuff $temp = preg_replace('#-+[^-]+-+#', '', $temp); // remove new lines diff --git a/tests/Unit/File/X509/CSRTest.php b/tests/Unit/File/X509/CSRTest.php index 26577c26..131237d5 100644 --- a/tests/Unit/File/X509/CSRTest.php +++ b/tests/Unit/File/X509/CSRTest.php @@ -68,4 +68,29 @@ draiRBZruwMPwPIP $this->assertInternalType('array', $csr); } + + public function testCSRDER() + { + $csr = 'MIICdzCCAV8CAQEwDDEKMAgGA1UEAwwBeDCCASIwDQYJKoZIhvcNAQEBBQADggEP' . + 'ADCCAQoCggEBALtcrFDD2AHe3x2bR00wPDsPH6FJLxr5uc1ybb+ldDB5xNVImC8P' . + 'LU6VXDZ5z68KjSovs1q0OWJWfCjlAuGLzqO35s86LI1CFuTFdkScVHMwh8zUVFoP' . + 'pG7/9rKaNxCgaHs4evxjxQP2+Ny7tBqPLb/KV0exm6Twocf963jC/Tyn57G5erRf' . + 'zpFrfK7DozhxY7znumJ4FuSn0TVkD6PPwZFn9VoTjv2ZoJmacGK+0r5yNKG799F5' . + 'K8EgDrOCfbzCZjX6GJctyn2SNPTeBuXS9piH21FGnJAryv80zG+zUqFdEyoLUGJt' . + '4Vy6+tDP9cW68fiwTZS1Oc1VeFdL1G/CrjkCAwEAAaAmMCQGCSqGSIb3DQEJDjEX' . + 'MBUwEwYKKwYBBAGCqlsBCQQFMAOCAQEwDQYJKoZIhvcNAQELBQADggEBAF4XOd+1' . + 'jkJOYRInNpHfhzSD/ktDY50gpLPuDvl4f/ZBlKrb1eDYQG5F3bnYzoZWHN4n+6Zs' . + 'CkljXs5ZPUZ5LuVpASumoG/aHXGz8c8NC3asJ1V73ljEPAfIXwqoIUoaP9jLL+Ee' . + 'zy/ZCi2NKWVo2D7ocnn79oblAem9ksSeQl4z3Gvhuug6MsMqn96NU/ZY/vjYzAjb' . + 'MAvJIVRY0rbCxbFa0K+XNJtF7GLyBxyPNFWCvADhvm9C4uPmoypYg7MY6EewJInN' . + 'xzMH7I4xDLjNu0VBa6lAxTvflp0joQHKlTYX0SDIKPbQivjZMuObPuxDtkVZ0rQl' . + 'AjmgMowaN5otTXM='; + $csr = base64_decode($csr); + + $x509 = new File_X509(); + + $csr = $x509->loadCSR($csr); + + $this->assertInternalType('array', $csr); + } }