authorRichard Steinmetz <richard@steinmetz.cloud>2024-09-24 10:33:07 +0200
committerRichard Steinmetz <richard@steinmetz.cloud>2024-09-30 09:17:25 +0200
commit8752c3de794ae9cdcc9b4d3e2bcf8fc84ac10c86 (patch)
tree5c1c365376c4abc038d85e32a3ad976f391c1d60
parent07f914e7dfa8c440b712680435a5acdce1df19da (diff)
fix: gracefully parse non-standard trusted certificatesbackport/48307/stable28
Signed-off-by: Richard Steinmetz <richard@steinmetz.cloud>
-rw-r--r--lib/private/Security/Certificate.php10
-rw-r--r--tests/data/certificates/openSslTrustedCertificate.crt25
-rw-r--r--tests/lib/Security/CertificateTest.php9
3 files changed, 42 insertions, 2 deletions
diff --git a/lib/private/Security/Certificate.php b/lib/private/Security/Certificate.php
index 759c71b2eec..a198bdd886e 100644
--- a/lib/private/Security/Certificate.php
+++ b/lib/private/Security/Certificate.php
@@ -61,6 +61,16 @@ class Certificate implements ICertificate {
$info = openssl_x509_parse($data);
if (!is_array($info)) {
+ // There is a non-standardized certificate format only used by OpenSSL. Replace all
+ // separators and try again.
+ $data = str_replace(
+ ['-----BEGIN TRUSTED CERTIFICATE-----', '-----END TRUSTED CERTIFICATE-----'],
+ ['-----BEGIN CERTIFICATE-----', '-----END CERTIFICATE-----'],
+ $data,
+ );
+ $info = openssl_x509_parse($data);
+ }
+ if (!is_array($info)) {
throw new \Exception('Certificate could not get parsed.');
}
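Review bot: The retry at `$data = str_replace(...)` relabels an OpenSSL trusted certificate as a plain one, but the comment does not say what happens to the trust settings this format carries after the certificate. As far as I know, a TRUSTED CERTIFICATE block holds the X.509 structure followed by OpenSSL's auxiliary trust and reject attributes, so parsing it under the CERTIFICATE label most likely reads only the certificate and silently ignores any reject marking. Whether the relabelled `$data` is also what gets stored or exported later is decided outside this hunk. I would record this in the comment, e.g. `// Note: OpenSSL's auxiliary trust/reject attributes are not evaluated; only the X.509 part is parsed.`, and run the retry only when the marker is present (PHP 8), `if (!is_array($info) && str_contains($data, '-----BEGIN TRUSTED CERTIFICATE-----')) {`, so other malformed input is not parsed twice. The enclosing method starts and ends outside the hunk.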
diff --git a/tests/data/certificates/openSslTrustedCertificate.crt b/tests/data/certificates/openSslTrustedCertificate.crt
new file mode 100644
index 00000000000..21af3485995
--- /dev/null
+++ b/tests/data/certificates/openSslTrustedCertificate.crt
@@ -0,0 +1,25 @@
+-----BEGIN TRUSTED CERTIFICATE-----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+-----END TRUSTED CERTIFICATE-----
diff --git a/tests/lib/Security/CertificateTest.php b/tests/lib/Security/CertificateTest.php
index 2c430fc1273..7858c3accc4 100644
--- a/tests/lib/Security/CertificateTest.php
+++ b/tests/lib/Security/CertificateTest.php
@@ -45,7 +45,7 @@ class CertificateTest extends \Test\TestCase {
$this->expiredCertificate = new Certificate($expiredCertificate, 'ExpiredCertificate');
}
-
+
public function testBogusData() {
$this->expectException(\Exception::class);
$this->expectExceptionMessage('Certificate could not get parsed.');
@@ -54,7 +54,12 @@ class CertificateTest extends \Test\TestCase {
$certificate->getIssueDate();
}
-
+ public function testOpenSslTrustedCertificateFormat(): void {
+ $trustedCertificate = file_get_contents(__DIR__ . '/../../data/certificates/openSslTrustedCertificate.crt');
+ $certificate = new Certificate($trustedCertificate, 'TrustedCertificate');
+ $this->assertSame('thawte, Inc.', $certificate->getOrganization());
+ }
+
public function testCertificateStartingWithFileReference() {
$this->expectException(\Exception::class);
$this->expectExceptionMessage('Certificate could not get parsed.');
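Review bot: The new `testOpenSslTrustedCertificateFormat` covers only a well-formed trusted certificate, so nothing pins what the fallback does when the TRUSTED CERTIFICATE separators wrap data that is not a certificate. A negative case next to it would show that the relabel-and-retry path still ends in the 'Certificate could not get parsed.' exception instead of accepting the input. The payload in the sketch below is a constructed sample, not taken from the repository. `testCertificateStartingWithFileReference` continues outside the hunk.

```php
public function testBogusOpenSslTrustedCertificate(): void {
    $this->expectException(\Exception::class);
    $this->expectExceptionMessage('Certificate could not get parsed.');
    // constructed sample: correct separators, body is not a certificate
    $bogus = "-----BEGIN TRUSTED CERTIFICATE-----\nnot a certificate\n-----END TRUSTED CERTIFICATE-----";
    new Certificate($bogus, 'BogusTrustedCertificate');
}
```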