Commit 0da545d1 authored by Adam Langley's avatar Adam Langley

encoding/pem: be stricter about the ending line.

Previously the code didn't check the type and final five dashes of the
ending line of a PEM block.

Fixes #16335.

Change-Id: Ia544e8739ea738d767cfe56c8d46204214ec0b5a
Reviewed-on: https://go-review.googlesource.com/27391
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: default avatarBrad Fitzpatrick <bradfitz@golang.org>
parent a25a7ad7
......@@ -119,19 +119,36 @@ func Decode(data []byte) (p *Block, rest []byte) {
rest = next
}
var endIndex int
var endIndex, endTrailerIndex int
// If there were no headers, the END line might occur
// immediately, without a leading newline.
if len(p.Headers) == 0 && bytes.HasPrefix(rest, pemEnd[1:]) {
endIndex = 0
endTrailerIndex = len(pemEnd) - 1
} else {
endIndex = bytes.Index(rest, pemEnd)
endTrailerIndex = endIndex + len(pemEnd)
}
if endIndex < 0 {
return decodeError(data, rest)
}
// After the "-----" of the ending line should be the same type and a
// final five dashes.
endTrailer := rest[endTrailerIndex:]
endTrailerLen := len(typeLine) + len(pemEndOfLine)
if len(endTrailer) < endTrailerLen {
return decodeError(data, rest)
}
endTrailer = endTrailer[:endTrailerLen]
if !bytes.HasPrefix(endTrailer, typeLine) ||
!bytes.HasSuffix(endTrailer, pemEndOfLine) {
return decodeError(data, rest)
}
base64Data := removeWhitespace(rest[:endIndex])
p.Bytes = make([]byte, base64.StdEncoding.DecodedLen(len(base64Data)))
n, err := base64.StdEncoding.Decode(p.Bytes, base64Data)
......
......@@ -78,6 +78,48 @@ func TestDecode(t *testing.T) {
}
}
const pemTooFewEndingDashes = `
-----BEGIN FOO-----
dGVzdA==
-----END FOO----`
const pemWrongEndingType = `
-----BEGIN FOO-----
dGVzdA==
-----END BAR-----`
const pemMissingEndingSpace = `
-----BEGIN FOO-----
dGVzdA==
-----ENDBAR-----`
var badPEMTests = []struct {
name string
input string
}{
{
"too few trailing dashes",
pemTooFewEndingDashes,
},
{
"incorrect ending type",
pemWrongEndingType,
},
{
"missing ending space",
pemMissingEndingSpace,
},
}
func TestBadDecode(t *testing.T) {
for _, test := range badPEMTests {
result, _ := Decode([]byte(test.input))
if result != nil {
t.Errorf("unexpected success while parsing %q", test.name)
}
}
}
func TestEncode(t *testing.T) {
r := EncodeToMemory(privateKey2)
if string(r) != pemPrivateKey2 {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment