PEM file line size


PEM file line size

Frank Liu
Hi,

I noticed openssl 1.0.1 and 1.0.2 can't read a certificate PEM file with base64 line size of multiples of 1265. Any other line size seems to be fine, even though rfc7468 says "exactly 64 characters except for the final line".

The same pem file can be read fine with latest openssl 1.1.1j. Does anybody know the bug or PR when that was fixed?

Thanks!
Frank

Re: PEM file line size

Matthias Bühlmann
"Parsers MAY handle other line sizes. These requirements are consistent with PEM [RFC1421]."

It's not a bug, it's undefined behaviour.

On Wed, 24 Feb 2021 at 20:20 Frank Liu <[hidden email]> wrote:
> Hi,
>
> I noticed openssl 1.0.1 and 1.0.2 can't read a certificate PEM file with base64 line size of multiples of 1265. Any other line size seems to be fine, even though rfc7468 says "exactly 64 characters except for the final line".
>
> The same pem file can be read fine with latest openssl 1.1.1j. Does anybody know the bug or PR when that was fixed?
>
> Thanks!
> Frank

Re: PEM file line size

Frank Liu
Hi,

Since this is undefined behavior, I guess it was accidentally fixed without a bug or being noticed.

BTW, I found this openssl bug and pull request fix, but that only fixed PEM line length of 254 (or a multiple), not 1265.



On Thu, Feb 25, 2021 at 2:57 AM Matthias Buehlmann <[hidden email]> wrote:
> "Parsers MAY handle other line sizes. These requirements are consistent with PEM [RFC1421]."
>
> It's not a bug, it's undefined behaviour.

Re: PEM file line size

Frank Liu
In reply to this post by Matthias Bühlmann
Looking at test cases https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/test/recipes/04-test_pem.t, openssl indeed is a parser that can handle other line sizes than 64 chars. If we were to strictly follow RFC, shouldn't we error out non-64 line size (except last line which could be equal or less than 64)? Leaving it "undefined behavior" would invite issues.


Re: PEM file line size

OpenSSL - User mailing list
On Thu, Feb 25, 2021 at 03:30:43PM -0800, Frank Liu wrote:
> Looking at test cases
> https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/test/recipes/04-test_pem.t
> , openssl indeed is a parser that can handle other line sizes than 64
> chars. If we were to strictly follow RFC, shouldn't we error out non-64
> line size (except last line which could be equal or less than 64)? Leaving
> it "undefined behavior" would invite issues.

If you read RFC 1421 carefully (the ABNF, and the first line of Section
4.3.2.4), the 64 characters per line limitation only applies for encrypted (or
MIC-ONLY) messages.  Other messages can use arbitrary length lines for base64
content.

-Ben
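
The line-length rule discussed in this thread can be checked and enforced before a file reaches a parser. The following is an added example, not code from the thread or from OpenSSL: it audits each PEM block against the RFC 7468 generator rule (64 characters per line, shorter final line) and re-wraps non-conforming bodies. The function names and the sample payload are assumptions made for illustration, and blocks carrying RFC 1421 header fields are not handled.

```python
import base64
import re

# Matches one RFC 7468 textual encoding (no RFC 1421 header fields in the body).
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def audit_pem(text, width=64):
    """Return [(label, line_lengths, strict_ok)] for each PEM block in text."""
    report = []
    for m in PEM_RE.finditer(text):
        lengths = [len(line) for line in m.group(2).splitlines()]
        # Generator rule: every line is exactly `width` chars, the last 1..width.
        strict_ok = (bool(lengths)
                     and all(n == width for n in lengths[:-1])
                     and 0 < lengths[-1] <= width)
        report.append((m.group(1), lengths, strict_ok))
    return report

def der_payloads(text):
    """Decode the base64 body of each block; raises on non-base64 content."""
    return [base64.b64decode(re.sub(r"\s+", "", m.group(2)), validate=True)
            for m in PEM_RE.finditer(text)]

def rewrap_pem(text, width=64):
    """Re-emit each block with its body wrapped at `width` columns."""
    def fix(m):
        body = re.sub(r"\s+", "", m.group(2))
        base64.b64decode(body, validate=True)  # refuse to rewrite junk
        lines = [body[i:i + width] for i in range(0, len(body), width)]
        label = m.group(1)
        return "\n".join([f"-----BEGIN {label}-----", *lines,
                          f"-----END {label}-----"])
    return PEM_RE.sub(fix, text)

def make_sample(line_len=1265):
    """Constructed input: 2048 arbitrary bytes (not a real certificate)."""
    b64 = base64.b64encode(bytes(range(256)) * 8).decode()
    body = "\n".join(b64[i:i + line_len] for i in range(0, len(b64), line_len))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    sample = make_sample()
    fixed = rewrap_pem(sample)
    for name, text in (("original", sample), ("rewrapped", fixed)):
        label, lengths, ok = audit_pem(text)[0]
        print(name, label, "max line", max(lengths), "strict:", ok)
    print("payload unchanged:", der_payloads(sample) == der_payloads(fixed))
```

Re-wrapping changes only the whitespace of the textual encoding; the decoded bytes are compared before and after to confirm the payload is untouched.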