
Ignore unhandled PEM sequences #220

Conversation

chrisburr
Contributor

I have a PEM file which contains a section denoted by a custom section. All other software I've tried happily ignores this section however GCT fails with:

Unable to read credential for import
globus_gsi_gssapi: Error with GSI credential
globus_credential: Error reading proxy credential: Unhandled PEM sequence: ...

While RFC 7468, Section 2 doesn't explicitly state that parsers should ignore custom labels in PEM files, it does imply a level of flexibility in handling unrecognized or non-standard data, suggesting that well-designed parsers may indeed ignore custom labels and proceed with processing the rest of the file.

What do you think of removing this check so that unknown labels are ignored?

@fscheiner
Member

Not sure. But if we can safely assume that ignoring it does no harm and that it really is not touched anywhere else, it could be a solution. Maybe a command line switch or environment variable to enable or disable the behaviour would be even better.

@fscheiner
Member

> I have a PEM file which contains a section denoted by a custom section. All other software I've tried happily ignores this section

What other software did you try?

@chrisburr
Contributor Author

> Not sure. But if we can safely assume that ignoring it does no harm and that it really is not touched anywhere else, it could be a solution. Maybe a command line switch or environment variable to enable or disable the behaviour would be even better.

This feels excessive. The RFC is clear that malformed data should be tolerated and the rest of the PEM data results in a valid chain that can be used like normal.

> What other software did you try?

I know these have some overlap in implementation but:

curl, XRootD, davix, gfal2 (except for srm which fails due to gct), DIRAC, openssl

@maarten-litmaath

Hi all,
I think it is OK to skip over any unexpected data and just parse what looks to be the PEM blob.

That is not going to open the door further for anything: the PEM blob still has to be valid.
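The behaviour discussed in this thread (skip over data under labels the reader does not handle, but still require every recognised block to be well-formed) as an added example written for this page. It is not GCT's or OpenSSL's code; the set of known labels, the `strict` switch (the toggle suggested above) and the `X-CUSTOM SECTION` block in the sample input are assumptions constructed for the example, and the "certificate" payload is a toy DER SEQUENCE standing in for a real one.

```python
import base64
import binascii
import re

# Labels this example accepts. Anything else is skipped, or rejected in strict mode.
# (Assumption for the example; the set GCT actually handles is not shown on the page.)
KNOWN_LABELS = frozenset({
    "CERTIFICATE",
    "RSA PRIVATE KEY",
    "EC PRIVATE KEY",
    "PRIVATE KEY",
    "ENCRYPTED PRIVATE KEY",
})

# RFC 7468 encapsulation boundaries; the label is everything between "BEGIN " and "-----".
_BEGIN = re.compile(r"^-----BEGIN (.+?)-----\s*$")
_END = re.compile(r"^-----END (.+?)-----\s*$")


class PEMError(ValueError):
    """Raised when a recognised block is structurally invalid (or, in strict mode,
    when an unknown label is encountered)."""


def _decode_body(label, lines):
    """Decode the base64 body of a recognised block and sanity-check it as DER."""
    # Legacy RFC 1421 headers such as "Proc-Type: 4,ENCRYPTED" may precede the
    # base64 in encrypted keys; drop those and blank lines before decoding.
    b64 = "".join(line for line in lines if line and ":" not in line)
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise PEMError(f"{label}: invalid base64 ({exc})") from None
    # Every payload this example accepts is a DER SEQUENCE, whose first byte is 0x30.
    if not der or der[0] != 0x30:
        raise PEMError(f"{label}: payload is not a DER SEQUENCE")
    return der


def parse_pem(text, strict=False):
    """Split PEM text into [(label, der_bytes)] for known labels.

    Returns (blocks, skipped): `blocks` in file order, `skipped` the unknown labels
    that were ignored. Text outside any block is ignored (RFC 7468 allows it). A
    recognised block with a mismatched END line, a missing END line, or a body that
    is not valid base64/DER raises PEMError, so tolerating foreign labels never
    turns into tolerating a broken credential. With strict=True an unknown label is
    an error instead of a skip.
    """
    blocks, skipped = [], []
    label, body = None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _BEGIN.match(line)
        if m:
            if label is not None:
                raise PEMError(f"line {lineno}: BEGIN {m.group(1)} inside open {label} block")
            if strict and m.group(1) not in KNOWN_LABELS:
                raise PEMError(f"line {lineno}: unhandled PEM label {m.group(1)!r}")
            label, body = m.group(1), []
            continue
        m = _END.match(line)
        if m:
            if label is None or m.group(1) != label:
                raise PEMError(f"line {lineno}: END {m.group(1)} does not close an open {label} block")
            if label in KNOWN_LABELS:
                blocks.append((label, _decode_body(label, body)))
            else:
                skipped.append(label)  # unknown label: drop the whole block, untouched
            label = None
            continue
        if label is not None:
            body.append(line.strip())
    if label is not None:
        raise PEMError(f"unterminated {label} block")
    return blocks, skipped


def is_rejected(text, strict=False):
    """True if parse_pem raises PEMError on `text` (helper for checks below)."""
    try:
        parse_pem(text, strict=strict)
    except PEMError:
        return True
    return False


# Constructed sample input: a toy DER SEQUENCE { INTEGER 5 } stands in for a real
# certificate and key, and "X-CUSTOM SECTION" is a made-up foreign label whose
# body is deliberately not base64.
TOY_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
_TOY_B64 = base64.b64encode(TOY_DER).decode()
SAMPLE_PEM = f"""Explanatory text outside any block is permitted by RFC 7468.
-----BEGIN CERTIFICATE-----
{_TOY_B64}
-----END CERTIFICATE-----
-----BEGIN X-CUSTOM SECTION-----
not base64 at all !!! only a reader that handles this label would decode it
-----END X-CUSTOM SECTION-----
-----BEGIN RSA PRIVATE KEY-----
{_TOY_B64}
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    blocks, skipped = parse_pem(SAMPLE_PEM)
    print("parsed:", [lbl for lbl, _ in blocks], "skipped:", skipped)
```

The point of the checks in `_decode_body` is the one made above: skipping a foreign label must not loosen anything else, so the blocks that are kept still have to decode and still have to look like DER, and a `CERTIFICATE` block with garbage inside is rejected exactly as before.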

@msalle
Member

msalle commented Dec 17, 2023

Hi @chrisburr, all,
could you send us the PEM file? It would be good for testing and for future reference (I presume it's a certificate, not a private key). If you prefer, you can also send it by email to tech(at)gridcf.org.
