RFC1421 says:

   PEM canonicalization assures that the message text is represented
   with the ASCII character set and "<CR><LF>" line delimiters
...
   Two encapsulation boundaries (EB's) are defined for delimiting
   encapsulated PEM messages and for distinguishing encapsulated PEM
   messages from interspersed (non-PEM) text.  The pre-EB is the string
   "-----BEGIN PRIVACY-ENHANCED MESSAGE-----", indicating that an
   encapsulated PEM message follows.  The post-EB is either (1) another
   pre-EB indicating that another encapsulated PEM message follows, or
   (2) the string "-----END PRIVACY-ENHANCED MESSAGE-----" indicating
   that any text that immediately follows is non-PEM text.


And the code in crypto/pem/pem_lib.c does not honor these agreements:


=== cut1 ===
                if (strncmp(buf,"-----BEGIN ",11) == 0)
                        {
                        i=strlen(&(buf[11]));

                        if (strncmp(&(buf[11+i-6]),"-----\n",6) != 0)
                                continue;
=== cut ===

=== cut2 ===
        i=strlen(nameB->data);
        if (    (strncmp(buf,"-----END ",9) != 0) ||
                (strncmp(nameB->data,&(buf[9]),i) != 0) ||
                (strncmp(&(buf[9+i]),"-----\n",6) != 0))
                {
                PEMerr(PEM_F_PEM_READ_BIO,PEM_R_BAD_END_LINE);
                goto err;
                }
=== cut ===

This code is written with the expectation that the line is terminated
by <LF> in Unix style, and effectively prohibits this code from being used
on DOS/MAC, unless some external entity pre-processes the input data
to strip/replace <CR>'s with <LF>'s.

If I am reading it correctly, the PEM encoding must work even in
the following case (ignore double quotes):

"-----BEGIN SOMETHING-----abcd=-----END SOMETHING-----"

and the PEM code in OpenSSL prohibits such form.


-- Lev Walkin [EMAIL PROTECTED]

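As an added example (not from the message above and not OpenSSL's own code), the following C routine checks an encapsulation boundary while tolerating the <CR><LF> terminator RFC 1421 names, next to the strict "-----\n" test quoted from pem_lib.c; the function names pem_boundary and strict_begin are assumed.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL code: a line-ending-tolerant check of a PEM
 * encapsulation boundary.  Accepts "-----<kind> <name>-----" followed by
 * "\n", "\r\n", "\r" or end of string; RFC 1421's canonical form is <CR><LF>,
 * while the quoted pem_lib.c accepts only the bytes "-----\n".  Returns the
 * length of the name copied into `name`, or 0 if `line` is not a boundary. */
static size_t pem_boundary(const char *line, const char *kind,
                           char *name, size_t name_cap)
{
    char prefix[32];
    int n = snprintf(prefix, sizeof prefix, "-----%s ", kind);
    size_t len, name_len;
    const char *end;

    if (n <= 0 || (size_t)n >= sizeof prefix) return 0;
    if (strncmp(line, prefix, (size_t)n) != 0) return 0;

    /* Drop any trailing CR/LF before looking for the closing dashes. */
    len = strlen(line);
    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r'))
        len--;
    if (len < (size_t)n + 5) return 0;
    end = line + len - 5;
    if (memcmp(end, "-----", 5) != 0) return 0;

    /* Copy the type name that sits between the prefix and the dashes. */
    name_len = (size_t)(end - (line + n));
    if (name_len == 0 || name_len >= name_cap) return 0;
    memcpy(name, line + n, name_len);
    name[name_len] = '\0';
    return name_len;
}

/* The pre-EB test quoted from pem_lib.c, for comparison (with a guard
 * against lines shorter than the 6 bytes it inspects). */
static int strict_begin(const char *buf)
{
    size_t i;
    if (strncmp(buf, "-----BEGIN ", 11) != 0) return 0;
    i = strlen(&buf[11]);
    return i >= 6 && strncmp(&buf[11 + i - 6], "-----\n", 6) == 0;
}
```

On the constructed input "-----BEGIN CERTIFICATE-----\r\n", strict_begin() returns 0 while pem_boundary(line, "BEGIN", ...) returns 11 and yields the name "CERTIFICATE"; pass "END" as kind and compare the returned name against the one from the pre-EB to validate the post-EB.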
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]