On 01/28/2010 10:30 PM, Rob Crittenden wrote:
John Dennis wrote:
On 01/28/2010 04:15 PM, Rob Crittenden wrote:
Gah, got the description mixed up with the last patch :-(

Be a bit smarter about decoding certificates that might be base64
encoded. First see if it only contains those characters allowed before
trying to decode it. This reduces the number of false positives.

I'm not sure the test is doing what you want or even if it's the right

The test is saying "If there is one or more characters in the bas64
alphabet then try and decode. That means just about anything will
match, which doesn't seem like a very strong test.

Why not just try and decode it and let the decoder decide if it's
really base64, the decoder has much strong rules about the input,
including assuring the padding is correct.

The reason is I had a binary cert that was correctly decoded by the
base64 encoder. I don't know the why's and wherefores but there it is.

Then testing to see if each byte is in the base64 alphabet would not have prevented this error.

For a while now I've been feeling like we need to associate a format attribute to the certificate (e.g. DER, PEM, BASE64, etc.).

Or we need to adopt a convention that certs are always in one canonical format and the interface is responsible for assuring what it accepts as input is converted to the canonical form.

I see what you mean about my regex being a bit weak though, it really
should require that the entire string conform. I'll see what I can do.


John Dennis <jden...@redhat.com>

Looking to carve out IT costs?

Freeipa-devel mailing list

Reply via email to