Allow additionally parsing \r newlines in PEM files #30
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I was thinking this might be a regression from ff11ce1, but actually std's |
|
That was my conclusion as well. You have to go out of your way to support other line endings in most functions, with the exception of str::lines which supports |
ctz
approved these changes
Nov 8, 2023
cpu
approved these changes
Nov 8, 2023
djc
approved these changes
Nov 9, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We (1Password) encountered some users on Linux who were encountering issues using custom certificate roots on their devices, which had been added to the "main" system CA bundle. The root cause of the issue turned out to be
rustls-pemfileonly supporting UNIX newline endings in parsed files (\n). The certificate bundles sent to us by users though contained one or more PEM objects with\rendings interspersed with ones using\n.This PR proposes fixing the incompatibility described above by switching to a more lenient line parser function.
BufReader::read_untilwas insufficient for this purpose because it only supports looking for a single needle. Instead, I ported the implementation ofread_untilout of the standard library and slightly tweaked it to look for more characters. While this uses the more low-levelBufReaderfunctions, its been well-tested already and has correct error handling. Thanks to @Ralith for helping point me in the right direction.Additionally, I believe this is technically more correct based on RFC 7468 (assuming this is the right one 😓) as they call out support for multiple line endings:
A full regression test is included as well. It can be confirmed by undoing the changes to
src/pemfile.rsand runningcargo test. It should panic with a bogus error. The data file consists of the same Amazon root CA repeated 4 times, but with 2 LF and 2 \r objects.AFAICT, the only downside of this change is that it has a performance impact, even if almost imperceptible:
mainA user would need to parse an absurd number of PEM objects to notice the difference, and the only no_std compatible way of regaining it is adding a dependency on the
memchrcrate, which does not seem to be worthwhile.