
CertificateException due to PEM being decoded in CertUtils #3083

Closed
sonicloong opened this issue May 7, 2021 · 1 comment · Fixed by #3297
@sonicloong

It looks like CertUtils#getInputStreamFromDataOrFile determines whether the certificate data is base64 encoded or not by checking if the data can be base64 decoded. However, since okio considers the minus sign to be a valid character (reference), even PEM data can be base64 decoded.

Observed the issue at OpenIDConnectionUtils#getOIDCProviderTokenEndpointAndRefreshToken, which calls getSSLContext, where the certificate data is decoded to PEM already; the PEM is then passed to SSLUtils#trustManagers, then CertUtils#createTrustStore, and eventually CertUtils#getInputStreamFromDataOrFile. ByteString.decodeBase64(data) returns a non-null value, therefore the PEM is decoded again.

Also observed the same issue when passing PEM data to ConfigBuilder#withCaCertData.

Reproduce

Use one of the DigiCert root CAs as an example

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Pass it to ByteString#decodeBase64 and get a non-null result.

@rohanKanojia rohanKanojia self-assigned this Jul 5, 2021
@rohanKanojia (Member)

@sonicloong : Thanks a lot for reporting this issue. I tested with your PEM string and I can reproduce this issue. I think if we use java.util.Base64 instead of okio.ByteString, it will solve our issue:

    import java.io.ByteArrayInputStream;
    import java.io.InputStream;
    import java.util.Base64;

    // Method wrapper added for context; the real call site is CertUtils#getInputStreamFromDataOrFile.
    static InputStream toInputStream(String data) {
      byte[] bytes;
      try {
        // java.util.Base64 throws on input that is not valid base64 (e.g. PEM text containing '-')
        bytes = Base64.getDecoder().decode(data);
      } catch (IllegalArgumentException illegalArgumentException) {
        // not base64, so treat the data as the raw PEM bytes
        bytes = data.getBytes();
      }

      return new ByteArrayInputStream(bytes);
    }

I will create a PR to replace okio.ByteString with java.util.Base64 here.
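The following is an added example, not the project's code and not written by either commenter, that reproduces the mis-classification reported above and the proposed strict-decoder fix side by side in plain Java. okio is not on the classpath here; java.util.Base64's MIME decoder stands in for it, because it likewise does not reject PEM text (it skips characters outside the base64 alphabet, whereas okio accepts '-' as part of its URL-safe alphabet; the mechanism differs, the outcome is the same). The PEM block is a constructed placeholder rather than a real certificate, and the class and method names are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class PemOrBase64Demo {

  // Constructed placeholder PEM block (not a real certificate). Only the
  // '-----' header/footer, the newlines and a base64-looking body matter here.
  static final String PEM =
      "-----BEGIN CERTIFICATE-----\n"
      + "PLACEHOLDERBODY123\n"
      + "-----END CERTIFICATE-----\n";

  /** Lenient classification: a decoder that tolerates characters outside the
   *  basic alphabet (the MIME decoder here, okio.ByteString.decodeBase64 in the
   *  issue) "succeeds" on PEM text, so PEM is wrongly treated as base64. */
  static boolean lenientLooksLikeBase64(String data) {
    try {
      Base64.getMimeDecoder().decode(data);
      return true;
    } catch (IllegalArgumentException e) {
      return false;
    }
  }

  /** Strict classification: Base64.getDecoder() rejects '-', '\n' and any
   *  other character outside the basic alphabet with IllegalArgumentException. */
  static boolean strictLooksLikeBase64(String data) {
    try {
      Base64.getDecoder().decode(data);
      return true;
    } catch (IllegalArgumentException e) {
      return false;
    }
  }

  /** The fix proposed in the issue: strict decode, fall back to the raw bytes. */
  static byte[] dataOrPemBytes(String data) {
    try {
      return Base64.getDecoder().decode(data);
    } catch (IllegalArgumentException e) {
      return data.getBytes(StandardCharsets.UTF_8);
    }
  }

  static InputStream toInputStream(String data) {
    return new ByteArrayInputStream(dataOrPemBytes(data));
  }

  public static void main(String[] args) {
    // The same PEM, base64 encoded once more: the form withCaCertData() expects.
    String encodedPem =
        Base64.getEncoder().encodeToString(PEM.getBytes(StandardCharsets.UTF_8));

    System.out.println("lenient check on raw PEM      : " + lenientLooksLikeBase64(PEM));
    System.out.println("strict check on raw PEM       : " + strictLooksLikeBase64(PEM));
    System.out.println("strict check on base64(PEM)   : " + strictLooksLikeBase64(encodedPem));

    String fromRaw = new String(dataOrPemBytes(PEM), StandardCharsets.UTF_8);
    String fromEncoded = new String(dataOrPemBytes(encodedPem), StandardCharsets.UTF_8);
    System.out.println("raw PEM passes through unchanged: " + PEM.equals(fromRaw));
    System.out.println("base64(PEM) decodes back to PEM : " + PEM.equals(fromEncoded));
  }
}
```

Compile and run with `javac PemOrBase64Demo.java && java PemOrBase64Demo`. The lenient check accepts the raw PEM text (the behaviour that caused the CertificateException, since the "decoded" bytes are garbage), while the strict check rejects it and accepts only the genuinely base64-encoded form; dataOrPemBytes therefore hands raw PEM through untouched and decodes base64 input exactly once, which is the property the fix relies on.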

rohanKanojia added a commit to rohanKanojia/kubernetes-client that referenced this issue Jul 5, 2021
…CertUtils

Use java.util.Base64 instead of okio.ByteString to decode base64 encoded
string since the former throws IllegalArgumentException in case the input
string is an invalid base64 encoded string.

okio.ByteString returns a non-null value even for invalid base64 decoded
strings

Signed-off-by: Rohan Kumar <[email protected]>
rohanKanojia added a commit to rohanKanojia/kubernetes-client that referenced this issue Jul 5, 2021
manusa pushed a commit that referenced this issue Jul 5, 2021