Strip base64-url padding from ACME CSR

This commit strips the padding from a base64-url encoded CSR
submitted by a client that doesn't use raw base64-url encoding.
This commit is contained in:
Herman Slatman 2022-05-25 22:46:26 +02:00
parent 9e05cc4d51
commit fd546287ac
No known key found for this signature in database
GPG key ID: F4D8A44EA0A75A4F
2 changed files with 14 additions and 1 deletions

View file

@ -54,7 +54,13 @@ type FinalizeRequest struct {
// Validate validates a finalize request body.
func (f *FinalizeRequest) Validate() error {
var err error
csrBytes, err := base64.RawURLEncoding.DecodeString(f.CSR)
// RFC 8555 isn't 100% conclusive about using raw base64-url encoding for the
// CSR specifically, instead of "normal" base64-url encoding (incl. padding).
// By trimming the padding from CSRs submitted by ACME clients that use
// base64-url encoding instead of raw base64-url encoding, these are also
// supported. This was reported in https://github.com/smallstep/certificates/issues/939
// to be the case for a Synology DSM NAS system.
csrBytes, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(f.CSR, "="))
if err != nil {
return acme.WrapError(acme.ErrorMalformedType, err, "error base64url decoding csr")
}

View file

@ -210,6 +210,13 @@ func TestFinalizeRequestValidate(t *testing.T) {
},
}
},
"ok/padding": func(t *testing.T) test {
return test{
fr: &FinalizeRequest{
CSR: base64.RawURLEncoding.EncodeToString(csr.Raw) + "==", // add intentional padding
},
}
},
}
for name, run := range tests {
tc := run(t)