forked from TrueCloudLab/certificates
Merge pull request #946 from smallstep/herman/acme-csr-padding
Strip base64-url padding from ACME CSR
This commit is contained in:
commit
abfbbc8d49
2 changed files with 14 additions and 1 deletions
|
@ -54,7 +54,13 @@ type FinalizeRequest struct {
|
|||
// Validate validates a finalize request body.
|
||||
func (f *FinalizeRequest) Validate() error {
|
||||
var err error
|
||||
csrBytes, err := base64.RawURLEncoding.DecodeString(f.CSR)
|
||||
// RFC 8555 isn't 100% conclusive about using raw base64-url encoding for the
|
||||
// CSR specifically, instead of "normal" base64-url encoding (incl. padding).
|
||||
// By trimming the padding from CSRs submitted by ACME clients that use
|
||||
// base64-url encoding instead of raw base64-url encoding, these are also
|
||||
// supported. This was reported in https://github.com/smallstep/certificates/issues/939
|
||||
// to be the case for a Synology DSM NAS system.
|
||||
csrBytes, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(f.CSR, "="))
|
||||
if err != nil {
|
||||
return acme.WrapError(acme.ErrorMalformedType, err, "error base64url decoding csr")
|
||||
}
|
||||
|
|
|
@ -210,6 +210,13 @@ func TestFinalizeRequestValidate(t *testing.T) {
|
|||
},
|
||||
}
|
||||
},
|
||||
"ok/padding": func(t *testing.T) test {
|
||||
return test{
|
||||
fr: &FinalizeRequest{
|
||||
CSR: base64.RawURLEncoding.EncodeToString(csr.Raw) + "==", // add intentional padding
|
||||
},
|
||||
}
|
||||
},
|
||||
}
|
||||
for name, run := range tests {
|
||||
tc := run(t)
|
||||
|
|
Loading…
Reference in a new issue