Merge pull request #946 from smallstep/herman/acme-csr-padding
Strip base64-url padding from ACME CSR
commit
abfbbc8d49
2 changed files with 14 additions and 1 deletions
|
@ -54,7 +54,13 @@ type FinalizeRequest struct {
|
||||||
// Validate validates a finalize request body.
|
// Validate validates a finalize request body.
|
||||||
func (f *FinalizeRequest) Validate() error {
|
func (f *FinalizeRequest) Validate() error {
|
||||||
var err error
|
var err error
|
||||||
csrBytes, err := base64.RawURLEncoding.DecodeString(f.CSR)
|
// RFC 8555 isn't 100% conclusive about using raw base64-url encoding for the
|
||||||
|
// CSR specifically, instead of "normal" base64-url encoding (incl. padding).
|
||||||
|
// By trimming the padding from CSRs submitted by ACME clients that use
|
||||||
|
// base64-url encoding instead of raw base64-url encoding, these are also
|
||||||
|
// supported. This was reported in https://github.com/smallstep/certificates/issues/939
|
||||||
|
// to be the case for a Synology DSM NAS system.
|
||||||
|
csrBytes, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(f.CSR, "="))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return acme.WrapError(acme.ErrorMalformedType, err, "error base64url decoding csr")
|
return acme.WrapError(acme.ErrorMalformedType, err, "error base64url decoding csr")
|
||||||
}
|
}
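Review bot: `strings.TrimRight(f.CSR, "=")` removes every trailing `=`, so Validate now accepts a value followed by any number of padding characters, not only correctly padded base64url. If the goal is to tolerate clients that send standard padded base64url, selecting the decoder keeps the padding length validated: `enc := base64.RawURLEncoding`, then `if strings.HasSuffix(f.CSR, "=") { enc = base64.URLEncoding }` before `enc.DecodeString(f.CSR)`. The practical risk looks low if the decoded bytes are parsed and signature-checked as a CSR later in Validate, but that part of the function is outside this hunk. If the lenient behaviour is intentional, the new comment should state that any count of trailing `=` is accepted.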
|
||||||
|
|
|
@ -210,6 +210,13 @@ func TestFinalizeRequestValidate(t *testing.T) {
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"ok/padding": func(t *testing.T) test {
|
||||||
|
return test{
|
||||||
|
fr: &FinalizeRequest{
|
||||||
|
CSR: base64.RawURLEncoding.EncodeToString(csr.Raw) + "==", // add intentional padding
|
||||||
|
},
|
||||||
|
}
|
||||||
|
},
|
||||||
}
|
}
|
||||||
for name, run := range tests {
|
for name, run := range tests {
|
||||||
tc := run(t)
|
tc := run(t)
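Review bot: The `ok/padding` case appends `==` unconditionally, which is only well-formed padding when `len(csr.Raw) % 3 == 1`, so the test pins the trimming itself rather than what a padded-base64url client would send. Building the input with `base64.URLEncoding.EncodeToString(csr.Raw)` would exercise the real client encoding, provided the fixture length actually yields padding. A negative case is also missing: a CSR with `=` in the middle of the value should still come back as the malformed error from Validate. The test table and the loop body continue outside this hunk.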
|
||||||
|
|