From: Arne Jørgensen
Newsgroups: gmane.emacs.gnus.general
Subject: Re: smime-cert-by-ldap-1 problem
Date: Thu, 16 Jun 2005 11:05:07 +0200
Organization: Arne Joergensen -- http://arnested.dk/
Message-ID: <87zmtqoenw.fsf@seamus.arnested.dk>
References: <877jgwfz01.fsf@seamus.arnested.dk>
To: ding@gnus.org
User-Agent: Gnus/5.110004 (No Gnus v0.4) Emacs/22.0.50 (gnu/linux)

Arne Jørgensen writes:

> david.goldberg6@verizon.net (David S. Goldberg) writes:
>
>> According to this bit from smime.el:
>>
>>     ;; Certificates on LDAP servers _should_ be in DER format,
>>     ;; but there are some servers out there that distributes the
>>     ;; certificates in PEM format (with or without
>>     ;; header/footer) so we try to handle them anyway.
>>     (if (or (string= (substring (cadaar ldapresult) 0 27)
>>                      "-----BEGIN CERTIFICATE-----")
>>             (condition-case nil
>>                 (base64-decode-string (cadaar ldapresult))
>>               (error nil)))
>>         (setq cert
>>               (smime-replace-in-string
>>                (cadaar ldapresult)
>>                (concat "\\(\n\\|\r\\|-----BEGIN CERTIFICATE-----\\|"
>>                        "-----END CERTIFICATE-----\\)")
>>                "" t))
>>       (setq cert (base64-encode-string (cadaar ldapresult) t)))
>>
>> then the result of smime-cert-by-ldap should be a base64 encoded block
>> surrounded by the BEGIN and END CERTIFICATE lines.
>
> Correct.
>
>> Instead, I get the DER with extra CRs inserted every 64 bytes,
>> surrounded by the BEGIN and END lines. The problem is that
>> base64-decode-string does not throw an error, and from what I can
>> see in base64.el, it's not designed to.
>
> Is base64-decode-string on XEmacs different from the one in Emacs?

It is.
The doc string for `base64-decode-string' on XEmacs in addition says "Characters out of the base64 alphabet are ignored", and that makes XEmacs succeed on strings that Emacs will fail on. I still think it's quite surprising that your DER encoded certificate is able to be base64 decoded in XEmacs though.

Well, one solution is to not rely on `base64-decode-string' only for detecting if the certificate is in PEM format, and instead base64 encode the decoded string and compare the before and after strings. That's what the first patch does.

Another solution is to look for a magic string ("MII") at the beginning of the certificate. I have not been able to find any authoritative documentation stating that a certificate must begin with "MII" (in base64 encoding), but googling for "x509 certificate MII" is not against it. The second patch implements this (and is definitely more elegant).

(Just for the record: the case in which the problem occurs is when we try to detect whether the retrieved certificate is in PEM format but without the "-----BEGIN CERTIFICATE-----" header.)

Kind regards,
-- 
Arne Jørgensen

--=-=-=
Content-Type: text/x-patch
Content-Disposition: inline; filename=smime-1.patch
Content-Transfer-Encoding: 8bit
Content-Description: base64-encode-string after base64-decode-string

Index: lisp/ChangeLog =================================================================== RCS file: /usr/local/cvsroot/gnus/lisp/ChangeLog,v retrieving revision 7.721 diff -u -p -r7.721 ChangeLog --- lisp/ChangeLog 16 Jun 2005 06:01:42 -0000 7.721 +++ lisp/ChangeLog 16 Jun 2005 08:19:23 -0000
@@ -1,3 +1,9 @@ +2005-06-16 Arne J,Ax(Brgensen + + * smime.el (smime-cert-by-ldap-1): Detect PEM format by doing a + `base64-encode-string' of the `base64-decode-string'ed string + because XEmacs doesn't always fail on `base64-decode-string'. + 2005-06-16 Miles Bader * gnus-xmas.el (gnus-xmas-group-startup-message): Index: lisp/smime.el =================================================================== RCS file: /usr/local/cvsroot/gnus/lisp/smime.el,v retrieving revision 7.14 diff -u -p -r7.14 smime.el --- lisp/smime.el 31 May 2005 13:01:59 -0000 7.14 +++ lisp/smime.el 16 Jun 2005 08:19:23 -0000 @@ -600,7 +600,10 @@ A string or a list of strings is returne (if (or (string= (substring (cadaar ldapresult) 0 27) "-----BEGIN CERTIFICATE-----") (condition-case nil - (base64-decode-string (cadaar ldapresult)) + (string= + (cadaar ldapresult) + (base64-encode-string + (base64-decode-string (cadaar ldapresult)))) (error nil))) (setq cert (smime-replace-in-string --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=smime-2.patch Content-Transfer-Encoding: 8bit Content-Description: look for magic MII in certificate Index: lisp/ChangeLog =================================================================== RCS file: /usr/local/cvsroot/gnus/lisp/ChangeLog,v retrieving revision 7.721 diff -u -p -r7.721 ChangeLog --- lisp/ChangeLog 16 Jun 2005 06:01:42 -0000 7.721 +++ lisp/ChangeLog 16 Jun 2005 08:27:12 -0000 @@ -1,3 +1,8 @@ +2005-06-16 Arne J,Ax(Brgensen + + * smime.el (smime-cert-by-ldap-1): Detect PEM format without + header by looking for magic "MII" at the beginnig. + 2005-06-16 Miles Bader * gnus-xmas.el (gnus-xmas-group-startup-message): Index: lisp/smime.el =================================================================== RCS file: /usr/local/cvsroot/gnus/lisp/smime.el,v retrieving revision 7.14 diff -u -p -r7.14 smime.el --- lisp/smime.el 31 May 2005 13:01:59 -0000 7.14 +++ lisp/smime.el 16 Jun 2005 08:27:13 -0000 
@@ -599,9 +599,8 @@ A string or a list of strings is returne ;; header/footer) so we try to handle them anyway. (if (or (string= (substring (cadaar ldapresult) 0 27) "-----BEGIN CERTIFICATE-----") - (condition-case nil - (base64-decode-string (cadaar ldapresult)) - (error nil))) + (string= (substring (cadaar ldapresult) 0 3) + "MII")) (setq cert (smime-replace-in-string (cadaar ldapresult) --=-=-=--
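Review bot: the round-trip test in the smime.el hunk of smime-1.patch, `(string= (cadaar ldapresult) (base64-encode-string (base64-decode-string (cadaar ldapresult))))`, rejects exactly the header-less PEM bodies the surrounding comment says the code wants to accept whenever they are line-wrapped: `base64-decode-string` tolerates the embedded newlines, but `base64-encode-string` called without its NO-LINE-BREAK argument re-wraps at 76 columns while PEM bodies wrap at 64, so the two strings differ and the body falls through to the DER branch (the original code already expects wrapped input, since the `smime-replace-in-string` regexp strips \n and \r). Compare after removing whitespace from both sides, or prefer the prefix check of smime-2.patch.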
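Review bot: typo in the ChangeLog hunk of smime-2.patch: "beginnig" should read "beginning".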
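Review bot: the `(string= (substring (cadaar ldapresult) 0 3) "MII")` test in the smime.el hunk of smime-2.patch should get a comment explaining why the magic works, since the ChangeLog only calls it "magic" and the cover mail says no authoritative source was found. Every X.509 certificate is a DER SEQUENCE, so the encoding starts with 0x30 0x82 followed by a two-byte length for anything from 256 up to 65535 bytes, and base64 of 0x30 0x82 is "MI" followed by "I" exactly when the length is below 0x4000; raw DER, on the other hand, begins with byte 0x30, the character "0", so it can never pass this test, unlike the `base64-decode-string` check it replaces. Stating those bounds in the comment block above makes the heuristic reviewable (a certificate under 256 bytes would encode as "MIE".."MIH", one of 16 KiB or more as "MIJ".."MIL"). Also note that `substring` signals args-out-of-range on a string shorter than 3 characters now that it sits outside the removed condition-case, although the existing `(substring ... 0 27)` on the preceding line has the same exposure.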
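As an added worked example (not code from this thread or from Gnus), here is a Python model of both detection strategies, run over a constructed DER SEQUENCE that stands in for a certificate; it goes a little beyond the message by showing why the base64 prefix is "MII" only for a two-byte DER length below 0x4000, and that a 64-column wrapped PEM body defeats the round-trip comparison of the first patch while passing the "MII" test of the second. The Emacs-like decoder and all sample inputs are my assumptions, constructed for this example.

```python
import base64

def der_sequence(body: bytes) -> bytes:
    """DER SEQUENCE (tag 0x30) with definite length: the outer structure of every
    X.509 certificate. Constructed stand-in, not a real certificate."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])                                # short form
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb              # long form 0x81, 0x82, ...
    return b"\x30" + length + body

def b64_prefix(der: bytes) -> str:
    """First three base64 chars; 0x30 0x82 plus a length below 0x4000 gives "MII"."""
    return base64.b64encode(der).decode("ascii")[:3]

def pem_body(der: bytes, width: int = 64) -> str:
    """Header-less PEM body (base64 wrapped at 64 columns), as some LDAP servers return it."""
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join(b64[i:i + width] for i in range(0, len(b64), width))

def emacs_like_b64decode(s: str) -> bytes:
    """Assumed model of Emacs's decoder: skips whitespace but errors on other
    non-alphabet bytes (XEmacs ignores them all, the behaviour behind this thread)."""
    cleaned = s.translate(str.maketrans("", "", " \t\r\n\f"))
    return base64.b64decode(cleaned.encode("latin-1"), validate=True)

def roundtrip_detects_pem(s: str) -> bool:
    """smime-1.patch: PEM if decode succeeds and re-encoding (one line) reproduces
    the input. A line-wrapped body therefore never matches."""
    try:
        decoded = emacs_like_b64decode(s)
    except ValueError:                                     # binascii.Error
        return False
    return base64.b64encode(decoded).decode("ascii") == s

def mii_detects_pem(s: str) -> bool:
    """smime-2.patch: BEGIN header or "MII" magic. Raw DER starts with byte 0x30,
    the character '0', so it can never match."""
    return s.startswith("-----BEGIN CERTIFICATE-----") or s.startswith("MII")

if __name__ == "__main__":
    der = der_sequence(bytes(300))
    for label, s in (("wrapped PEM body", pem_body(der)),
                     ("single-line base64", pem_body(der, width=10 ** 6)),
                     ("raw DER", der.decode("latin-1"))):
        print(f"{label:20} roundtrip={roundtrip_detects_pem(s)!s:5} mii={mii_detects_pem(s)}")
```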