Apply URL encoding/unencoding to OCSP Get requests #18938
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
stevendpclark
commented
Feb 1, 2023
stevendpclark
commented
- Missed this during development and sadly the unit tests were written at a level that did not expose this issue originally, there are certain combinations of issuer cert + serial that lead to base64 data containing a '/' which will lead to the OCSP handler not getting the full parameter value.
- When this happens we return a 400 error with a malformed request static OCSP response.
- Do as the spec says, this should be treated as url-encoded data.
- Missed this during development and sadly the unit tests were written at a level that did not expose this issue originally, there are certain combinations of issuer cert + serial that lead to base64 data containing a '/' which will lead to the OCSP handler not getting the full parameter. - Do as the spec says, this should be treated as url-encoded data.
cipherboy
approved these changes
Feb 1, 2023
|
@stevendpclark Did you want to write more tests that expose this behavior by any chance? |
Yeah, I was gonna rely on the ENT tests, but it makes sense to add them here. Done. |
stevendpclark
deleted the
stevendpclark/vault-13105-ocsp-unescaping-get-requests
branch
stevendpclark
added a commit
that referenced
this pull request
Feb 1, 2023
* Apply URL encoding/unencoding to OCSP Get requests - Missed this during development and sadly the unit tests were written at a level that did not expose this issue originally, there are certain combinations of issuer cert + serial that lead to base64 data containing a '/' which will lead to the OCSP handler not getting the full parameter. - Do as the spec says, this should be treated as url-encoded data. * Add cl * Add higher level PKI OCSP GET/POST tests * Rename PKI ocsp files to path_ocsp to follow naming conventions * make fmt
stevendpclark
added a commit
that referenced
this pull request
Feb 1, 2023
* Apply URL encoding/unencoding to OCSP Get requests - Missed this during development and sadly the unit tests were written at a level that did not expose this issue originally, there are certain combinations of issuer cert + serial that lead to base64 data containing a '/' which will lead to the OCSP handler not getting the full parameter. - Do as the spec says, this should be treated as url-encoded data. * Add cl * Add higher level PKI OCSP GET/POST tests * Rename PKI ocsp files to path_ocsp to follow naming conventions * make fmt Co-authored-by: Steven Clark <[email protected]>
stevendpclark
added a commit
that referenced
this pull request
Feb 7, 2023
- This fix was incorrect as now the tests and program are double URL encoding the OCSP GET requests, so the base64 + characters when using Vault proper are becoming space characters.
stevendpclark
added a commit
that referenced
this pull request
Feb 8, 2023
stevendpclark
added a commit
that referenced
this pull request
Feb 8, 2023
stevendpclark
added a commit
that referenced
this pull request
Feb 8, 2023
- This fix was incorrect as now the tests and program are double URL encoding the OCSP GET requests, so the base64 + characters when using Vault proper are becoming space characters. Co-authored-by: Steven Clark <[email protected]>
awnumar
reviewed
Apr 11, 2023
| return nil, fmt.Errorf("failed to unescape base64 string: %w", err) | ||
| } | ||
|
|
||
| return base64.StdEncoding.DecodeString(unescapedBase64) |
There was a problem hiding this comment.
StdEncoding is not URL-safe, should this have been base64.URLEncoding instead?
There was a problem hiding this comment.
@awnumar No, that is the problem. See RFC 6960, Appendix A:
GET {url}/{url-encoding of base-64 encoding of the DER encoding of the OCSPRequest}
Note that is not:
base64.URLEncoding.EncodeString(...)
That is:
url.QueryEscape(base64.StdEncoding.EncodeString(...))
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.