Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

PEM reads entire file before failing

70 views
Skip to first unread message

Phillip Hellewell

unread,
Apr 15, 2010, 1:29:44 AM4/15/10
to
I've noticed when calling PEM_read_bio_X509() on a bogus file it has to read *the entire file* before it fails and returns NULL, whereas other functions like d2i_PKCS7_bio and d2i_PKCS12_bio() fail after reading just a small amount.

Can we fix the PEM functions to fail sooner?  Why can't they tell after reading the first line that it doesn't start with "-----BEGIN"?  Or after each line why can't it tell that it's not valid base64 data?

I'm writing a function that detects the cert type automatically by calling various OpenSSL read functions like the ones I've mentioned above, and it can be very slow to return "not a cert" on large non-cert files.

Thanks,
Phillip

Phillip Hellewell

unread,
Apr 15, 2010, 1:03:02 PM4/15/10
to
For now I'll just do my own check for "-----BEGIN" as well as a sanity check on the file size, before calling PEM_read_bio_X509().

Phillip

Dr. Stephen Henson

unread,
Apr 15, 2010, 1:10:17 PM4/15/10
to
On Wed, Apr 14, 2010, Phillip Hellewell wrote:

> I've noticed when calling PEM_read_bio_X509() on a bogus file it has to read
> *the entire file* before it fails and returns NULL, whereas other functions
> like d2i_PKCS7_bio and d2i_PKCS12_bio() fail after reading just a small
> amount.
>
> Can we fix the PEM functions to fail sooner? Why can't they tell after
> reading the first line that it doesn't start with "-----BEGIN"? Or after
> each line why can't it tell that it's not valid base64 data?
>
> I'm writing a function that detects the cert type automatically by calling
> various OpenSSL read functions like the ones I've mentioned above, and it
> can be very slow to return "not a cert" on large non-cert files.
>

DER files contain only one structure so as soon as there is an ASN1 error the
function fails.

PEM files however can contain multiple structures (more than one certificate,
private key or CRL for example) and can contain additional human readable
information outside the PEM headers. So you don't know the file doesn't
contain the relevant structure until you hit EOF.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List opens...@openssl.org
Automated List Manager majo...@openssl.org

Phillip Hellewell

unread,
Apr 15, 2010, 2:02:02 PM4/15/10
to
On Thu, Apr 15, 2010 at 11:10 AM, Dr. Stephen Henson <st...@openssl.org> wrote:
PEM files however can contain multiple structures (more than one certificate,
private key or CRL for example) and can contain additional human readable
information outside the PEM headers. So you don't know the file doesn't
contain the relevant structure until you hit EOF.

Ah, thanks for the explanations.  I was unaware of this, as I have never seen PEM files with human-readable comments in them.  Hopefully that is not too common in practice.

Phillip

Adam Langley

unread,
Apr 15, 2010, 1:25:44 PM4/15/10
to
On Thu, Apr 15, 2010 at 1:03 PM, Phillip Hellewell <ssh...@gmail.com> wrote:
> For now I'll just do my own check for "-----BEGIN" as well as a sanity check
> on the file size, before calling PEM_read_bio_X509().

PEM files can have an arbitrary amount of comment before (and after)
the BEGIN/END block. The code has to check the whole file in order to
support that.


AGL

--
Adam Langley a...@imperialviolet.org http://www.imperialviolet.org

0 new messages