Implement Certificate.load to load certificate chain.#441
Conversation
8936b3b to
d5b5ccf
Compare
|
I'm not sure error handling is right. If we have a broken DER certificate, do we get to EOF? |
|
There is no easy result from the PEM or DER parser which seems to indicate: "I reached the end of file there are no more certificates." |
|
Do we need to support concatenated DER? I've never seen it's used somewhere. |
|
@rhenium I agree, so I'm changing it. |
d6be10d to
3464ab9
Compare
|
In order to parse DER first, we have to ignore some error of DER when trying to parse PEM format, specifically: /* If we cannot read one certificate because we could not read the DER encoding: */
if (ERR_GET_REASON(ERR_peek_last_error()) == ERR_R_NESTED_ASN1_ERROR) {
ossl_clear_error();
}Is this acceptable? |
3464ab9 to
7ad5653
Compare
|
@rhenium do you know why this fails on Windows with the pure Ruby |
Argh. No, this will not work because parsing random data (PEM-encoding) as DER-encoding can fail in other ways, too. I don't think there is a direct way to check that the failure is from DER parsing (and not from malloc() or somewhere else). I'm not sure if there is another way except for falling back to PEM parsing on any kind of error. |
I guess it's CRLF conversion... I think it should've used |
a03ccd5 to
8591a4d
Compare
6bf5670 to
390964b
Compare
rhenium
left a comment
There was a problem hiding this comment.
I disagree with the change in ext/openssl/ossl_bio.c, but apart from that and two fix-ups I commented in-line, it looks good to me.
This reverts commit 61b4355.
|
Okay, all your feedback was addressed as you requested. |
Yes, it was already ready for merge. Thank you for working on this! |
|
@rhenium thanks for your multiple detailed reviews and feedback, the PR was much better because of your time and effort. |
ruby/openssl#441) * Add feature for loading the chained certificate into Certificate array. ruby/openssl@05e1c015d6 Co-authored-by: Sao I Kuan <saoikuan@gmail.com>
Follow up to #361