From d04481e38802863e525aff8dca92979b40b56f9a Mon Sep 17 00:00:00 2001 From: Jason Heiss Date: Wed, 31 Aug 2016 13:00:12 -0400 Subject: [PATCH] Check PEM block type when reading token cert file closes #1909 Signed-off-by: Jason Heiss --- registry/auth/token/accesscontroller.go | 12 +++--- registry/auth/token/token_test.go | 53 +++++++++++++++++++++++++ 2 files changed, 60 insertions(+), 5 deletions(-) diff --git a/registry/auth/token/accesscontroller.go b/registry/auth/token/accesscontroller.go index 5b1ff7ca..52b7f369 100644 --- a/registry/auth/token/accesscontroller.go +++ b/registry/auth/token/accesscontroller.go @@ -176,12 +176,14 @@ func newAccessController(options map[string]interface{}) (auth.AccessController, var rootCerts []*x509.Certificate pemBlock, rawCertBundle := pem.Decode(rawCertBundle) for pemBlock != nil { - cert, err := x509.ParseCertificate(pemBlock.Bytes) - if err != nil { - return nil, fmt.Errorf("unable to parse token auth root certificate: %s", err) - } + if pemBlock.Type == "CERTIFICATE" { + cert, err := x509.ParseCertificate(pemBlock.Bytes) + if err != nil { + return nil, fmt.Errorf("unable to parse token auth root certificate: %s", err) + } - rootCerts = append(rootCerts, cert) + rootCerts = append(rootCerts, cert) + } pemBlock, rawCertBundle = pem.Decode(rawCertBundle) } diff --git a/registry/auth/token/token_test.go b/registry/auth/token/token_test.go index af862df7..27206f9b 100644 --- a/registry/auth/token/token_test.go +++ b/registry/auth/token/token_test.go @@ -455,3 +455,56 @@ func TestAccessController(t *testing.T) { t.Fatalf("expected user name %q, got %q", "foo", userInfo.Name) } } + +// This tests that newAccessController can handle PEM blocks in the certificate +// file other than certificates, for example a private key. +func TestNewAccessControllerPemBlock(t *testing.T) { + rootKeys, err := makeRootKeys(2) + if err != nil { + t.Fatal(err) + } + + rootCertBundleFilename, err := writeTempRootCerts(rootKeys) + if err != nil { + t.Fatal(err) + } + defer os.Remove(rootCertBundleFilename) + + // Add something other than a certificate to the rootcertbundle + file, err := os.OpenFile(rootCertBundleFilename, os.O_WRONLY|os.O_APPEND, 0666) + if err != nil { + t.Fatal(err) + } + keyBlock, err := rootKeys[0].PEMBlock() + if err != nil { + t.Fatal(err) + } + err = pem.Encode(file, keyBlock) + if err != nil { + t.Fatal(err) + } + err = file.Close() + if err != nil { + t.Fatal(err) + } + + realm := "https://auth.example.com/token/" + issuer := "test-issuer.example.com" + service := "test-service.example.com" + + options := map[string]interface{}{ + "realm": realm, + "issuer": issuer, + "service": service, + "rootcertbundle": rootCertBundleFilename, + } + + ac, err := newAccessController(options) + if err != nil { + t.Fatal(err) + } + + if len(ac.(*accessController).rootCerts.Subjects()) != 2 { + t.Fatal("accessController has the wrong number of certificates") + } +}