public inbox for pve-devel@lists.proxmox.com
From: Thomas Ellmenreich <t.ellmenreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Cc: Thomas Ellmenreich <t.ellmenreich@proxmox.com>
Subject: [PATCH common/proxmox-acme v3 0/2] fix #5978: pem parser: relax parsing of chain entries
Date: Fri,  3 Jul 2026 12:51:31 +0200
Message-ID: <20260703105133.77817-1-t.ellmenreich@proxmox.com>

According to RFC 8555, expected cert chains should come
without whitespace or explanatory text in between chain
entries. These two patches relax our parser to also
accept text or whitespace in between chain entries.

To make sure that the acme changes work as expected I
set up the pebble acme server [1] locally, and worked
through the acme flow to get a new certificate. I then
manually modified the final certificate to contain
descriptive text, which worked without issues.

changes since v2:
- cleaner implementation and correction of mistakes in
  check_pem in pve-common

- get_certificate in proxmox-acme now correctly calls
  check_pem with the 'multiple' option enabled

- removed ambiguity in the error messages of
  get_certificate

- correction of tests, to better compare returned value
  to expected value

- performed proper end-to-end test with pebble [1]

- proper formatting (hopefully)

changes since v1:
- Whereas in v1 check_pem was just a wrapper of split_pem,
  they now perform different functions

- split_pem now purely splits the PEM chain into separate
  entries and does no further validation, returning each
  entry with its leading text.

- check_pem retains the original functionality, except
  when the multiple option is active, in which case it
  uses split_pem to get single entries and then calls
  itself recursively.

- On the ACME side, errors are now captured, wrapped,
  and then rethrown.

[1] https://github.com/letsencrypt/pebble


pve-common:

Thomas Ellmenreich (1):
  fix #5978: pem parser: relax parsing of chain entries

 src/PVE/Certificate.pm |  37 ++++-
 test/Makefile          |   2 +
 test/check_pem_test.pl | 357 +++++++++++++++++++++++++++++++++++++++++
 test/split_pem_test.pl | 279 ++++++++++++++++++++++++++++++++
 4 files changed, 667 insertions(+), 8 deletions(-)
 create mode 100755 test/check_pem_test.pl
 create mode 100755 test/split_pem_test.pl


proxmox-acme:

Thomas Ellmenreich (1):
  fix #5978: pem parser: relax parsing of chain entries:

 src/PVE/ACME.pm | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)


Summary over all repositories:
  5 files changed, 673 insertions(+), 13 deletions(-)

-- 
Generated by murpp 0.12.0
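As an added illustration of the split/check division described in this cover letter (example code written for this page, not the pve-common or proxmox-acme implementation): a splitter that tolerates explanatory text between chain entries, and a checker whose 'multiple' option splits first and then checks each entry in single-entry mode, wrapping and rethrowing the first per-entry error. The names split_pem and check_pem mirror the cover letter; their signatures, the label/multiple/noerr options, the internal helper and the sample chain are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example for this cover letter, not code from pve-common or proxmox-acme.
# split_pem: cut a PEM bundle into entries, keeping the text that preceded each.
# check_pem: strict single-block check, or (with multiple => 1) split first and
# check every entry, wrapping and rethrowing the first per-entry error.
use strict;
use warnings;

# Returns (\@entries, $trailing_text). Each entry is a hash with the leading
# text, the label (e.g. CERTIFICATE), the raw base64 body and the full block.
sub split_pem {
    my ($chain) = @_;
    my @entries;
    my $last = 0;
    while ($chain =~ /\G(.*?)(-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \3-----)/sg) {
        push @entries, { text => $1, pem => $2, label => $3, body => $4 };
        $last = pos($chain);
    }
    return (\@entries, substr($chain, $last));
}

# Validate exactly one block: no stray text around it, the expected label and a
# base64-only body (so a block that swallowed a neighbour fails here).
# Returns an error string or undef.
sub _check_single {
    my ($content, $label) = @_;
    my ($entries, $trailing) = split_pem($content);
    return "no PEM block found" if !@$entries;
    return "expected one PEM block, found " . scalar(@$entries) if @$entries != 1;
    my $e = $entries->[0];
    return "unexpected text before PEM block" if $e->{text} =~ /\S/;
    return "unexpected text after PEM block" if $trailing =~ /\S/;
    return "expected $label, found $e->{label}" if $e->{label} ne $label;
    return "PEM body is not base64" if $e->{body} !~ /^(?:[A-Za-z0-9+\/=]+\r?\n)+$/;
    return undef;
}

# Options (assumed for this example): label (default CERTIFICATE), multiple, noerr.
# Dies with a message on failure unless noerr is set, in which case it returns undef.
sub check_pem {
    my ($content, %opts) = @_;
    my $label = $opts{label} // 'CERTIFICATE';
    my $err;
    if ($opts{multiple}) {
        my ($entries) = split_pem($content);
        if (!@$entries) {
            $err = "no PEM blocks found";
        } else {
            my $i = 0;
            for my $e (@$entries) {
                $i++;
                # text before an entry is tolerated; only the block itself is
                # checked, by recursing in single-entry mode
                eval { check_pem($e->{pem}, %opts, multiple => 0, noerr => 0) };
                if (my $sub_err = $@) {
                    chomp $sub_err;
                    $err = "chain entry $i: $sub_err";
                    last;
                }
            }
        }
    } else {
        $err = _check_single($content, $label);
    }
    if (defined $err) {
        die "$err\n" if !$opts{noerr};
        return undef;
    }
    return 1;
}

# Constructed sample chain: two fake certificate blocks with descriptive text in
# between. The bodies are placeholder base64, not real certificates.
my $chain = <<'EOF';
Subject: CN=leaf.example.test
-----BEGIN CERTIFICATE-----
MIIBexampleLEAFexampleLEAFexample==
-----END CERTIFICATE-----

Subject: CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBexampleINTERMEDIATEexample=
-----END CERTIFICATE-----
EOF

my ($entries, $trailing) = split_pem($chain);
(my $lead = $entries->[1]{text}) =~ s/^\s+|\s+$//g;
printf "%d entries, text before entry 2: '%s'\n", scalar(@$entries), $lead;
print "strict check:  ", (check_pem($chain, noerr => 1) ? "ok" : "rejected"), "\n";   # rejected: two blocks
print "relaxed check: ", (check_pem($chain, multiple => 1) ? "ok" : "rejected"), "\n"; # ok

# A key appended to the chain is still rejected, with the entry number wrapped in.
my $bad_chain = $chain . "-----BEGIN PRIVATE KEY-----\nMIIEexampleKEYexample=\n-----END PRIVATE KEY-----\n";
eval { check_pem($bad_chain, multiple => 1) };
print "bad chain: $@";   # chain entry 3: expected CERTIFICATE, found PRIVATE KEY
```

The recursion in 'multiple' mode keeps the strict per-entry rules unchanged: only the text between blocks is tolerated, while a wrong label, a non-base64 body or a block that swallowed its neighbour still fails, and the error names the offending entry.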

Thread overview: 3+ messages
2026-07-03 10:51 Thomas Ellmenreich [this message]
2026-07-03 10:51 ` [PATCH common v3 1/2] fix #5978: pem parser: relax parsing of chain entries Thomas Ellmenreich
2026-07-03 10:51 ` [PATCH proxmox-acme v3 2/2] fix #5978: pem parser: relax parsing of chain entries: Thomas Ellmenreich