public inbox for pve-devel@lists.proxmox.com
* [PATCH common/proxmox-acme v3 0/2] fix #5978: pem parser: relax parsing of chain entries
@ 2026-07-03 10:51 Thomas Ellmenreich
  2026-07-03 10:51 ` [PATCH common v3 1/2] " Thomas Ellmenreich
  2026-07-03 10:51 ` [PATCH proxmox-acme v3 2/2] fix #5978: pem parser: relax parsing of chain entries: Thomas Ellmenreich
  0 siblings, 2 replies; 3+ messages in thread
From: Thomas Ellmenreich @ 2026-07-03 10:51 UTC (permalink / raw)
  To: pve-devel; +Cc: Thomas Ellmenreich

According to RFC 8555, expected certchains should come
without whitespace or explanatory texts in between chain
entries. These two patches relax our parser to also
accept text or whitespace in between chain entries.

To make sure that the ACME changes work as expected, I
set up the pebble ACME server [1] locally and worked
through the ACME flow to get a new certificate. I then
manually modified the final certificate to contain
descriptive text, which worked without issues.

changes since v2:
- cleaner implementation and correction of mistakes in
  check_pem in pve-common

- get_certificate in proxmox-acme now correctly calls
  check_pem with the 'multiple' option enabled

- removed ambiguity in the error messages of
  get_certificate

- correction of tests, to better compare returned value
  to expected value

- performed proper end-to-end test with pebble [1]

- proper formatting (hopefully)

changes since v1:
- Where in v1 check_pem was just a wrapper of split_pem,
  they now perform different functions

- split_pem now purely splits the PEM chain into separate
  entries and does no further validation, returning each
  entry with its leading text.

- check_pem retains the original functionality, except
  when the multiple option is active, in which case it
  uses split_pem to get single entries and then calls
  itself recursively

- On the ACME side, errors are now captured, wrapped,
  and then rethrown.

[1] https://github.com/letsencrypt/pebble


pve-common:

Thomas Ellmenreich (1):
  fix #5978: pem parser: relax parsing of chain entries

 src/PVE/Certificate.pm |  37 ++++-
 test/Makefile          |   2 +
 test/check_pem_test.pl | 357 +++++++++++++++++++++++++++++++++++++++++
 test/split_pem_test.pl | 279 ++++++++++++++++++++++++++++++++
 4 files changed, 667 insertions(+), 8 deletions(-)
 create mode 100755 test/check_pem_test.pl
 create mode 100755 test/split_pem_test.pl


proxmox-acme:

Thomas Ellmenreich (1):
  fix #5978: pem parser: relax parsing of chain entries:

 src/PVE/ACME.pm | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)


Summary over all repositories:
  5 files changed, 673 insertions(+), 13 deletions(-)

-- 
Generated by murpp 0.12.0
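
An added sketch of the split-then-check approach the cover letter describes, not code from this series or from PVE::Certificate: the names split_chain and check_entry are hypothetical, the sample chain is constructed with placeholder bodies, and only the CERTIFICATE label is assumed to be acceptable. Text between entries is tolerated, while each block itself is still validated strictly.

```perl
use strict;
use warnings;
use MIME::Base64 qw(decode_base64);

# Hypothetical helper: split a chain into entries, keeping the text that
# preceded each PEM block. No validation of the block happens here.
sub split_chain {
    my ($raw) = @_;
    my @entries;
    while ($raw =~ /\G(.*?)(-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \3-----)[ \t]*\r?\n?/gcs) {
        push @entries, { leading => $1, label => $3, pem => $2 };
    }
    my $rest = substr($raw, pos($raw) // 0);
    # Trailing text is tolerated, a dangling BEGIN/END marker is not.
    die "unterminated PEM block\n" if $rest =~ /-----(?:BEGIN|END) /;
    die "no PEM entry found\n" if !@entries;
    return @entries;
}

# Hypothetical helper: strict check of one entry returned by split_chain.
sub check_entry {
    my ($e) = @_;
    # A marker hidden in the "explanatory" text means a mismatched block was skipped.
    die "stray PEM marker before entry\n" if $e->{leading} =~ /-----(?:BEGIN|END) /;
    die "unexpected label '$e->{label}'\n" if $e->{label} ne 'CERTIFICATE';
    my @lines = split /\r?\n/, $e->{pem};
    shift @lines; pop @lines;    # drop the BEGIN and END lines
    my $b64 = join '', @lines;
    die "invalid base64 body\n" if $b64 eq ''
        || $b64 !~ m!\A(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\z!;
    return decode_base64($b64);  # raw bytes; X.509 parsing is out of scope here
}

# Constructed sample: bodies are placeholders, not real certificates.
my $chain = <<'EOF';
subject: leaf (explanatory text)
-----BEGIN CERTIFICATE-----
TGVhZg==
-----END CERTIFICATE-----

issuer follows
-----BEGIN CERTIFICATE-----
SXNzdWVy
-----END CERTIFICATE-----
EOF
for my $e (split_chain($chain)) {
    printf "entry ok: %d bytes, %d bytes of leading text ignored\n",
        length(check_entry($e)), length($e->{leading});
}
```

The leading text is kept only so it can be inspected or dropped; nothing in it is interpreted as certificate data.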
