
A base64 decoder exception is thrown when inspecting a specially-crafted CSR

    Details

    • Issue discovered during:
      Customer

      Description

      When inspecting a specially-crafted CSR, it is possible to produce a base64 decoder exception that will show a rather long stack trace to the user.

      Reproduction steps:
      1. Create a new CSR using the OpenSSL CLI utils, output format should be PEM (the OpenSSL-style base64-encoded CSR).
      2. Corrupt the CSR by appending some random garbage to the lines forming the base64 encoding in the file (don't touch the header/footer delimiter).
      3. Open page Inspect -> Inspect certificate/CSR.
      4. Click on the browser button and select the hand-corrupted CSR file.
      5. Click on the OK button.

      Expected results:
      1. An error message is shown stating that the uploaded file is not a valid CSR/certificate (or something along those lines).

      Actual results:
      1. A stack trace is shown to the user.

      Additional details:
      I've uploaded a sample file provided by the customer that triggers the error, and an HTML page with the stack trace. A similar scenario might even be applicable to certificates in PEM format?

      Relevant part of the stack-trace:
      java.io.IOException: invalid characters encountered in base64 data
      org.bouncycastle.util.encoders.Base64Encoder.decode(Unknown Source)
      org.bouncycastle.util.encoders.Base64.decode(Unknown Source)
      org.cesecore.util.Base64.decode(Base64.java:67)
      org.cesecore.util.FileTools.getBytesFromPEM(FileTools.java:87)
      org.cesecore.certificates.certificate.request.RequestMessageUtils.getRequestBytes(RequestMessageUtils.java:174)
      org.cesecore.certificates.certificate.request.RequestMessageUtils.getDecodedBytes(RequestMessageUtils.java:155)
      org.ejbca.ui.web.pub.inspect.CertAndRequestDumpBean.getDump(CertAndRequestDumpBean.java:73)
      org.ejbca.ui.web.pub.inspect.CertAndRequestDumpBean.setBytes(CertAndRequestDumpBean.java:58)
      org.apache.jsp.inspect.request_005fresult_jsp._jspService(request_005fresult_jsp.java:278)
      ...
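      As an added example (not EJBCA's own code), the Python below contrasts the failing path from the stack trace, where the decoder's exception propagates to the page, with a hardened PEM reader that validates the body first and maps every failure to one user-safe error. It accepts any PEM label, so PEM certificates take the same path as CSRs; the sample body is constructed bytes rather than a real request, and the function names are invented.

```python
import base64
import re

# Constructed sample input: the payload is arbitrary bytes, not a real CSR.
SAMPLE_BYTES = b"not-a-real-csr, just sample bytes for the demo"
GOOD_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\n"
            + base64.encodebytes(SAMPLE_BYTES).decode()
            + "-----END CERTIFICATE REQUEST-----\n")
# Reproduction step 2 of the report: garbage appended to a body line, delimiters intact.
BAD_PEM = GOOD_PEM.replace("\n-----END", "!!garbage??\n-----END", 1)
# Any label is accepted, so PEM certificates take the same path as CSRs.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
B64_RE = re.compile(r"[A-Za-z0-9+/]*={0,2}")

class PemError(Exception):
    """The only error type the web layer is allowed to show to the user."""

def get_bytes_from_pem_unchecked(text: str) -> bytes:
    """Failing path from the report: decode the body as-is; corrupt base64 raises binascii.Error."""
    m = PEM_RE.search(text)
    if m is None:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(2).split()), validate=True)

def get_bytes_from_pem(text: str) -> bytes:
    """Hardened path: validate first; every failure becomes PemError, original chained for the log."""
    m = PEM_RE.search(text)
    if m is None:
        raise PemError("no BEGIN/END block found")
    body = "".join(m.group(2).split())
    if not B64_RE.fullmatch(body) or len(body) % 4:
        raise PemError("body contains characters that are not valid base64")
    try:
        return base64.b64decode(body, validate=True)
    except ValueError as e:  # binascii.Error is a ValueError subclass
        raise PemError("body is not decodable base64") from e

def inspect_before(text: str) -> str:
    """Old page, simulated: the unhandled decoder exception reaches the user."""
    try:
        return f"decoded {len(get_bytes_from_pem_unchecked(text))} bytes"
    except Exception as e:
        return f"{type(e).__module__}.{type(e).__name__}: {e}"

def inspect_after(text: str) -> str:
    """Expected behaviour: a short fixed message; details stay in the log."""
    try:
        return f"decoded {len(get_bytes_from_pem(text))} bytes"
    except PemError as e:
        return f"The uploaded file is not a valid CSR/certificate ({e})."
```

      In a real handler the chained cause of PemError is what goes to the server log, while only the fixed message is rendered.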

      People

      Assignee: Johan Eklund
      Reporter: Branko Majic (Inactive)
      Verified by: Mike Agrenius Kushner