Merge pull request #87 from zitadel/parse-cert-pem

feat: parse x509 certs in pem format when base64 encoded
zitadel · Aug 21, 2024 · f4e2332 · f4e2332
2 parents db2977a + b5338bf
commit f4e2332
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 6 deletions.
diff --git a/pkg/provider/signature/certificates.go b/pkg/provider/signature/certificates.go
@@ -14,22 +14,29 @@ import (
 	dsig "github.com/russellhaering/goxmldsig"
 )
 
+var (
+	spaceRegex = regexp.MustCompile(`\s+`)
+)
+
 func ParseCertificates(certStrs []string) ([]*x509.Certificate, error) {
-	var certs []*x509.Certificate
+	certs := make([]*x509.Certificate, len(certStrs))
 
-	regex := regexp.MustCompile(`\s+`)
-	for _, certStr := range certStrs {
-		certStr = regex.ReplaceAllString(certStr, "")
+	for i, certStr := range certStrs {
+		certStr = spaceRegex.ReplaceAllString(certStr, "")
 		certStr = strings.TrimPrefix(strings.TrimSuffix(certStr, "-----ENDCERTIFICATE-----"), "-----BEGINCERTIFICATE-----")
 		certBytes, err := base64.StdEncoding.DecodeString(certStr)
 		if err != nil {
-			return nil, fmt.Errorf("failed to parse PEM block containing the public key")
+			return nil, fmt.Errorf("failed to decode certificate:" + err.Error())
+		}
+		block, _ := pem.Decode(certBytes)
+		if block != nil {
+			certBytes = block.Bytes
 		}
 		parsedCert, err := x509.ParseCertificate(certBytes)
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse certificate: " + err.Error())
 		}
-		certs = append(certs, parsedCert)
+		certs[i] = parsedCert
 	}
 
 	return certs, nil

diff --git a/pkg/provider/signature/certificates_test.go b/pkg/provider/signature/certificates_test.go
@@ -43,6 +43,14 @@ func TestCertificates_ParseCertificates(t *testing.T) {
 				false,
 			},
 		},
+		{
+			"certificate out of metadata (PEM)",
+			[]string{"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZHVENDQXdHZ0F3SUJBZ0lVSmdXK1d2dTVGUkdQc2xIWnR2bzdja2p1NnVzd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0hERWFNQmdHQTFVRUF3d1JaMmwwYUhWaVgyVnVkR1Z5Y0hKcGMyVXdIaGNOTWpRd05URTRNVGswTURBMwpXaGNOTXpRd05URTJNVGswTURBM1dqQWNNUm93R0FZRFZRUUREQkZuYVhSb2RXSmZaVzUwWlhKd2NtbHpaVENDCkFpSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnSVBBRENDQWdvQ2dnSUJBTUtmTUNSbVlWUkxqeC9zQlRqSXBIckkKT3R0RElXd1Z4ZWtaZUN2YnJoR2RJeDdkNi9GbDZwOWwrWVNnQm9WVm00L0U0c2F3YVBBSEhTVWFKU3gwcGlicgo1TUFUcko5STVLVUNRRzRQSEdMN1MyQWVVQ3Nxbmo5NzlsbnRLaytyYTBqSkVFSlNJdGNvSEN2MlFCelFPelU5CmZUV0UyazRMQSs5ZlBjeHd2VFFLQTBwenNvZE81dGs5WitrR09mclVnUUVDK091Z0V1dHgwUTN6azJLdG9qVkcKWk5GWktkOGVVcm5YWHBhc2RmYXVMZUMwWUdBV21pUnh6TmhCUlNreFowVWNNRkpreWNFb1hEZHNXT0tCMCt1WQpMVHE2OEI5RUtBOEp1Q0pNTmRTQ3Z6Rm5mNGlVOWpxQ2syOEMzTW5ldWtJSzlpN0U2RVJrdHFJY2M3OTdlaWhKClZaQlIzRUhVanRpTjBsZVNGVnkwM3g0a1Z6RzM1dEJGcjMrek1BUTkwOHJCVjduY3J1czV3RXE3TWJyNE5PUXYKVGRqZUpZSitJczBEak9YQW5oejdIbGFmd3Y4N0lpWkU1SDZDTHI2ak5pazFreFpRbVRRbjhkR1BDZTRtVjdrdQpuV0ZNLzVMbEhBU2kwSVpCZlEzcDV0ZGdHaDNwTlNaRzFCQkg3dXVIdy9uUHdNRXhNSFVPZWp3RUVzN0kySlBQCkNWaGF4Nkl6UDJWVWYyZ1FHNmlzOUFVQm5Qc2MzMzUyZzE0VVlBRU5iSnhzeTNJdUptaDg4L2duZkhhNXZHaEwKZHkxa1J4TlVFYlpJeFI1V2JHSTl4cmx1K3Q3WVdIY0gzWjdzQ1NNbCt4a3VTeHpzQ0dxNURERzlHeEZDKzdJQgpDa2ZGOC9hTmNQSnZpdEFYS2xMbEFnTUJBQUdqVXpCUk1CMEdBMVVkRGdRV0JCUmIyd1ZCVzlzOXkzR0dUQk1QCm9zMkJJMFgvY0RBZkJnTlZIU01FR0RBV2dCUmIyd1ZCVzlzOXkzR0dUQk1Qb3MyQkkwWC9jREFQQmdOVkhSTUIKQWY4RUJUQURBUUgvTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElDQVFCV2dQSFFvVGZkU1l4cHJtVStzQXV1UnNKZwpTL1ZrSlczN2xrMVhYV1lUUktXMHc5UU1wSFNob083TEIxaXFRQjRMVXFEYjJid3Bac0ppQ2d3WWpvZlljaUNjClY1dC9zMGxhVW02VjB4ZUR0SzdPN2RZQU5iZUc5eXhhSWxEVTVzQTZJZkpSOVdoQWhLVy9uVUZ2LzdjWkNYWUYKRVpXTHJCcytkMk42NFAwOTdnNENzOFJ5V3pQZHMrTE14UmhXU3hoY3RFQ011dWlLNys4Z2k2dnpxYVh1cmV1RQp5Rko0L0kwR3FZOEF1NmdoQTVzSm9sTWxBU2tWUzIvb2xzVllHOStad0tvWEcyUWxnWFpaMVhWeTNaVkdKSC9BCndneXZkTWtneUVGMncybjRUc0lkd3ZTM2thbzUzc0t3aXRpNlVYOHZoMEtvY2Q1WkRHeS81WHBpamFPbmpIejMKSTNGeGxNS3JmUWlJMWp4NmdTcUFLb2x1UlpmZ1RmQ2FjUkFRMUZvTWhZOXdnaFY2bEZFR2xXeHdqUUVJYlJXUQpuajIybXNGcFhPY283MCs4VGp5Q3BCWjl2SFpSZ0ZGSHBEM1dPSWxvdjBYeTdzLzMrTlMvZDlpc3ZwVzJyLzViCjRIYUV0bTdFYlpyck5WS014aEprSnByT3owRjMva2QxMnRrRFY4aDZuazBuVi8wTm13V2dDRjRFVDVpK2ZWYXAKNlcrNCtaZTA1dzZRVkY3Tnl0TFFjNGdMZi8rRk51NWFPMVBwUSt0ZXlRV01VUzJ2N05Id0ZDcEQ0UnNPVHNvbgp5cU5tejRSWTM5dnliSC9VRk5WZFlTMVVOdGF5eTdONWJPS1JwSnBLLzU0QlBuYnJaOS9CcWx6S25HSWQ3Q0V1Ckxxb2ZCOGN4dTVBM2RQc0ViQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"},
+			res{
+				1,
+				false,
+			},
+		},
 		{
 			"certificate out of metadata base64 error",
 			[]string{"MIICvDCCAaQCCQD6E8sQ2usjANBgkqhkiG9w0BAQsFADAgMR4wHAYDVQQDDBVt\neXNlcnZpY2UuZXhhbXBsZS5jb20wHhcNMjIwMjE3MTQwNjM5WhcNMjMwMjE3MTQw\nNjM5WjAgMR4wHAYDVQQDDBVteXNlcnZpY2UuZXhhbXBsZS5jb20wggEiMA0GCSqG\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7XKdCRxUZXjdqVqwwwOJqc1Ch0nOSmk+U\nerkUqlviWHdeLR+FolHKjqLzCBloAz4xVc0DFfR76gWcWAHJloqZ7GBS7NpDhzV8\nG+cXQ+bTU0Lu2e73zCQb30XUdKhWiGfDKaU+1xg9CD/2gIfsYPs3TTq1sq7oCs5q\nLdUHaVL5kcRaHKdnTi7cs5i9xzs3TsUnXcrJPwydjp+aEkyRh07oMpXBEobGisfF\n2p1MA6pVW2gjmywf7D5iYEFELQhM7poqPN3/kfBvU1n7Lfgq7oxmv/8LFi4Zopr5\nnyqsz26XPtUy1WqTzgznAmP+nN0oBTERFVbXXdRa3k2v4cxTNPn/AgMBAAEwDQYJ\nKoZIhvcNAQELBQADggEBAJYxROWSOZbOzXzafdGjQKsMgN948G/hHwVuZneyAcVo\nLMFTs1Weya9Z+snMp1u0AdDGmQTS9zGnD7syDYGOmgigOLcMvLMoWf5tCQBbEukW\n8O7DPjRR0XypChGSsHsqLGO0B0HaTel0HdP9Si827OCkc9Q+WbsFG/8/4ToGWL+u\nla1WuLawozoj8umPi9D8iXCoW35y2STU+WFQG7W+Kfdu+2CYz/0tGdwVqNG4Wsfa\nwWchrS00vGFKjm/fJc876gAfxiMH1I9fZvYSAxAZ3sVI//Ml2sUdgf067ywQ75oa\nLSS2NImmz5aos3vuWmOXhILd7iTU+BD8Uv6vWbI7I1M=\n"},