From 43e012afb2022bac4265c254dec9ab98cec993ba Mon Sep 17 00:00:00 2001
From: Dan Breslau
Date: Mon, 15 Aug 2016 20:12:19 -0400
Subject: [PATCH] Decode the CA Certificate from binary, not from PEM format.
---
 src/moonshot-crypto-utils.c | 21 ++++++----------
 src/moonshot-id.vala | 14 +++--------
 webprovisioning/complex-test.msht | 53 +++++++++++++++++++--------------------
 3 files changed, 38 insertions(+), 50 deletions(-)
diff --git a/src/moonshot-crypto-utils.c b/src/moonshot-crypto-utils.c
index c28e835..a14c610 100644
--- a/src/moonshot-crypto-utils.c
+++ b/src/moonshot-crypto-utils.c
@@ -2,33 +2,28 @@
 #include
 #include
+#include
-char* get_cert_valid_before(const char* cert_string, int cert_string_len, char* datebuf, int len)
+char* get_cert_valid_before(const unsigned char* buf, int len, char* datebuf, int datebuf_len)
 {
- datebuf[0]='\0';
+ datebuf[0]='\0';
- BIO* cert_bio = BIO_new_mem_buf(cert_string, cert_string_len);
-
- if (cert_bio == NULL) {
- return "Error calling PEM_new_mem_buf!";
- }
-
- X509 *x = PEM_read_bio_X509(cert_bio, NULL, 0, NULL);
+ unsigned char *p = (unsigned char*) buf;
+ X509* x = d2i_X509(NULL, &p, len);
 if (x == NULL) {
- return "Error calling PEM_read_bio_X509!";
+ return "Error calling d2i_X509()!";
 }
 BIO* out_bio = BIO_new(BIO_s_mem());
 ASN1_TIME* time = X509_get_notAfter(x);
 if (ASN1_TIME_print(out_bio, time)) {
- int write = BIO_read(out_bio, datebuf, len - 1);
+ int write = BIO_read(out_bio, datebuf, datebuf_len - 1);
 datebuf[write]='\0';
 }
- datebuf[len - 1] = '\0';
+ datebuf[datebuf_len - 1] = '\0';
 BIO_free(out_bio);
- BIO_free(cert_bio);
 X509_free(x);
 return "";
 }
diff --git a/src/moonshot-id.vala b/src/moonshot-id.vala
index 5b927c9..b1f0860 100644
--- a/src/moonshot-id.vala
+++ b/src/moonshot-id.vala
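Review bot: In `get_cert_valid_before` (src/moonshot-crypto-utils.c), the return value of `BIO_read()` is used as an index in `datebuf[write]='\0';` without a range check, so a zero-or-negative return, or a `datebuf_len` below 1, would write outside `datebuf`. Guard it with `if (write < 0) write = 0;` and reject `datebuf == NULL || datebuf_len < 1` before the first store. `BIO_new(BIO_s_mem())` is likewise passed to `ASN1_TIME_print()` without a NULL check. Since `d2i_X509()` takes a `const unsigned char **`, declaring `const unsigned char *p = buf;` avoids casting away const. Comparing `p` with `buf + len` after the call would also reject input that carries extra bytes after the certificate.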
@@ -32,7 +32,7 @@ using Gee;
-extern char* get_cert_valid_before(char* cert, int certlen, char* datebuf, int buflen);
+extern char* get_cert_valid_before(uchar* inbuf, int inlen, char* outbuf, int outlen);
 // A TrustAnchor object can be imported or installed via the API, but cannot
@@ -130,18 +130,12 @@ public class TrustAnchor : Object
 string cert = this.ca_cert;
 cert.chomp();
- if (cert.substring(0, CERT_HEADER.length) != CERT_HEADER) {
- cert = CERT_HEADER + "\n" + cert;
- }
- if (cert.substring(0, -CERT_FOOTER.length) != CERT_FOOTER) {
- cert += "\n" + CERT_FOOTER;
- }
- cert += "\n";
- IdCard.logger.trace(@"get_expiration_date: Sending " + cert);
+ uchar[] binary = Base64.decode(cert);
+ IdCard.logger.trace("get_expiration_date: encoded length=%d; decoded length=%d".printf(cert.length, binary.length));
 char buf[64];
- string err = (string) get_cert_valid_before(cert, cert.length, buf, 64);
+ string err = (string) get_cert_valid_before(binary, binary.length, buf, 64);
 if (err != "") {
 IdCard.logger.error(@"get_expiration_date: get_cert_valid_before returned '$err'");
 if (&err_out != null) {
diff --git a/webprovisioning/complex-test.msht b/webprovisioning/complex-test.msht
index b09b1d0..66d65d1 100644
--- a/webprovisioning/complex-test.msht
+++ b/webprovisioning/complex-test.msht
@@ -19,6 +19,7 @@ + MIIE9jCCA96gAwIBAgIJAJ6SVDCP6o2nMA0GCSqGSIb3DQEBBQUAMIGaMQswCQYD VQQGEwJVUzELMAkGA1UECBMCTUExDzANBgNVBAcTBk1hbGRlbjEaMBgGA1UEChMR UGFpbmxlc3MgU2VjdXJpdHkxLzAtBgkqhkiG9w0BCQEWIHBvc3RtYXN0ZXJAcGFp
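Review bot: In the second hunk of src/moonshot-id.vala, `Base64.decode(cert)` receives `this.ca_cert` as stored, whereas the removed lines tolerated a value that already carried `CERT_HEADER`/`CERT_FOOTER`. A certificate that still has the PEM armor would presumably have the armor letters decoded as base64 data, and `d2i_X509()` would then reject the result. If such values can exist (not visible from this hunk), strip the armor before decoding, e.g. `if (cert.has_prefix(CERT_HEADER)) cert = cert.substring(CERT_HEADER.length);` plus the `has_suffix` equivalent for `CERT_FOOTER`. It would also help to take the error path when `binary.length == 0` rather than passing an empty buffer into the C helper. The enclosing method starts and ends outside this hunk.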
@@ -67,33 +68,31 @@ musuCxXeWkqDtw0clWg6vkf5Tb9v/JQ2PW0= - MIIE9jCCA96gAwIBAgIJAJ6SVDCP6o2nMA0GCSqGSIb3DQEBBQUAMIGaMQswCQYD -VQQGEwJVUzELMAkGA1UECBMCTUExDzANBgNVBAcTBk1hbGRlbjEaMBgGA1UEChMR -UGFpbmxlc3MgU2VjdXJpdHkxLzAtBgkqhkiG9w0BCQEWIHBvc3RtYXN0ZXJAcGFp -bmxlc3Mtc2VjdXJpdHkuY29tMSAwHgYDVQQDExdQYWlubGVzcyBTZWN1cml0eSwg -SW5jLjAeFw0xNjA4MDExNjIxMDVaFw0xOTExMTQxNjIxMDVaMIGaMQswCQYDVQQG -EwJVUzELMAkGA1UECBMCTUExDzANBgNVBAcTBk1hbGRlbjEaMBgGA1UEChMRUGFp -bmxlc3MgU2VjdXJpdHkxLzAtBgkqhkiG9w0BCQEWIHBvc3RtYXN0ZXJAcGFpbmxl -c3Mtc2VjdXJpdHkuY29tMSAwHgYDVQQDExdQYWlubGVzcyBTZWN1cml0eSwgSW5j -LjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKPiSkw1y6zMJFjnoPjd -5Bh9EA1NhQcoNxJAtgYEJtpH9a2tfjnXXncXpbIMIfMgv2VKRAxvKb+knCfSCRtU -PM9i998+ZhJY9o6SSFomlMvdaClauPvBhQvQMmJmp1WINgMUHPpzsGlj04kkl7jw -iK/oDxp1becikKc10Gr9W03aEJtOaiSqC45zeIgnz9GoQ2tJvz2DDBcddaaT1mSV -n/lk4ahPC4XaJ08Jn1L6XkVVyDGD38Rwg7r1SFI7ByBFvvQh93Fa48Z7ik0I8s48 -U1euHak2gSJ4zfzLndvGy05qMjhRTlxQu+Rt1g7CS3CLcJqqYzWNrEJWpD8Wn7iA -MIUCAwEAAaOCATswggE3MB0GA1UdDgQWBBR1qlvY7r2DqhHu5s+sCUPeqBcQuzCB -zwYDVR0jBIHHMIHEgBR1qlvY7r2DqhHu5s+sCUPeqBcQu6GBoKSBnTCBmjELMAkG -A1UEBhMCVVMxCzAJBgNVBAgTAk1BMQ8wDQYDVQQHEwZNYWxkZW4xGjAYBgNVBAoT -EVBhaW5sZXNzIFNlY3VyaXR5MS8wLQYJKoZIhvcNAQkBFiBwb3N0bWFzdGVyQHBh -aW5sZXNzLXNlY3VyaXR5LmNvbTEgMB4GA1UEAxMXUGFpbmxlc3MgU2VjdXJpdHks -IEluYy6CCQCeklQwj+qNpzAMBgNVHRMEBTADAQH/MDYGA1UdHwQvMC0wK6ApoCeG -JWh0dHA6Ly93d3cuZXhhbXBsZS5jb20vZXhhbXBsZV9jYS5jcmwwDQYJKoZIhvcN -AQEFBQADggEBAB6J5Zxvq96SdIsfEajqU+pANBiA2VTZCpxfIMAKz8KfyzWzFvCM -8epvYDliyOjw1zR9cYxhQqOcbPHrjLXheVvCePd3jCUOv+tt1Nw2gS2DiMuq37DO -BZOTlPJ3m2NnvJVO3NjB2I+Pk9v3YlG6mkiVc9dNWgO20SqT2Y+KvHqA5Of8Cb/s -uIBftctvGpIyEnqSmU7KB0nhIWe65Bsu60hjHHfX1qhJE7qGKbqNaHujssQ/SBXJ -g7HUhtywv8z3TFoYW0MoBpKGM2Ojc9kQ8f0rYvUKTiD1UfjQoll/Io5xwKy7FXtn -musuCxXeWkqDtw0clWg6vkf5Tb9v/JQ2PW0= + + MIIE9jCCA96gAwIBAgIJAJ6SVDCP6o2nMA0GCSqGSIb3DQEBBQUAMIGaMQswCQYDVQQGEwJVUzEL +MAkGA1UECBMCTUExDzANBgNVBAcTBk1hbGRlbjEaMBgGA1UEChMRUGFpbmxlc3MgU2VjdXJpdHkx 
+LzAtBgkqhkiG9w0BCQEWIHBvc3RtYXN0ZXJAcGFpbmxlc3Mtc2VjdXJpdHkuY29tMSAwHgYDVQQD +ExdQYWlubGVzcyBTZWN1cml0eSwgSW5jLjAeFw0xNjA4MDExNjIxMDVaFw0xOTExMTQxNjIxMDVa +MIGaMQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUExDzANBgNVBAcTBk1hbGRlbjEaMBgGA1UEChMR +UGFpbmxlc3MgU2VjdXJpdHkxLzAtBgkqhkiG9w0BCQEWIHBvc3RtYXN0ZXJAcGFpbmxlc3Mtc2Vj +dXJpdHkuY29tMSAwHgYDVQQDExdQYWlubGVzcyBTZWN1cml0eSwgSW5jLjCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAKPiSkw1y6zMJFjnoPjd5Bh9EA1NhQcoNxJAtgYEJtpH9a2tfjnX +XncXpbIMIfMgv2VKRAxvKb+knCfSCRtUPM9i998+ZhJY9o6SSFomlMvdaClauPvBhQvQMmJmp1WI +NgMUHPpzsGlj04kkl7jwiK/oDxp1becikKc10Gr9W03aEJtOaiSqC45zeIgnz9GoQ2tJvz2DDBcd +daaT1mSVn/lk4ahPC4XaJ08Jn1L6XkVVyDGD38Rwg7r1SFI7ByBFvvQh93Fa48Z7ik0I8s48U1eu +Hak2gSJ4zfzLndvGy05qMjhRTlxQu+Rt1g7CS3CLcJqqYzWNrEJWpD8Wn7iAMIUCAwEAAaOCATsw +ggE3MB0GA1UdDgQWBBR1qlvY7r2DqhHu5s+sCUPeqBcQuzCBzwYDVR0jBIHHMIHEgBR1qlvY7r2D +qhHu5s+sCUPeqBcQu6GBoKSBnTCBmjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1BMQ8wDQYDVQQH +EwZNYWxkZW4xGjAYBgNVBAoTEVBhaW5sZXNzIFNlY3VyaXR5MS8wLQYJKoZIhvcNAQkBFiBwb3N0 +bWFzdGVyQHBhaW5sZXNzLXNlY3VyaXR5LmNvbTEgMB4GA1UEAxMXUGFpbmxlc3MgU2VjdXJpdHks +IEluYy6CCQCeklQwj+qNpzAMBgNVHRMEBTADAQH/MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly93 +d3cuZXhhbXBsZS5jb20vZXhhbXBsZV9jYS5jcmwwDQYJKoZIhvcNAQEFBQADggEBAB6J5Zxvq96S +dIsfEajqU+pANBiA2VTZCpxfIMAKz8KfyzWzFvCM8epvYDliyOjw1zR9cYxhQqOcbPHrjLXheVvC +ePd3jCUOv+tt1Nw2gS2DiMuq37DOBZOTlPJ3m2NnvJVO3NjB2I+Pk9v3YlG6mkiVc9dNWgO20SqT +2Y+KvHqA5Of8Cb/suIBftctvGpIyEnqSmU7KB0nhIWe65Bsu60hjHHfX1qhJE7qGKbqNaHujssQ/ +SBXJg7HUhtywv8z3TFoYW0MoBpKGM2Ojc9kQ8f0rYvUKTiD1UfjQoll/Io5xwKy7FXtnmusuCxXe +WkqDtw0clWg6vkf5Tb9v/JQ2PW0= + Painless Security Server Certificate -- 2.1.4