pem: Handle BER indefinite length encoding as binary ASN.1
authorMartin Willi <martin@revosec.ch>
Tue, 9 Dec 2014 13:19:39 +0000 (14:19 +0100)
committerTobias Brunner <tobias@strongswan.org>
Fri, 12 Dec 2014 12:11:29 +0000 (13:11 +0100)
While our ASN.1 parser can't handle BER indefinite length encoding, the OpenSSL
backend can. Some PKCS#12 containers get encoded this way, so we should
support loading such files in the pem plugin.

src/libstrongswan/plugins/pem/pem_builder.c

index 62780c3841f785fd332b108f9383eb3f2f7a8b01..f0e508abf905057bd8d69afec67b4f2dec0c532e 100644 (file)
@@ -364,6 +364,29 @@ static status_t pem_to_bin(chunk_t *blob, bool *pgp)
        return status;
 }
 
+/**
+ * Check if a blob looks like an ASN1 SEQUENCE or SET with BER indefinite length
+ */
+static bool is_ber_indefinite_length(chunk_t blob)
+{
+       if (blob.len >= 4)
+       {
+               switch (blob.ptr[0])
+               {
+                       case ASN1_SEQUENCE:
+                       case ASN1_SET:
+                               /* BER indefinite length uses 0x80, and is terminated with
+                                * end-of-content using 0x00,0x00 */
+                               return blob.ptr[1] == 0x80 &&
+                                          blob.ptr[blob.len - 2] == 0 &&
+                                          blob.ptr[blob.len - 1] == 0;
+                       default:
+                               break;
+               }
+       }
+       return FALSE;
+}
+
 /**
  * load the credential from a blob
  */
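Review bot: is_ber_indefinite_length() accepts a blob on the strength of four bytes only — the outer SEQUENCE/SET tag, the 0x80 length octet and the final 0x00,0x00 pair — so any input with that framing now bypasses is_asn1() in load_from_blob() and is handed to the credential builders as binary ASN.1, whether or not the bytes in between are well-formed BER. That is fine only because the builder consuming the blob (the OpenSSL backend named in the description) still parses and validates the full structure, and the header comment should state that contract so nobody later treats this as a real BER check, e.g. `/* Heuristic only: tests the outer tag, the indefinite-length octet and the trailing EOC; the consuming builder must still validate the structure. */`. A file with anything after the trailing EOC (a stray newline, for instance) fails this test and falls through to pem_to_bin(), which will presumably reject it too — worth a sentence in the comment if such files show up in practice.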
@@ -374,7 +397,7 @@ static void *load_from_blob(chunk_t blob, credential_type_t type, int subtype,
        bool pgp = FALSE;
 
        blob = chunk_clone(blob);
-       if (!is_asn1(blob))
+       if (!is_ber_indefinite_length(blob) && !is_asn1(blob))
        {
                if (pem_to_bin(&blob, &pgp) != SUCCESS)
                {