Allow formatting of certificates that contain \r

id4ho · id4ho · commit 508816fc6585 · 2018-01-26T14:58:44.000-08:00
If an idp_cert contains a '\r' it can blow up upon response validation
with `OpenSSL::X509::CertificateError: nested asn1 error` even if the
cert is otherwise valid (or would have been post-formatting).

From the way `OneLogin::RubySaml::Utils.format_cert` is implemented it
would appear that it *is* expected for '\r's to be present since it
tries to strip them appropriately during the formatting below the guard
statement. Unfortunately, the guard statement at the top short circuits
the formatter when certificates contain '\r' since:
```
irb:0&gt; "asldfkj\r".match(/\x0d/)
=&gt; #&lt;MatchData "\r"&gt;
```

Removing the `cert.match(/\x0d/)` doesn't actually break any specs but
from the comment it seems that it may have been intended to ensure
that encoded certs (i.e. .der) are not run through the formatter. I've
added a `.der` cert to `tests/certificates` and asserted that it isn't
changed when run through `format_cert` by checking for `ascii_only?`.
diff --git a/lib/onelogin/ruby-saml/utils.rb b/lib/onelogin/ruby-saml/utils.rb
@@ -22,7 +22,7 @@ class Utils
       #
       def self.format_cert(cert)
         # don't try to format an encoded certificate or if is empty or nil
-        return cert if cert.nil? || cert.empty? || cert.match(/\x0d/)
+        return cert if cert.nil? || cert.empty? || !cert.ascii_only?
 
         if cert.scan(/BEGIN CERTIFICATE/).length > 1
           formatted_cert = []
diff --git a/test/certificates/certificate.der b/test/certificates/certificate.der
diff --git a/test/utils_test.rb b/test/utils_test.rb
@@ -29,6 +29,11 @@ class UtilsTest < Minitest::Test
       assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_certificate2)
     end
 
+    it "returns the cert when it's encoded" do
+      encoded_certificate = read_certificate("certificate.der")
+      assert_equal encoded_certificate, OneLogin::RubySaml::Utils.format_cert(encoded_certificate)
+    end
+
     it "reformats the certificate when there line breaks and no headers" do
       invalid_certificate3 = read_certificate("invalid_certificate3")
       assert_equal formatted_certificate, OneLogin::RubySaml::Utils.format_cert(invalid_certificate3)

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ class Utils`
`22`	`22`	`#`
`23`	`23`	`def self.format_cert(cert)`
`24`	`24`	`# don't try to format an encoded certificate or if is empty or nil`
`25`		`- return cert if cert.nil? \|\| cert.empty? \|\| cert.match(/\x0d/)`
	`25`	`+ return cert if cert.nil? \|\| cert.empty? \|\| !cert.ascii_only?`
`26`	`26`
`27`	`27`	`if cert.scan(/BEGIN CERTIFICATE/).length > 1`
`28`	`28`	`formatted_cert = []`