Fix ReadCertificateBundleData

* Terminate for-loop when PEM blocks can no longer be parsed (pem.Decode returns nil). * Add test case for parsing PEM file with comments.
aws · Sep 6, 2023 · 50120ab · 50120ab
1 parent bd1863b
commit 50120ab
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 8 deletions.
diff --git a/Makefile b/Makefile
@@ -105,13 +105,20 @@ $(ECKEYS):
 $(certsdir)/cert-bundle.pem: $(RSACERTS) $(ECCERTS)
 	cat $^ > $@
 
-test-certs: $(PKCS8KEYS) $(RSAKEYS) $(ECKEYS) $(RSACERTS) $(ECCERTS) $(PKCS12CERTS) $(certsdir)/cert-bundle.pem tst/softhsm2.conf
+$(certsdir)/cert-bundle-with-comments.pem: $(RSACERTS) $(ECCERTS)
+	for dep in $^; do \
+		cat $$dep >> $@; \
+		echo "Comment in bundle\n" >> $@; \
+	done
+
+test-certs: $(PKCS8KEYS) $(RSAKEYS) $(ECKEYS) $(RSACERTS) $(ECCERTS) $(PKCS12CERTS) $(certsdir)/cert-bundle.pem $(certsdir)/cert-bundle-with-comments.pem tst/softhsm2.conf
 
 test-clean:
 	rm -f $(RSAKEYS) $(ECKEYS)
 	rm -f $(PKCS8KEYS)
 	rm -f $(RSACERTS) $(ECCERTS)
 	rm -f $(PKCS12CERTS)
 	rm -f $(certsdir)/cert-bundle.pem
+	rm -f $(certsdir)/cert-with-comments.pem
 	rm -f tst/softhsm2.conf
 	rm -rf tst/softhsm/*
diff --git a/aws_signing_helper/signer.go b/aws_signing_helper/signer.go
@@ -528,7 +528,7 @@ func ReadCertificateBundleData(certificateBundleId string) ([]*x509.Certificate,
 	for len(bytes) > 0 {
 		block, bytes = pem.Decode(bytes)
 		if block == nil {
-			return nil, errors.New("unable to parse PEM data")
+			break
 		}
 		if block.Type != "CERTIFICATE" {
 			return nil, errors.New("invalid certificate chain")
@@ -594,8 +594,8 @@ func readPKCS8PrivateKey(privateKeyId string) (crypto.PrivateKey, error) {
 
 // Reads and parses a PKCS#12 file (which should contain an end-entity
 // certificate, (optional) certificate chain, and the key associated with the
-// end-entity certificate). The end-entity certificate will be returned as the
-// first certificate in the returned chain.
+// end-entity certificate). The end-entity certificate will be the first
+// certificate in the returned chain.
 func ReadPKCS12Data(certificateId string) (certChain []*x509.Certificate, privateKey crypto.PrivateKey, err error) {
 	var (
 		bytes     []byte

diff --git a/aws_signing_helper/signer_test.go b/aws_signing_helper/signer_test.go
@@ -79,10 +79,17 @@ func TestReadInvalidCertificateData(t *testing.T) {
 }
 
 func TestReadCertificateBundleData(t *testing.T) {
-	_, err := ReadCertificateBundleData("../tst/certs/cert-bundle.pem")
-	if err != nil {
-		t.Log("Failed to read certificate bundle data")
-		t.Fail()
+	fixtures := []string{
+		"../tst/certs/cert-bundle.pem",
+		"../tst/certs/cert-bundle-with-comments.pem",
+	}
+
+	for _, fixture := range fixtures {
+		_, err := ReadCertificateBundleData(fixture)
+		if err != nil {
+			t.Log("Failed to read certificate bundle data")
+			t.Fail()
+		}
 	}
 }