I have an application in which I read all certificate information at startup before switching to a very restricted user which doesn't have access to the files. I do this with IO::Socket::SSL::Utils::PEM_file2cert, then use the value later for the SSL_cert / SSL_ca / SSL_client_ca attributes.
Unfortunately, the helper only reads the first certificate from the file. In many cases, e.g. for certificate chains, it will actually contain multiple concatenated certificates though. I didn't find any builtin way to read all certificates from a file/string, so I came up with this modified version:
use constant PEM_R_NO_START_LINE => 0x0906D06C;
sub PEM_file2certs {
my $file = shift;
my $bio = Net::SSLeay::BIO_new_file($file,'r') or
croak "cannot read $file: $!";
my @certs;
while (1) {
if (my $cert = Net::SSLeay::PEM_read_bio_X509($bio)) {
push @certs, $cert;
} else {
Net::SSLeay::BIO_free($bio);
my $error = Net::SSLeay::ERR_get_error();
last if $error == PEM_R_NO_START_LINE && @certs;
croak "cannot parse $file as PEM X509 cert: " . Net::SSLeay::ERR_error_string($error);
}
}
return \@certs;
}
The same algorithm is used in OpenSSL and it's working fine for me.
Could you please consider adding such variants of PEM_file2cert and PEM_string2cert upstream? Obviously, the constant shouldn't be hardcoded. I also don't know your preferences on returning an array reference vs. a list, separate functions vs.
wantarray detection and code style in general, that's why I just paste my code rather than trying to open a PR.
I have an application in which I read all certificate information at startup before switching to a very restricted user which doesn't have access to the files. I do this with
IO::Socket::SSL::Utils::PEM_file2cert
, then use the value later for theSSL_cert
/SSL_ca
/SSL_client_ca
attributes.Unfortunately, the helper only reads the first certificate from the file. In many cases, e.g. for certificate chains, it will actually contain multiple concatenated certificates though. I didn't find any builtin way to read all certificates from a file/string, so I came up with this modified version:
The same algorithm is used in OpenSSL and it's working fine for me.
Could you please consider adding such variants of
PEM_file2cert
andPEM_string2cert
upstream? Obviously, the constant shouldn't be hardcoded. I also don't know your preferences on returning an array reference vs. a list, separate functions vs.wantarray
detection and code style in general, that's why I just paste my code rather than trying to open a PR.