From fd546287acf41504075dcb851df013f3ab0dad82 Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Wed, 25 May 2022 22:46:26 +0200
Subject: [PATCH] Strip base64-url padding from ACME CSR

This commit strips the padding from a base64-url encoded CSR submitted by a client that doesn't use raw base64-url encoding.
---
 acme/api/order.go | 8 +++++++-
 acme/api/order_test.go | 7 +++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/acme/api/order.go b/acme/api/order.go
index c37285d2..5ca1e014 100644
--- a/acme/api/order.go
+++ b/acme/api/order.go
@@ -54,7 +54,13 @@ type FinalizeRequest struct {
 // Validate validates a finalize request body.
 func (f *FinalizeRequest) Validate() error {
 var err error
- csrBytes, err := base64.RawURLEncoding.DecodeString(f.CSR)
+ // RFC 8555 isn't 100% conclusive about using raw base64-url encoding for the
+ // CSR specifically, instead of "normal" base64-url encoding (incl. padding).
+ // By trimming the padding from CSRs submitted by ACME clients that use
+ // base64-url encoding instead of raw base64-url encoding, these are also
+ // supported. This was reported in https://github.com/smallstep/certificates/issues/939
+ // to be the case for a Synology DSM NAS system.
+ csrBytes, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(f.CSR, "="))
 if err != nil {
 return acme.WrapError(acme.ErrorMalformedType, err, "error base64url decoding csr")
 }
diff --git a/acme/api/order_test.go b/acme/api/order_test.go
index 35abab65..088ebf6e 100644
--- a/acme/api/order_test.go
+++ b/acme/api/order_test.go
@@ -210,6 +210,13 @@ func TestFinalizeRequestValidate(t *testing.T) {
 },
 }
 },
+ "ok/padding": func(t *testing.T) test {
+ return test{
+ fr: &FinalizeRequest{
+ CSR: base64.RawURLEncoding.EncodeToString(csr.Raw) + "==", // add intentional padding
+ },
+ }
+ },
 }
 for name, run := range tests {
 tc := run(t)
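Review bot: `strings.TrimRight(f.CSR, "=")` on the new decode line accepts any run of trailing `=`, so inputs such as `...Q=====` or a bare `====` are silently normalised instead of being rejected as malformed, which is looser than either the raw or the padded base64url form allows. A tighter way to admit padded clients is to fall back to the strict padded decoder only when the raw decode fails: `csrBytes, err := base64.RawURLEncoding.DecodeString(f.CSR)` followed by `if err != nil { csrBytes, err = base64.URLEncoding.DecodeString(f.CSR) }`, which accepts exactly the correctly padded form and removes the `strings` dependency from this line. The diffstat shows no import change, so `strings` is presumably already imported in order.go; worth confirming. The comment's "isn't 100% conclusive" is also worth softening, since RFC 8555 §6.1 (via RFC 7515) says trailing `=` MUST be stripped and §7.4 notes the csr field should not be padded, so something like `// Deliberately lenient: RFC 8555 §6.1 forbids padding, but some clients send it anyway.` states the intent more accurately. Validate's body continues past the hunk, so the later CSR parsing and signature checks are assumed here, not seen.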
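Review bot: The new `ok/padding` case appends a fixed `"=="` to the raw encoding regardless of `len(csr.Raw) % 3`, so it exercises the trim-anything behaviour rather than the input a padded client would actually send. Using `CSR: base64.URLEncoding.EncodeToString(csr.Raw), // padded base64url, as sent by some clients` produces the exact padding for the fixture and keeps the test meaningful if the server later tightens to strict padded decoding. A companion `fail/` case for malformed padding (for example `"===="` alone, or `=` in the middle of the string) would pin down what Validate is expected to reject. The tests map and Validate's other cases begin before this hunk.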