From 6424b063f28c7de7526b792b3ea1a0ae946ef9b2 Mon Sep 17 00:00:00 2001
From: Michael Jumper
Date: Wed, 8 Mar 2023 09:34:26 -0800
Subject: [PATCH 1/2] GUACAMOLE-839: Correct WildcardURIGuacamoleProperty to correctly handle missing (null) properties.

---
 .../guacamole/auth/ssl/conf/WildcardURIGuacamoleProperty.java | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/conf/WildcardURIGuacamoleProperty.java b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/conf/WildcardURIGuacamoleProperty.java
index d237d8031..ab08ee308 100644
--- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/conf/WildcardURIGuacamoleProperty.java
+++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/conf/WildcardURIGuacamoleProperty.java
@@ -45,6 +45,9 @@ public abstract class WildcardURIGuacamoleProperty extends URIGuacamoleProperty
     @Override
     public URI parseValue(String value) throws GuacamoleException {
 
+        if (value == null)
+            return null;
+
         // Verify wildcard prefix is present
         Matcher matcher = WILDCARD_URI_PATTERN.matcher(value);
         if (matcher.matches()) {

From f98901f933a6601dc9865d61e8423cd0cebaed02 Mon Sep 17 00:00:00 2001
From: Michael Jumper
Date: Wed, 8 Mar 2023 09:34:52 -0800
Subject: [PATCH 2/2] GUACAMOLE-839: Add sanity checks around parsed PEM data, which may indeed be null.

---
 .../auth/ssl/SSLClientAuthenticationResource.java | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
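Review bot: The new null guard at the top of parseValue makes "property not set" observable to callers only as a null return, and nothing visible in the hunk documents that; the method's Javadoc sits outside the hunk, so add `@return the parsed wildcard URI, or null if the property has no value` there so every caller knows it must null-check the result. Whether the parent URIGuacamoleProperty.parseValue contract already permits a null return cannot be checked from this hunk. The rest of parseValue, including the branch taken when the wildcard pattern does not match, is also outside the hunk.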
diff --git a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/SSLClientAuthenticationResource.java b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/SSLClientAuthenticationResource.java
index 787bf3e52..984a68f34 100644
--- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/SSLClientAuthenticationResource.java
+++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/SSLClientAuthenticationResource.java
@@ -253,7 +253,20 @@ public class SSLClientAuthenticationResource extends SSOResource {
         try (Reader reader = new StringReader(new String(certificate, StandardCharsets.UTF_8))) {
 
             PEMParser parser = new PEMParser(reader);
-            cert = (X509CertificateHolder) parser.readObject();
+            Object object = parser.readObject();
+
+            // Verify received data is indeed an X.509 certificate
+            if (object == null || !(object instanceof X509CertificateHolder))
+                throw new GuacamoleClientException("Certificate did not " + "contain an X.509 certificate.");
+
+            // Verify sanity of received certificate (there should be only
+            // one object here)
+            if (parser.readObject() != null)
+                throw new GuacamoleClientException("Certificate contains " + "more than a single X.509 certificate.");
+
+            cert = (X509CertificateHolder) object;
 
             // Verify certificate is valid (it should be given pre-validation
             // from SSL termination, but it's worth rechecking for sanity)
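Review bot: The `object == null ||` term in the added instanceof check is redundant, since `instanceof` already evaluates to false for null, so `if (!(object instanceof X509CertificateHolder))` expresses the same rejection with less to read. The second check rejects any trailing PEM object, not only a second certificate, so its message would be more accurate as `"Certificate contains more than one PEM object."`, though the current wording may be deliberate. PEMParser.readObject() also throws IOException on malformed PEM input; the try-with-resources opens in this hunk but whatever handles that exception lies outside it, so it cannot be confirmed here that a malformed header produces a client error rather than a server error.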