GUACAMOLE-839: Add sanity checks around parsed PEM data, which may indeed be null.

2025-09-06 05:07:41 +00:00 · 2023-03-08 09:34:52 -08:00
parent 6424b063f2
commit f98901f933
1 changed files with 14 additions and 1 deletions
--- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/SSLClientAuthenticationResource.java
+++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/SSLClientAuthenticationResource.java
@@ -253,7 +253,20 @@ public class SSLClientAuthenticationResource extends SSOResource {
        try (Reader reader = new StringReader(new String(certificate, StandardCharsets.UTF_8))) {

            PEMParser parser = new PEMParser(reader);
-            cert = (X509CertificateHolder) parser.readObject();
+            Object object = parser.readObject();
+
+            // Verify received data is indeed an X.509 certificate
+            if (object == null || !(object instanceof X509CertificateHolder))
+                throw new GuacamoleClientException("Certificate did not "
+                        + "contain an X.509 certificate.");
+
+            // Verify sanity of received certificate (there should be only
+            // one object here)
+            if (parser.readObject() != null)
+                throw new GuacamoleClientException("Certificate contains "
+                        + "more than a single X.509 certificate.");
+
+            cert = (X509CertificateHolder) object;

            // Verify certificate is valid (it should be given pre-validation
            // from SSL termination, but it's worth rechecking for sanity)