[v1.9.x] do not panic when loading a V2 CA certificate (#1282)

Co-authored-by: Jack Doan <jackdoan@rivian.com>
Nate Brown
2024-12-03 09:49:54 -06:00
committed by GitHub
parent 9bfdfbafc1
commit 2e85d138cd
5 changed files with 64 additions and 39 deletions


@@ -28,6 +28,7 @@ const publicKeyLen = 32
const (
CertBanner = "NEBULA CERTIFICATE"
CertificateV2Banner = "NEBULA CERTIFICATE V2"
X25519PrivateKeyBanner = "NEBULA X25519 PRIVATE KEY"
X25519PublicKeyBanner = "NEBULA X25519 PUBLIC KEY"
EncryptedEd25519PrivateKeyBanner = "NEBULA ED25519 ENCRYPTED PRIVATE KEY"
@@ -163,6 +164,9 @@ func UnmarshalNebulaCertificateFromPEM(b []byte) (*NebulaCertificate, []byte, er
if p == nil {
return nil, r, fmt.Errorf("input did not contain a valid PEM encoded block")
}
if p.Type == CertificateV2Banner {
return nil, r, fmt.Errorf("%w: %s", ErrInvalidPEMCertificateUnsupported, p.Type)
}
if p.Type != CertBanner {
return nil, r, fmt.Errorf("bytes did not contain a proper nebula certificate banner")
}
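Review bot: The new `CertificateV2Banner` branch returns a wrapped `ErrInvalidPEMCertificateUnsupported` together with the remaining bytes `r`, but nothing visible in this hunk documents that contract, so a caller walking a multi-certificate PEM bundle cannot tell that this case is distinguishable from the plain-string banner error just below it. I would add to the function's doc comment something like `// A V2 block returns an error matching ErrInvalidPEMCertificateUnsupported (check with errors.Is); the returned remainder is still usable, so bundle loaders can continue past it.` Any caller that does skip such a block should log it, because a CA that is silently ignored changes the effective trust set; that is presumably handled in the other changed files, which are not shown here. The function body starts before this hunk and continues after it.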