globalsign · 61131 · Dec 18, 2023 · Dec 18, 2023 · Mar 7, 2024 · May 1, 2024
diff --git a/client.go b/client.go
@@ -256,14 +256,6 @@ func (c *Client) ServerKeyGen(ctx context.Context, r *x509.CertificateRequest) (
 			return nil, nil, fmt.Errorf("more than %d parts in HTTP response", numParts)
 		}
 
-		// Check content-transfer-encoding is as expected, and read the part
-		// body.
-		if ce := part.Header.Get(transferEncodingHeader); ce == "" {
-			return nil, nil, fmt.Errorf("missing %s header", transferEncodingHeader)
-		} else if strings.ToUpper(ce) != strings.ToUpper(encodingTypeBase64) {
-			return nil, nil, fmt.Errorf("unexpected %s: %s", transferEncodingHeader, ce)
-		}
-
 		// Process based on the part's content-type. Per RFC7030 4.4.2, if
 		// additional encryption is not being employed, the private key data
 		// must be placed in an application/pkcs8 part. Otherwise, it must

diff --git a/est_test.go b/est_test.go
@@ -727,31 +727,6 @@ func TestServerErrors(t *testing.T) {
 			status:  http.StatusUnsupportedMediaType,
 			errText: "415 malformed or missing Content-Type header\n",
 		},
-		{
-			name:   "Enroll/BadContentTransferEncoding",
-			path:   enrollEndpoint,
-			method: http.MethodPost,
-			headers: http.Header{
-				typeHeader:          []string{mimeTypePKCS10},
-				encodingHeader:      []string{encodingBinary},
-				authorizationHeader: []string{authorizationValue},
-				hostHeader:          []string{testDomain},
-			},
-			status:  http.StatusUnsupportedMediaType,
-			errText: "415 Content-Transfer-Encoding must be base64\n",
-		},
-		{
-			name:   "Enroll/MissingContentTransferEncoding",
-			path:   enrollEndpoint,
-			method: http.MethodPost,
-			headers: http.Header{
-				typeHeader:          []string{mimeTypePKCS10},
-				authorizationHeader: []string{authorizationValue},
-				hostHeader:          []string{testDomain},
-			},
-			status:  http.StatusUnsupportedMediaType,
-			errText: "415 missing Content-Transfer-Encoding header\n",
-		},
 		{
 			name:   "Enroll/BadBase64",
 			path:   enrollEndpoint,

diff --git a/http.go b/http.go
@@ -245,17 +245,6 @@ func verifyResponseType(r *http.Response, t, e string) error {
 		return fmt.Errorf("unexpected %s: %s", contentTypeHeader, ctype)
 	}
 
-	cenc := r.Header.Get(transferEncodingHeader)
-	if cenc == "" {
-		return fmt.Errorf("missing %s header", transferEncodingHeader)
-	}
-
-	// Content-Transfer-Encoding values are not case sensitive per RFC 2045
-	// section 6.
-	if strings.ToUpper(cenc) != strings.ToUpper(e) {
-		return fmt.Errorf("unexpected %s: %s", transferEncodingHeader, cenc)
-	}
-
 	return nil
 }
 
@@ -272,17 +261,6 @@ func verifyPartTypeResponse(part *multipart.Part, t, e string) error {
 		return fmt.Errorf("unexpected %s: %s", contentTypeHeader, ctype)
 	}
 
-	cenc := part.Header.Get(transferEncodingHeader)
-	if cenc == "" {
-		return fmt.Errorf("missing %s header", transferEncodingHeader)
-	}
-
-	// Content-Transfer-Encoding values are not case sensitive per RFC 2045
-	// section 6.
-	if strings.ToUpper(cenc) != strings.ToUpper(e) {
-		return fmt.Errorf("unexpected %s: %s", transferEncodingHeader, cenc)
-	}
-
 	return nil
 }
 
@@ -307,29 +285,6 @@ func verifyRequestType(have, want string) error {
 	return nil
 }
 
-// verifyRequestEncoding verifies if the content-transfer-encoding of an HTTP
-// request is as expected. It returns an error implementing Error and is
-// intended to be used by server code.
-func verifyRequestEncoding(have, want string) error {
-	if have == "" {
-		return &estError{
-			status: http.StatusUnsupportedMediaType,
-			desc:   fmt.Sprintf("missing %s header", transferEncodingHeader),
-		}
-	}
-
-	// Content-Transfer-Encoding values are not case sensitive per RFC 2045
-	// section 6.
-	if strings.ToUpper(have) != strings.ToUpper(want) {
-		return &estError{
-			status: http.StatusUnsupportedMediaType,
-			desc:   fmt.Sprintf("%s must be %s", transferEncodingHeader, want),
-		}
-	}
-
-	return nil
-}
-
 // writeResponse writes headers, a status code, and an object containing the
 // body to an HTTP response. If encode is true, the object is base64-encoded.
 // The appropriate encoding is chosen according to the object's type.

diff --git a/http_test.go b/http_test.go
@@ -66,29 +66,6 @@ func TestVerifyResponseType(t *testing.T) {
 			e:   "base64",
 			err: errors.New("missing or malformed Content-Type header: mime: no media type"),
 		},
-		{
-			name: "WrongEncoding",
-			r: &http.Response{
-				Header: http.Header{
-					"Content-Type":              []string{"application/pkcs7; smime-type=certs-only"},
-					"Content-Transfer-Encoding": []string{"base64"},
-				},
-			},
-			t:   "application/pkcs7",
-			e:   "binary",
-			err: errors.New("unexpected Content-Transfer-Encoding: base64"),
-		},
-		{
-			name: "MissingEncoding",
-			r: &http.Response{
-				Header: http.Header{
-					"Content-Type": []string{"application/pkcs7; smime-type=certs-only"},
-				},
-			},
-			t:   "application/pkcs7",
-			e:   "base64",
-			err: errors.New("missing Content-Transfer-Encoding header"),
-		},
 		{
 			name: "BadTypeParameter",
 			r: &http.Response{

diff --git a/server.go b/server.go
@@ -170,16 +170,12 @@ func NewRouter(cfg *ServerConfig) (http.Handler, error) {
 
 		r.With(
 			requireContentType(mimeTypePKCS10),
-		).With(
-			requireTransferEncoding(encodingTypeBase64),
 		).With(
 			requireBasicAuth(cfg.CheckBasicAuth, true),
 		).Post(enrollEndpoint, enroll)
 
 		r.With(
 			requireContentType(mimeTypePKCS10),
-		).With(
-			requireTransferEncoding(encodingTypeBase64),
 		).With(
 			requireBasicAuth(cfg.CheckBasicAuth, true),
 		).With(
@@ -188,8 +184,6 @@ func NewRouter(cfg *ServerConfig) (http.Handler, error) {
 
 		r.With(
 			requireContentType(mimeTypePKCS10),
-		).With(
-			requireTransferEncoding(encodingTypeBase64),
 		).With(
 			requireBasicAuth(cfg.CheckBasicAuth, true),
 		).Post(serverkeygenEndpoint, serverkeygen)
@@ -207,16 +201,12 @@ func NewRouter(cfg *ServerConfig) (http.Handler, error) {
 
 			r.With(
 				requireContentType(mimeTypePKCS10),
-			).With(
-				requireTransferEncoding(encodingTypeBase64),
 			).With(
 				requireBasicAuth(cfg.CheckBasicAuth, true),
 			).Post(enrollEndpoint, enroll)
 
 			r.With(
 				requireContentType(mimeTypePKCS10),
-			).With(
-				requireTransferEncoding(encodingTypeBase64),
 			).With(
 				requireBasicAuth(cfg.CheckBasicAuth, true),
 			).With(
@@ -225,8 +215,6 @@ func NewRouter(cfg *ServerConfig) (http.Handler, error) {
 
 			r.With(
 				requireContentType(mimeTypePKCS10),
-			).With(
-				requireTransferEncoding(encodingTypeBase64),
 			).With(
 				requireBasicAuth(cfg.CheckBasicAuth, true),
 			).Post(serverkeygenEndpoint, serverkeygen)
@@ -615,20 +603,6 @@ func requireContentType(t string) func(next http.Handler) http.Handler {
 	}
 }
 
-// requireTransferEncoding is middleware which rejects a request if the content
-// transfer encoding is not as stated.
-func requireTransferEncoding(e string) func(next http.Handler) http.Handler {
-	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			if err := verifyRequestEncoding(r.Header.Get(transferEncodingHeader), e); err != nil {
-				writeOnError(r.Context(), w, logMsgTransferEncodingInvalid, err)
-				return
-			}
-			next.ServeHTTP(w, r)
-		})
-	}
-}
-
 // addServerHeader is middleware which writes to an HTTP response a Server HTTP
 // header. Including too much detail (such as an operating system version) in
 // this header can be a security risk, but including enough detail can sometimes