when using ottca enrollment er->cert is null and segfaults on strlen

.github/workflows/build-release.yml

@@ -20,8 +20,8 @@ jobs:
           - { name: 'Linux x86_64', runner: 'ubuntu-20.04', target: 'linux-x64', builder: 'openziti/ziti-builder:1.0.7' }
           - { name: 'Linux ARM', runner: 'ubuntu-20.04', target: 'linux-arm', builder: 'openziti/ziti-builder:1.0.7' }
           - { name: 'Linux ARM64', runner: 'ubuntu-20.04', target: 'linux-arm64', builder: 'openziti/ziti-builder:1.0.7' }
-          - { name: 'MacOS x86_64', runner: 'macOS-11', target: 'macOS-x64' }
-          - { name: 'MacOS arm64', runner: 'macOS-11', target: 'macOS-arm64' }
+          - { name: 'MacOS x86_64', runner: 'macOS-13', target: 'macOS-x64' }
+          - { name: 'MacOS arm64', runner: 'macOS-13', target: 'macOS-arm64' }
           - { name: 'Windows x86_64', runner: 'windows-2022', target: 'windows-x64' }
           - { name: 'Windows ARM64', runner: 'windows-2022', target: 'windows-arm64' }
 

.github/workflows/cmake.yml

@@ -22,8 +22,8 @@ jobs:
           - { name: 'Linux x86_64', runner: 'ubuntu-20.04', target: 'linux-x64', builder: 'openziti/ziti-builder:1.0.11', test: 'true' }
           - { name: 'Linux ARM', runner: 'ubuntu-20.04', target: 'linux-arm', builder: 'openziti/ziti-builder:1.0.11' }
           - { name: 'Linux ARM64', runner: 'ubuntu-20.04', target: 'linux-arm64', builder: 'openziti/ziti-builder:1.0.11' }
-          - { name: 'MacOS x86_64', runner: 'macOS-11', target: 'macOS-x64', test: 'true' }
-          - { name: 'MacOS arm64', runner: 'macOS-11', target: 'macOS-arm64' }
+          - { name: 'MacOS x86_64', runner: 'macOS-13', target: 'macOS-x64', test: 'true' }
+          - { name: 'MacOS arm64', runner: 'macOS-13', target: 'macOS-arm64' }
           - { name: 'Windows x86_64', runner: 'windows-2022', target: 'windows-x64', test: 'true' }
           - { name: 'Windows ARM64', runner: 'windows-2022', target: 'windows-arm64' }
     steps:

library/ziti.c

@@ -104,8 +104,11 @@
     if (val != NULL) {
         if (strncmp("file:", val, 5) == 0) {
             // load file
-            *res = val + strlen("file://");
-            len = strlen(*res) + 1;
+            struct tlsuv_url_s url;
+            tlsuv_parse_url(&url, val);
+            size_t start = strlen(val) - strlen(url.path);
+            *res = url.path;
+            len = url.path_len;
         } else if (strncmp("pem:", val, 4) == 0) {
             // load inline PEM
             *res = val + 4;
@@ -212,14 +215,14 @@
     ziti_context ctx = NULL;
     PREPF(ziti, ziti_errorstr);
 
     if (options->config == NULL) {
         ZITI_LOG(ERROR, "config or controller/tls has to be set");
         return ZITI_INVALID_CONFIG;
     }
     ctx = calloc(1, sizeof(*ctx));
 
     if (options->config != NULL) {
         TRY(ziti, ziti_load_config(&ctx->config, options->config));
     }
 
     if (ctx->config.id.ca && strncmp(ctx->config.id.ca, "file://", strlen("file://")) == 0) {

library/ziti_enroll.c

@@ -104,7 +104,7 @@
     if (opts->jwt) {
         TRY(ziti, load_jwt(opts->jwt, ecfg, &ecfg->zejh, &ecfg->zej));
     } else {
         ecfg->raw_jwt = opts->jwt_content;
         TRY(ziti, load_jwt_content(ecfg, &ecfg->zejh, &ecfg->zej));
     }
     TRY(ziti, check_cert_required(ecfg));
@@ -237,8 +237,7 @@
         if (enroll_req->enroll_cb) {
             enroll_req->enroll_cb(NULL, ZITI_JWT_INVALID, err->code, enroll_req->external_enroll_ctx);
         }
-    }
-    else {
+    } else {
         ZITI_LOG(DEBUG, "successfully enrolled with controller %s", ctrl->url);
 
         ziti_config cfg = {0};
@@ -247,12 +246,11 @@
         cfg.id.key = strdup(enroll_req->ecfg->private_key);
 
         tls_cert c = NULL;
-        if (enroll_req->ecfg->tls->load_cert(&c, er->cert, strlen(er->cert)) == 0 &&
+        if (er->cert != NULL && enroll_req->ecfg->tls->load_cert(&c, er->cert, strlen(er->cert)) == 0 &&
             enroll_req->ecfg->pk->store_certificate != NULL &&
             enroll_req->ecfg->pk->store_certificate(enroll_req->ecfg->pk, c) == 0) {
             ZITI_LOG(INFO, "stored certificate to PKCS#11 token");
-        }
-        else {
+        } else {
             cfg.id.cert = er->cert ? strdup(er->cert) : strdup(enroll_req->ecfg->own_cert);
         }