code review request: 6973371: X509Factory should recognize PEM headers
sean.mullan at oracle.com
Mon Aug 2 14:10:57 PDT 2010
On 7/31/10 9:46 AM, Weijun Wang wrote:
> Yes, you're correct.
> I regard "not-working" -> "working" a fix, not a regression.
I think I would regard it as underspecified. There's nothing in
CertificateFactory.generateCertificate that says it skips non-Certificate
blocks. I suppose one could interpret it that way, but I would be wary of
changing the behavior after so many years.
Also, I'm wondering why the submitter could not have caught the exception and
continued to read the rest of the data?
> Thanks Max
> On Jul 31, 2010, at 12:46 AM, Sean Mullan wrote:
>> Hi Max,
>> I'm not sure about this change. There's a definitely a change in behavior.
>> Before generateCertificate would only read one PEM block from the stream,
>> and throw an exception if it wasn't a certificate. But the current fix
>> ignores non certificate blocks until it finds a certificate or end of
>> stream, right?
>> On 7/30/10 2:39 AM, Weijun Wang wrote:
>>> Hi Sean
>>> 6973371: X509Factory should recognize PEM headers
>>> Please review the webrev:
>>> There is one place I haven't touched, generateCertPath. PKCS #7 PEM block
>>> should begin with -----BEGIN PKCS7-----, or as described in , with
>>> -----BEGIN CERTIFICATE-----. But what about a PKIPATH data block?
>>> Thanks Max
>>> === *Description*
>>> ============================================================ Currently,
>>> when X509Factory tries to read certificate or CRL from a PEM file, it
>>> simply finds a block starting with "-----BEGIN STH-----" and ending with
>>> "-----END STH-----", and does not care what this STH is at all.
>>> There are third-party tools that generates a PEM file containing
>>> different kinds of PEM blocks. For example, "openssl pkcs12" can read in
>>> a PKCS #12 file and output private key and certficates into a single PEM
>>> file. If we want Java to read certificates from this file, we must take
>>> care to remove any private key block first. This is quite troublesome.
>>> *** (#1 of 1): 2010-07-30 03:40:21 GMT+00:00 weijun.wang at sun.com
>>>  http://www.openssl.org/docs/apps/pkcs7.html#NOTES
More information about the security-dev