[security-dev 00788]: Code review request: 6813340: X509Factory should not depend on is.available()==0

Weijun Wang Weijun.Wang at Sun.COM
Wed Apr 29 02:28:00 PDT 2009


Hi Sean and/or Andrew

Can any of you take a review at this bug fix:

  bug:
     http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6813340
  webrev:
     http://cr.openjdk.java.net/~weijun/6813340/webrev.02/

The bug is about too many is.available() usage in
X509Factory.generateXXX() methods. This means a slow stream might not be
consumed at all.

The fix introduces a new method readOneBlock() which reads a block of
data, either PEM or DER, in block mode. The method neither uses
available() nor performs any mark/reset actions.

There might be two drawbacks for this code change:

1. In order to avoid mark/reset, it uses a heuristic method to detect
the line ending of a PEM file: If the -----BEGIN----- line ends with
'\r' (or \n), it assumes the -----END---- line also ends with it. I
don't know if there are files which is hybrid. I might make another
change if you want more safety:

564  -               if (next == -1 || next == end) {
564  +               if (next == -1 || next == end || next == '\n') {

2. Since no buffering is made, the performance might hurt. However, I
simply browse the usage in JDK and find many callers actually use a
ByteArrayInputStream, so this is not a serious problem.

Thanks
Max



More information about the security-dev mailing list