code review request: 6973371: X509Factory should recognize PEM headers

Weijun Wang Weijun.Wang at Sun.COM
Mon Aug 2 01:29:57 UTC 2010


Re-send mail. Probably lost during a mail server outage.

On 07/31/2010 09:46 PM, Weijun Wang wrote:
> Yes, you're correct.
>
> I regard "not-working" ->  "working" a fix, not a regression.
>
> Thanks
> Max
>
>
>
> On Jul 31, 2010, at 12:46 AM, Sean Mullan wrote:
>
>> Hi Max,
>>
>> I'm not sure about this change. There's definitely a change in behavior. Before generateCertificate would only read one PEM block from the stream, and throw an exception if it wasn't a certificate. But the current fix ignores non certificate blocks until it finds a certificate or end of stream, right?
>>
>> --Sean
>>
>> On 7/30/10 2:39 AM, Weijun Wang wrote:
>>> Hi Sean
>>>
>>> 6973371: X509Factory should recognize PEM headers
>>>
>>> Please review the webrev:
>>> http://cr.openjdk.java.net/~weijun/6973371/webrev.00/
>>>
>>> There is one place I haven't touched, generateCertPath. PKCS #7 PEM
>>> block should begin with -----BEGIN PKCS7-----, or as described in [1],
>>> with -----BEGIN CERTIFICATE-----. But what about a PKIPATH data block?
>>>
>>> Thanks
>>> Max
>>>
>>>
>>> === *Description*
>>> ============================================================
>>> Currently, when X509Factory tries to read certificate or CRL from a PEM
>>> file, it simply finds a block starting with "-----BEGIN STH-----" and
>>> ending with "-----END STH-----", and does not care what this STH is at all.
>>>
>>> There are third-party tools that generate a PEM file containing
>>> different kinds of PEM blocks. For example, "openssl pkcs12" can read in
>>> a PKCS #12 file and output private key and certificates into a single PEM
>>> file. If we want Java to read certificates from this file, we must take
>>> care to remove any private key block first. This is quite troublesome.
>>>
>>> *** (#1 of 1): 2010-07-30 03:40:21 GMT+00:00 weijun.wang at sun.com
>>>
>>> [1] http://www.openssl.org/docs/apps/pkcs7.html#NOTES
>
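As an added illustration of the two behaviours discussed in this thread (this is not code from the webrev or from the JDK; X509Factory itself is Java), the following Python scanner walks a mixed PEM file of the kind "openssl pkcs12" emits, with a PRIVATE KEY block ahead of the certificates. The function names and the sample input are assumptions: the payloads are placeholder bytes rather than real DER, so the example runs offline. first_block_label() models the old rule (take the first -----BEGIN STH----- block regardless of STH, which here yields the private key and would then fail certificate parsing); certificates() models the fix (skip blocks whose label is not CERTIFICATE). The scanner also checks that each END label matches its BEGIN label and ignores the "Bag Attributes" lines openssl writes between blocks.

```python
import base64
import re


def _block(label, payload):
    """Build one PEM block with the body wrapped at 64 columns (constructed data)."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


# Constructed sample in the shape of "openssl pkcs12 -nodes" output: attribute
# lines, then a private key, then two certificates. Payloads are NOT real DER.
SAMPLE_PEM = (
    "Bag Attributes\n    friendlyName: test\n"
    + _block("PRIVATE KEY", b"constructed private key bytes")
    + _block("CERTIFICATE", b"constructed leaf cert bytes")
    + _block("CERTIFICATE", b"constructed ca cert bytes")
)

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def pem_blocks(text):
    """Yield (label, payload_bytes) for each PEM block in order.

    Text outside blocks (openssl 'Bag Attributes', comments) is ignored, and a
    mismatched END label or an unterminated block raises ValueError.
    """
    label = None
    body = []
    for raw in text.splitlines():
        line = raw.strip()
        if label is None:
            m = _BEGIN.match(line)
            if m:
                label = m.group(1)
                body = []
            continue
        m = _END.match(line)
        if m:
            if m.group(1) != label:
                raise ValueError("END %s does not match BEGIN %s" % (m.group(1), label))
            yield label, base64.b64decode("".join(body), validate=True)
            label = None
        elif line and ":" not in line:
            # Lines with ':' are encapsulated headers (e.g. Proc-Type:), not base64.
            body.append(line)
    if label is not None:
        raise ValueError("unterminated PEM block: %s" % label)


def first_block_label(text):
    """Old rule from the bug description: grab the first BEGIN/END block, any label."""
    for label, _payload in pem_blocks(text):
        return label
    raise ValueError("no PEM block found")


def certificates(text):
    """Fixed rule: return payloads of CERTIFICATE blocks only, skipping the rest."""
    return [payload for label, payload in pem_blocks(text) if label == "CERTIFICATE"]


def is_well_formed(text):
    """True when every block is terminated by a matching END label."""
    try:
        list(pem_blocks(text))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("old rule picks:", first_block_label(SAMPLE_PEM))
    print("fixed rule finds %d certificate(s)" % len(certificates(SAMPLE_PEM)))
```

On the sample, the old rule lands on the PRIVATE KEY block, which is exactly the case the bug reports having to strip by hand; the fixed rule returns the two certificate payloads and never touches the key material.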


