code review request: 6973371: X509Factory should recognize PEM headers

Weijun Wang Weijun.Wang at Sun.COM
Mon Aug 2 17:38:37 PDT 2010



On 08/03/2010 05:10 AM, Sean Mullan wrote:
> On 7/31/10 9:46 AM, Weijun Wang wrote:
>> Yes, you're correct.
>>
>> I regard "not-working" -> "working" a fix, not a regression.
>
> I think I would regard it as underspecified. There's nothing in
> CertificateFactory.generateCertificate that says it skips non-Certificate
> blocks. I suppose one could interpret it that way, but I would be wary
> of changing the behavior after so many years.
>
> Also, I'm wondering why the submitter could not have caught the
> exception and
> continued to read the rest of the data?

Yes, this works. I'll close the bug now.

Thanks
Max

>
> --Sean
>
>>
>> Thanks Max
>>
>>
>>
>> On Jul 31, 2010, at 12:46 AM, Sean Mullan wrote:
>>
>>> Hi Max,
>>>
>>> I'm not sure about this change. There's definitely a change in
>>> behavior.
>>> Before generateCertificate would only read one PEM block from the
>>> stream,
>>> and throw an exception if it wasn't a certificate. But the current fix
>>> ignores non certificate blocks until it finds a certificate or end of
>>> stream, right?
>>>
>>> --Sean
>>>
>>> On 7/30/10 2:39 AM, Weijun Wang wrote:
>>>> Hi Sean
>>>>
>>>> 6973371: X509Factory should recognize PEM headers
>>>>
>>>> Please review the webrev:
>>>> http://cr.openjdk.java.net/~weijun/6973371/webrev.00/
>>>>
>>>> There is one place I haven't touched, generateCertPath. PKCS #7 PEM
>>>> block
>>>> should begin with -----BEGIN PKCS7-----, or as described in [1], with
>>>> -----BEGIN CERTIFICATE-----. But what about a PKIPATH data block?
>>>>
>>>> Thanks Max
>>>>
>>>>
>>>> === *Description* ============================================================
>>>> Currently,
>>>> when X509Factory tries to read certificate or CRL from a PEM file, it
>>>> simply finds a block starting with "-----BEGIN STH-----" and ending
>>>> with
>>>> "-----END STH-----", and does not care what this STH is at all.
>>>>
>>>> There are third-party tools that generate a PEM file containing
>>>> different kinds of PEM blocks. For example, "openssl pkcs12" can
>>>> read in
>>>> a PKCS #12 file and output private key and certificates into a single
>>>> PEM
>>>> file. If we want Java to read certificates from this file, we must take
>>>> care to remove any private key block first. This is quite troublesome.
>>>>
>>>> *** (#1 of 1): 2010-07-30 03:40:21 GMT+00:00 weijun.wang at sun.com
>>>>
>>>> [1] http://www.openssl.org/docs/apps/pkcs7.html#NOTES
>>
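The workaround Sean suggests and Max confirms above, written out as an added example (not code from this thread or from the JDK): call generateCertificate() one PEM block at a time and skip any block that is not a certificate. The class name, the file argument and the use of available() to detect end of stream are assumptions of this example.

```java
import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

// Added example (not the JDK's code): read every X.509 certificate from a
// mixed PEM file such as the output of "openssl pkcs12", tolerating the
// PRIVATE KEY (or other non-certificate) blocks in between.
public class MixedPemReader {

    // Assumes an InputStream whose available() reports the unread bytes
    // (ByteArrayInputStream, or BufferedInputStream over a FileInputStream).
    // As discussed in the thread, each generateCertificate() call consumes
    // one PEM block whether or not it parses, so the loop always advances
    // and ends at end of stream instead of spinning on a bad block.
    public static List<Certificate> readCertificates(InputStream in)
            throws CertificateException, IOException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> certs = new ArrayList<>();
        int skipped = 0;
        while (in.available() > 0) {
            try {
                certs.add(cf.generateCertificate(in));
            } catch (CertificateException e) {
                // Not a certificate (private key block, CRL, trailing
                // whitespace): the block is already consumed, so move on.
                skipped++;
            }
        }
        System.err.println("skipped " + skipped + " non-certificate block(s)");
        return certs;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java MixedPemReader bundle.pem  (file name is a placeholder)
        try (InputStream in = new BufferedInputStream(new FileInputStream(args[0]))) {
            for (Certificate c : readCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                System.out.println(x.getSubjectX500Principal());
            }
        }
    }
}
```

Note that the private key is still read from disk into the process; this only avoids having to strip it from the file beforehand, it does not change what the file contains.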
