[security-dev 01633]: Re: CR 6928227 Updated, weijun.wang now responsible engineer, P4 java/classes_secu keytool -printcert fails on extra trailing whitespace.

Weijun Wang Weijun.Wang at Sun.COM
Tue Feb 23 00:40:51 PST 2010

Hi Brad

Keytool's -printcert tries to parse multiple certificates in a single
file, when there is an empty line there it tries to parse it as another
certificate, and fails.

I had a fix some time ago that covers this issue --


Andrew reviewed it and thought it's fine. Sean is worried about any
performance hurt:

Sean: How does your change affect existing code that passes in a
Max: I don't think there's any difference. My new code only calls read()
and read(byte[],offset,length). If the underlying stream is already
buffered, it can only be faster.

I haven't heard anything from Sean since, and the fix is still in my
patch queue not pushed yet, almost forgotten.

Can you have a look? :)


> *Change Request ID*: 6928227
> *Synopsis*: keytool -printcert fails on extra trailing whitespace.
> === *Description* ============================================================
> This seems wrong to me.  Add an extra line at the end of a cert file, and keytool will no longer parse it.
>> keytool -genkeypair -keystore mykeystore
>> keytool -exportcert -rfc -keystore mykeystore -file cert.out
>> keytool -printcert -v -file cert.out
>> echo " " | cat cert.out - > foo.out
>> keytool -printcert -v -file foo.out
> keytool error: java.lang.Exception: Failed to parse input
> java.lang.Exception: Failed to parse input
>         at sun.security.tools.KeyTool.doPrintCert(KeyTool.java:1682)
>         at sun.security.tools.KeyTool.doCommands(KeyTool.java:878)
>         at sun.security.tools.KeyTool.run(KeyTool.java:172)
>         at sun.security.tools.KeyTool.main(KeyTool.java:166)
> Caused by: java.security.cert.CertificateException: java.io.EOFException
>         at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:419)
>         at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:427)
>         at sun.security.tools.KeyTool.doPrintCert(KeyTool.java:1680)
>         ... 3 more
> Caused by: java.io.EOFException
>         at java.io.DataInputStream.readFully(DataInputStream.java:180)
>         at java.io.DataInputStream.readFully(DataInputStream.java:152)
>         at sun.security.util.DerValue.init(DerValue.java:374)
>         at sun.security.util.DerValue.<init>(DerValue.java:302)
>         at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:532)
>         at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:417)
>         ... 5 more
> *** (#1 of 1): 2010-02-20 01:50:51 GMT+00:00 bradford.wetmore at sun.com

More information about the security-dev mailing list