code review request: 6973371: X509Factory should recognize PEM headers

Weijun Wang Weijun.Wang at Sun.COM
Fri Jul 30 06:39:27 UTC 2010


Hi Sean

6973371: X509Factory should recognize PEM headers

Please review the webrev:
    http://cr.openjdk.java.net/~weijun/6973371/webrev.00/

There is one place I haven't touched, generateCertPath. PKCS #7 PEM 
block should begin with -----BEGIN PKCS7-----, or as described in [1], 
with -----BEGIN CERTIFICATE-----. But what about a PKIPATH data block?

Thanks
Max


=== *Description* 
============================================================
Currently, when X509Factory tries to read certificate or CRL from a PEM 
file, it simply finds a block starting with "-----BEGIN STH-----" and 
ending with "-----END STH-----", and does not care what this STH is at all.

There are third-party tools that generates a PEM file containing 
different kinds of PEM blocks. For example, "openssl pkcs12" can read in 
a PKCS #12 file and output private key and certficates into a single PEM 
file. If we want Java to read certificates from this file, we must take 
care to remove any private key block first. This is quite troublesome.

*** (#1 of 1): 2010-07-30 03:40:21 GMT+00:00 weijun.wang at sun.com

[1] http://www.openssl.org/docs/apps/pkcs7.html#NOTES



More information about the security-dev mailing list