code review request: 6973371: X509Factory should recognize PEM headers

Sean Mullan sean.mullan at oracle.com
Fri Jul 30 09:46:55 PDT 2010


Hi Max,

I'm not sure about this change. There's a definitely a change in behavior. 
Before generateCertificate would only read one PEM block from the stream, and 
throw an exception if it wasn't a certificate. But the current fix ignores non 
certificate blocks until it finds a certificate or end of stream, right?

--Sean

On 7/30/10 2:39 AM, Weijun Wang wrote:
> Hi Sean
>
> 6973371: X509Factory should recognize PEM headers
>
> Please review the webrev:
> http://cr.openjdk.java.net/~weijun/6973371/webrev.00/
>
> There is one place I haven't touched, generateCertPath. PKCS #7 PEM
> block should begin with -----BEGIN PKCS7-----, or as described in [1],
> with -----BEGIN CERTIFICATE-----. But what about a PKIPATH data block?
>
> Thanks
> Max
>
>
> === *Description*
> ============================================================
> Currently, when X509Factory tries to read certificate or CRL from a PEM
> file, it simply finds a block starting with "-----BEGIN STH-----" and
> ending with "-----END STH-----", and does not care what this STH is at all.
>
> There are third-party tools that generates a PEM file containing
> different kinds of PEM blocks. For example, "openssl pkcs12" can read in
> a PKCS #12 file and output private key and certficates into a single PEM
> file. If we want Java to read certificates from this file, we must take
> care to remove any private key block first. This is quite troublesome.
>
> *** (#1 of 1): 2010-07-30 03:40:21 GMT+00:00 weijun.wang at sun.com
>
> [1] http://www.openssl.org/docs/apps/pkcs7.html#NOTES



More information about the security-dev mailing list