code review request: 6973371: X509Factory should recognize PEM headers

Weijun Wang Weijun.Wang at Sun.COM
Sat Jul 31 06:46:02 PDT 2010


Yes, you're correct.

I regard "not-working" -> "working" a fix, not a regression.

Thanks
Max



On Jul 31, 2010, at 12:46 AM, Sean Mullan wrote:

> Hi Max,
> 
> I'm not sure about this change. There's a definitely a change in behavior. Before generateCertificate would only read one PEM block from the stream, and throw an exception if it wasn't a certificate. But the current fix ignores non certificate blocks until it finds a certificate or end of stream, right?
> 
> --Sean
> 
> On 7/30/10 2:39 AM, Weijun Wang wrote:
>> Hi Sean
>> 
>> 6973371: X509Factory should recognize PEM headers
>> 
>> Please review the webrev:
>> http://cr.openjdk.java.net/~weijun/6973371/webrev.00/
>> 
>> There is one place I haven't touched, generateCertPath. PKCS #7 PEM
>> block should begin with -----BEGIN PKCS7-----, or as described in [1],
>> with -----BEGIN CERTIFICATE-----. But what about a PKIPATH data block?
>> 
>> Thanks
>> Max
>> 
>> 
>> === *Description*
>> ============================================================
>> Currently, when X509Factory tries to read certificate or CRL from a PEM
>> file, it simply finds a block starting with "-----BEGIN STH-----" and
>> ending with "-----END STH-----", and does not care what this STH is at all.
>> 
>> There are third-party tools that generates a PEM file containing
>> different kinds of PEM blocks. For example, "openssl pkcs12" can read in
>> a PKCS #12 file and output private key and certficates into a single PEM
>> file. If we want Java to read certificates from this file, we must take
>> care to remove any private key block first. This is quite troublesome.
>> 
>> *** (#1 of 1): 2010-07-30 03:40:21 GMT+00:00 weijun.wang at sun.com
>> 
>> [1] http://www.openssl.org/docs/apps/pkcs7.html#NOTES




More information about the security-dev mailing list