code review request: 6973371: X509Factory should recognize PEM headers
Weijun Wang
Weijun.Wang at Sun.COM
Sat Jul 31 13:46:02 UTC 2010
Yes, you're correct.
I regard "not-working" -> "working" a fix, not a regression.
Thanks
Max
On Jul 31, 2010, at 12:46 AM, Sean Mullan wrote:
> Hi Max,
>
> I'm not sure about this change. There's definitely a change in behavior. Before, generateCertificate would only read one PEM block from the stream, and throw an exception if it wasn't a certificate. But the current fix ignores non-certificate blocks until it finds a certificate or end of stream, right?
>
> --Sean
>
> On 7/30/10 2:39 AM, Weijun Wang wrote:
>> Hi Sean
>>
>> 6973371: X509Factory should recognize PEM headers
>>
>> Please review the webrev:
>> http://cr.openjdk.java.net/~weijun/6973371/webrev.00/
>>
>> There is one place I haven't touched, generateCertPath. PKCS #7 PEM
>> block should begin with -----BEGIN PKCS7-----, or as described in [1],
>> with -----BEGIN CERTIFICATE-----. But what about a PKIPATH data block?
>>
>> Thanks
>> Max
>>
>>
>> === *Description*
>> ============================================================
>> Currently, when X509Factory tries to read certificate or CRL from a PEM
>> file, it simply finds a block starting with "-----BEGIN STH-----" and
>> ending with "-----END STH-----", and does not care what this STH is at all.
>>
>> There are third-party tools that generate a PEM file containing
>> different kinds of PEM blocks. For example, "openssl pkcs12" can read in
>> a PKCS #12 file and output private key and certificates into a single PEM
>> file. If we want Java to read certificates from this file, we must take
>> care to remove any private key block first. This is quite troublesome.
>>
>> *** (#1 of 1): 2010-07-30 03:40:21 GMT+00:00 weijun.wang at sun.com
>>
>> [1] http://www.openssl.org/docs/apps/pkcs7.html#NOTES
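
The header-aware reading discussed in this thread, as an added example (not part of the thread and not the JDK's X509Factory code): a scanner that checks the BEGIN/END label and decodes only CERTIFICATE blocks, skipping a private key block in the same file. The class and method names are hypothetical, and the sample payloads are constructed placeholder bytes, not real keys or certificates.

```java
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PemCertificateFilter {   // hypothetical name, for illustration only
    private static final Pattern BEGIN = Pattern.compile("-----BEGIN ([A-Z0-9 #]+)-----");
    private static final Pattern END = Pattern.compile("-----END ([A-Z0-9 #]+)-----");

    /** Returns the decoded body of every CERTIFICATE block, skipping all other block types. */
    static List<byte[]> certificateBlocks(String pem) {
        List<byte[]> out = new ArrayList<>();
        String label = null;               // type of the block we are inside, or null
        StringBuilder body = new StringBuilder();
        for (String raw : pem.split("\\R")) {
            String line = raw.trim();
            Matcher b = BEGIN.matcher(line);
            Matcher e = END.matcher(line);
            if (label == null) {
                // Text outside any block (e.g. "Bag Attributes") is ignored.
                if (b.matches()) { label = b.group(1); body.setLength(0); }
            } else if (e.matches()) {
                if (!e.group(1).equals(label))
                    throw new IllegalArgumentException("END " + e.group(1) + " closes BEGIN " + label);
                if (label.equals("CERTIFICATE")) out.add(Base64.getDecoder().decode(body.toString()));
                label = null;
            } else if (label.equals("CERTIFICATE")) {
                body.append(line);         // never buffer private key material
            }
        }
        if (label != null) throw new IllegalArgumentException("unterminated " + label + " block");
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: payloads are placeholder bytes, not real keys or certificates.
        String pem = String.join("\n",
            "Bag Attributes",
            "-----BEGIN PRIVATE KEY-----", "bm90LWEtcmVhbC1rZXk=", "-----END PRIVATE KEY-----",
            "-----BEGIN CERTIFICATE-----", "Zmlyc3QtY2VydA==", "-----END CERTIFICATE-----",
            "-----BEGIN CERTIFICATE-----", "c2Vjb25kLWNlcnQ=", "-----END CERTIFICATE-----");
        for (byte[] der : certificateBlocks(pem))
            System.out.println(new String(der));   // with real input, pass der to CertificateFactory
    }
}
```

A mismatched or unterminated block raises an exception instead of being silently skipped, so a truncated file is not mistaken for one that simply contains no certificates.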