Hi folks,
currently we have a minimalistic ASN.1 parser in the code tree w/o any
testing since it assumes that the passed byte array is properly encoded.
Now, I do have some X.509 related improvements which I'd like to bring
upstream from my OSS project which I think will benefit everyone using
X.509 (processing SAN from a client cert) in the enterprise world, but
this requires extending the parser. In fact, I have written a
minimalistic parser for my use case with error handling and swapped it for
Tomcat's one and most tests fail with ArrayIndexOutOfBoundsException
because our code does not check anything.
I do not want to write yet another full-blown parser, but also do not
want to reinvent the wheel.
So several questions come to my mind:
1. Since I do also have other OSS components for Tomcat which do require
an ASN.1 parser, would our position be "use our parser at your own risk" or
"solve the problem yourself"? I need only SEQUENCEs, tagged types. Nothing
fancy.
2. Should we consider ditching it for something public and shade it like
we do with other components? Apache Kerby ASN.1 is quite small and very
decent.
Let me know what you think!
M
(Maybe this discussion applies to the ASN.1 writer as well)
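
The failure mode described in this message, a parser that trusts the encoded lengths, as an added example that is not part of the original post and not Tomcat's or Kerby's code: a minimal Java reader for SEQUENCEs and tagged types that checks every length against the enclosing element. The class and method names are hypothetical, the sample bytes are constructed, and it assumes Java 16+ for records.

```java
import java.util.ArrayList;
import java.util.List;
// Added example (hypothetical class, not Tomcat's parser): every read is checked against a limit.
public class CheckedDerReader {
    // One element: tag byte plus the [start, end) offsets of its content.
    record Tlv(int tag, int start, int end) {}
    // Reads one TLV at pos; nothing may extend past limit (the enclosing element's end).
    static Tlv read(byte[] in, int pos, int limit) {
        if (pos < 0 || limit > in.length || limit - pos < 2)
            throw new IllegalArgumentException("truncated header at offset " + pos);
        int tag = in[pos++] & 0xFF;
        if ((tag & 0x1F) == 0x1F)
            throw new IllegalArgumentException("multi-byte tag numbers not supported");
        int len = in[pos++] & 0xFF;
        if (len == 0x80)
            throw new IllegalArgumentException("indefinite length is not valid DER");
        if (len > 0x80) {                       // long form: low 7 bits = number of length bytes
            int n = len & 0x7F;
            if (n > 4 || limit - pos < n)
                throw new IllegalArgumentException("bad length-of-length " + n);
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (in[pos++] & 0xFF);
        }
        if (len < 0 || len > limit - pos)       // len < 0: four length bytes overflowed int
            throw new IllegalArgumentException("length " + len + " exceeds remaining " + (limit - pos));
        return new Tlv(tag, pos, pos + len);
    }
    // Splits a constructed element (SEQUENCE, constructed tagged type) into its children.
    static List<Tlv> children(byte[] in, Tlv parent) {
        if ((parent.tag() & 0x20) == 0)
            throw new IllegalArgumentException("element is not constructed");
        List<Tlv> out = new ArrayList<>();
        for (int p = parent.start(); p < parent.end(); ) {
            Tlv child = read(in, p, parent.end());
            out.add(child);
            p = child.end();
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample bytes: SEQUENCE { [2] "a.b" }, the shape of a one-entry SAN.
        byte[] good = {0x30, 0x05, (byte) 0x82, 0x03, 'a', '.', 'b'};
        System.out.println(children(good, read(good, 0, good.length)));
        byte[] bad = {0x30, 0x05, (byte) 0x82, 0x7F, 'a', '.', 'b'}; // inner length lies
        try { children(bad, read(bad, 0, bad.length)); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The second input differs only in the inner length byte; the reader rejects it with a parse error instead of indexing past the array.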