On 7/31/10 9:46 AM, Weijun Wang wrote:
Yes, you're correct.
I regard "not-working" -> "working" a fix, not a regression.
I think I would regard it as underspecified. There's nothing in
CertificateFactory.generateCertificate that says it skips non-Certificate
blocks. I suppose one could interpret it that way, but I would be wary of
changing the behavior after so many years.
Also, I'm wondering why the submitter could not have caught the exception and
continued to read the rest of the data?
--Sean
Thanks Max
On Jul 31, 2010, at 12:46 AM, Sean Mullan wrote:
Hi Max,
I'm not sure about this change. There's definitely a change in behavior.
Before generateCertificate would only read one PEM block from the stream,
and throw an exception if it wasn't a certificate. But the current fix
ignores non certificate blocks until it finds a certificate or end of
stream, right?
--Sean
On 7/30/10 2:39 AM, Weijun Wang wrote:
Hi Sean
6973371: X509Factory should recognize PEM headers
Please review the webrev:
http://cr.openjdk.java.net/~weijun/6973371/webrev.00/
There is one place I haven't touched, generateCertPath. PKCS #7 PEM block
should begin with -----BEGIN PKCS7-----, or as described in [1], with
-----BEGIN CERTIFICATE-----. But what about a PKIPATH data block?
Thanks Max
=== *Description* ===
Currently, when X509Factory tries to read a certificate or CRL from a PEM file, it
simply finds a block starting with "-----BEGIN STH-----" and ending with
"-----END STH-----", and does not care what this STH is at all.
There are third-party tools that generate a PEM file containing
different kinds of PEM blocks. For example, "openssl pkcs12" can read in
a PKCS #12 file and output private key and certificates into a single PEM
file. If we want Java to read certificates from this file, we must take
care to remove any private key block first. This is quite troublesome.
*** (#1 of 1): 2010-07-30 03:40:21 GMT+00:00 [email protected]
[1] http://www.openssl.org/docs/apps/pkcs7.html#NOTES
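
The caller-side pre-filtering that the description above calls troublesome, as an added example (not code from the webrev or the JDK): it keeps only blocks whose header type is CERTIFICATE, so a private key block in the same file never reaches the certificate parser. The class and method names (`PemCertFilter`, `certificateBlocks`, `block`) are hypothetical, and the sample input is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example with hypothetical names; not part of X509Factory.
public class PemCertFilter {
    // One PEM block: group 1 is the type label, group 2 the base64 body.
    // The backreference \1 requires the END label to match the BEGIN label.
    private static final Pattern BLOCK = Pattern.compile(
        "-----BEGIN ([A-Z0-9 ]+)-----\\r?\\n(.*?)-----END \\1-----", Pattern.DOTALL);

    /** Returns the decoded bytes of every block labelled CERTIFICATE, in file order. */
    static List<byte[]> certificateBlocks(String pem) {
        List<byte[]> out = new ArrayList<>();
        Matcher m = BLOCK.matcher(pem);
        while (m.find()) {
            if (!m.group(1).equals("CERTIFICATE")) {
                continue; // e.g. PRIVATE KEY: skipped, never handed to the parser
            }
            // The MIME decoder ignores the line breaks inside the body.
            out.add(Base64.getMimeDecoder().decode(m.group(2)));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: bodies are placeholder bytes, not real keys or certificates.
        String pem = block("PRIVATE KEY", "constructed-key-bytes")
                   + block("CERTIFICATE", "constructed-cert-1")
                   + block("CERTIFICATE", "constructed-cert-2");
        List<byte[]> ders = certificateBlocks(pem);
        System.out.println(ders.size() + " certificate block(s) kept");
        for (byte[] der : ders) {
            // With real data, each element would be wrapped in a ByteArrayInputStream
            // and passed to CertificateFactory.generateCertificate.
            System.out.println(new String(der, StandardCharsets.US_ASCII));
        }
    }

    // Builds one constructed PEM block of the given type around the given text.
    private static String block(String type, String body) {
        String b64 = Base64.getEncoder().encodeToString(body.getBytes(StandardCharsets.US_ASCII));
        return "-----BEGIN " + type + "-----\n" + b64 + "\n-----END " + type + "-----\n";
    }
}
```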