On 08/03/2010 05:10 AM, Sean Mullan wrote:
On 7/31/10 9:46 AM, Weijun Wang wrote:
Yes, you're correct.
I regard "not-working" -> "working" a fix, not a regression.
I think I would regard it as underspecified. There's nothing in
CertificateFactory.generateCertificate that says it skips non-Certificate
blocks. I suppose one could interpret it that way, but I would be wary
of changing the behavior after so many years.
Also, I'm wondering why the submitter could not have caught the exception and
continued to read the rest of the data?
Yes, this works. I'll close the bug now.
Thanks
Max
--Sean
Thanks Max
On Jul 31, 2010, at 12:46 AM, Sean Mullan wrote:
Hi Max,
I'm not sure about this change. There's definitely a change in behavior.
Before, generateCertificate would only read one PEM block from the stream,
and throw an exception if it wasn't a certificate. But the current fix
ignores non-certificate blocks until it finds a certificate or end of
stream, right?
--Sean
On 7/30/10 2:39 AM, Weijun Wang wrote:
Hi Sean
6973371: X509Factory should recognize PEM headers
Please review the webrev:
http://cr.openjdk.java.net/~weijun/6973371/webrev.00/
There is one place I haven't touched, generateCertPath. PKCS #7 PEM block
should begin with -----BEGIN PKCS7-----, or as described in [1], with
-----BEGIN CERTIFICATE-----. But what about a PKIPATH data block?
Thanks Max
=== *Description* ===
Currently, when X509Factory tries to read a certificate or CRL from a PEM
file, it simply finds a block starting with "-----BEGIN STH-----" and ending
with "-----END STH-----", and does not care what this STH is at all.
There are third-party tools that generate a PEM file containing
different kinds of PEM blocks. For example, "openssl pkcs12" can read in
a PKCS #12 file and output private key and certificates into a single PEM
file. If we want Java to read certificates from this file, we must take
care to remove any private key block first. This is quite troublesome.
*** (#1 of 1): 2010-07-30 03:40:21 GMT+00:00 [email protected]
[1] http://www.openssl.org/docs/apps/pkcs7.html#NOTES
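
The caller-side handling discussed in this thread, as an added example that is not part of the original messages or the webrev: it selects only CERTIFICATE blocks from a mixed PEM stream and hands each one to CertificateFactory separately, so private key blocks are never passed to the parser. The class and method names (PemCertFilter, certificateBlocks, loadCertificates) are hypothetical, and the sample input is constructed with placeholder payloads.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PemCertFilter {
    // One PEM block; the backreference \1 requires the END label to match the BEGIN label.
    private static final Pattern BLOCK = Pattern.compile(
        "-----BEGIN ([A-Z0-9 #]+)-----(.*?)-----END \\1-----", Pattern.DOTALL);

    /** Returns the DER bytes of every CERTIFICATE block, skipping all other labels. */
    static List<byte[]> certificateBlocks(String pem) {
        List<byte[]> out = new ArrayList<>();
        Matcher m = BLOCK.matcher(pem);
        while (m.find()) {
            if (!m.group(1).equals("CERTIFICATE")) continue; // e.g. PRIVATE KEY
            // The MIME decoder tolerates the line breaks inside the block body.
            out.add(Base64.getMimeDecoder().decode(m.group(2)));
        }
        return out;
    }

    /** Parses each selected block separately, so key material never reaches the factory. */
    static List<X509Certificate> loadCertificates(String pem) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        for (byte[] der : certificateBlocks(pem)) {
            certs.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
        }
        return certs;
    }

    public static void main(String[] args) {
        // Constructed sample: payloads are placeholder bytes, not real keys or certificates.
        String sample =
            "Bag Attributes\n" +
            "-----BEGIN PRIVATE KEY-----\nAAECAwQF\n-----END PRIVATE KEY-----\n" +
            "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n";
        System.out.println(certificateBlocks(sample).size() + " certificate block(s) selected");
    }
}
```

With a real file, loadCertificates throws CertificateException on the first CERTIFICATE block that does not decode as X.509, so a malformed block is reported instead of being silently skipped.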