Re: Passing client certificate through Nginx to Tomcat SSL Valve

Mon, 29 May 2017 08:41:47 -0700 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mark,

On 6/23/16 7:58 AM, Mark Thomas wrote:
> On a related topic, I wonder how tolerant 
> CertificateFactory.generateCertificate() is since that will have
> an impact on exactly how smart the SSLValve needs to be.

Tested with Oracle Java 1.8.0_121:

* Normal PEM-encoded cert is parsed just fine by CertificateFactory
* Replacing all newlines with a single space causes an error
("Incomplete data")
* Replacing all newlines after the first newline (after --- BEGIN ...
- ---) works as desired
* Removing all whitespace after the initial newline works as desired

So a certificate that looks like this:

- -----BEGIN CERTIFICATE-----
MIICERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTD
ATACERTDATA......-----END
CERTIFICATE-----

Is good enough for CertificateFactory (in its current form).

We may be able to get away with just a single whitespace -> newline
character conversion, instead of completely restoring the
64-character-wrapped PEM-encoded certificate.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJZLED8AAoJEBzwKT+lPKRY+ikP/18GRhuOz2XvQaWCDIKPncqo
0TEoDQBccKB+tiVF89kqaFakjIz832NzjwkeALxK76Sr6ybBwiW1+alky2uUlRa6
/YFZJK4rBlBlJqjXlBxs7M1kLErlzWpWrQA/PKCGylh1Eh8xcMWelGmtPyWUGWre
20ATMEKaeTpMNMv863MiYoDPfqMbTsMdpGjBUP6135M1cm1wW/IBYyJMPf94ep4v
jUNE7x0Ryv7iCaNFFoqxOTdsBh+b03+DHRw5/ltXMBKJY487ITSjeBAPwXj5wbJg
IvgzLm0Mu3DGEXBdV0loGi+ALso0ctbp2UuHNvw/j5P5qMjHvRvWpLpke91nCjLr
8mpQc49P1tC1zYPDEHeCXkRJKq78y0aJWwH41UmhlniEnbtcIDEEziBSpkeQM3H1
XrqTm3uthjTJgd8Hhcc5nFUMTdruDeeMmNNsyWp7lElGShf52DSZrGSsn9TNEOz0
eAc+4FuBdwDV+gFTcwMlqwL0XzoXuyQBZ13MDldS/zc7wGuXpFjjD9QJKdhdtHlo
CAgHayA13MEPSV9MuCBcfP8psOVaGQsnpIKOTHAinIyPYRgLUbibWW8NvQma2rHu
QcqCBGDDJspAp2YSP1+LF5lJAU5sC7ZZRqRO6JxDfcMqeEHEDijIwYnWrHa4K88P
ITjHyG0qEBQxkstpYSdb
=vEY+
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to