On 29/05/17 17:02, Christopher Schultz wrote:
> Mark,
>
> On 5/29/17 11:40 AM, Christopher Schultz wrote:
>> Mark,
>>
>> On 6/23/16 7:58 AM, Mark Thomas wrote:
>>> On a related topic, I wonder how tolerant
>>> CertificateFactory.generateCertificate() is since that will have
>>> an impact on exactly how smart the SSLValve needs to be.
>>
>> Tested with Oracle Java 1.8.0_121:
>>
>> * Normal PEM-encoded cert is parsed just fine by CertificateFactory
>> * Replacing all newlines with a single space causes an error
>>   ("Incomplete data")
>> * Replacing all newlines after the first newline (after
>>   --- BEGIN ... ---) works as desired
>> * Removing all whitespace after the initial newline works as desired
>>
>> So a certificate that looks like this:
>>
>> -----BEGIN CERTIFICATE-----
>> MIICERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACER TD
>>
>>
>> ATACERTDATA......-----END
>> CERTIFICATE-----
>>
>> Is good enough for CertificateFactory (in its current form).
>>
>> We may be able to get away with just a single whitespace ->
>> newline character conversion, instead of completely restoring the
>> 64-character-wrapped PEM-encoded certificate.
>
> Furthermore, CertificateFactory does not complain if there is an
> additional newline between the "-----BEGIN CERTIFICATE-----\n" and the
> rest of the certificate.
>
> That means that, theoretically, we could simply write the "BEGIN"
> header, then a newline, then everything that follows it regardless of
> the composition, and CertificateFactory should be able to handle it.
Time to open an enhancement request and add this information?

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
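The tolerance experiment quoted above, as an added example that is not part of the thread and not Tomcat's SSLValve code: it takes a PEM certificate file as argv[0], simulates a proxy folding the PEM into a single header value (every newline replaced by a space, as the thread describes), then feeds the mangled forms discussed in the thread to CertificateFactory and prints which ones the local JDK accepts, including the "Incomplete data" message for the rejected form. The class name, the file argument and the set of variants are this example's own choices; the results it prints are whatever your JDK does, not the 1.8.0_121 results reported in the thread.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.LinkedHashMap;
import java.util.Map;

/*
 * Added example, not Tomcat's SSLValve code: replays the whitespace-tolerance
 * experiment from the thread against a PEM certificate given as argv[0] and
 * prints which mangled forms the local JDK's CertificateFactory accepts.
 */
public class PemToleranceCheck {

    static final String BEGIN = "-----BEGIN CERTIFICATE-----";
    static final String END = "-----END CERTIFICATE-----";

    /* Feed a candidate string to CertificateFactory and describe the outcome. */
    static String tryParse(String pem) {
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate c = (X509Certificate) cf.generateCertificate(
                    new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
            return "OK        subject=" + c.getSubjectX500Principal();
        } catch (CertificateException e) {
            return "REJECTED  " + e.getMessage();
        }
    }

    /* What a proxy that folds the PEM into one header line would send:
     * every newline becomes a single space. */
    static String flattenToSpaces(String pem) {
        return pem.trim().replace("\r\n", "\n").replace('\n', ' ');
    }

    /* Everything after the BEGIN marker, outer whitespace dropped. */
    static String afterBegin(String s) {
        int i = s.indexOf(BEGIN);
        if (i < 0) throw new IllegalArgumentException("no BEGIN marker");
        return s.substring(i + BEGIN.length()).trim();
    }

    /* Base64 payload between the markers with all whitespace removed. */
    static String base64Body(String s) {
        int b = s.indexOf(BEGIN), e = s.indexOf(END);
        if (b < 0 || e < b) throw new IllegalArgumentException("missing PEM markers");
        return s.substring(b + BEGIN.length(), e).replaceAll("\\s+", "");
    }

    /* The heavier fix the thread contrasts with: restore 64-column wrapping. */
    static String rewrap64(String flattened) {
        String body = base64Body(flattened);
        StringBuilder sb = new StringBuilder(BEGIN).append('\n');
        for (int i = 0; i < body.length(); i += 64) {
            sb.append(body, i, Math.min(i + 64, body.length())).append('\n');
        }
        return sb.append(END).append('\n').toString();
    }

    public static void main(String[] args) throws Exception {
        String pem = new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.US_ASCII);
        String flat = flattenToSpaces(pem);

        // Each entry is one of the forms discussed in the thread.
        Map<String, String> variants = new LinkedHashMap<>();
        variants.put("original PEM", pem);
        variants.put("all newlines -> single spaces", flat);
        variants.put("BEGIN + newline, rest left flattened", BEGIN + "\n" + afterBegin(flat) + "\n");
        variants.put("BEGIN + blank line, rest left flattened", BEGIN + "\n\n" + afterBegin(flat) + "\n");
        variants.put("BEGIN, body with no whitespace, END", BEGIN + "\n" + base64Body(flat) + "\n" + END + "\n");
        variants.put("re-wrapped at 64 columns", rewrap64(flat));

        for (Map.Entry<String, String> v : variants.entrySet()) {
            System.out.printf("%-42s %s%n", v.getKey(), tryParse(v.getValue()));
        }
    }
}
```

To try it, make a throwaway certificate with the JDK's own tool, for instance `keytool -genkeypair -keyalg RSA -alias t -dname CN=test -keystore t.p12 -storetype PKCS12 -storepass changeit` followed by `keytool -exportcert -rfc -alias t -keystore t.p12 -storepass changeit -file t.pem`, then run `java PemToleranceCheck.java t.pem` (JDK 11 or later can launch a single source file directly; on older JDKs compile with javac first). Whichever of these forms a valve ends up accepting, the parsed certificate is only as trustworthy as the proxy that set the header, so the normalisation question is separate from making sure the header cannot be supplied by the client.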