On 29/05/17 17:02, Christopher Schultz wrote:
> Mark,
> 
> On 5/29/17 11:40 AM, Christopher Schultz wrote:
>> Mark,
> 
>> On 6/23/16 7:58 AM, Mark Thomas wrote:
>>> On a related topic, I wonder how tolerant 
>>> CertificateFactory.generateCertificate() is since that will have 
>>> an impact on exactly how smart the SSLValve needs to be.
> 
>> Tested with Oracle Java 1.8.0_121:
> 
>> * Normal PEM-encoded cert is parsed just fine by CertificateFactory
>> * Replacing all newlines with a single space causes an error ("Incomplete data")
>> * Replacing all newlines after the first newline (after --- BEGIN ... ---) works as desired
>> * Removing all whitespace after the initial newline works as desired
> 
>> So a certificate that looks like this:
> 
>> -----BEGIN CERTIFICATE-----
>> MIICERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTDATA......-----END CERTIFICATE-----
> 
>> Is good enough for CertificateFactory (in its current form).
> 
>> We may be able to get away with just a single whitespace ->
>> newline character conversion, instead of completely restoring the 
>> 64-character-wrapped PEM-encoded certificate.
> 
> Furthermore, CertificateFactory does not complain if there is an
> additional newline between the "-----BEGIN CERTIFICATE-----\n" and the
> rest of the certificate.
> 
> That means that, theoretically, we could simply write the "BEGIN"
> header, then a newline, then everything that follows it regardless of
> the composition, and CertificateFactory should be able to handle it.

Time to open an enhancement request and add this information?

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
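As an added illustration of the approach discussed in the thread (not code from the thread or from Tomcat's SSLValve), the class below takes a certificate that a reverse proxy has folded into a single header line, rewrites it into the minimal shape the tests above found acceptable (BEGIN marker, a newline, the unwrapped Base64 body, then the END marker), and hands the result to CertificateFactory.generateCertificate(). The class name, the method names and the file-path argument in main are assumptions of this example; the main method simulates the proxy's folding by replacing every newline in a PEM file with a space, which matches the "newlines replaced by spaces" case from the thread.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/**
 * Example (not Tomcat code): rebuild a PEM certificate that arrived in a
 * single-line HTTP header so that CertificateFactory accepts it. Per the
 * thread, the BEGIN line must be followed by a newline; after that the
 * Base64 body may be completely unwrapped.
 */
public final class PemHeaderNormalizer {

    private static final String BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String END = "-----END CERTIFICATE-----";

    /** Rebuilds the header value as PEM; rejects input without both markers. */
    public static String normalize(String headerValue) {
        String s = headerValue.trim();
        int begin = s.indexOf(BEGIN);
        int end = s.indexOf(END);
        if (begin < 0 || end < 0 || end < begin) {
            throw new IllegalArgumentException("header does not carry a PEM certificate");
        }
        // Everything between the markers is the Base64 body. Strip every kind of
        // whitespace (space, tab, CR, LF) the proxy may have inserted or mangled;
        // the thread showed that an unwrapped body parses fine.
        String body = s.substring(begin + BEGIN.length(), end).replaceAll("\\s+", "");
        if (body.isEmpty()) {
            throw new IllegalArgumentException("empty certificate body");
        }
        // BEGIN, newline, body, newline, END: the minimal accepted shape.
        return BEGIN + "\n" + body + "\n" + END + "\n";
    }

    /** Normalizes and parses the header value with the JDK's CertificateFactory. */
    public static X509Certificate parse(String headerValue) throws CertificateException {
        String pem = normalize(headerValue);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }

    /** Usage: java PemHeaderNormalizer cert.pem (path is an assumption of this example). */
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java PemHeaderNormalizer <cert.pem>");
            System.exit(2);
        }
        String pem = new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.US_ASCII);
        // Simulate a proxy folding the certificate into one header line:
        // every newline becomes a single space (the "Incomplete data" case).
        String headerValue = pem.replace("\r", "").replace("\n", " ");
        X509Certificate cert = parse(headerValue);
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("Issuer:  " + cert.getIssuerX500Principal());
        System.out.println("Expires: " + cert.getNotAfter());
    }
}
```

Rebuilding the body from the markers, rather than converting only the first space to a newline, means the result does not depend on how the proxy happened to fold or trim the value. The parse step only establishes that the header holds a well-formed certificate; which proxy is allowed to set that header, and whether a client-supplied copy is stripped first, is a separate configuration decision that the normalizer cannot make.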
