>>>> In jdk8, we use Base64.getMimeDecoder() to parse PEM-encoded certs and it
>>>> ignores every character not in the base-64 alphabet. PEM is more
>>>> restricted and as far as I know openssl rejects PEM with illegal chars (Ex, "!"
>>>> as in bug report and test). This fix will also reject them.
>>> Shouldn't you add a Base64.getPemDecoder() with these semantics? I
>>> think this decoder would be useful in other contexts as well.
>> Sherman, is that possible?
>>
>
> While it is possible, personally I will be a little hesitant to add the
> support for a "deprecated" rfc into the "new" Base64 class. Any evidence
> that PEM is still heavily used in other contexts?

Not sure about usage outside the security area; it's heavily used for encoding of certificates, CRLs, private keys, etc. I did some experiments, creating a PEM certificate including garbage characters: only Firefox accepts it, and it's rejected by IE, openssl, Mac.

--Max

>
> -Sherman
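The lenient and strict behaviours discussed in this thread, side by side, as an added example that is not code from the thread or from the JDK fix. The class and method names, the constructed sample bytes, and the strict policy (strip CR/LF only, then use the basic decoder) are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.Base64;

public class PemStrictness {
    static final String BEGIN = "-----BEGIN CERTIFICATE-----";
    static final String END = "-----END CERTIFICATE-----";

    // Return the text between the armor lines; throw if the armor is missing.
    static String body(String pem) {
        int start = pem.indexOf(BEGIN);
        int end = pem.indexOf(END);
        if (start < 0 || end < start) {
            throw new IllegalArgumentException("missing PEM armor");
        }
        return pem.substring(start + BEGIN.length(), end);
    }

    // Lenient path: the MIME decoder silently skips every character
    // outside the base-64 alphabet, so injected garbage goes unnoticed.
    static byte[] decodeLenient(String pem) {
        return Base64.getMimeDecoder().decode(body(pem));
    }

    // Strict path (assumed policy for this example): remove CR and LF only,
    // then let the basic decoder throw on any other illegal character.
    static byte[] decodeStrict(String pem) {
        String joined = body(pem).replace("\r", "").replace("\n", "");
        return Base64.getDecoder().decode(joined);
    }

    public static void main(String[] args) {
        byte[] der = new byte[100];          // constructed stand-in, not a real certificate
        for (int i = 0; i < der.length; i++) der[i] = (byte) (i * 7);
        String b64 = Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(der);
        String clean = BEGIN + "\n" + b64 + "\n" + END + "\n";
        String dirty = clean.replaceFirst("\n", "\n!");   // inject "!" at the start of the body

        System.out.println("lenient(dirty) == der: " + Arrays.equals(decodeLenient(dirty), der));
        System.out.println("strict(clean)  == der: " + Arrays.equals(decodeStrict(clean), der));
        try {
            decodeStrict(dirty);
            System.out.println("strict(dirty) accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("strict(dirty) rejected: " + e.getMessage());
        }
    }
}
```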
