Mark,

On 5/29/17 11:40 AM, Christopher Schultz wrote:
> Mark,
>
> On 6/23/16 7:58 AM, Mark Thomas wrote:
>> On a related topic, I wonder how tolerant
>> CertificateFactory.generateCertificate() is since that will have
>> an impact on exactly how smart the SSLValve needs to be.
>
> Tested with Oracle Java 1.8.0_121:
>
> * Normal PEM-encoded cert is parsed just fine by
>   CertificateFactory
> * Replacing all newlines with a single space
>   causes an error ("Incomplete data")
> * Replacing all newlines after the first newline (after
>   --- BEGIN ... ---) works as desired
> * Removing all whitespace after the initial newline works as desired
>
> So a certificate that looks like this:
>
> -----BEGIN CERTIFICATE-----
> MIICERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTDATACERTDATA......-----END CERTIFICATE-----
>
> Is good enough for CertificateFactory (in its current form).
>
> We may be able to get away with just a single whitespace ->
> newline character conversion, instead of completely restoring the
> 64-character-wrapped PEM-encoded certificate.

Furthermore, CertificateFactory does not complain if there is an
additional newline between the "-----BEGIN CERTIFICATE-----\n" and the
rest of the certificate.

That means that, theoretically, we could simply write the "BEGIN"
header, then a newline, then everything that follows it regardless of
the composition, and CertificateFactory should be able to handle it.

-chris
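
The normalization discussed in this message, as an added example that is not part of the original e-mail or of Tomcat's code: it rebuilds a PEM certificate from a header value whose newlines were folded into spaces, then hands it to `CertificateFactory`. It goes beyond the minimal "header, newline, rest" idea by rejecting non-base64 input and rewrapping the body at 64 columns. The class name `PemHeaderRestore` and method `restore` are hypothetical, and the program expects the path to any PEM-encoded certificate as its first argument.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class PemHeaderRestore {              // hypothetical class, not Tomcat's SSLValve
    private static final String BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String END = "-----END CERTIFICATE-----";

    /** Rebuilds a PEM certificate from a header value whose newlines became spaces. */
    static String restore(String headerValue) {
        String v = headerValue.trim();
        if (!v.startsWith(BEGIN) || !v.endsWith(END)
                || v.length() < BEGIN.length() + END.length()) {
            throw new IllegalArgumentException("not a single PEM certificate");
        }
        // Drop every whitespace character the proxy may have left in the base64 body.
        String body = v.substring(BEGIN.length(), v.length() - END.length())
                .replaceAll("\\s+", "");
        // Refuse anything that is not plain base64 before it reaches the parser.
        if (!body.matches("[A-Za-z0-9+/]+={0,2}")) {
            throw new IllegalArgumentException("unexpected characters in certificate body");
        }
        // Header on its own line, then the body rewrapped at 64 columns.
        StringBuilder pem = new StringBuilder(BEGIN).append('\n');
        for (int i = 0; i < body.length(); i += 64) {
            pem.append(body, i, Math.min(i + 64, body.length())).append('\n');
        }
        return pem.append(END).append('\n').toString();
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to a PEM-encoded certificate supplied by the reader.
        String original = new String(
                Files.readAllBytes(Paths.get(args[0])), StandardCharsets.US_ASCII);
        // Simulate the proxy folding the certificate onto one header line.
        String flattened = original.trim().replaceAll("\\r?\\n", " ");
        String restored = restore(flattened);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(restored.getBytes(StandardCharsets.US_ASCII)));
        System.out.println("Parsed subject: " + cert.getSubjectX500Principal().getName());
    }
}
```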