JDK-8208602

Cannot read PEM X.509 cert if there is whitespace after the header or footer

    Details

    • Type: Enhancement
    • Status: Resolved
    • Priority: P4
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 12
    • Component/s: security-libs
    • Labels:
      None

      Description

      A PEM X.509 cert has a header "-----BEGIN CERTIFICATE-----" and a footer "-----END CERTIFICATE-----". If there is whitespace after the header or footer, CertificateFactory cannot load it and throws this exception:

      Caused by: java.security.cert.CertificateException: java.io.IOException: Illegal footer: -----END CERTIFICATE-----
      at java.base/sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:358)
      at java.base/java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:478)
      at java.base/sun.security.tools.keytool.Main.printCertFromStream(Main.java:2599)
      ... 4 more
      Caused by: java.io.IOException: Illegal footer: -----END CERTIFICATE-----
      at java.base/sun.security.provider.X509Factory.checkHeaderFooter(X509Factory.java:656)
      at java.base/sun.security.provider.X509Factory.readOneBlock(X509Factory.java:638)
      at java.base/sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:449)
      at java.base/sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:356)

      According to https://tools.ietf.org/html/rfc7468#section-3, WSP is allowed after preeb or posteb:

        textualmsg = preeb *WSP eol
                     *eolWSP
                     base64text
                     posteb *WSP [eol]

        preeb = "-----BEGIN " label "-----" ; unlike [RFC1421] (A)BNF,
                                                 ; eol is not required (but
        posteb = "-----END " label "-----" ; see [RFC1421], Section 4.4)
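
A pre-parse normalization for runtimes without this fix, as an added example that is not part of the original issue or the JDK's own code: it removes only SP and HTAB (the ABNF WSP set) after a PEM boundary line before the data reaches CertificateFactory. The class name PemBoundaryTrim and the helper trimBoundaryWsp are hypothetical, and the sample body is a constructed placeholder, not a real certificate.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;
import java.util.regex.Pattern;

public class PemBoundaryTrim {
    // A complete "-----BEGIN label-----" or "-----END label-----" line followed
    // by one or more WSP characters (SP or HTAB) before the end of the line.
    private static final Pattern BOUNDARY_WSP = Pattern.compile(
            "(?m)^(-----(?:BEGIN|END) [^\\r\\n]*?-----)[ \\t]+$");

    // Drops only the trailing WSP on boundary lines; the base64 body, the
    // line endings and any text outside the boundaries are left untouched.
    static String trimBoundaryWsp(String pem) {
        return BOUNDARY_WSP.matcher(pem).replaceAll("$1");
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 1) {
            // Normalize a PEM file (path given by the caller), then parse it.
            // ISO-8859-1 maps every byte to one char, so nothing else changes.
            String pem = new String(Files.readAllBytes(Paths.get(args[0])),
                    StandardCharsets.ISO_8859_1);
            byte[] clean = trimBoundaryWsp(pem).getBytes(StandardCharsets.ISO_8859_1);
            Collection<? extends Certificate> certs =
                    CertificateFactory.getInstance("X.509")
                            .generateCertificates(new ByteArrayInputStream(clean));
            System.out.println("parsed " + certs.size() + " certificate(s)");
            return;
        }
        // Constructed sample: the body is a placeholder, not a real certificate.
        String sample = "-----BEGIN CERTIFICATE----- \t\r\n"
                + "PLACEHOLDERBODY\r\n"
                + "-----END CERTIFICATE-----  \n";
        String out = trimBoundaryWsp(sample);
        // Print with visible line endings so the removed WSP can be checked.
        System.out.println(out.replace("\r", "\\r").replace("\n", "\\n\n"));
    }
}
```

Run without arguments to see the normalized sample, or pass the path of a PEM file to normalize and parse it.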

            People

            Assignee:
            weijun Weijun Wang
            Reporter:
            weijun Weijun Wang