- Type: Bug
- Resolution: Fixed
- Priority: P4
- 1.3.0
- None
- beta
- CPU: sparc
- OS: solaris_7
The implementation of generateCertificates does not handle a sequence of DER encoded certs correctly. It only parses one certificate and ignores any subsequent certs. The offending code is in the parseX509orPKCS7Cert() method of sun/security/provider/X509Factory.java:

    private Collection parseX509orPKCS7Cert(InputStream is)
        throws CertificateException
    {
        try {
            // treat as X.509 cert
            is.mark(is.available());
            X509CertImpl cert = new X509CertImpl(is);
            // Returns after the first certificate; whatever is still
            // in the stream is never read.
            return Arrays.asList(new X509Certificate[] { cert });
            // ... (remainder of the method not quoted in this report)

This code should continue to look for more certs in the input stream.

Also, the javadoc for generateCertificates should be a bit clearer about the format of the data for a sequence of DER encoded certs. It's the word 'sequence' that is confusing, since the caller could interpret this as meaning a DER encoded ASN.1 SEQUENCE of certs. That is incorrect. What we mean here is something like:
-----BEGIN CERTIFICATE-----
blalala
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
blalala
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
blalala
-----END CERTIFICATE-----
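The loop the report asks for, as an added example that is not JDK code: a reader that keeps pulling DER certificates off a stream until it is exhausted (instead of returning after the first one), accepts either concatenated PEM blocks or back-to-back raw DER, and shows why an outer ASN.1 SEQUENCE wrapper is a different format from the concatenation the javadoc means. The sample "certificates" are constructed DER SEQUENCEs with no X.509 content; only the outer tag and length are decoded, so in practice each returned blob would be handed to a real X.509 parser.

```python
"""Reading a 'sequence of DER encoded certs' the way generateCertificates
means it: one certificate after another until the stream is empty.

Added example, not JDK code. The sample certificates below are constructed
DER SEQUENCEs standing in for real X.509 certificates.
"""
import base64
import io
import re
from typing import BinaryIO, List, Optional

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_exact(stream: BinaryIO, n: int) -> bytes:
    chunk = stream.read(n)
    if len(chunk) != n:
        raise ValueError("truncated DER element")
    return chunk


def read_one_der_certificate(stream: BinaryIO) -> Optional[bytes]:
    """Read a single DER SEQUENCE (one certificate) from the stream.

    Returns None at end of stream. Only the outer tag and length are
    decoded; the body is returned untouched for a real X.509 parser.
    """
    tag = stream.read(1)
    if not tag:
        return None                       # end of stream: no more certs
    if tag != b"\x30":
        raise ValueError(f"expected SEQUENCE tag 0x30, got 0x{tag[0]:02x}")
    first = _read_exact(stream, 1)[0]
    if first < 0x80:                      # short-form length
        length, length_bytes = first, bytes([first])
    else:                                 # long-form length, 1..4 bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        raw = _read_exact(stream, n)
        length = int.from_bytes(raw, "big")
        # DER requires the shortest possible length encoding.
        if length < 0x80 or (n > 1 and length < 1 << (8 * (n - 1))):
            raise ValueError("non-minimal DER length")
        length_bytes = bytes([first]) + raw
    body = _read_exact(stream, length)
    return tag + length_bytes + body


def read_all_der_certificates(stream: BinaryIO) -> List[bytes]:
    """Keep reading until the stream is exhausted: the loop the bug omits."""
    certs = []
    while (cert := read_one_der_certificate(stream)) is not None:
        certs.append(cert)
    return certs


def parse_certificates(data: bytes) -> List[bytes]:
    """Accept concatenated PEM blocks or back-to-back raw DER; return each cert."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        certs = []
        for b64 in PEM_BLOCK.findall(data):
            der = base64.b64decode(b"".join(b64.split()), validate=True)
            # Each PEM block must hold exactly one certificate, nothing trailing.
            if len(read_all_der_certificates(io.BytesIO(der))) != 1:
                raise ValueError("PEM block does not hold exactly one certificate")
            certs.append(der)
        return certs
    return read_all_der_certificates(io.BytesIO(data))


def to_pem(der: bytes) -> bytes:
    """Wrap one DER certificate in the BEGIN/END CERTIFICATE armor."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


def wrap_in_asn1_sequence(certs: List[bytes]) -> bytes:
    """The reading of 'sequence' the javadoc does NOT mean: one outer SEQUENCE
    containing the certificates. Short-form length suffices for the samples."""
    body = b"".join(certs)
    assert len(body) < 0x80
    return b"\x30" + bytes([len(body)]) + body


# Constructed stand-ins for certificates: each is a valid DER SEQUENCE
# (INTEGER i, NULL) with no X.509 content at all.
SAMPLE_CERTS = [b"\x30\x05\x02\x01" + bytes([i]) + b"\x05\x00" for i in (1, 2, 3)]

if __name__ == "__main__":
    concat_pem = b"".join(to_pem(c) for c in SAMPLE_CERTS)
    concat_der = b"".join(SAMPLE_CERTS)
    print(len(parse_certificates(concat_pem)), "certs from concatenated PEM")
    print(len(parse_certificates(concat_der)), "certs from concatenated DER")
    print(len(parse_certificates(wrap_in_asn1_sequence(SAMPLE_CERTS))),
          "element from an ASN.1 SEQUENCE wrapper (not the format meant)")
```

Trailing bytes after the last certificate that do not start a new SEQUENCE are rejected rather than silently dropped, which is the behaviour a caller loading a trust bundle should want: a bundle that is half garbage is a configuration error, not a shorter bundle.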