Enhancement
Resolution: Fixed
P4
b06
A PEM X.509 cert has a header "-----BEGIN CERTIFICATE-----" and a footer "-----END CERTIFICATE-----". If there is whitespace after the header or footer, CertificateFactory cannot load it and throws this exception:
Caused by: java.security.cert.CertificateException: java.io.IOException: Illegal footer: -----END CERTIFICATE-----
	at java.base/sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:358)
	at java.base/java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:478)
	at java.base/sun.security.tools.keytool.Main.printCertFromStream(Main.java:2599)
	... 4 more
Caused by: java.io.IOException: Illegal footer: -----END CERTIFICATE-----
	at java.base/sun.security.provider.X509Factory.checkHeaderFooter(X509Factory.java:656)
	at java.base/sun.security.provider.X509Factory.readOneBlock(X509Factory.java:638)
	at java.base/sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:449)
	at java.base/sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:356)
According to https://tools.ietf.org/html/rfc7468#section-3, WSP is allowed after preeb or posteb:

    textualmsg = preeb *WSP eol
                 *eolWSP
                 base64text
                 posteb *WSP [eol]

    preeb      = "-----BEGIN " label "-----" ; unlike [RFC1421] (A)BNF,
                                             ; eol is not required (but
    posteb     = "-----END " label "-----"   ; see [RFC1421], Section 4.4)
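For a runtime that rejects such input as described above, one caller-side workaround is to strip the WSP that the grammar allows after preeb and posteb before handing the bytes to CertificateFactory. This is an added example, not code from the JDK or from this report; the class and method names are hypothetical, and the embedded sample is constructed with a placeholder body rather than a real certificate.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.regex.Pattern;

// Added example (hypothetical class name): strips the trailing WSP that RFC 7468
// allows after preeb/posteb, so a strict boundary check still accepts the input.
public class PemBoundaryNormalizer {
    // A whole "-----BEGIN label-----" / "-----END label-----" line followed by
    // one or more spaces or tabs (WSP) up to the end of that line.
    private static final Pattern BOUNDARY_WITH_WSP = Pattern.compile(
            "(?m)^(-----(?:BEGIN|END) [\\x21-\\x7E ]*?-----)[ \\t]+$");

    static String normalize(String pem) {
        // Only boundary lines are touched; the base64 body is left as is.
        return BOUNDARY_WITH_WSP.matcher(pem).replaceAll("$1");
    }

    static Collection<? extends Certificate> load(String pem) throws Exception {
        byte[] clean = normalize(pem).getBytes(StandardCharsets.US_ASCII);
        return CertificateFactory.getInstance("X.509")
                .generateCertificates(new ByteArrayInputStream(clean));
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 1) {
            // Real use: path to a PEM file whose boundaries may carry trailing WSP.
            String pem = new String(Files.readAllBytes(Paths.get(args[0])),
                    StandardCharsets.US_ASCII);
            for (Certificate c : load(pem)) {
                System.out.println(((X509Certificate) c).getSubjectX500Principal());
            }
            return;
        }
        // Constructed sample: placeholder body, not a real certificate; it only
        // shows what normalize() changes (space and tab after each boundary).
        String sample = "-----BEGIN CERTIFICATE----- \t\r\n"
                + "QUJD\r\n"
                + "-----END CERTIFICATE-----  \r\n";
        String expected = "-----BEGIN CERTIFICATE-----\r\nQUJD\r\n-----END CERTIFICATE-----\r\n";
        System.out.println(normalize(sample).equals(expected));
    }
}
```

Run it with a PEM file path as the only argument to load real certificates; with no argument it only checks the normalization of the constructed sample.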