[jboss-jira] [JBoss JIRA] (ELY-1630) Ignore any blank lines in between the certificates in the certificate chain returned by an ACME server to avoid parsing issues on IBM JDK

Farah Juma (JIRA) issues at jboss.org
Thu Aug 9 19:05:00 EDT 2018


     [ https://issues.jboss.org/browse/ELY-1630?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Farah Juma updated ELY-1630:
----------------------------
    Description: 
Currently, {{AcmeClientSpiTest#testObtainCertificateChainWithKeySize}} and {{AcmeClientSpiTest#testObtainCertificateChainWithECPublicKey}} fail when run with IBM JDK with the following error:

{code}
org.wildfly.security.x500.cert.acme.AcmeException: ELY10049: Unable to download certificate chain from ACME server
	at org.wildfly.security.x500.cert.acme.AcmeClientSpi.getPemCertificateChain(AcmeClientSpi.java:988)
	at org.wildfly.security.x500.cert.acme.AcmeClientSpi.obtainCertificateChain(AcmeClientSpi.java:519)
	at org.wildfly.security.x500.cert.acme.AcmeClientSpiTest.obtainCertificateChain(AcmeClientSpiTest.java:284)
	at org.wildfly.security.x500.cert.acme.AcmeClientSpiTest.testObtainCertificateChainWithKeySize(AcmeClientSpiTest.java:260)
Caused by: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: insufficient data
	at com.ibm.security.x509.X509CertImpl.<init>(X509CertImpl.java:268)
	at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:448)
	at org.wildfly.security.x500.cert.acme.AcmeClientSpi.getPemCertificateChain(AcmeClientSpi.java:984)
	... 3 more

{code}

The underlying issue is that the PEM certificate chain returned by the ACME server has a blank line in between the two certificates in the chain. This causes parsing issues on IBM JDK when {{CertificateFactory.generateCertificates()}} is called. To fix this, we can just ignore any blank lines in the chain.

  was:
Currently, {{AcmeClientSpiTest#testObtainCertificateChainWithKeySize}} and {{AcmeClientSpiTest#testObtainCertificateChainWithECPublicKey}} fail when run with IBM JDK with the following error:

{code}
org.wildfly.security.x500.cert.acme.AcmeException: ELY10049: Unable to download certificate chain from ACME server
	at org.wildfly.security.x500.cert.acme.AcmeClientSpi.getPemCertificateChain(AcmeClientSpi.java:988)
	at org.wildfly.security.x500.cert.acme.AcmeClientSpi.obtainCertificateChain(AcmeClientSpi.java:519)
	at org.wildfly.security.x500.cert.acme.AcmeClientSpiTest.obtainCertificateChain(AcmeClientSpiTest.java:284)
	at org.wildfly.security.x500.cert.acme.AcmeClientSpiTest.testObtainCertificateChainWithKeySize(AcmeClientSpiTest.java:260)
Caused by: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: insufficient data
	at com.ibm.security.x509.X509CertImpl.<init>(X509CertImpl.java:268)
	at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:448)
	at org.wildfly.security.x500.cert.acme.AcmeClientSpi.getPemCertificateChain(AcmeClientSpi.java:984)
	... 3 more

{code}

The underlying issue is that the PEM certificate chain returned by the ACME server has a blank line in between the two certificates in the chain. This causes parsing issues on IBM JDK. To fix this, we can just ignore any blank lines in the chain.



> Ignore any blank lines in between the certificates in the certificate chain returned by an ACME server to avoid parsing issues on IBM JDK
> -----------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: ELY-1630
>                 URL: https://issues.jboss.org/browse/ELY-1630
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: API / SPI
>            Reporter: Farah Juma
>            Assignee: Farah Juma



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)

