openjdk team mailing list archive
Message #05729
Bug#539283: PEM format
Package: ca-certificates-java
Severity: normal
Matthias,
> Reading RFC1421, I don't see comments in the syntax (section 9).
I think you are wrong here. RFC1421 describes the PEM message format
and not a PEM file format. Hence the parsing of X.509 should begin
after the parser encounters the --BEGIN CERTIFICATE-- preamble and end
when it encounters the --END CERTIFICATE-- postamble. It should ignore
the rest of the file (which could also contain an RSA key).
Also it breaks the Postel rule: openssl will happily generate (and
read) a file which contains a lot more information than just "Comment":
$ openssl x509 -in sury.org.pem -out sury.org.crt -text
See attached file...
O.
-- System Information:
Debian Release: 6.0.1
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages ca-certificates-java depends on:
ii ca-certificates 20090814+nmu2 Common CA certificates
ii default-jre-headle 1:1.6-40 Standard Java or Java compatible R
ii openjdk-6-jre-head 6b18-1.8.3-2+squeeze1 OpenJDK Java runtime, using Hotspo
Versions of packages ca-certificates-java recommends:
ii libnss3-1d 3.12.8-1+squeeze1 Network Security Service libraries
ca-certificates-java suggests no packages.
-- Configuration Files:
/etc/default/cacerts [Errno 13] Permission denied: u'/etc/default/cacerts'
-- no debconf information
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 127267 (0x1f123)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
Validity
Not Before: Aug 5 04:14:23 2010 GMT
Not After : Aug 5 23:41:45 2011 GMT
Subject: description=236677-u3tuI4LC1bypveug, C=CZ, O=Persona Not Validated, OU=StartCom Free Certificate Member, CN=www.sury.org/emailAddress=ondrej@xxxxxxxx
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Key Identifier:
79:47:6B:21:73:EE:55:21:EF:09:85:FD:E4:E9:7F:2E:16:0E:F1:79
X509v3 Authority Key Identifier:
keyid:EB:42:34:D0:98:B0:AB:9F:F4:1B:6B:08:F7:CC:64:2E:EF:0E:2C:45
X509v3 Subject Alternative Name:
DNS:www.sury.org, DNS:sury.org
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.23223.1.2.2
CPS: http://www.startssl.com/policy.pdf
CPS: http://www.startssl.com/intermediate.pdf
User Notice:
Organization: StartCom Ltd.
Number: 1
Explicit Text: Limited Liability, see section *Legal Limitations* of the StartCom Certification Authority Policy available at http://www.startssl.com/policy.pdf
X509v3 CRL Distribution Points:
URI:http://www.startssl.com/crt1-crl.crl
URI:http://crl.startssl.com/crt1-crl.crl
Authority Information Access:
OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca
CA Issuers - URI:http://www.startssl.com/certs/sub.class1.server.ca.crt
X509v3 Issuer Alternative Name:
URI:http://www.startssl.com/
Signature Algorithm: sha1WithRSAEncryption
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
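
The behaviour the message argues for (start at the BEGIN CERTIFICATE line, stop at END CERTIFICATE, ignore everything else in the file) as an added Python example; it is not part of the original message or of ca-certificates-java. The names `extract_certificates`, `SAMPLE_DER` and `SAMPLE_FILE` are made up for illustration, and the sample data is constructed, not a real certificate.

```python
import base64
import re

# Only the encapsulation boundaries matter; anything outside them
# (openssl -text output, comments, other PEM objects) is skipped.
_BLOCK = re.compile(
    r"^-----BEGIN (?P<label>[A-Z0-9 ]+)-----[ \t]*\r?\n"
    r"(?P<body>.*?)"
    r"^-----END (?P=label)-----[ \t\r]*$",
    re.DOTALL | re.MULTILINE,
)


def extract_certificates(text):
    """Return the DER bytes of every CERTIFICATE block found in text."""
    ders = []
    for m in _BLOCK.finditer(text):
        if m.group("label") != "CERTIFICATE":
            continue  # e.g. an RSA PRIVATE KEY kept in the same file
        b64 = "".join(m.group("body").split())  # drop line breaks
        # validate=True rejects stray characters instead of skipping them;
        # the error raised is a ValueError subclass.
        der = base64.b64decode(b64, validate=True)
        # A DER-encoded certificate is an ASN.1 SEQUENCE (tag 0x30).
        if not der.startswith(b"\x30"):
            raise ValueError("CERTIFICATE block does not hold a DER SEQUENCE")
        ders.append(der)
    return ders


# Constructed stand-in for certificate bytes: SEQUENCE { INTEGER 1 }.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"

# Constructed file in the shape `openssl x509 -text` writes: readable
# dump first, then the PEM block, here followed by a key block as well.
SAMPLE_FILE = (
    "Certificate:\n"
    "    Data:\n"
    "        Version: 3 (0x2)\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "AAAA\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print(extract_certificates(SAMPLE_FILE))
```

The returned DER bytes are what would then be handed to an X.509 parser; the text dump and the key block never reach it.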