X509CertChainUtils parse method makes it hard to figure out what's wrong if a certificate fails to parse

Issue #565 resolved
Joseph Heenan created an issue

The code here:

https://bitbucket.org/connect2id/nimbus-jose-jwt/src/ba873c354f1b2f214345e63d663115193d4772c2/src/main/java/com/nimbusds/jose/util/X509CertChainUtils.java#lines-97

namely:

// Imports for the excerpt below (com.nimbusds.jose.util.Base64 is the library's
// own Base64 type, not java.util.Base64)
import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.util.LinkedList;
import java.util.List;

import com.nimbusds.jose.util.Base64;
import com.nimbusds.jose.util.X509CertUtils;

public static List<X509Certificate> parse(final List<Base64> b64List)
    throws ParseException {

    if (b64List == null)
        return null;

    List<X509Certificate> out = new LinkedList<>();

    for (int i = 0; i < b64List.size(); i++) {

        if (b64List.get(i) == null) continue; // skip

        // X509CertUtils.parse returns null on any failure, so the
        // CertificateException it caught internally is not available here
        X509Certificate cert = X509CertUtils.parse(b64List.get(i).decode());

        if (cert == null) {
            throw new ParseException("Invalid X.509 certificate at position " + i, 0);
        }

        out.add(cert);
    }

    return out;
}

uses X509CertUtils.parse rather than X509CertUtils.parseWithException, resulting in an exception like this:

Invalid JWK at position 0: Invalid X.509 certificate chain "x5c": Invalid X.509 certificate at position 0

The actual underlying error (which turned out to be java.security.cert.CertificateParsingException: Empty issuer DN not allowed in X509Certificates) is unfortunately lost and not visible to anyone.

Changing lines 13-17 to something like this:

            // replaces the X509CertUtils.parse call and the null check;
            // needs: import java.security.cert.CertificateException;
            X509Certificate cert = null;
            try {
                cert = X509CertUtils.parseWithException(b64List.get(i).decode());
            } catch (CertificateException e) {
                // carry the JDK's reason (e.g. "Empty issuer DN not allowed") into the message
                throw new ParseException("Invalid X.509 certificate at position " + i + ": " + e.getMessage(), 0);
            }

would, I think, result in the exception message being passed through and potentially being visible somewhere useful (I have not tested this!).
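As an added example (not nimbus-jose-jwt code and not the reporter's proposal), the following plain-JDK version of the chain parser shows the failure path end to end: it uses java.security.cert.CertificateFactory instead of X509CertUtils so it runs without the library, keeps the CertificateException attached as the cause (java.text.ParseException has no (message, cause) constructor, so initCause() is used), reproduces the JWK-level wrapping seen in the report, and walks the cause chain back to the root. The class name CertChainParseDemo, the helper names, and the input (base64 of bytes that are not a certificate) are all constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

// Hypothetical demo class, not part of nimbus-jose-jwt.
public class CertChainParseDemo {

    // Parses a list of base64-encoded DER certificates. On failure the
    // CertificateException is kept as the cause of the ParseException, so the
    // JDK's reason survives any further wrapping done by callers.
    static List<X509Certificate> parseChain(List<String> b64List) throws ParseException {
        if (b64List == null) return null;
        List<X509Certificate> out = new ArrayList<>();
        CertificateFactory cf;
        try {
            cf = CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            throw new IllegalStateException("no X.509 CertificateFactory available", e);
        }
        for (int i = 0; i < b64List.size(); i++) {
            String b64 = b64List.get(i);
            if (b64 == null) continue; // skip null entries, as the library does
            byte[] der;
            try {
                der = Base64.getDecoder().decode(b64);
            } catch (IllegalArgumentException e) {
                throw wrap("Invalid base64 at position " + i, e);
            }
            try {
                out.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
            } catch (CertificateException e) {
                // message carries the reason, cause carries the full exception
                throw wrap("Invalid X.509 certificate at position " + i + ": " + e.getMessage(), e);
            }
        }
        return out;
    }

    // ParseException only has a (String, int) constructor; attach the cause afterwards.
    static ParseException wrap(String msg, Throwable cause) {
        ParseException pe = new ParseException(msg, 0);
        pe.initCause(cause);
        return pe;
    }

    // Mirrors the outer layers of the message quoted in the report.
    static List<X509Certificate> parseAsJwkX5c(List<String> x5c) throws ParseException {
        try {
            return parseChain(x5c);
        } catch (ParseException e) {
            throw wrap("Invalid JWK at position 0: Invalid X.509 certificate chain \"x5c\": "
                    + e.getMessage(), e);
        }
    }

    // Walks the cause chain to the innermost exception, which is what an operator needs to see.
    static Throwable rootCause(Throwable t) {
        while (t.getCause() != null) t = t.getCause();
        return t;
    }

    public static void main(String[] args) {
        // Constructed input: valid base64 whose decoded bytes are not a certificate.
        List<String> x5c = new ArrayList<>();
        x5c.add(Base64.getEncoder().encodeToString("not a certificate".getBytes()));
        try {
            parseAsJwkX5c(x5c);
        } catch (ParseException e) {
            System.out.println("message:    " + e.getMessage());
            Throwable root = rootCause(e);
            System.out.println("root cause: " + root.getClass().getName() + ": " + root.getMessage());
        }
    }
}
```

Run with `javac CertChainParseDemo.java && java CertChainParseDemo`. The first line printed is the nested message with the JDK's reason appended at the end; the second is the original CertificateException recovered from the cause chain, which is what a log aggregator or debugger would show even if an intermediate layer rebuilt the message.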

Comments (5)

  1. Yavor Vasilev

    Thank you for this report. It’s immediately actionable and we’ll move forward with a fix.
