Fix pinned certificate parsing to properly handle comments.

Karl Rieb · Karl Rieb · commit d9621257a149 · 2016-06-02T13:10:10.000-07:00
The SDK would fail to initialize on Java 6 JREs because comments in certificate chains were not properly ignored.

Fixes T98008
diff --git a/ChangeLog.txt b/ChangeLog.txt
@@ -1,6 +1,7 @@
 2.0.5
 ---------------------------------------------
 - Allow old locale formats for APIv2 requests.
+- Fix ExceptionInInitializationError caused by CertificateParsingException when using Java 6 JREs.
 
 2.0.4 (2016-05-31)
 ---------------------------------------------
diff --git a/src/main/java/com/dropbox/core/http/SSLConfig.java b/src/main/java/com/dropbox/core/http/SSLConfig.java
@@ -5,6 +5,7 @@
 
 import java.io.ByteArrayInputStream;
 import java.io.DataInputStream;
+import java.io.FilterInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.InetAddress;
@@ -341,7 +342,8 @@ private static void loadKeyStore(KeyStore keyStore, InputStream in)
 
         Collection<X509Certificate> certs;
         try {
-            certs = (Collection<X509Certificate>) x509CertFactory.generateCertificates(in);
+            certs = (Collection<X509Certificate>) x509CertFactory
+                .generateCertificates(new CommentFilterInputStream(in));
         } catch (CertificateException ex) {
             throw new LoadException("Error loading certificate: " + ex.getMessage(), ex);
         }
@@ -355,4 +357,76 @@ private static void loadKeyStore(KeyStore keyStore, InputStream in)
             }
         }
     }
+
+
+    /**
+     * Strips '#' comments from DER-encoded cert file. Java 7+ handles skipping comments that aren't
+     * within certificate blocks. Java 6, however, will fail to parse the cert file if it contains
+     * anything other than certificate blocks.
+     */
+    private static final class CommentFilterInputStream extends FilterInputStream {
+        private boolean isLineStart;
+
+        public CommentFilterInputStream(InputStream in) {
+            super(in);
+            this.isLineStart = true;
+        }
+
+        @Override
+        public int read() throws IOException {
+            int ord = super.read();
+
+            // only filter at start of line
+            if (!isLineStart) {
+                return ord;
+            }
+
+            while (ord == '#') {
+                // chomp the comment
+                do {
+                    ord = super.read();
+                } while (!isLineFeed(ord) && ord != -1);
+
+                // now chomp the line feeds
+                while (isLineFeed(ord) && ord != -1) {
+                    ord = super.read();
+                }
+                isLineStart = true;
+            }
+
+            return ord;
+        }
+
+        @Override
+        public int read(byte [] b) throws IOException {
+            return read(b, 0, b.length);
+        }
+
+        @Override
+        public int read(byte [] b, int off, int len) throws IOException {
+            if (b == null) {
+                throw new NullPointerException("b");
+            }
+            if (off < 0 || len < 0 || len > (b.length - off)) {
+                throw new IndexOutOfBoundsException();
+            }
+
+            int count = 0;
+            for (int i = 0; i < len; ++i) {
+                int ord = read();
+                if (ord == -1) {
+                    break;
+                }
+
+                b[off + i] = (byte) ord;
+                ++count;
+            }
+
+            return count == 0 ? -1 : count;
+        }
+
+        private static boolean isLineFeed(int ord) {
+            return ord == '\n' || ord == '\r';
+        }
+    }
 }
