8175029: StackOverflowError in X509CRL and X509Certificate.verify(PublicKey, Provider)
authormullan
Fri, 31 Mar 2017 13:28:26 -0400
changeset 44476 e275cd2f9319
parent 44475 43ac80b688cd
child 44477 3d2229b0037b
child 46852 f26d122bc32c
8175029: StackOverflowError in X509CRL and X509Certificate.verify(PublicKey, Provider) Reviewed-by: weijun, vinnie
jdk/src/java.base/share/classes/java/security/cert/X509CRL.java
jdk/src/java.base/share/classes/java/security/cert/X509Certificate.java
jdk/src/java.base/share/classes/sun/security/x509/X509CRLImpl.java
jdk/src/java.base/share/classes/sun/security/x509/X509CertImpl.java
jdk/test/java/security/cert/X509CRL/VerifyDefault.java
jdk/test/java/security/cert/X509Certificate/VerifyDefault.java
jdk/test/java/security/testlibrary/CertUtils.java
--- a/jdk/src/java.base/share/classes/java/security/cert/X509CRL.java	Sat Mar 25 01:43:49 2017 +0000
+++ b/jdk/src/java.base/share/classes/java/security/cert/X509CRL.java	Fri Mar 31 13:28:26 2017 -0400
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -32,6 +32,7 @@
 import java.security.Principal;
 import java.security.Provider;
 import java.security.PublicKey;
+import java.security.Signature;
 import javax.security.auth.x500.X500Principal;
 
 import java.math.BigInteger;
@@ -241,7 +242,17 @@
     public void verify(PublicKey key, Provider sigProvider)
         throws CRLException, NoSuchAlgorithmException,
         InvalidKeyException, SignatureException {
-        X509CRLImpl.verify(this, key, sigProvider);
+        Signature sig = (sigProvider == null)
+            ? Signature.getInstance(getSigAlgName())
+            : Signature.getInstance(getSigAlgName(), sigProvider);
+        sig.initVerify(key);
+
+        byte[] tbsCRL = getTBSCertList();
+        sig.update(tbsCRL, 0, tbsCRL.length);
+
+        if (sig.verify(getSignature()) == false) {
+            throw new SignatureException("Signature does not match.");
+        }
     }
 
     /**
--- a/jdk/src/java.base/share/classes/java/security/cert/X509Certificate.java	Sat Mar 25 01:43:49 2017 +0000
+++ b/jdk/src/java.base/share/classes/java/security/cert/X509Certificate.java	Fri Mar 31 13:28:26 2017 -0400
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -647,7 +647,7 @@
         return X509CertImpl.getIssuerAlternativeNames(this);
     }
 
-     /**
+    /**
      * Verifies that this certificate was signed using the
      * private key that corresponds to the specified public key.
      * This method uses the signature verification engine
@@ -673,6 +673,16 @@
     public void verify(PublicKey key, Provider sigProvider)
         throws CertificateException, NoSuchAlgorithmException,
         InvalidKeyException, SignatureException {
-        X509CertImpl.verify(this, key, sigProvider);
+        Signature sig = (sigProvider == null)
+            ? Signature.getInstance(getSigAlgName())
+            : Signature.getInstance(getSigAlgName(), sigProvider);
+        sig.initVerify(key);
+
+        byte[] tbsCert = getTBSCertificate();
+        sig.update(tbsCert, 0, tbsCert.length);
+
+        if (sig.verify(getSignature()) == false) {
+            throw new SignatureException("Signature does not match.");
+        }
     }
 }
--- a/jdk/src/java.base/share/classes/sun/security/x509/X509CRLImpl.java	Sat Mar 25 01:43:49 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/x509/X509CRLImpl.java	Fri Mar 31 13:28:26 2017 -0400
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -443,18 +443,6 @@
     }
 
     /**
-     * This static method is the default implementation of the
-     * verify(PublicKey key, Provider sigProvider) method in X509CRL.
-     * Called from java.security.cert.X509CRL.verify(PublicKey key,
-     * Provider sigProvider)
-     */
-    public static void verify(X509CRL crl, PublicKey key,
-            Provider sigProvider) throws CRLException,
-            NoSuchAlgorithmException, InvalidKeyException, SignatureException {
-        crl.verify(key, sigProvider);
-    }
-
-    /**
      * Encodes an X.509 CRL, and signs it using the given key.
      *
      * @param key the private key used for signing.
--- a/jdk/src/java.base/share/classes/sun/security/x509/X509CertImpl.java	Sat Mar 25 01:43:49 2017 +0000
+++ b/jdk/src/java.base/share/classes/sun/security/x509/X509CertImpl.java	Fri Mar 31 13:28:26 2017 -0400
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -494,18 +494,6 @@
         }
     }
 
-     /**
-     * This static method is the default implementation of the
-     * verify(PublicKey key, Provider sigProvider) method in X509Certificate.
-     * Called from java.security.cert.X509Certificate.verify(PublicKey key,
-     * Provider sigProvider)
-     */
-    public static void verify(X509Certificate cert, PublicKey key,
-            Provider sigProvider) throws CertificateException,
-            NoSuchAlgorithmException, InvalidKeyException, SignatureException {
-        cert.verify(key, sigProvider);
-    }
-
     /**
      * Creates an X.509 certificate, and signs it using the given key
      * (associating a signature algorithm and an X.500 name).
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/security/cert/X509CRL/VerifyDefault.java	Fri Mar 31 13:28:26 2017 -0400
@@ -0,0 +1,133 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * @test
+ * @bug 8175029
+ * @library ../../testlibrary
+ * @summary check that default implementation of
+ *          X509CRL.verify(PublicKey, Provider) works on custom X509CRL impl.
+ */
+
+import java.math.BigInteger;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Principal;
+import java.security.Provider;
+import java.security.PublicKey;
+import java.security.SignatureException;
+import java.security.cert.Certificate;
+import java.security.cert.CRLException;
+import java.security.cert.X509Certificate;
+import java.security.cert.X509CRL;
+import java.security.cert.X509CRLEntry;
+import java.util.Date;
+import java.util.Set;
+
+public class VerifyDefault {
+    private static final String TEST_CRL =
+        "-----BEGIN X509 CRL-----\n" +
+        "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" +
+        "ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" +
+        "DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" +
+        "KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" +
+        "CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" +
+        "oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" +
+        "-----END X509 CRL-----";
+
+    private static final String TEST_CERT =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" +
+        "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" +
+        "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" +
+        "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" +
+        "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" +
+        "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" +
+        "AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" +
+        "PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" +
+        "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" +
+        "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" +
+        "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" +
+        "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" +
+        "-----END CERTIFICATE-----";
+
+    private static class TestX509CRL extends X509CRL {
+        private final X509CRL crl;
+        TestX509CRL(X509CRL crl) {
+            this.crl = crl;
+        }
+        public Set<String> getCriticalExtensionOIDs() {
+           return crl.getCriticalExtensionOIDs();
+        }
+        public byte[] getExtensionValue(String oid) {
+            return crl.getExtensionValue(oid);
+        }
+        public Set<String> getNonCriticalExtensionOIDs() {
+            return crl.getNonCriticalExtensionOIDs();
+        }
+        public boolean hasUnsupportedCriticalExtension() {
+            return crl.hasUnsupportedCriticalExtension();
+        }
+        public Set<? extends X509CRLEntry> getRevokedCertificates() {
+            return crl.getRevokedCertificates();
+        }
+        public X509CRLEntry getRevokedCertificate(BigInteger serialNumber) {
+            return crl.getRevokedCertificate(serialNumber);
+        }
+        public boolean isRevoked(Certificate cert) {
+            return crl.isRevoked(cert);
+        }
+        public Date getNextUpdate() { return crl.getNextUpdate(); }
+        public Date getThisUpdate() { return crl.getThisUpdate(); }
+        public int getVersion() { return crl.getVersion(); }
+        public Principal getIssuerDN() { return crl.getIssuerDN(); }
+        public byte[] getTBSCertList() throws CRLException {
+            return crl.getTBSCertList();
+        }
+        public byte[] getSignature() { return crl.getSignature(); }
+        public String getSigAlgName() { return crl.getSigAlgName(); }
+        public String getSigAlgOID() { return crl.getSigAlgOID(); }
+        public byte[] getSigAlgParams() { return crl.getSigAlgParams(); }
+        public byte[] getEncoded() throws CRLException {
+            return crl.getEncoded();
+        }
+        public void verify(PublicKey key) throws CRLException,
+            InvalidKeyException, NoSuchAlgorithmException,
+            NoSuchProviderException, SignatureException {
+            crl.verify(key);
+        }
+        public void verify(PublicKey key, String sigProvider) throws
+            CRLException, InvalidKeyException, NoSuchAlgorithmException,
+            NoSuchProviderException, SignatureException {
+            crl.verify(key, sigProvider);
+        }
+        public String toString() { return crl.toString(); }
+    }
+
+    public static void main(String[] args) throws Exception {
+        X509Certificate cert = CertUtils.getCertFromString(TEST_CERT);
+        X509CRL crl = CertUtils.getCRLFromString(TEST_CRL);
+        new TestX509CRL(crl).verify(cert.getPublicKey(), (Provider)null);
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/security/cert/X509Certificate/VerifyDefault.java	Fri Mar 31 13:28:26 2017 -0400
@@ -0,0 +1,139 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * @test
+ * @bug 8175029
+ * @library ../../testlibrary
+ * @summary check that default implementation of
+ *          X509Certificate.verify(PublicKey, Provider) works on custom
+ *          X509Certificate impl.
+ */
+
+import java.math.BigInteger;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Principal;
+import java.security.Provider;
+import java.security.PublicKey;
+import java.security.SignatureException;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.X509Certificate;
+import java.util.Collection;
+import java.util.Date;
+import java.util.List;
+import java.util.Set;
+
+public class VerifyDefault {
+    private static final String TEST_CERT =
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICvTCCAaWgAwIBAgIEGYqL9TANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDEwRT\n" +
+        "ZWxmMB4XDTE3MDMyODE2NDcyNloXDTE3MDYyNjE2NDcyNlowDzENMAsGA1UEAxME\n" +
+        "U2VsZjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL1pfSJljFVSABOL\n" +
+        "tJbIVPEkz1+2AFgzY1hqwE0EH80lvhOEkiPPYCKwBE5VTZdyFfwFjpyx7eEeJMNT\n" +
+        "o7cixfmkQaiXHr/S1AS4BRTqLG/zgLzoJpVbzi45rnVEZc0oTm11KG3uUxkZTRr3\n" +
+        "5ORbYyZpkscKwHL2M0J/1GmnA1hmhQdwUQyIKxg4eKQwyE+/TdbFlCWVNnOlb+91\n" +
+        "eXvS11nIJ1oaBgn7u4qihuVmFmngLMxExnLYKV6AwdkwFD6pERObclRD9vAl5eUk\n" +
+        "+sM6zQYwfLdyC2i8e+ETBeOg1ijptM4KT5Uaq89zxjLR0DPH4S+aILp3gYHGrW5r\n" +
+        "eMxZAEMCAwEAAaMhMB8wHQYDVR0OBBYEFOME39JtbjzQaK3ufpKo/Pl4sZ8XMA0G\n" +
+        "CSqGSIb3DQEBCwUAA4IBAQCDcw0+Sf0yeVROVlb2/VV3oIblHkGQheXeIurW64k7\n" +
+        "tEzHtx9i8dnj5lzTZNH6hU4GRlyULbSDzjcM3P2XFRsM+0a/kEJZVqnLz5ji//7/\n" +
+        "ZXaRX0TiE2IfFOTGbO6LusO3yR4tOER/WHllz2H21C2SbW3+92Ou28glTZa42AAZ\n" +
+        "mUj9j+p6mZqD4/tUBqAEqqQoMIhw9CNjc46STNayBjt/0/+I2pfy6LagrMbjBzZ0\n" +
+        "A5kXg9WjnywGk8XFr/3RZz8DrUmCYs2qCYLCHQHsuCE6gCuf9wKhKyD51MFXXRr0\n" +
+        "cyG6LYQjrreMHYk4ZfN2NPC6lGjWxB5mIbV/DuikCnYu\n" +
+        "-----END CERTIFICATE-----";
+
+    private static class TestX509Certificate extends X509Certificate {
+        private final X509Certificate cert;
+        TestX509Certificate(X509Certificate cert) {
+            this.cert = cert;
+        }
+        public Set<String> getCriticalExtensionOIDs() {
+           return cert.getCriticalExtensionOIDs();
+        }
+        public byte[] getExtensionValue(String oid) {
+            return cert.getExtensionValue(oid);
+        }
+        public Set<String> getNonCriticalExtensionOIDs() {
+            return cert.getNonCriticalExtensionOIDs();
+        }
+        public boolean hasUnsupportedCriticalExtension() {
+            return cert.hasUnsupportedCriticalExtension();
+        }
+        public void checkValidity() throws CertificateExpiredException,
+            CertificateNotYetValidException {
+            cert.checkValidity();
+        }
+        public void checkValidity(Date date) throws CertificateExpiredException,
+            CertificateNotYetValidException {
+            cert.checkValidity(date);
+        }
+        public int getVersion() { return cert.getVersion(); }
+        public BigInteger getSerialNumber() { return cert.getSerialNumber(); }
+        public Principal getIssuerDN() { return cert.getIssuerDN(); }
+        public Principal getSubjectDN() { return cert.getSubjectDN(); }
+        public Date getNotBefore() { return cert.getNotBefore(); }
+        public Date getNotAfter() { return cert.getNotAfter(); }
+        public byte[] getTBSCertificate() throws CertificateEncodingException {
+            return cert.getTBSCertificate();
+        }
+        public byte[] getSignature() { return cert.getSignature(); }
+        public String getSigAlgName() { return cert.getSigAlgName(); }
+        public String getSigAlgOID() { return cert.getSigAlgOID(); }
+        public byte[] getSigAlgParams() { return cert.getSigAlgParams(); }
+        public boolean[] getIssuerUniqueID() {
+            return cert.getIssuerUniqueID();
+        }
+        public boolean[] getSubjectUniqueID() {
+            return cert.getSubjectUniqueID();
+        }
+        public boolean[] getKeyUsage() { return cert.getKeyUsage(); }
+        public int getBasicConstraints() { return cert.getBasicConstraints(); }
+        public byte[] getEncoded() throws CertificateEncodingException {
+            return cert.getEncoded();
+        }
+        public void verify(PublicKey key) throws CertificateException,
+            InvalidKeyException, NoSuchAlgorithmException,
+            NoSuchProviderException, SignatureException {
+            cert.verify(key);
+        }
+        public void verify(PublicKey key, String sigProvider) throws
+            CertificateException, InvalidKeyException, NoSuchAlgorithmException,
+            NoSuchProviderException, SignatureException {
+            cert.verify(key, sigProvider);
+        }
+        public PublicKey getPublicKey() { return cert.getPublicKey(); }
+        public String toString() { return cert.toString(); }
+    }
+
+    public static void main(String[] args) throws Exception {
+        X509Certificate cert = CertUtils.getCertFromString(TEST_CERT);
+        new TestX509Certificate(cert).verify(cert.getPublicKey(),
+                                             (Provider)null);
+    }
+}
--- a/jdk/test/java/security/testlibrary/CertUtils.java	Sat Mar 25 01:43:49 2017 +0000
+++ b/jdk/test/java/security/testlibrary/CertUtils.java	Fri Mar 31 13:28:26 2017 -0400
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -27,17 +27,20 @@
  * @author Steve Hanna
  *
  */
+import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.InputStream;
 import java.io.IOException;
+import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.CertPath;
 import java.security.cert.CertPathBuilder;
 import java.security.cert.CertPathValidator;
 import java.security.cert.CertStore;
 import java.security.cert.CollectionCertStoreParameters;
+import java.security.cert.CRLException;
 import java.security.cert.PKIXBuilderParameters;
 import java.security.cert.PKIXCertPathBuilderResult;
 import java.security.cert.PKIXCertPathValidatorResult;
@@ -60,59 +63,71 @@
      * Get a DER-encoded X.509 certificate from a file.
      *
      * @param certFilePath path to file containing DER-encoded certificate
-     * @return X509Certificate
-     * @throws IOException on error
+     * @return the X509Certificate
+     * @throws CertificateException if the certificate type is not supported
+     *                              or cannot be parsed
+     * @throws IOException if the file cannot be opened
      */
     public static X509Certificate getCertFromFile(String certFilePath)
-        throws IOException {
-            X509Certificate cert = null;
-            try {
-                File certFile = new File(System.getProperty("test.src", "."),
-                    certFilePath);
-                if (!certFile.canRead())
-                    throw new IOException("File " +
-                                          certFile.toString() +
-                                          " is not a readable file.");
-                FileInputStream certFileInputStream =
-                    new FileInputStream(certFile);
-                CertificateFactory cf = CertificateFactory.getInstance("X509");
-                cert = (X509Certificate)
-                    cf.generateCertificate(certFileInputStream);
-            } catch (Exception e) {
-                e.printStackTrace();
-                throw new IOException("Can't construct X509Certificate: " +
-                                      e.getMessage());
-            }
-            return cert;
+        throws CertificateException, IOException {
+        File certFile = new File(System.getProperty("test.src", "."),
+                                 certFilePath);
+        try (FileInputStream fis = new FileInputStream(certFile)) {
+            return (X509Certificate)
+                CertificateFactory.getInstance("X.509")
+                                  .generateCertificate(fis);
+        }
+    }
+
+    /**
+     * Get a PEM-encoded X.509 certificate from a string.
+     *
+     * @param cert string containing the PEM-encoded certificate
+     * @return the X509Certificate
+     * @throws CertificateException if the certificate type is not supported
+     *                              or cannot be parsed
+     */
+    public static X509Certificate getCertFromString(String cert)
+        throws CertificateException {
+        byte[] certBytes = cert.getBytes();
+        ByteArrayInputStream bais = new ByteArrayInputStream(certBytes);
+        return (X509Certificate)
+            CertificateFactory.getInstance("X.509").generateCertificate(bais);
     }
 
     /**
      * Get a DER-encoded X.509 CRL from a file.
      *
      * @param crlFilePath path to file containing DER-encoded CRL
-     * @return X509CRL
-     * @throws IOException on error
+     * @return the X509CRL
+     * @throws CertificateException if the crl type is not supported
+     * @throws CRLException if the crl cannot be parsed
+     * @throws IOException if the file cannot be opened
      */
     public static X509CRL getCRLFromFile(String crlFilePath)
-        throws IOException {
-            X509CRL crl = null;
-            try {
-                File crlFile = new File(System.getProperty("test.src", "."),
-                    crlFilePath);
-                if (!crlFile.canRead())
-                    throw new IOException("File " +
-                                          crlFile.toString() +
-                                          " is not a readable file.");
-                FileInputStream crlFileInputStream =
-                    new FileInputStream(crlFile);
-                CertificateFactory cf = CertificateFactory.getInstance("X509");
-                crl = (X509CRL) cf.generateCRL(crlFileInputStream);
-            } catch (Exception e) {
-                e.printStackTrace();
-                throw new IOException("Can't construct X509CRL: " +
-                                      e.getMessage());
-            }
-            return crl;
+        throws CertificateException, CRLException, IOException {
+        File crlFile = new File(System.getProperty("test.src", "."),
+                                crlFilePath);
+        try (FileInputStream fis = new FileInputStream(crlFile)) {
+            return (X509CRL)
+                CertificateFactory.getInstance("X.509").generateCRL(fis);
+        }
+    }
+
+    /**
+     * Get a PEM-encoded X.509 crl from a string.
+     *
+     * @param crl string containing the PEM-encoded crl
+     * @return the X509CRL
+     * @throws CertificateException if the crl type is not supported
+     * @throws CRLException if the crl cannot be parsed
+     */
+    public static X509CRL getCRLFromString(String crl)
+        throws CertificateException, CRLException {
+        byte[] crlBytes = crl.getBytes();
+        ByteArrayInputStream bais = new ByteArrayInputStream(crlBytes);
+        return (X509CRL)
+            CertificateFactory.getInstance("X.509").generateCRL(bais);
     }
 
     /**