change CrlClientOnline to ignore content-type #42
Conversation
Using CrlClientOnline to fetch CRLs fails if the webserver publishing the CRL does not provide a content-type header in the response. Since the response is basically just converted to an input stream and is used in its raw format, the content type is not really needed. The case where I've seen this break is while fetching the CRL from Adobe CDS: http://crl.adobe.com/cds.crl
|
Can one of the admins verify this patch? |
|
While I'm not an expert on this piece of code, it makes more sense to me to at least try and get the regular content type, and only fall back on failure. So either |
|
@blagae The original code would make use of If you encapsulate the the |
|
I'm just looking at the code as I see it, and it seems to be not guaranteed that public Object getContent() throws IOException {
getInputStream(); // this is not the returned object !
return getContentHandler().getContent(this);
}As far as I can see, we can't make inferences of the Again, I'm not the expert here and I'll defer to one of my colleagues who have more knowledge of dig-sig, but I think if we're trying to improve behavior, we should take into account the uncertainties that are not solved by the |
|
Hi @janflora, Right now itext/itextpdf has been deprecated in favor of itext/itext7, although we will continue to incorporate security fixes in itext/itextpdf (iText5). Could you check if the issue exists in itext/itext7 so we can incorporate your fix? Thank you for contribution, it is appreciated. |
Using CrlClientOnline to fetch CRLs fails if the webserver publishing the CRL does not provide a content-type header in the response. Since the response is basically just converted to an input stream and is used in its raw format, the content type is not really needed. The case where I've seen this break is while fetching the CRL from Adobe CDS: http://crl.adobe.com/cds.crl