It will result in failure to parse the cert and eventually an SSLException.
Because the exception occurs in sun.security.provider.X509Factory we might need to do some pre-validation of the cert formatting before calling into these APIs.
In this case the issue occurred because there was an unexpected space at the end of the header -----BEGIN CERTIFICATE-----
2021-03-11T15:51:17,781-0800 [89136 1] com.newrelic ERROR: Unable to generate ca_bundle_path certificate. Will not process further certs.
java.security.cert.CertificateException: Could not parse certificate: java.io.IOException: Illegal header: -----BEGIN CERTIFICATE-----
at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:115) ~[?:?]
at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:355) ~[?:?]
at com.newrelic.agent.transport.apache.ApacheSSLManager.getKeyStore(ApacheSSLManager.java:127) [newrelic.jar:6.5.0-SNAPSHOT]
at com.newrelic.agent.transport.apache.ApacheSSLManager.createSSLContext(ApacheSSLManager.java:48) [newrelic.jar:6.5.0-SNAPSHOT]
at com.newrelic.agent.transport.DataSenderFactory$DefaultDataSenderFactory.buildApacheHttpClientWrapper(DataSenderFactory.java:67) [newrelic.jar:6.5.0-SNAPSHOT]
at com.newrelic.agent.transport.DataSenderFactory$DefaultDataSenderFactory.create(DataSenderFactory.java:60) [newrelic.jar:6.5.0-SNAPSHOT]
at com.newrelic.agent.transport.DataSenderFactory.create(DataSenderFactory.java:46) [newrelic.jar:6.5.0-SNAPSHOT]
at com.newrelic.agent.RPMService.<init>(RPMService.java:107) [newrelic.jar:6.5.0-SNAPSHOT]
at com.newrelic.agent.RPMServiceManagerImpl.createRPMService(RPMServiceManagerImpl.java:174) [newrelic.jar:6.5.0-SNAPSHOT]
at com.newrelic.agent.RPMServiceManagerImpl.<init>(RPMServiceManagerImpl.java:78) [newrelic.jar:6.5.0-SNAPSHOT]
at com.newrelic.agent.service.ServiceManagerImpl.doStart(ServiceManagerImpl.java:237) [newrelic.jar:6.5.0-SNAPSHOT]
at com.newrelic.agent.service.AbstractService.start(AbstractService.java:63) [newrelic.jar:6.5.0-SNAPSHOT]
at com.newrelic.agent.Agent.continuePremain(Agent.java:162) [newrelic.jar:6.5.0-SNAPSHOT]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at com.newrelic.bootstrap.BootstrapAgent.startAgent(BootstrapAgent.java:181) [newrelic.jar:6.5.0-SNAPSHOT]
at com.newrelic.bootstrap.BootstrapAgent.premain(BootstrapAgent.java:119) [newrelic.jar:6.5.0-SNAPSHOT]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at sun.instrument.InstrumentationImpl.loadClassAndStartAgent(InstrumentationImpl.java:513) [?:?]
at sun.instrument.InstrumentationImpl.loadClassAndCallPremain(InstrumentationImpl.java:525) [?:?]
Caused by: java.io.IOException: Illegal header: -----BEGIN CERTIFICATE-----
at sun.security.provider.X509Factory.checkHeaderFooter(X509Factory.java:657) ~[?:?]
at sun.security.provider.X509Factory.readOneBlock(X509Factory.java:643) ~[?:?]
at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:99) ~[?:?]
... 24 more
2021-03-11T15:51:17,793-0800 [89136 1] com.newrelic ERROR: Read ca_bundle_path /Users/jkeller/agents/newrelic_snapshot_build/DigiCertGlobalRootCA.crt.pem and found 0 certificates.
You can repro this by pasting the below contents into a file named DigiCertGlobalRootCA.crt.pem and configuring the agent to use it via ca_bundle_path. If you remove the extra space at the end of the first line the agent should successfully parse the cert and connect to New Relic.
This exception occurs if there is an unexpected space character when parsing an SSL certificate. It was discovered when configuring the agent to use the Mozilla root cert bundle: PEM of Root Certificates in Mozilla's Root Store with the Websites (TLS/SSL) Trust Bit Enabled (TXT)
ca_bundle_path: /Users/jkeller/agents/newrelic_snapshot_build/DigiCertGlobalRootCA.crt.pem
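One way to do the pre-validation suggested above, as an added example that is not the New Relic agent's code: it pulls each certificate block out of the PEM text while tolerating whitespace after the `-----BEGIN CERTIFICATE-----` header, decodes the Base64 body itself, and hands DER bytes to `CertificateFactory`, so the strict header check is never reached. It also goes slightly beyond the report by parsing each block separately, so one bad entry does not stop the rest of the bundle. The class name `PemPreValidator` and its methods are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.*;
import java.util.*;
import java.util.regex.*;

public class PemPreValidator {
    // \s* after the header absorbs the trailing space (or tab/CR) that the
    // JDK's X509Factory rejects with "Illegal header".
    private static final Pattern BLOCK = Pattern.compile(
        "-----BEGIN CERTIFICATE-----\\s*(.*?)-----END CERTIFICATE-----", Pattern.DOTALL);

    /** Returns the DER bytes of every certificate block found in the PEM text. */
    static List<byte[]> extractDer(String pem) {
        List<byte[]> out = new ArrayList<>();
        Matcher m = BLOCK.matcher(pem);
        while (m.find()) {
            // The MIME decoder ignores line breaks and other non-Base64 characters.
            out.add(Base64.getMimeDecoder().decode(m.group(1)));
        }
        return out;
    }

    /** Parses each block on its own so one bad certificate does not abort the bundle. */
    static List<Certificate> parse(String pem) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> certs = new ArrayList<>();
        for (byte[] der : extractDer(pem)) {
            try {
                certs.add(cf.generateCertificate(new ByteArrayInputStream(der)));
            } catch (CertificateException e) {
                System.err.println("Skipping unparsable certificate block: " + e.getMessage());
            }
        }
        return certs;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: header with a trailing space and a placeholder body
        // (not a real certificate). Pass a PEM file path to check a real bundle.
        String sample = "-----BEGIN CERTIFICATE----- \nMAA=\n-----END CERTIFICATE-----\n";
        String pem = args.length > 0
            ? new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.US_ASCII) : sample;
        System.out.println("blocks found: " + extractDer(pem).size()
            + ", certificates parsed: " + parse(pem).size());
    }
}
```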