added option to filter out CRLs when reading PEM

Author: tomasstupka

graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/ssl/CertUtils.java

@@ -394,6 +394,11 @@ public static LoadCertError loadVerifyLocations(TruffleFile file, TruffleFile pa
 
     @TruffleBoundary
     public static LoadCertError getCertificates(BufferedReader r, List<Object> result) throws IOException, CertificateException, CRLException {
+        return getCertificates(r, result, false);
+    }
+
+    @TruffleBoundary
+    public static LoadCertError getCertificates(BufferedReader r, List<Object> result, boolean onlyCertificates) throws IOException, CertificateException, CRLException {
         boolean sawBegin = false;
         boolean sawBeginCrl = false;
         StringBuilder certBuilder = new StringBuilder(2000);
@@ -435,9 +440,11 @@ public static LoadCertError getCertificates(BufferedReader r, List<Object> resul
         if (res != LoadCertError.NO_ERROR) {
             return res;
         }
-        res = add(dataCrl, l, decoder, factory::generateCRL);
-        if (res != LoadCertError.NO_ERROR) {
-            return res;
+        if (!onlyCertificates) {
+            res = add(dataCrl, l, decoder, factory::generateCRL);
+            if (res != LoadCertError.NO_ERROR) {
+                return res;
+            }
         }
         if (l.isEmpty()) {
             return LoadCertError.NO_CERT_DATA;

graalpython/com.oracle.graal.python/src/com/oracle/graal/python/builtins/objects/ssl/SSLContextBuiltins.java

@@ -850,9 +850,8 @@ private Object load(PSSLContext self, BufferedReader certReader, BufferedReader
             try {
                 // if keyReader and certReader are from the same file, key is expected to come first
                 byte[] pkBytes = CertUtils.getEncodedPrivateKey(this, keyReader);
-                X509Certificate[] certs;
                 List<Object> certificates = new ArrayList<>();
-                LoadCertError result = getCertificates(certReader, certificates);
+                LoadCertError result = getCertificates(certReader, certificates, true);
                 switch (result) {
                     case BAD_BASE64_DECODE:
                     case BEGIN_CERTIFICATE_WITHOUT_END:
@@ -866,7 +865,7 @@ private Object load(PSSLContext self, BufferedReader certReader, BufferedReader
                     default:
                         assert false : "not handled: " + result;
                 }
-                certs = certificates.toArray(new X509Certificate[certificates.size()]);
+                X509Certificate[] certs = certificates.toArray(new X509Certificate[certificates.size()]);
                 PrivateKey pk = CertUtils.createPrivateKey(this, pkBytes, certs[0]);
                 self.setCertChain(pk, PythonUtils.EMPTY_CHAR_ARRAY, certs);
             } catch (InvalidKeySpecException | IOException | NoSuchAlgorithmException | KeyStoreException | CertificateException | CRLException ex) {