- Bug
- Resolution: Not an Issue
- P3
- None
- 8u66, 9
- x86
- os_x
FULL PRODUCT VERSION :
Java(TM) SE Runtime Environment (build 1.8.0_66-b17)
A DESCRIPTION OF THE PROBLEM :
keytool's -certreq option doesn't include user-specified extensions such as Subject Alternative Name, etc. It's an omission that makes the -certreq option useless.
I don't see a security issue since the CA will verify the subject name and all extensions anyway.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
#generate a keypair; add SubjectAlternativeName, also IssuerAlternativeName and ExtendedKeyUsage extensions
keytool -genkeypair -keystore san2.jks -storepass password -dname "CN=san.example.com,O=Example,C=US" -alias san -keypass password -keyalg RSA -keysize 2048 -sigalg SHA256WithRSA -ext san=IP:10.245.1.2 -ext ian=IP:10.245.1.2 -ext EKU=serverAuth
#above succeeds and is complete. Generate CSR
keytool -certreq -keystore san2.jks -storepass password -v -alias san -keypass password -rfc >| san2.csr
#verify in OpenSSL
openssl req -in san2.csr -noout -text
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Last step should ALSO show under X509v3 Extensions
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Issuer Alternative Name:
IP Address:10.245.1.2
X509v3 Subject Alternative Name:
IP Address:10.245.1.2
ACTUAL -
Only the internally computed
X509v3 Subject Key Identifier:
2F:DD:60:8D:93:E8:6E:FF:65:7C:F1:3B:77:6A:DF:B2:AB:04:28:76
REPRODUCIBILITY :
This bug can be reproduced always.
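The verification step above relies on OpenSSL to print the request's "Requested Extensions". The following is an added example, not code from the report or from keytool: a stdlib-only DER walk that reads the extensionRequest attribute (OID 1.2.840.113549.1.9.14, RFC 2985) straight out of a DER-encoded CSR, so a practitioner can confirm which extensions a request actually carries (keytool's -certreq takes its own -ext option; extensions passed only to -genkeypair land in the self-signed certificate, not in the request). The sample request is constructed, with an empty subject and key and a dummy signature.

```python
# Added example (constructed, not from the report): stdlib-only DER walk that lists the
# extensions a PKCS#10 CSR requests via its extensionRequest attribute (RFC 2985).
EXT_REQ = "1.2.840.113549.1.9.14"
NAMES = {"2.5.29.17": "subjectAltName", "2.5.29.18": "issuerAltName", "2.5.29.37": "extendedKeyUsage"}

def tlv(data, pos=0):  # one DER TLV at pos -> (tag, value, next_pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give how many length bytes follow
        length, pos = int.from_bytes(data[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, data[pos:pos + length], pos + length

def children(value):  # (tag, value) for each TLV nested inside a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        yield tag, val

def oid(value):  # OBJECT IDENTIFIER value bytes -> dotted string
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80: arcs, cur = arcs + [cur], 0
    return ".".join(map(str, arcs))

def csr_extensions(der_csr):
    """Return {extnID: extnValue} for every extension requested in a DER-encoded CSR."""
    cri, found = next(children(tlv(der_csr)[1]))[1], {}  # certificationRequestInfo
    for tag, attrs in children(cri):
        if tag != 0xA0:                                  # attributes [0] IMPLICIT SET OF Attribute
            continue
        for _, attr in children(attrs):
            atype, values = children(attr)               # Attribute { type OID, values SET OF }
            if oid(atype[1]) != EXT_REQ:
                continue
            for _, exts in children(values[1]):          # each value is an Extensions SEQUENCE
                for _, ext in children(exts):            # Extension { extnID, [critical], extnValue }
                    fields = list(children(ext))
                    found[oid(fields[0][1])] = fields[-1][1]
    return found

def requested(der_csr):  # sorted names of the requested extensions; unknown OIDs stay dotted
    return sorted(NAMES.get(o, o) for o in csr_extensions(der_csr))

def san_ips(extn_value):  # dotted IPv4 entries of a subjectAltName extnValue ([7] iPAddress)
    return [".".join(map(str, v)) for t, v in children(tlv(extn_value)[1]) if t == 0x87 and len(v) == 4]

# Constructed sample: PKCS#10 skeleton (empty subject/key, dummy signature) requesting the
# SAN IP:10.245.1.2 and EKU serverAuth that the report expects keytool to emit.
SAMPLE_CSR = bytes.fromhex("30523040020100" "30003000" "A0373035" "06092A864886F70D01090E" "31283026"
                           "300F0603551D11" "0408300687040AF50102" "30130603551D25"
                           "040C300A06082B06010505070301" "300B06092A864886F70D01010B" "030100")
```

Run `requested(SAMPLE_CSR)` against a request produced by keytool -certreq (after base64-decoding the -rfc output) to see exactly which extensions the CA will receive.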