Type: Bug
Resolution: Duplicate
Priority: P4
Fix Version/s: None
Affects Version/s: 7, 8, 9
CPU: x86
OS: linux_redhat_6.0
FULL PRODUCT VERSION :
123host:~ # java -version
java version "1.8.0_66"
Java(TM) SE Runtime Environment (build 1.8.0_66-b17)
Java HotSpot(TM) 64-Bit Server VM (build 25.66-b17, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
123host:~ # uname -a
Linux 123host.123domain.com 2.6.32-504.30.3.el6.x86_64 #1 SMP Thu Jul 9 15:20:47 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
123host:~ # cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.6 (Santiago)
A DESCRIPTION OF THE PROBLEM :
When generating a Java keystore with keytool, if you include a domain component that starts with a number in the subject alternative name, keytool exits with "DNSName components must begin with a letter."
Section 4.2.1.6 of RFC 5280:
When the subjectAltName extension contains a domain name system
label, the domain name MUST be stored in the dNSName (an IA5String).
The name MUST be in the "preferred name syntax", as specified by
Section 3.5 of [RFC1034] and as modified by Section 2.1 of
[RFC1123].
Section 2.1 of RFC 1123:
The syntax of a legal Internet host name was specified in RFC-952
[DNS:4]. One aspect of host name syntax is hereby changed: the
restriction on the first character is relaxed to allow either a
letter or a digit. Host software MUST support this more liberal
syntax.
Error output:
/usr/java/default/bin/keytool -genkeypair -alias WebUI -keyalg RSA -sigalg SHA1withRSA -keypass host -validity 3650 -dname 'CN=123host.123domain.com, ou=WebUI, o=123host.123domain.com' -ext SAN=dns:123host.123domain.com,ip:192.0.2.10,dns:localhost,ip:127.0.0.1 -storepass thepassword -keystore /opt/tomcat/Security/keystore
keytool error: java.lang.RuntimeException: java.io.IOException: DNSName components must begin with a letter
ADDITIONAL REGRESSION INFORMATION:
123host:~ # java -version
java version "1.8.0_66"
Java(TM) SE Runtime Environment (build 1.8.0_66-b17)
Java HotSpot(TM) 64-Bit Server VM (build 25.66-b17, mixed mode)
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Try to create a keystore with a Subject Alternative Name starting with a number
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Keystore gets created successfully; keytool exits status 0
ACTUAL -
Keytool returns a non-zero exit status and an error message
ERROR MESSAGES/STACK TRACES THAT OCCUR :
keytool error: java.lang.RuntimeException: java.io.IOException: DNSName components must begin with a letter
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
Do not include a domain component that starts with a number in the subject alternative name of the certificate
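The label rule at issue, as an added example (editor's code, not from the report or from the JDK): a small Python validator for a keytool-style SAN specification. It accepts dNSName labels under the RFC 1034 preferred name syntax as relaxed by RFC 1123 section 2.1 (a label may start with a letter or a digit), and can optionally apply the older RFC 952 first-character rule to reproduce the rejection shown in the report. The function names, the error strings and the IP handling are the example's own; the SAN string is copied from the report's keytool command; only the dns: and ip: entry types are handled.

```python
import ipaddress
import re

# RFC 1034 section 3.5 preferred name syntax as modified by RFC 1123 section 2.1:
# a label is letters, digits and hyphens, may begin with a letter OR a digit,
# must not begin or end with a hyphen, and is 1..63 octets long.
LDH_LABEL_RFC1123 = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# The stricter RFC 952 rule (first character must be a letter) that produced
# the "DNSName components must begin with a letter" error in the report.
LDH_LABEL_RFC952 = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

MAX_DNS_NAME_OCTETS = 253  # 255 on the wire minus the root label and length octet


def check_dns_name(name, allow_leading_digit=True):
    """Return None if `name` is acceptable as a SAN dNSName, else an error string.

    allow_leading_digit=True applies the RFC 1123 rule; False applies the RFC 952
    rule and reports a leading digit with the same wording keytool used.
    """
    if not name or len(name) > MAX_DNS_NAME_OCTETS:
        return "name must be 1..%d octets" % MAX_DNS_NAME_OCTETS
    try:
        name.encode("ascii")  # dNSName is an IA5String (RFC 5280 section 4.2.1.6)
    except UnicodeEncodeError:
        return "dNSName is an IA5String; encode internationalized names with IDNA first"
    if name.endswith("."):
        return "trailing dot is not permitted in a dNSName"
    pattern = LDH_LABEL_RFC1123 if allow_leading_digit else LDH_LABEL_RFC952
    for label in name.split("."):
        if not label:
            return "empty label"
        if not pattern.match(label):
            if not allow_leading_digit and label[0].isdigit():
                return "DNSName components must begin with a letter"
            return "invalid label %r" % label
    return None


def validate_san_spec(spec, allow_leading_digit=True):
    """Validate a keytool-style '-ext SAN=' value such as
    'dns:host.example.com,ip:192.0.2.10'.

    Returns a dict mapping each entry to None (valid) or an error string.
    Only dns: and ip: entries are understood by this example.
    """
    results = {}
    for entry in spec.split(","):
        kind, sep, value = entry.partition(":")
        kind = kind.strip().lower()
        if not sep:
            results[entry] = "missing type prefix (expected dns: or ip:)"
        elif kind == "dns":
            results[entry] = check_dns_name(value, allow_leading_digit)
        elif kind == "ip":
            try:
                ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
                results[entry] = None
            except ValueError:
                results[entry] = "invalid IP address %r" % value
        else:
            results[entry] = "SAN type %r is not handled by this example" % kind
    return results


if __name__ == "__main__":
    # SAN value taken from the keytool command in the report above.
    SAN = "dns:123host.123domain.com,ip:192.0.2.10,dns:localhost,ip:127.0.0.1"
    for strict in (False, True):
        print("RFC 952 first-character rule:" if strict else "RFC 1123 rule:")
        for entry, err in validate_san_spec(SAN, allow_leading_digit=not strict).items():
            print("  %-28s %s" % (entry, "ok" if err is None else err))
```

Under the RFC 1123 rule every entry in the report's SAN passes; under the RFC 952 rule only dns:123host.123domain.com is rejected, which is the behaviour the reporter hit. Separately from the label rule, the reporter's command signs the key with SHA1withRSA; a certificate signed that way is rejected by current TLS clients, so -sigalg SHA256withRSA is the safer choice when regenerating the keystore.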
Duplicates: JDK-8054380 DNSName should be verified when parsing an X509Certificate (Open)