Type: CSR
Resolution: Approved
Priority: P4
Compatibility Kind: behavioral
Compatibility Risk: minimal
Interface Kind: add/remove/modify command line option
Scope: Implementation
Summary
This is a retrospective CSR review for the JDK 8 Updates implementation of JDK-8213952: Relax DNSName restriction as per RFC 1123.
While the JDK 11u and later fixes made behavioural changes to the general use of the sun.security.x509.DNSName(String name)
constructor, the JDK 8u change concentrates on a single corner case: keytool's use of the DNSName(String name)
constructor. It is an implementation-specific change to the keytool binary that ships in JDK 8u.
Problem
The JDK-internal class sun.security.x509.DNSName is used by the keytool binary to construct DNS names that may be placed in X509Certificate fields (via the -ext san=dns:"dns name" option). Currently, this option does not allow such a value to begin with a digit. This restriction was most likely adopted from the RFC 1034 naming convention, and it causes interoperability issues with other tools that do allow such names to begin with a digit.
RFC 1123 § 2.1 permits a DNSName to begin with a digit.
The keytool man page refers to RFC 5280. §4.2.1.6 of that RFC specifies the format of the string used; the section contains the following text:
When the subjectAltName extension contains a domain name system
label, the domain name MUST be stored in the dNSName (an IA5String).
The name MUST be in the "preferred name syntax", as specified by
Section 3.5 of [RFC1034] and as modified by Section 2.1 of
[RFC1123].
https://tools.ietf.org/html/rfc1034#section-3.5
https://tools.ietf.org/html/rfc1123#section-2.1
With this restriction in place in keytool, interoperability with certs produced by other platforms could be impacted.
Solution
Relax the sun.security.x509.DNSName constructor used by keytool and introduce a DNSName constructor that allows the DNS name value to begin with a digit, as permitted by RFC 1123 § 2.1. This will allow certificates produced by keytool to interoperate better with other X.509 tool stacks.
https://tools.ietf.org/html/rfc1123#section-2.1
Specification
The behaviour of the JDK keytool utility around the "-ext san=dns:" option will be refined. The tool will no longer fail with
java.io.IOException: DNSName components must begin with a letter
when a DNSName that starts with a digit is passed as a parameter; e.g. -ext san=dns:1abc.com will be accepted.
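To make the before/after behaviour concrete, the following is an added example (not JDK or keytool code) of a DNSName label validator written in the spirit of sun.security.x509.DNSName. It implements the RFC 1034 § 3.5 "preferred name syntax" (labels of letters, digits and hyphens, no empty labels, no leading or trailing hyphen) and switches between the old rule (a label must begin with a letter) and the RFC 1123 § 2.1 relaxation (a label may also begin with a digit). The class name, method names and the 63-octet label limit check (taken from RFC 1034, not from the page) are this example's own choices; the sample names are constructed.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

/**
 * Added example, not JDK code: a DNSName validator modelled on the checks
 * the page describes. leadingDigitAllowed=false reproduces the pre-fix
 * keytool behaviour (RFC 1034 rule); true reproduces the RFC 1123 § 2.1
 * relaxation that the JDK 8u change adopts for keytool.
 */
public final class DnsNameCheck {

    private static final String ALPHA =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
    private static final String DIGITS = "0123456789";
    // "LDH": letters, digits and hyphen, the only characters a label may hold.
    private static final String LDH = ALPHA + DIGITS + "-";

    /** Returns the name unchanged if valid, otherwise throws IOException. */
    static String validate(String name, boolean leadingDigitAllowed) throws IOException {
        if (name == null || name.isEmpty())
            throw new IOException("DNSName must not be null or empty");
        if (name.indexOf(' ') != -1)
            throw new IOException("DNSName with blank components is not permitted");
        if (name.charAt(0) == '.' || name.charAt(name.length() - 1) == '.')
            throw new IOException("DNSName may not begin or end with a .");

        // Only the first character of each label differs between the two rules.
        String firstChars = leadingDigitAllowed ? ALPHA + DIGITS : ALPHA;

        // Limit -1 keeps empty strings, so "a..b" yields an empty middle label.
        for (String label : name.split("\\.", -1)) {
            if (label.isEmpty())
                throw new IOException("DNSName with empty components are not permitted");
            // RFC 1034 § 3.5 label length limit (assumption: not necessarily enforced by keytool).
            if (label.length() > 63)
                throw new IOException("DNSName label longer than 63 octets");
            for (int i = 1; i < label.length(); i++) {
                if (LDH.indexOf(label.charAt(i)) < 0)
                    throw new IOException("DNSName components must consist of letters, digits, and hyphens");
            }
            if (firstChars.indexOf(label.charAt(0)) < 0)
                throw new IOException(leadingDigitAllowed
                    ? "DNSName components must begin with a letter or digit"
                    : "DNSName components must begin with a letter");
            // Preferred name syntax: a label ends with a letter or digit, never a hyphen.
            if (label.charAt(label.length() - 1) == '-')
                throw new IOException("DNSName components must not end with a hyphen");
        }
        return name;
    }

    /** One-line verdict for a name under the chosen rule, for display. */
    static String describe(String name, boolean leadingDigitAllowed) {
        try {
            return validate(name, leadingDigitAllowed) + ": accepted";
        } catch (IOException e) {
            return name + ": rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the page's 1abc.com plus a few edge cases.
        List<String> samples = Arrays.asList(
            "abc.com", "1abc.com", "3com.example", "-abc.com", "abc-.com", "a..b");
        for (String s : samples) {
            System.out.println("RFC 1034 rule: " + describe(s, false));
            System.out.println("RFC 1123 rule: " + describe(s, true));
        }
    }
}
```

Under the RFC 1034 rule, 1abc.com and 3com.example are rejected with the "must begin with a letter" message the page quotes; under the RFC 1123 rule both are accepted, while names with a leading or trailing hyphen or an empty label are rejected under either rule. This is the distinction the keytool change draws: only the first character of each label is relaxed, nothing else in the preferred name syntax changes.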
CSR of: JDK-8216061 Relax DNSName restriction as per RFC 1123 (Resolved)