JDK-8290708

Relax DNSName restriction as per RFC 1123


Details

    • Type: CSR
    • Resolution: Approved
    • Priority: P4
    • Fix Version: 8u212
    • Component: security-libs
    • Compatibility Kind: behavioral
    • Compatibility Risk: minimal
    • Interface Kind: add/remove/modify command line option
    • Scope: Implementation

    Description

      Summary

      This is a retrospective CSR review for the JDK 8 Updates implementation of JDK-8213952: Relax DNSName restriction as per RFC 1123.

      While the JDK 11u and later fixes made behavioural changes to the general use of the sun.security.x509.DNSName(String name) constructor, the JDK 8u change concentrated on only one corner case related to keytool's use of the DNSName(String name) constructor. The change is an implementation-specific change to the keytool binary that ships in JDK 8u.

      Problem

      The sun.security.x509.DNSName JDK-specific implementation class is used by the keytool binary to construct DNS names that may be placed in X509Certificate fields (via the -ext san=dns:"dns name" option). Currently, this option does not allow such a value to begin with a digit. This restriction was most likely adopted from the RFC 1034 naming convention. It causes interoperability issues with other tooling systems that allow such names to begin with a digit.

      RFC 1123 § 2.1 permits a DNSName to begin with a digit.

      The keytool man page refers to RFC 5280. § 4.2.1.6 of that RFC specifies the format of the String used. The RFC section contains the following specification:

         When the subjectAltName extension contains a domain name system
         label, the domain name MUST be stored in the dNSName (an IA5String).
         The name MUST be in the "preferred name syntax", as specified by
         Section 3.5 of [RFC1034] and as modified by Section 2.1 of
         [RFC1123].

      https://tools.ietf.org/html/rfc1034#section-3.5
      https://tools.ietf.org/html/rfc1123#section-2.1

      With this restriction in place in keytool, interoperability with certificates produced by other platforms could be impacted.

      Solution

      Relax the sun.security.x509.DNSName constructor used by keytool and introduce a DNSName constructor that allows the DNS name value to begin with a digit, as per RFC 1123 § 2.1. This will allow certificates produced by keytool to interoperate better with other X.509 tool stacks.

      https://tools.ietf.org/html/rfc1123#section-2.1

      Specification

      The behaviour of the JDK keytool utility around the "-ext san=dns:" option will be refined. The tool will no longer throw "java.io.IOException: DNSName components must begin with a letter" when a DNSName that starts with a digit is passed as a parameter; e.g. -ext san=dns:1abc.com would be accepted.
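      The following is an added example, not the JDK's sun.security.x509.DNSName code: a small validator for the dNSName SAN value that applies the RFC 1034 § 3.5 "preferred name syntax" either strictly (letter-first, the pre-fix keytool behaviour) or with the RFC 1123 § 2.1 relaxation (leading digit allowed) that this CSR adopts. The function name, the flag allow_leading_digit and the candidate names in the demo are constructed for illustration; the error string for the strict case is the one keytool emitted, taken from the Specification above.

```python
import re

# Label grammar from RFC 1034 section 3.5 ("preferred name syntax"):
# starts with a letter, ends with a letter or digit, interior characters
# are letters, digits or hyphens. RFC 1123 section 2.1 relaxes the first
# character to a letter OR a digit. Constructed for illustration; this is
# not the JDK's sun.security.x509.DNSName implementation.
LABEL_RFC1034 = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
LABEL_RFC1123 = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

MAX_LABEL_OCTETS = 63   # RFC 1034 section 3.1
MAX_NAME_OCTETS = 255   # RFC 1034 section 3.1


def check_dns_name(name: str, allow_leading_digit: bool = True):
    """Validate a dNSName SAN value.

    Returns None when the name is acceptable, otherwise a string describing
    the first violation found. allow_leading_digit=False reproduces the
    pre-fix keytool behaviour (RFC 1034 only); True applies the RFC 1123
    relaxation adopted by JDK-8213952.
    """
    if not name:
        return "DNSName must not be empty"
    # dNSName is an IA5String: every character must be 7-bit ASCII.
    if not name.isascii():
        return "DNSName must be an IA5String (7-bit ASCII)"
    if len(name) > MAX_NAME_OCTETS:
        return "DNSName exceeds 255 octets"
    pattern = LABEL_RFC1123 if allow_leading_digit else LABEL_RFC1034
    for label in name.split("."):
        if not label:
            return "DNSName contains an empty component"
        if len(label) > MAX_LABEL_OCTETS:
            return f"DNSName component {label!r} exceeds 63 octets"
        if not pattern.match(label):
            # Same wording keytool used, so the rejecting rule is visible.
            if label[0].isdigit() and not allow_leading_digit:
                return "DNSName components must begin with a letter"
            return f"DNSName component {label!r} is not in the preferred name syntax"
    return None


if __name__ == "__main__":
    # Constructed candidates: the CSR's own 1abc.com plus a few edge cases.
    for candidate in ("1abc.com", "abc.com", "-abc.com", "abc-.com", "a..com"):
        strict = check_dns_name(candidate, allow_leading_digit=False)
        relaxed = check_dns_name(candidate)
        print(f"{candidate:10} strict={strict!r} relaxed={relaxed!r}")
```

      Note that the relaxation only touches the first character of a label: a leading or trailing hyphen, an empty component and a label over 63 octets are rejected under both modes, and a wildcard label such as "*" is outside the RFC 1034 grammar entirely, so this checker rejects it regardless of what a given toolchain accepts.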

      People

        Sean Coffey (coffeys)
        Prasadarao Koppula