JDK-8186143

keytool -ext option doesn't accept wildcards for DNS subject alternative names


    Details

    • Resolved In Build: b15
    • CPU: generic
    • OS: generic
    • Verification: Verified

      Description

      FULL PRODUCT VERSION :
      java version "1.8.0_121"
      Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
      Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)

      ADDITIONAL OS VERSION INFORMATION :
      Windows 10

      A DESCRIPTION OF THE PROBLEM :
      I wanted to understand whether Java has got the support for wildcard based DNS names in X509 V3 extensions with Keytool option.

      I was following RFC 2818 and RFC 2459 to use SAN with my keystore. I generated my keystore using the following command:

      keytool -genkeypair -alias localhost -keystore mykeys.jks -storepass somepass -keypass somepass -validity 730 -keyalg RSA -ext SAN=DNS:localhost,DNS:*.mydomain.com,DNS:localhost

      What is your first and last name?
        [Unknown]: localhost
      What is the name of your organizational unit?
        [Unknown]: My Org
      What is the name of your organization?
        [Unknown]: MyMy
      What is the name of your City or Locality?
        [Unknown]: London
      What is the name of your State or Province?
        [Unknown]:
      What is the two-letter country code for this unit?
        [Unknown]: GB
      Is CN=localhost, OU=My Org, O=MyMy, L=London, ST=Unknown, C=GB correct?
        [no]: yes

      keytool error: java.lang.RuntimeException: java.io.IOException: DNSName components must begin with a letter

      Please could you confirm if this is a bug or an expected behaviour with Keytool. If I cannot create my certificate signing request using keytool (with SAN extensions) - does Java provide any other means to do this?

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Same as in description

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      A Keypair should have been generated with SAN name (DNS with wildcards accepted).
      ACTUAL -
      keytool error: java.lang.RuntimeException: java.io.IOException: DNSName components must begin with a letter

      REPRODUCIBILITY :
      This bug can be reproduced always.

      CUSTOMER SUBMITTED WORKAROUND :
      Currently, I have to add each and every single DNS name using comma-separated dictionary-like entry form e.g.

      -ext SAN=DNS:value1,DNS:value2,DNS:value3
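As an added illustration (not part of the original report, of keytool, or of the JDK), the following Python script parses a keytool-style SAN option value, checks each DNS entry under two rules, and shows how a wildcard entry is matched against a hostname. The first rule is the pre-fix behaviour the error message above describes (every component must begin with a letter, so a leading `*` is rejected; the error string is the one quoted in the report). The second is the RFC 6125 section 6.4.3 guidance: a lone `*` is allowed only as the complete leftmost label, partial wildcards such as `f*.example` are refused, and a wildcard covers exactly one label, so `*.mydomain.com` matches `www.mydomain.com` but neither `mydomain.com` nor `a.b.mydomain.com`. All function names, the exact validation rules and the single-label matching choice are assumptions made for this example, not keytool's own implementation.

```python
"""Checker for keytool-style '-ext SAN=...' values and RFC 6125-style wildcard matching.

Added example, not part of the JDK or of keytool.  Function names and the exact
validation rules are choices made here; the legacy error string is the one quoted
in the bug report.
"""
import re

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen (RFC 1123 style).
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

# Error text keytool printed for '*.mydomain.com' in the report.
LEGACY_ERROR = "DNSName components must begin with a letter"


def parse_san_option(value):
    """Split 'SAN=DNS:a,DNS:*.b.com,IP:10.0.0.1' into a list of (TYPE, value) tuples."""
    if value[:4].upper() == "SAN=":
        value = value[4:]
    entries = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        kind, sep, name = item.partition(":")
        if not sep or not name:
            raise ValueError("SAN entry must look like TYPE:value, got %r" % item)
        entries.append((kind.strip().upper(), name.strip()))
    return entries


def validate_dns_name(name, allow_wildcard=True):
    """Return None if `name` is an acceptable DNS SAN value, otherwise a reason string.

    allow_wildcard=False reproduces the pre-fix keytool rule from the report: every
    component must begin with a letter, so a leading '*' (or a digit) is rejected.
    allow_wildcard=True applies the RFC 6125 sec. 6.4.3 guidance instead: a lone '*'
    may appear only as the complete leftmost label, and at least one label must follow.
    """
    labels = name.split(".")
    if any(label == "" for label in labels):
        return "empty label in %r" % name
    if not allow_wildcard:
        for label in labels:
            if not label[0].isalpha():
                return LEGACY_ERROR
        return None
    for i, label in enumerate(labels):
        if label == "*":
            if i != 0:
                return "wildcard allowed only in the leftmost label"
            if len(labels) < 2:
                return "wildcard must be followed by at least one label"
            continue
        if "*" in label:
            return "partial wildcard %r not accepted (use a whole-label '*')" % label
        if not _LABEL_RE.match(label):
            return "label %r must be letters, digits or hyphens, not starting or ending with '-'" % label
    return None


def check_san_option(value, allow_wildcard=True):
    """Validate every DNS: entry of a SAN option; returns {name: problem} for rejected ones."""
    problems = {}
    for kind, name in parse_san_option(value):
        if kind != "DNS":
            continue  # IP:, EMAIL:, URI: entries have their own syntax; not covered here
        reason = validate_dns_name(name, allow_wildcard)
        if reason is not None:
            problems[name] = reason
    return problems


def hostname_matches(hostname, dns_names):
    """True if `hostname` matches one of the DNS SAN entries.

    Comparison is case-insensitive and label-wise; a '*' in the leftmost label matches
    exactly one label, so '*.mydomain.com' covers 'www.mydomain.com' but not
    'mydomain.com' or 'a.b.mydomain.com'.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for san in dns_names:
        san_labels = san.lower().rstrip(".").split(".")
        if len(san_labels) != len(host_labels):
            continue
        ok = True
        for i, (s, h) in enumerate(zip(san_labels, host_labels)):
            if s == "*" and i == 0:
                continue
            if s != h:
                ok = False
                break
        if ok:
            return True
    return False


if __name__ == "__main__":
    # The SAN value from the report's keytool command (constructed input, copied from it).
    option = "SAN=DNS:localhost,DNS:*.mydomain.com,DNS:localhost"
    print("legacy rule  :", check_san_option(option, allow_wildcard=False))
    print("RFC 6125 rule:", check_san_option(option))
    names = [n for k, n in parse_san_option(option) if k == "DNS"]
    for host in ("www.mydomain.com", "mydomain.com", "a.b.mydomain.com", "LOCALHOST"):
        print("%-20s -> %s" % (host, hostname_matches(host, names)))
```

Run as-is, the script reports the report's own SAN value as rejected under the legacy rule and accepted under the RFC 6125 rule, then prints which of the four sample hostnames the entries cover. The single-label matching is deliberately the conservative reading: RFC 2818 also tolerates partial wildcards, but validating and matching only whole-label wildcards avoids a `*.mydomain.com` entry being taken to cover the bare domain or deeper subdomains.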

      People

      Assignee: Haimay Chao (hchao)
      Reporter: Webbug Group (webbuggrp)
      Votes: 0
      Watchers: 6