Details
- Type: Bug
- Status: Closed
- Priority: P2
- Resolution: Fixed
- Affects Version/s: 8, 9
- Fix Version/s: 15
- Component/s: security-libs
- Labels:
- Subcomponent:
- Resolved In Build: b15
- CPU: generic
- OS: generic
- Verification: Verified
Description
FULL PRODUCT VERSION :
java version "1.8.0_121"
Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Windows 10
A DESCRIPTION OF THE PROBLEM :
I wanted to understand whether Java has got the support for wildcard based DNS names in X509 V3 extensions with Keytool option.
I was following RFC 2818 and RFC 2459 to use SAN with my keystore. I generated my keystore using the following command:
```
keytool -genkeypair -alias localhost -keystore mykeys.jks -storepass somepass -keypass somepass -validity 730 -keyalg RSA -ext SAN=DNS:localhost,DNS:*.mydomain.com,DNS:localhost
What is your first and last name?
[Unknown]: localhost
What is the name of your organizational unit?
[Unknown]: My Org
What is the name of your organization?
[Unknown]: MyMy
What is the name of your City or Locality?
[Unknown]: London
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]: GB
Is CN=localhost, OU=My Org, O=MyMy, L=London, ST=Unknown, C=GB correct?
[no]: yes
keytool error: java.lang.RuntimeException: java.io.IOException: DNSName components must begin with a letter
```
Please could you confirm whether this is a bug or expected behaviour with keytool. If I cannot create my certificate signing request using keytool (with SAN extensions), does Java provide any other means to do this?
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Same as in description
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
A Keypair should have been generated with SAN name (DNS with wildcards accepted).
ACTUAL -
keytool error: java.lang.RuntimeException: java.io.IOException: DNSName components must begin with a letter
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
Currently, I have to add each and every DNS name as a separate comma-separated, dictionary-like entry, e.g.
-ext SAN=DNS:value1,DNS:value2,DNS:value3
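The component check behind the error above, and the RFC 2818 wildcard matching the report refers to, modelled in Python as an added illustration (this is not JDK or keytool code; the policy that a lone `*` is accepted only as the leftmost label is this example's assumption, and the sample names are constructed):

```python
import re
from typing import List, Optional

# Label syntax per RFC 1034 preferred name syntax: letters, digits and hyphens,
# no leading or trailing hyphen. The regex is this example's own.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

def check_dns_name(name: str, allow_wildcard: bool = False) -> Optional[str]:
    """Validate a SAN DNSName. Returns None when acceptable, else a reason.
    Models (assumption) the strict rule in the report: every component must
    begin with a letter, so "*.mydomain.com" is refused. With
    allow_wildcard=True a lone "*" is accepted as the leftmost label only."""
    if not name:
        return "DNSName must not be empty"
    labels = name.split(".")
    for i, label in enumerate(labels):
        if label == "*":
            if allow_wildcard and i == 0 and len(labels) > 1:
                continue  # wildcard permitted only in the leftmost position
            return "DNSName components must begin with a letter"
        if not LABEL_RE.match(label):
            return f"invalid DNSName component: {label!r}"
        if not label[0].isalpha():
            return "DNSName components must begin with a letter"
    return None

def wildcard_matches(san: str, host: str) -> bool:
    """RFC 2818 section 3.1: '*' stands for exactly one leftmost label, so
    '*.a.com' matches 'foo.a.com' but not 'bar.foo.a.com' or 'a.com'."""
    san_labels = san.lower().split(".")
    host_labels = host.lower().split(".")
    if len(san_labels) != len(host_labels):
        return False
    return all(s == "*" or s == h for s, h in zip(san_labels, host_labels))

def parse_san_option(value: str) -> List[str]:
    """Split a keytool-style 'SAN=DNS:a,DNS:b' value into DNS names,
    dropping repeats such as the doubled DNS:localhost in the report."""
    body = value.split("=", 1)[1] if value.startswith("SAN=") else value
    names: List[str] = []
    for entry in body.split(","):
        kind, _, val = entry.partition(":")
        if kind.strip().upper() == "DNS" and val and val not in names:
            names.append(val)
    return names
```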
Attachments
Issue Links
- relates to JDK-8054380 DNSName should be verified when parsing an X509Certificate (Open)