JDK-8054380 : DNSName should be verified when parsing an X509Certificate
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7
  • Priority: P3
  • Status: Open
  • Resolution: Unresolved
  • Submitted: 2014-08-06
  • Updated: 2018-11-16
Related Reports
Duplicate :  
JDK-8146354 - keytool no longer supports RFC1123 compliant names in Subject Alternative Names
Duplicate :  
JDK-8016345 - Update DNSName.java to support RFC 1123
Relates :  
JDK-8186143 - keytool -ext option doesn't accept wildcards for DNS subject alternative names
Sub Tasks
JDK-8213952 :  
Relax DNSName restriction as per RFC 1123 - Resolved
Description
1. DNSName only accepts letters as the first character. RFC 1123 has relaxed that restriction:

RFC 1123, Section 2.1:
>  One aspect of host name syntax is hereby changed: the
>       restriction on the first character is relaxed to allow either a
>       letter or a digit.  Host software MUST support this more liberal
>       syntax. 

2. RFC 952 specifies that an LDH (Letter-Digit-Hyphen) label may only end with a letter or digit. We should remove hyphens from the set of permissible terminal characters in a label.

3. No verification of a DNSName occurs when parsing an X509Certificate. Verification only occurs when creating a certificate (for example, with keytool). Fix this so that verification runs for both parsing and creation.