JDK-8054380 : DNSName should be verified when parsing an X509Certificate
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7
  • Priority: P3
  • Status: Open
  • Resolution: Unresolved
  • Submitted: 2014-08-06
  • Updated: 2018-11-16
Sub Tasks
JDK-8213952
Description
1. DNSName only accepts letters as the first character. RFC 1123 has relaxed that restriction:

RFC 1123, Section 2.1:
> One aspect of host name syntax is hereby changed: the
> restriction on the first character is relaxed to allow either a
> letter or a digit. Host software MUST support this more liberal
> syntax.

2. RFC 952 specifies that an LDH (Letter-Digit-Hyphen) label may only end with a letter or digit. We should remove hyphens from the set of permissible terminal characters in a label.

3. No verification of a DNSName occurs when parsing an X509Certificate. Verification only occurs when creating a certificate (for example, with keytool). Fix this so that verification runs for both parsing and creation.
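The three points above amount to one syntactic check (RFC 952 LDH labels as relaxed by RFC 1123) that should run on every dNSName whether the certificate is being built or parsed. The following is an added example written for this page, not code from the JDK or from sun.security.x509.DNSName: a self-contained validator that accepts a leading digit, rejects a terminal hyphen, and is applied to a constructed list of SubjectAltName entries the way a parser would apply it. The `verified_dns_names` helper, the `(type, value)` pair layout of its input, and the sample names are all assumptions made for the illustration; `2` is the GeneralName tag number for dNSName and `7` the one for iPAddress.

```python
import re

# RFC 952 LDH label as amended by RFC 1123 section 2.1: letters, digits and
# hyphens; the first character may be a letter OR a digit (the RFC 1123
# relaxation); the last character must be a letter or digit, so a hyphen is
# never terminal; at most 63 octets (RFC 1034).  Only ASCII is accepted:
# internationalised names must already be in xn-- A-label form.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\Z")
MAX_LABEL_LEN = 63
MAX_NAME_LEN = 253


def validate_dns_name(name: str) -> str:
    """Return `name` unchanged if it is a syntactically valid LDH hostname.

    Raises ValueError naming the offending label otherwise.  Wildcard
    labels ('*') are not LDH and are rejected here; a parser that wants to
    accept them needs an explicit policy for that (assumption, not RFC text).
    """
    if not name:
        raise ValueError("DNSName must not be empty")
    if not name.isascii():
        raise ValueError(f"DNSName {name!r} contains non-ASCII characters")
    if len(name) > MAX_NAME_LEN:
        raise ValueError(f"DNSName {name!r} longer than {MAX_NAME_LEN} octets")
    for label in name.split("."):
        if label == "":
            raise ValueError(f"DNSName {name!r} has an empty label")
        if _LABEL.match(label):
            continue
        # Work out which rule failed so the error is actionable.
        if label[0] == "-":
            reason = "must begin with a letter or digit"
        elif label[-1] == "-":
            reason = "must not end with a hyphen (RFC 952)"
        elif len(label) > MAX_LABEL_LEN:
            reason = f"longer than {MAX_LABEL_LEN} octets"
        else:
            reason = "contains a character outside [A-Za-z0-9-]"
        raise ValueError(f"DNSName {name!r}: label {label!r} {reason}")
    return name


def dns_name_error(name: str):
    """Return the validation error message for `name`, or None if it is valid."""
    try:
        validate_dns_name(name)
    except ValueError as exc:
        return str(exc)
    return None


# GeneralName tag numbers as used for SubjectAltName entries.
DNS_NAME = 2
IP_ADDRESS = 7


def verified_dns_names(san_entries):
    """Parse-side verification of a SubjectAltName extension (assumed shape).

    `san_entries` is a list of (general_name_type, value) pairs such as a
    parser would produce.  Every dNSName value is validated and the first bad
    one raises, which is the behaviour the report asks for on parse as well
    as on creation.  Other name types are passed over untouched.
    """
    checked = []
    for kind, value in san_entries:
        if kind == DNS_NAME:
            checked.append(validate_dns_name(value))
    return checked


# Constructed sample SAN contents for the demonstration; not from a real cert.
GOOD_SAN = [(DNS_NAME, "www.example.com"),
            (DNS_NAME, "9front.example.com"),   # leading digit: legal per RFC 1123
            (IP_ADDRESS, "192.0.2.1")]
BAD_SAN = [(DNS_NAME, "www.example.com"),
           (DNS_NAME, "bad-.example.com")]      # terminal hyphen: illegal per RFC 952

if __name__ == "__main__":
    print("accepted:", verified_dns_names(GOOD_SAN))
    try:
        verified_dns_names(BAD_SAN)
    except ValueError as err:
        print("rejected:", err)
```

Running the block prints the two accepted names and then the rejection for `bad-.example.com`. The same `validate_dns_name` call belongs in both code paths the report describes: the constructor used when keytool builds a certificate and the decoder used when an X509Certificate is parsed, so that a name a local tool would refuse to emit is also refused when it arrives from a peer.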