JDK-8146354 : keytool no longer supports RFC1123 compliant names in Subject Alternative Names
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7,8,9
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: linux_redhat_6.0
  • CPU: x86
  • Submitted: 2015-11-24
  • Updated: 2016-01-04
  • Resolved: 2016-01-04
Related Reports
Duplicate :  
Description
FULL PRODUCT VERSION :
123host:~ # java -version
java version "1.8.0_66"
Java(TM) SE Runtime Environment (build 1.8.0_66-b17)
Java HotSpot(TM) 64-Bit Server VM (build 25.66-b17, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
123host:~ # uname -a
Linux 123host.123domain.com 2.6.32-504.30.3.el6.x86_64 #1 SMP Thu Jul 9 15:20:47 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
123host:~ # cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.6 (Santiago)

A DESCRIPTION OF THE PROBLEM :
When generating a Java keystore with keytool, if you include a domain component that starts with a number in the subject alternative name, keytool exits with "DNSName components must begin with a letter." 


Section 4.2.1.6 of RFC 5280:

   When the subjectAltName extension contains a domain name system
   label, the domain name MUST be stored in the dNSName (an IA5String).
   The name MUST be in the "preferred name syntax", as specified by
   Section 3.5 of [RFC1034] and as modified by Section 2.1 of
   [RFC1123].


Section 2.1 of RFC 1123:
   The syntax of a legal Internet host name was specified in RFC-952
   [DNS:4].  One aspect of host name syntax is hereby changed: the
   restriction on the first character is relaxed to allow either a
   letter or a digit.  Host software MUST support this more liberal
   syntax.



Error output:

/usr/java/default/bin/keytool -genkeypair -alias WebUI -keyalg RSA -sigalg SHA1withRSA \
    -keypass host -validity 3650 \
    -dname 'CN=123host.123domain.com, ou=WebUI, o=123host.123domain.com' \
    -ext SAN=dns:123host.123domain.com,ip:192.0.2.10,dns:localhost,ip:127.0.0.1 \
    -storepass thepassword -keystore /opt/tomcat/Security/keystore

keytool error: java.lang.RuntimeException: java.io.IOException: DNSName components must begin with a letter

ADDITIONAL REGRESSION INFORMATION: 
123host:~ # java -version
java version "1.8.0_66"
Java(TM) SE Runtime Environment (build 1.8.0_66-b17)
Java HotSpot(TM) 64-Bit Server VM (build 25.66-b17, mixed mode)

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Try to create a keystore with a Subject Alternative Name starting with a number

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Keystore gets created successfully; keytool exits status 0
ACTUAL -
Keytool returns a non-zero exit status and an error message

ERROR MESSAGES/STACK TRACES THAT OCCUR :
keytool error: java.lang.RuntimeException: java.io.IOException: DNSName components must begin with a letter

REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
Do not include a domain component that starts with a number in the subject alternative name of the certificate

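The two RFC excerpts quoted above differ only in whether a host name label may begin with a digit. The following script, added here as an illustration and not part of the bug report or of the JDK, encodes both rules so the SAN value from the failing keytool command can be checked offline: with the RFC 1123 rule (what RFC 5280 section 4.2.1.6 requires) every entry passes, and with the pre-RFC 1123 rule (a leading letter required, which is what the affected keytool builds enforce) the same 123host.123domain.com entry is reported with the error text seen in the report. The keytool-style "type:value" SAN syntax is parsed only as far as the dns and ip kinds; the function names and the IPv4/IPv6 check on ip entries are the author's own additions.

```python
import ipaddress
import re

# Label grammar from RFC 1034 section 3.5 ("preferred name syntax") as amended
# by RFC 1123 section 2.1: 1-63 letters, digits and hyphens, no leading or
# trailing hyphen, and a leading digit is allowed.
_LABEL_RFC1123 = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# The older RFC 952 rule that RFC 1123 relaxed: the first character must be a
# letter. This is the behaviour the report shows in keytool 7u91/8u66/9 ea.
_LABEL_RFC952 = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_dns_name(name, allow_leading_digit=True):
    """Validate one dNSName value. Return None if valid, else an error string.

    allow_leading_digit=True applies the RFC 1123 syntax; False reproduces
    the stricter leading-letter rule that the affected keytool builds apply.
    """
    if not name:
        return "empty name"
    if len(name) > 253:
        return "name longer than 253 characters"
    pattern = _LABEL_RFC1123 if allow_leading_digit else _LABEL_RFC952
    for label in name.split("."):
        if not label:
            return "empty label (leading, trailing or doubled dot)"
        if len(label) > 63:
            return "label %r longer than 63 characters" % label
        if not pattern.match(label):
            if not allow_leading_digit and label[0].isdigit():
                # Same wording as the IOException quoted in the report.
                return "DNSName components must begin with a letter"
            return "label %r is not valid host name syntax" % label
    return None


def check_san(spec, allow_leading_digit=True):
    """Check each entry of a keytool-style "-ext SAN=type:value,..." string.

    Returns a list of (kind, value, error) tuples for entries that fail;
    an empty list means every dns/ip entry is acceptable under the chosen
    rule. email:, uri: and oid: entries are passed through unchecked.
    """
    if spec.upper().startswith("SAN="):
        spec = spec[4:]
    problems = []
    for entry in spec.split(","):
        kind, sep, value = entry.partition(":")
        kind = kind.strip().lower()
        if not sep:
            problems.append((kind, value, "entry is not of the form type:value"))
            continue
        if kind == "dns":
            err = check_dns_name(value, allow_leading_digit)
        elif kind == "ip":
            try:
                ipaddress.ip_address(value)
                err = None
            except ValueError:
                err = "not a valid IPv4/IPv6 address"
        else:
            err = None
        if err:
            problems.append((kind, value, err))
    return problems


if __name__ == "__main__":
    # The SAN value from the keytool command in the report.
    san = "SAN=dns:123host.123domain.com,ip:192.0.2.10,dns:localhost,ip:127.0.0.1"
    print("RFC 1123 rule:", check_san(san) or "all entries valid")
    print("leading-letter rule:", check_san(san, allow_leading_digit=False))
```

Running the script against the report's SAN value shows no problems under the RFC 1123 rule and exactly one under the leading-letter rule, for dns:123host.123domain.com. The check is useful in a build pipeline to find which names a pre-fix keytool will reject before the keystore step fails, and to confirm that a name such as localhost or an IP entry is unaffected.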

Comments
This is an issue. Verified with below builds:
8u66 - Fail
7u91 - Fail
9 ea b-96 - Fail
31-12-2015