JDK-8202598 : [linux] keytool -certreq inconsistent with platform line.separator
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8u171,10.0.1,11
  • Priority: P4
  • Status: In Progress
  • Resolution: Unresolved
  • OS: linux
  • CPU: generic
  • Submitted: 2018-05-03
  • Updated: 2018-06-27
Other: tbd_major (Unresolved)
Description
Certificate signing requests generated with keytool on Linux generate CRLF at the end. This is a regression from JDK 7, which used plain '\n' to separate lines. This is an interoperability issue with non-Java tools.

Steps to Reproduce:
$ keytool -genkeypair -alias dummy -keyalg RSA -keysize 2048  \
    -sigalg SHA256withRSA  \
    -dname "CN=dummy.example.com, OU=Dummy, O=Dummy, L=Cupertino, ST=CA, C=US"  \
    -validity 3652 -keypass passphrase -keystore keystore \
    -storepass passphrase
$ keytool -keypass passphrase -storepass passphrase -certreq -v -alias dummy -keystore keystore -file csr.txt
$ file csr.txt
csr.txt: RFC1421 Security Certificate Signing Request, ASCII text, with CRLF, LF line terminators

Note the "CRLF, LF line terminators" output of file.

Expected:
$ file csr.txt 
csr.txt: RFC1421 Security Certificate Signing Request, ASCII text

A plain "jtreg"-like Java test showing the issue is attached.

Expected output:
DEBUG: Verifying whether cert request is consistent with platform CRLF...
'-----BEGIN NEW CERTIFICATE REQUEST-----'
'MIICwDCCAagCAQAwajELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlDdXBlcnRp'
'bm8xDjAMBgNVBAoTBUR1bW15MQ4wDAYDVQQLEwVEdW1teTEaMBgGA1UEAxMRZHVtbXkuZXhhbXBs'
'ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCJyPx5CunOuNreAlp82l0Bv0N9'
'WqmvTZYSMe0YaiBFCWdc18P8Ax+9d67Z/FU+5X/sZoFm5Ei9X8Scn0WoKBuIU2n9sPiYuU3OQNEC'
'E14frpsXxScognmUcgFIGrdI9ZxxW75zxxsPtezEghSGBSrVEY7aget39/SxyjVzXUxB/T0MUsMH'
'2CnM+L/IHWeKBvGz+FtLeGQeBerlHnf0rdHQjoN+M1nB3U0TvDRYTxToXXX2tQ2aj42xhYYPE0h/'
'aKqi0t+evnx1MwrwfED0lPzXb2FzKJTaHx9u/BS9OUgjUH6jv7/JiFn9o3IH/yAEtBfLJ1d0u27W'
'hW3j3M6N6GSzAgMBAAGgETAPBgkqhkiG9w0BCQ4xAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQBBsZDc'
'ZtdQivvar3iU9/tnQpTUWalF0t2xgNXyD4JBpMWceRBCJHE1LJeeOHM7L1IVO8UcrIorF6eaXk5b'
'82TXenQaVsnCenhISLF1AMjzghsiqNoqvHGbzH1wWhjQKF80+Cqd0DY8XyS8rx6p5tsWGg3KyqR7'
'i+OY0UfG7C3dW2gJijFw0XMf+Sg/5ZbUCx1VfjkOMpv3Za896jc1bk14BSew4WIFAxJXtleXV7c8'
'hW2IgWa7VbpqtgCNwymn37j2bdCNBSXKEFsaq6RQeqxxLcLg9937A8HOOGxqUL0Jcj/FveDbAucn'
'SG5zqXKkTRA1jMvSv8cAfYGEZ33W1jPg'
'-----END NEW CERTIFICATE REQUEST-----'
Test passed!

Actual output:
DEBUG: Verifying whether cert request is consistent with platform CRLF...
'-----BEGIN NEW CERTIFICATE REQUEST-----'
'MIICwDCCAagCAQAwajELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQH
'
Exception in thread "main" java.lang.Exception: Test failed! Got CR in certificate request. Expected only \n
	at SystemLineEndingCertReqTest.main(SystemLineEndingCertReqTest.java:79)
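
A way to check a generated csr.txt for the terminator mix that file reports above and to produce an LF-only copy, as an added example that is not part of the bug report or the attached test. The function names and the sample file are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the bug report): inspect and fix the line
# terminators of a PEM certificate request such as keytool's csr.txt.

# Print LF, CRLF, mixed or empty for the file named in $1.
csr_line_endings() {
    awk '
        /\r$/ { crlf++; next }     # line ends in CR LF
              { lf++ }             # line ends in bare LF
        END {
            if (crlf && lf) print "mixed"
            else if (crlf)  print "CRLF"
            else if (lf)    print "LF"
            else            print "empty"
        }' "$1"
}

# Write an LF-only copy of $1 to $2. CR is never part of PEM content
# (base64 text and the BEGIN/END lines), so deleting every CR is safe.
csr_normalize() {
    tr -d '\r' < "$1" > "$2"
}

# Print the base64 body of $1 as one line with no terminators, to confirm
# that normalizing changed only the framing and not the encoded request.
csr_payload() {
    awk '/^-----BEGIN /{ in_body = 1; next }
         /^-----END /  { in_body = 0 }
         in_body       { sub(/\r$/, ""); printf "%s", $0 }
         END           { print "" }' "$1"
}

# Constructed sample: LF after the BEGIN/END lines, CR LF after the base64
# lines, the mix that file(1) reports above. The body is placeholder text
# (base64 of "PLACEHOLDER1" and "PLACEHOLDER2"), not a real request.
make_sample_csr() {
    printf '%s\n' '-----BEGIN NEW CERTIFICATE REQUEST-----' > "$1"
    printf 'UExBQ0VIT0xERVIx\r\nUExBQ0VIT0xERVIy\r\n' >> "$1"
    printf '%s\n' '-----END NEW CERTIFICATE REQUEST-----' >> "$1"
}

demo_dir=$(mktemp -d)
make_sample_csr "$demo_dir/csr.txt"
echo "before: $(csr_line_endings "$demo_dir/csr.txt")"
csr_normalize "$demo_dir/csr.txt" "$demo_dir/csr-lf.txt"
echo "after:  $(csr_line_endings "$demo_dir/csr-lf.txt")"
rm -rf "$demo_dir"
```
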
Comments
Downstream bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1337583
27-06-2018

Patch which we have applied on JDK 8 in downstream Fedora: https://src.fedoraproject.org/rpms/java-1.8.0-openjdk/blob/67db070908a362b2503b5272635d01f01cf80e77/f/pr2974-rh1337583.patch
27-06-2018

We have a patch for this already out in the wild. It just needs to be forward-ported to OpenJDK 11.
03-05-2018

Assigning to Andrew as he wrote a patch for this.
03-05-2018