Bug ID: JDK-8214270 Relax DNSName restriction as per RFC 1123

Type: CSR
Component: security-libs
Sub-Component: java.security

Priority: P4
Status: Closed
Resolution: Approved
Fix Versions: 12

Submitted: 2018-11-23
Updated: 2019-01-07
Resolved: 2018-11-30

Summary
-------
The java.security.cert.X509CertSelector.addSubjectAlternativeName(..) methods and the JDK keytool binary utility currently follow RFC 1034 guidelines when creating DNSName attributes. RFC 1123 relaxed those guidelines to allow DNSNames to begin with a digit. The same relaxation should be made in the JDK libraries.

Problem
-------
The sun.security.x509.DNSName JDK specific implementation class is used by the JDK to construct dns specific names which may be used in X509Certificate fields. Currently, its constructor doesn't allow such fields to begin with a digit. This was most likely adopted from the RFC 1034 naming convention. This causes interoperability issues with other tooling systems which allow such names to begin with a digit.

RFC 1123 �� 2.1 permits a DNSName to begin with a digit.

https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/security/cert/X509CertSelector.html#addSubjectAlternativeName(int,java.lang.String) makes reference to RFC 5280 �� 4.2.1.6 regards the format of the String used. The RFC section contains the following specification :

```
When the subjectAltName extension contains a domain name system
label, the domain name MUST be stored in the dNSName (an IA5String).
The name MUST be in the "preferred name syntax", as specified by
Section 3.5 of [RFC1034] and as modified by Section 2.1 of
[RFC1123].
```

https://tools.ietf.org/html/rfc1034#section-3.5
https://tools.ietf.org/html/rfc1123#section-2.1

Solution
--------

Relax the sun.security.x509.DNSName constructor and allow DNSNames (hostnames) to begin with a digit as per RFC 1123 �� 2.1
This will allow the JDK utility to inter-operate better with other X.509 type tool stacks.

https://tools.ietf.org/html/rfc1123#section-2.1

Specification
-------------

java.security.cert.X509CertSelector will have a behavioural change to allow X509 DNSName extentions to contain names that begin with an alpha-numerical character.

The JDK keytool utility behaviour will also change for constructor of X509 Certificates which contain DNSName fields. The tool will no longer throw a `java.io.IOException: DNSName components must begin with a letter` issue if a DNSName which starts with a digit is passed as a parameter, e.g. `-ext san=dns:1abc.com` would be accepted.

The RFC 2459 reference extracts in the sun.security.x509.DNSName code will be substituted with the RFC 5280 successor. More importantly, the relevant specification text will also be updated :

```
- * The name MUST be in the "preferred name syntax," as specified by RFC
- * 1034 [RFC 1034]. Note that while upper and lower case letters are
- * allowed in domain names, no signifigance is attached to the case. In
+ * The name MUST be in the "preferred name syntax", as specified by
+ * Section 3.5 of [RFC1034] and as modified by Section 2.1 of
+ * [RFC1123]. Note that while uppercase and lowercase letters are
+ * allowed in domain names, no significance is attached to the case.
```

Moving to Approved.
30-11-2018
[Unable to edit this CSR report when it's assigned to me (even in withdrawn state) -- hope it's a known issue] [~darcy] to answer your previous question, I don't see any reference to "RFC 952" in the JDK or SE specs. I see reference to RFC 1034 in three classes - * The JDK implementation class under edit (DNSName) and discussed in CSR * javax.management.remote.JMXServiceURL implementation code references RFC 1034 but behaves in RFC 1123 mode (allows hosts to begin with alpha-numeric character) -- The RFC is not mentioned in public spec * com.sun.org.apache.xerces.internal.util.URI code mentions RFC 1034 but also allows for the relaxing made via RFC 1123 (again non JDK or SE spec)
30-11-2018
On further checks, it looks like the implementation class adopts the RFC 1034 standard rather than the RFC 952 which I alluded to. I think I should update code (implementation only AFAIK) to also mention the RFC1123 reference. I'll revisit this. Withdrawing for now.
30-11-2018
To verify, I'm inferring from this CSR that there are no instances of "RFC 952" in the JDK or SE specs that should be changed to "RFC 1123". Is that correct? Should this change have a release note?
29-11-2018