JDK-8186143 : keytool -ext option doesn't accept wildcards for DNS subject alternative names
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8,9
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2017-08-08
  • Updated: 2025-07-10
  • Resolved: 2020-03-18
Fix versions:
  • JDK 11: 11.0.17-oracle (Fixed)
  • JDK 15: 15 b15 (Fixed)
  • JDK 8: 8u351 (Fixed)
  • Other: openjdk8u462, shenandoah8u462 (Fixed)
Description
FULL PRODUCT VERSION :
java version "1.8.0_121"
Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Windows 10

A DESCRIPTION OF THE PROBLEM :
I wanted to understand whether Java has got the support for wildcard based DNS names in X509 V3 extensions with Keytool option.

I was following RFC 2818 and RFC 2459 to use SAN with my keystore. I generated my keystore using the following command:

keytool -genkeypair -alias localhost -keystore mykeys.jks -storepass somepass -keypass somepass -validity 730 -keyalg RSA -ext SAN=DNS:localhost,DNS:*.mydomain.com,DNS:localhost

What is your first and last name?
  [Unknown]:  localhost
What is the name of your organizational unit?
  [Unknown]:  My Org
What is the name of your organization?
  [Unknown]:  MyMy
What is the name of your City or Locality?
  [Unknown]:  London
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:  GB
Is CN=localhost, OU=My Org, O=MyMy, L=London, ST=Unknown, C=GB correct?
  [no]:  yes

keytool error: java.lang.RuntimeException: java.io.IOException: DNSName components must begin with a letter

Please could you confirm if this is a bug or an expected behaviour with Keytool. If I cannot create my certificate signing request using keytool (with SAN extensions) - does Java provide any other means to do this?

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Same as in description

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
A Keypair should have been generated with SAN name (DNS with wildcards accepted).
ACTUAL -
keytool error: java.lang.RuntimeException: java.io.IOException: DNSName components must begin with a letter

REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
Currently, I have to add each and every single DNS name using a comma-separated, dictionary-like entry form, e.g.

-ext SAN=DNS:value1,DNS:value2,DNS:value3


Comments
Fix request [8u]
I backport this for parity with Oracle 8u351. Almost clean backport except for a small unrelated merge in DNSName.java caused by the absence of "JDK-8215281: Use String.isEmpty() when applicable in java.base". All sun/security/x509 and sun/security/tools/keytool JTREG tests passed.
26-03-2025

A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk8u-dev/pull/629 Date: 2025-02-25 20:10:34 +0000
25-02-2025

Fix request [11u]
I backport this for parity with 11.0.17-oracle. Clean backport except for one Copyright. SAP nightly testing passed.
23-07-2022

A pull request was submitted for review. URL: https://git.openjdk.org/jdk11u-dev/pull/1257 Date: 2022-07-21 18:04:12 +0000
21-07-2022

Git URL: https://github.com/openjdk/jdk/commit/0c9f8e472f1d452e97b3cbd50b9e5d700fffcd15
21-07-2022

URL: https://hg.openjdk.java.net/jdk/jdk/rev/824e6b7c5bcf User: weijun Date: 2020-03-18 01:25:15 +0000
18-03-2020

Could this be fixed for Java 8 keytool so that it accepts wildcard or partial-wildcard for SAN DNS names? Increasing priority. E.g.:

>keytool -genkeypair -alias xxx -keyalg RSA -keystore xxx -keysize 2048 -validity 360 -keypass xxx -storepass xxx -dname CN=XXX,.... -ext 'san=DNS:broker-*.sample.com'
>keytool error: java.lang.RuntimeException: java.io.IOException: DNSName components must consist of letters, digits, and hyphens
26-11-2017

There are 2 issues here:

Case 1. keytool error: java.lang.RuntimeException: java.io.IOException: DNSName components must begin with a letter
Case 2. Subject Alternative Name doesn't accept wildcards for DNS names

Case 1: This is an issue. According to RFC 1123 the restriction on the first character is relaxed to allow either a letter or a digit. RFC 1123, Section 2.1:

  2.1 Host Names and Numbers
  The syntax of a legal Internet host name was specified in RFC-952 [DNS:4]. One aspect of host name syntax is hereby changed: the restriction on the first character is relaxed to allow either a letter or a digit. Host software MUST support this more liberal syntax.

This is an open issue, and it is being addressed through JDK-8054380.

Case 2: Instead of adding each and every single DNS name using a comma-separated, dictionary-like entry, there should be provision to accept subject alternative names as wildcards for DNS names.
09-08-2017
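Added example, not code from the JDK's DNSName class or from keytool: a stand-alone Python re-implementation of the two checks this report is about, so the pre-fix rejection of the reporter's SAN argument and the post-fix acceptance can be reproduced without a JDK. It validates dNSName labels by the RFC 1123 rule quoted in the comment above (first character may be a letter or a digit), accepts a single '*' only in the left-most label when wildcards are enabled (covering both `*.mydomain.com` from the description and the partial form `broker-*.sample.com` from the comments), parses a keytool `-ext SAN=...` argument into its entries, and matches a wildcard name against a hostname one label at a time in the RFC 6125 style, which is the check a TLS client later performs on such a certificate. The function names, the 63-character label limit and the "at least one label after the wildcard" rule are this example's own choices, not something the bug page or the JDK specifies; the SAN string in the main block is the one constructed from the report.

```python
import re

# RFC 1123 section 2.1 relaxes RFC 952: a label may begin with a letter or a digit.
# Labels are letters, digits and hyphens, may not start or end with a hyphen,
# and are at most 63 characters long (RFC 1035). This regex encodes that rule.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_dns_name(name: str, allow_wildcard: bool = False) -> str:
    """Return `name` if it is an acceptable dNSName SAN value, else raise ValueError.

    With allow_wildcard=True a single '*' is accepted in the left-most label only,
    covering both '*.mydomain.com' and the partial form 'broker-*.sample.com';
    at least one further label must follow it (this example's own policy choice).
    """
    if not name:
        raise ValueError("DNSName must not be null or empty")
    if " " in name:
        raise ValueError("DNSName with blank components is not permitted")
    if name.startswith(".") or name.endswith("."):
        raise ValueError("DNSName may not begin or end with a .")
    labels = name.split(".")
    for index, label in enumerate(labels):
        if not label:
            raise ValueError("DNSName with empty components is not permitted")
        if "*" in label:
            if not allow_wildcard:
                raise ValueError(f"wildcard not permitted in DNSName: {name}")
            if index != 0:
                raise ValueError(f"wildcard only permitted in the left-most label: {name}")
            if label.count("*") != 1 or len(labels) < 2:
                raise ValueError(f"malformed wildcard label: {name}")
            # Treat the '*' as one ordinary character and apply the normal label rule,
            # so 'broker-*' passes but '-*' or '*-' still fail.
            label = label.replace("*", "x", 1)
        if not _LABEL_RE.match(label):
            raise ValueError(
                f"DNSName components must consist of letters, digits, and hyphens: {name}")
    return name


def is_valid_dns_name(name: str, allow_wildcard: bool = False) -> bool:
    """Boolean wrapper around validate_dns_name for callers that only need a verdict."""
    try:
        validate_dns_name(name, allow_wildcard)
    except ValueError:
        return False
    return True


def parse_san_ext(ext: str) -> list:
    """Split a keytool '-ext SAN=type:value,type:value' argument into (TYPE, value) pairs."""
    key, sep, body = ext.partition("=")
    if not sep or key.strip().upper() != "SAN":
        raise ValueError(f"not a SAN extension argument: {ext}")
    pairs = []
    for item in body.split(","):
        kind, sep, value = item.strip().partition(":")
        if not sep:
            raise ValueError(f"malformed SAN entry, expected type:value: {item}")
        pairs.append((kind.strip().upper(), value.strip()))
    return pairs


def check_keytool_san(ext: str, allow_wildcard: bool) -> list:
    """Return the DNS entries of `ext` that would be rejected (empty list = accepted)."""
    rejected = []
    for kind, value in parse_san_ext(ext):
        if kind != "DNS":
            continue  # IP:, EMAIL:, URI: entries have their own rules, not modelled here
        try:
            validate_dns_name(value, allow_wildcard)
        except ValueError as err:
            rejected.append(f"{value}: {err}")
    return rejected


def wildcard_matches(san: str, hostname: str) -> bool:
    """RFC 6125 section 6.4.3 style comparison, case-insensitive.

    A '*' matches one or more characters inside a single label only, so
    '*.mydomain.com' matches 'api.mydomain.com' but neither 'a.b.mydomain.com'
    nor 'mydomain.com'. Names without '*' must match label for label.
    """
    san_labels = san.lower().split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels) or san_labels[1:] != host_labels[1:]:
        return False
    first, head = san_labels[0], host_labels[0]
    if "*" not in first:
        return first == head
    prefix, suffix = first.split("*", 1)
    return (len(head) > len(prefix) + len(suffix)
            and head.startswith(prefix) and head.endswith(suffix))


if __name__ == "__main__":
    # Constructed input: the SAN argument from the original report.
    ext = "SAN=DNS:localhost,DNS:*.mydomain.com,DNS:localhost"
    print("before fix:", check_keytool_san(ext, allow_wildcard=False))
    print("after fix: ", check_keytool_san(ext, allow_wildcard=True))
    for host in ("api.mydomain.com", "a.b.mydomain.com", "mydomain.com"):
        print(f"*.mydomain.com vs {host}: {wildcard_matches('*.mydomain.com', host)}")
```

Running it lists `*.mydomain.com` as the single rejected entry with wildcards disabled and an empty list with them enabled, which is the before/after behaviour the report describes. The matcher is included because accepting a wildcard at issuance is only half the story: a certificate for `*.mydomain.com` covers one label, so a deployment that needs `a.b.mydomain.com` still needs a separate entry, exactly the situation the workaround in the description works around.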