Question about X509Certificate SAN DNS Name

Weijun Wang weijun.wang at oracle.com
Tue Sep 8 06:15:53 UTC 2015


Hi Sean

You closed 8016345 as a dup of 8007706, but it's about the 1st letter in 
a DNSName and 8007706 is about '_' inside. Should they be treated 
differently?

Thanks
Max

On 09/08/2015 12:52 PM, kepi at sg.ibm.com wrote:
> I have a question on one of the bugs described at
> https://bugs.openjdk.java.net/browse/JDK-8016345
>
> The status of this bug is closed as it duplicates
> https://bugs.openjdk.java.net/browse/JDK-8007706. In bug JDK-8007706
> <https://bugs.openjdk.java.net/browse/JDK-8007706> you were claiming that your
> implementation conforms to RFCs 5280, 1034, and 1123.
>
> But after carefully reading the RFCs, I think the bug reported in JDK-8016345
> should be fixed.
>
> From RFC 5280 Section 4.2.1.6, the block below says:
>
>     When the subjectAltName extension contains a domain name system
>     label, the domain name MUST be stored in the dNSName (an IA5String).
>     The name MUST be in the "preferred name syntax", as specified by
>     Section 3.5 of [RFC1034] and as modified by Section 2.1 of
>     [RFC1123].
>
> In RFC1034, it says the name should begin with a letter. However, in RFC1123
> Section 2.1, the syntax is relaxed and it says the first character can be either
> a letter or digit.
>
> From RFC1123 Section 2.1:
>
>     The syntax of a legal Internet host name was specified in RFC-952
>     <https://tools.ietf.org/html/rfc952#page-13> [DNS:4].  One aspect of
>     host name syntax is hereby changed: the restriction on the first
>     character is relaxed to allow either a letter or a digit.
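To make the difference between the two grammars concrete, here is an added example that is not JDK code and is not part of either bug report: it checks a dNSName value under RFC 1034 section 3.5 as written (first character a letter) and under the RFC 1123 section 2.1 modification that RFC 5280 points to (first character a letter or a digit). The function names check_dns_name and compare_rules are my own, and the sample names are constructed; the underscore and leading-digit samples only mirror the two shapes the bug reports are about.

```python
import re

# Label grammar of RFC 1034 section 3.5 ("preferred name syntax"): a label
# starts with a letter, may continue with letters, digits and hyphens, and
# must end with a letter or a digit.
_RFC1034_LABEL = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

# RFC 1123 section 2.1 changes exactly one thing: the first character may
# be a letter or a digit.
_RFC1123_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

MAX_LABEL_LEN = 63    # RFC 1034 section 3.1
MAX_NAME_LEN = 255    # RFC 1034 section 3.1


def check_dns_name(name: str, relaxed: bool = True) -> tuple:
    """Check a dNSName SAN value against the preferred name syntax.

    relaxed=False applies RFC 1034 as written (first character a letter);
    relaxed=True applies the RFC 1123 modification that RFC 5280 4.2.1.6
    refers to (first character a letter or a digit).  Returns (ok, reason).
    Illustrative checker only; it is not the JDK's implementation.
    """
    rfc = "RFC 1123" if relaxed else "RFC 1034"
    pattern = _RFC1123_LABEL if relaxed else _RFC1034_LABEL
    if not name:
        return False, "empty name"
    if not name.isascii():
        return False, "dNSName is an IA5String, so non-ASCII is not allowed"
    if len(name) > MAX_NAME_LEN:
        return False, "name longer than %d characters" % MAX_NAME_LEN
    labels = name.split(".")
    for label in labels:
        if not label:
            return False, "empty label (leading, trailing or doubled dot)"
        if len(label) > MAX_LABEL_LEN:
            return False, "label %r longer than %d characters" % (label, MAX_LABEL_LEN)
        if not pattern.match(label):
            return False, "label %r does not match %s label syntax" % (label, rfc)
    # RFC 1123 2.1 also notes that a host name can never take the
    # dotted-decimal form #.#.#.#, because the top-level label is alphabetic.
    if relaxed and labels[-1].isdigit():
        return False, "top-level label %r is all digits" % labels[-1]
    return True, "ok"


def compare_rules(names):
    """Evaluate each name under both rule sets: {name: (rfc1034_ok, rfc1123_ok)}."""
    return {n: (check_dns_name(n, relaxed=False)[0],
                check_dns_name(n, relaxed=True)[0]) for n in names}


if __name__ == "__main__":
    # Constructed sample values, not taken from either bug report.
    samples = [
        "www.example.com",      # accepted by both grammars
        "3com.example",         # leading digit: the shape 8016345 is about
        "_sip._tcp.example",    # underscore: the shape 8007706 is about
        "bad-.example",         # label ends in a hyphen
        "1.2.3.4",              # dotted decimal is never a host name
    ]
    for name, (strict, loose) in compare_rules(samples).items():
        print("%-22s RFC1034=%-5s RFC1123=%-5s %s"
              % (name, strict, loose, check_dns_name(name)[1]))
```

Run as a script it prints one line per sample; the leading-digit name is the only one whose verdict changes between the two grammars, which is exactly why the two bugs ask different questions.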
