On 8186143: Subject Alternative Name doesn't Accept Wildcards for DNS names
Weijun Wang
weijun.wang at oracle.com
Tue Aug 15 07:42:43 UTC 2017
I'll start working on this bug:
8186143: Subject Alternative Name doesn't Accept Wildcards for DNS names
https://bugs.openjdk.java.net/browse/JDK-8186143
The following are from https://tools.ietf.org/html/rfc5280#section-4.2.1.6:
When the subjectAltName extension contains a domain name system
label, the domain name MUST be stored in the dNSName (an IA5String).
The name MUST be in the "preferred name syntax", as specified by
Section 3.5 of [RFC1034] and as modified by Section 2.1 of
[RFC1123]
...
Finally, the semantics of subject alternative names that include
wildcard characters (e.g., as a placeholder for a set of names) are
not addressed by this specification.
https://tools.ietf.org/html/rfc1123#page-13 has:
2.1 Host Names and Numbers
The syntax of a legal Internet host name was specified in RFC-952
[DNS:4]. One aspect of host name syntax is hereby changed: the
restriction on the first character is relaxed to allow either a
letter or a digit. Host software MUST support this more liberal
syntax.
So I plan to make these changes:
1. In the constructor DNSName(String) [1], allow a digit as the first char of each label in the name.
2. Allow "*" but check its format using the same code in HostnameChecker::isMatched[2].
I'll start with a separate constructor (which allows "*") that is only used in creating a new subjectAltName, and see if it works.
Any suggestions?
Thanks
Max
[1] http://hg.openjdk.java.net/jdk9/dev/jdk/file/tip/src/java.base/share/classes/sun/security/x509/DNSName.java#l74
[2] http://hg.openjdk.java.net/jdk9/dev/jdk/file/tip/src/java.base/share/classes/sun/security/util/HostnameChecker.java#l285
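As an added illustration of the two proposed changes (editorial example; this is not the JDK's sun.security.x509.DNSName or HostnameChecker code, and it is not part of the original message), the class below validates a subjectAltName dNSName value against the RFC 1034 "preferred name syntax" as relaxed by RFC 1123 section 2.1, so a label may begin with a digit, and optionally accepts "*" as the whole leftmost label. Everything in it is an assumption for demonstration purposes: the class and method names, the 253-character total length limit, the rejection of non-IA5 characters, and the rule that a wildcard must be the entire leftmost label with at least two labels following it (the JDK's actual wildcard checks in HostnameChecker::isMatched are not reproduced here).

```java
import java.util.List;
import java.util.regex.Pattern;

/*
 * Example validator for a dNSName SAN value (assumed names; not JDK code).
 * Rules applied:
 *   - RFC 1034 section 3.5 label syntax, relaxed per RFC 1123 section 2.1 so that
 *     a label may start with a letter OR a digit; hyphens only inside a label.
 *   - each label 1..63 characters, whole name at most 253 characters.
 *   - IA5String content only (7-bit ASCII), as RFC 5280 requires for dNSName.
 *   - optional "*" as the entire leftmost label (assumed rule for this example).
 */
public final class SanDnsNameCheck {

    // One label: alphanumeric first and last character, hyphens allowed in between,
    // 1 to 63 characters in total.
    private static final Pattern LABEL =
            Pattern.compile("[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?");

    // Assumed textual limit for the whole name, dots included.
    private static final int MAX_NAME_LENGTH = 253;

    /** Throws IllegalArgumentException carrying the reason when the name is not acceptable. */
    public static void validate(String name, boolean allowWildcard) {
        if (name == null || name.isEmpty()) {
            throw new IllegalArgumentException("dNSName must not be empty");
        }
        if (name.length() > MAX_NAME_LENGTH) {
            throw new IllegalArgumentException(
                    "dNSName longer than " + MAX_NAME_LENGTH + " characters");
        }
        // dNSName is an IA5String: reject anything outside 7-bit ASCII up front.
        for (int i = 0; i < name.length(); i++) {
            if (name.charAt(i) > 0x7F) {
                throw new IllegalArgumentException("dNSName must be IA5String (7-bit ASCII)");
            }
        }
        // limit -1 keeps trailing empty strings, so "a..b" and "a." both expose an empty label.
        String[] labels = name.split("\\.", -1);
        for (int i = 0; i < labels.length; i++) {
            String label = labels[i];
            if (label.equals("*")) {
                if (!allowWildcard) {
                    throw new IllegalArgumentException("wildcard not allowed here: " + name);
                }
                // Assumed rule for this example: "*" must be the entire leftmost label and
                // at least two labels must follow it, so "*.example.com" passes while
                // "*.com", "www.*.com" and a bare "*" are rejected.
                if (i != 0 || labels.length < 3) {
                    throw new IllegalArgumentException(
                            "wildcard must be the leftmost label with at least two labels after it: "
                                    + name);
                }
                continue;
            }
            if (label.indexOf('*') >= 0) {
                throw new IllegalArgumentException("partial wildcard label not allowed: " + label);
            }
            if (!LABEL.matcher(label).matches()) {
                throw new IllegalArgumentException("invalid label \"" + label + "\" in " + name);
            }
        }
    }

    /** Boolean convenience wrapper around validate(). */
    public static boolean isValid(String name, boolean allowWildcard) {
        try {
            validate(name, allowWildcard);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs; none of these come from the original message.
        List<String> samples = List.of(
                "www.example.com",   // plain name
                "1example.com",      // RFC 1123: a digit-first label is legal
                "*.example.com",     // wildcard as the whole leftmost label
                "*.com",             // wildcard with only one label after it
                "www.*.com",         // wildcard not in the leftmost label
                "w*.example.com",    // partial wildcard inside a label
                "-bad.example.com",  // label starting with a hyphen
                "a..b");             // empty label
        for (String s : samples) {
            System.out.printf("%-18s wildcard off: %-5s wildcard on: %-5s%n",
                    s, isValid(s, false), isValid(s, true));
        }
    }
}
```

Compile and run with javac/java (Java 9 or later for List.of). Read the "wildcard off" column as the behaviour of a DNSName(String) constructor after change 1 only (digit-first labels accepted, no wildcard), and the "wildcard on" column as a separate wildcard-tolerant constructor along the lines of change 2; only the second column accepts "*.example.com", and both columns reject the partial, misplaced, or overly broad wildcard forms.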