On 8186143: Subject Alternative Name doesn't Accept Wildcards for DNS names

Weijun Wang weijun.wang at oracle.com
Tue Aug 15 07:42:43 UTC 2017


I'll start working on this bug:

    8186143: Subject Alternative Name doesn't Accept Wildcards for DNS names
    https://bugs.openjdk.java.net/browse/JDK-8186143

The following are from https://tools.ietf.org/html/rfc5280#section-4.2.1.6:

   When the subjectAltName extension contains a domain name system
   label, the domain name MUST be stored in the dNSName (an IA5String).
   The name MUST be in the "preferred name syntax", as specified by
   Section 3.5 of [RFC1034] and as modified by Section 2.1 of
   [RFC1123]

   ...

   Finally, the semantics of subject alternative names that include
   wildcard characters (e.g., as a placeholder for a set of names) are
   not addressed by this specification.

https://tools.ietf.org/html/rfc1123#page-13 has:

   2.1  Host Names and Numbers

      The syntax of a legal Internet host name was specified in RFC-952
      [DNS:4].  One aspect of host name syntax is hereby changed: the
      restriction on the first character is relaxed to allow either a
      letter or a digit.  Host software MUST support this more liberal
      syntax.

So I plan to make these changes:

1. In the constructor DNSName(String) [1], allow a digit as the first char of each label in the name.

2. Allow "*" but check its format using the same code as in HostnameChecker::isMatched [2].

I'll start with a separate constructor (which allows "*") that is only used in creating a new subjectAltName, and see if it works.

Any suggestions?

Thanks
Max

[1] http://hg.openjdk.java.net/jdk9/dev/jdk/file/tip/src/java.base/share/classes/sun/security/x509/DNSName.java#l74
[2] http://hg.openjdk.java.net/jdk9/dev/jdk/file/tip/src/java.base/share/classes/sun/security/util/HostnameChecker.java#l285
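An added illustration of the two label rules the proposed change touches (this is example code written for this page, not the JDK's DNSName or HostnameChecker): RFC 1034 "preferred name syntax" with the RFC 1123 relaxation that a label may begin with a digit, and a wildcard form for a new subjectAltName. The wildcard policy shown (a single "*" as the entire leftmost label, followed by at least two ordinary labels) is an assumption for the example, not a statement of what HostnameChecker::isMatched does; the 253-character total length is likewise an assumed limit.

```java
import java.util.regex.Pattern;

// Example validator for a dNSName value (constructed for illustration; not JDK code).
public final class DnsNameCheck {
    // One RFC 1123 label: starts and ends with a letter or digit (a leading digit is
    // allowed, per RFC 1123 section 2.1), hyphens only in the interior, at most 63 chars.
    private static final Pattern LABEL =
        Pattern.compile("[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?");

    public static boolean isValidLabel(String label) {
        return LABEL.matcher(label).matches();
    }

    // Strict form, as for today's DNSName(String): no wildcard, every label per RFC 1123.
    // split(..., -1) keeps empty labels so "example." and ".example.com" are rejected.
    public static boolean isValidDnsName(String name) {
        if (name == null || name.isEmpty() || name.length() > 253) { // 253 is an assumed cap
            return false;
        }
        for (String label : name.split("\\.", -1)) {
            if (!isValidLabel(label)) {
                return false;
            }
        }
        return true;
    }

    // Relaxed form for creating a new subjectAltName (assumed policy): "*" is accepted only
    // as the whole leftmost label, and the remainder must be a valid name of two or more labels.
    public static boolean isValidSanDnsName(String name) {
        if (name == null) {
            return false;
        }
        if (!name.startsWith("*.")) {
            return isValidDnsName(name); // LABEL never matches '*', so "a*.example.com" fails here
        }
        String rest = name.substring(2);
        return isValidDnsName(rest) && rest.indexOf('.') > 0;
    }

    public static void main(String[] args) {
        String[] samples = {"1host.example.com", "*.example.com", "*.com",
                            "a*.example.com", "-bad.example.com", "example."};
        for (String s : samples) {
            System.out.println(s + " -> " + isValidSanDnsName(s));
        }
    }
}
```

Only the first two samples pass; "*.com" is rejected by the two-label remainder rule, and the others fail the RFC 1123 label syntax.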


More information about the security-dev mailing list