On 8202598: [linux] keytool -certreq inconsistent with platform line.separator

Weijun Wang weijun.wang at oracle.com
Wed Jun 27 08:28:08 UTC 2018


> On Jun 27, 2018, at 4:01 PM, Severin Gehwolf <sgehwolf at redhat.com> wrote:
> 
> Hi Max,
> 
> On Wed, 2018-06-27 at 09:15 +0800, Weijun Wang wrote:
>> Hi Severin and/or Andrew
>> 
>> I'm going through all security bugs with JDK 11 in affected versions and noticed this one:
>> 
>>   8202598: [linux] keytool -certreq inconsistent with platform line.separator
>>   https://bugs.openjdk.java.net/browse/JDK-8202598
>> 
>> What kind of interop issue have you observed? IMHO, \r\n is legal in a PEM file.
> 
> All we know is that this breaks interop with tools on Linux/Unix which
> don't expect \r\n in PEM files.
> 
>> Also, you mentioned a patch in the comment. Can I take a look?
> 
> I've posted a link to the JDK 8 patch in the bug report.

A new option for keytool is too much at this stage (RDP1 begins tomorrow) and I feel uncomfortable applying this option only to PKCS10.

Now that this is reported on Linux/Unix, I assume users on those systems can easily find a workaround to s/\r\n/\n/ on the fly. Therefore I updated the Fix Version to tbd_major which means it's not necessary to fix it in JDK 11.

If you find more information on what exact tool does not parse the input, please add a comment on it. I tried openssl and it has no problem. I do realize there is an inconsistency that there is only "\n" after the PEM header/footer but "\r\n" after each line. Maybe some tools are confused by this?

Thanks
Max

> 
> Thanks,
> Severin
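
The mixed line endings described in the message above (LF after the PEM header/footer, CRLF after each body line) and the s/\r\n/\n/ workaround, as an added Python example that is not part of the original thread or of keytool. The sample input is constructed, its payload is not a real PKCS#10 request, and the function names are hypothetical.

```python
import base64
import re

# Constructed sample (not real keytool output): LF after the boundary lines,
# CRLF after each Base64 body line, the mix described in the message.
BODY = base64.b64encode(bytes(range(96))).decode()
SAMPLE = (
    "-----BEGIN NEW CERTIFICATE REQUEST-----\n"
    + "".join(BODY[i:i + 64] + "\r\n" for i in range(0, len(BODY), 64))
    + "-----END NEW CERTIFICATE REQUEST-----\n"
).encode()

BOUNDARY = re.compile(rb"-----(BEGIN|END) [A-Z0-9 ]+-----")

def eol_report(pem: bytes) -> dict:
    # Count terminators separately for boundary lines and body lines.
    report = {"boundary": {"LF": 0, "CRLF": 0}, "body": {"LF": 0, "CRLF": 0}}
    for match in re.finditer(rb"([^\n]*)\n", pem):
        line = match.group(1)
        eol = "CRLF" if line.endswith(b"\r") else "LF"
        kind = "boundary" if BOUNDARY.fullmatch(line.rstrip(b"\r")) else "body"
        report[kind][eol] += 1
    return report

def is_mixed(pem: bytes) -> bool:
    # True when the file uses both LF-only and CRLF terminators.
    report = eol_report(pem)
    lf = sum(kind["LF"] for kind in report.values())
    crlf = sum(kind["CRLF"] for kind in report.values())
    return lf > 0 and crlf > 0

def payload(pem: bytes) -> bytes:
    # Decoded bytes between the boundary lines, ignoring line terminators.
    lines = [line.strip() for line in pem.split(b"\n")]
    b64 = b"".join(l for l in lines if l and not BOUNDARY.fullmatch(l))
    return base64.b64decode(b64, validate=True)

def normalize_lf(pem: bytes) -> bytes:
    # The CRLF -> LF workaround; fails loudly if the encoded payload changed.
    out = pem.replace(b"\r\n", b"\n")
    if payload(out) != payload(pem):
        raise ValueError("payload changed during normalization")
    return out

if __name__ == "__main__":
    print("before:", eol_report(SAMPLE), "mixed:", is_mixed(SAMPLE))
    fixed = normalize_lf(SAMPLE)
    print("after: ", eol_report(fixed), "mixed:", is_mixed(fixed))
```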
