On 8202598: [linux] keytool -certreq inconsistent with platform line.separator
Weijun Wang
weijun.wang at oracle.com
Wed Jun 27 08:28:08 UTC 2018
> On Jun 27, 2018, at 4:01 PM, Severin Gehwolf <sgehwolf at redhat.com> wrote:
>
> Hi Max,
>
> On Wed, 2018-06-27 at 09:15 +0800, Weijun Wang wrote:
>> Hi Severin and/or Andrew
>>
>> I'm going through all security bugs with JDK 11 in affected versions and noticed this one:
>>
>> 8202598: [linux] keytool -certreq inconsistent with platform line.separator
>> https://bugs.openjdk.java.net/browse/JDK-8202598
>>
>> What kind of interop issue have you observed? IMHO, \r\n is legal in a PEM file.
>
> All we know is that this breaks interop with tools on Linux/Unix which
> don't expect \r\n in PEM files.
>
>> Also, you mentioned a patch in the comment. Can I take a look?
>
> I've posted a link to the JDK 8 patch in the bug report.
A new option for keytool is too much at this stage (RDP1 begins tomorrow) and I feel uncomfortable applying this option only to PKCS10.
Now that this is reported on Linux/Unix, I assume users on those systems can easily find a workaround to s/\r\n/\n/ on the fly. Therefore I updated the Fix Version to tbd_major which means it's not necessary to fix it in JDK 11.
If you find more information on what exact tool does not parse the input, please add a comment on it. I tried openssl and it has no problem. I do realize there is an inconsistency that there is only "\n" after the PEM header/footer but "\r\n" after each line. Maybe some tools are confused by this?
Thanks
Max
>
> Thanks,
> Severin
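
The line-ending layout described in this message ("\n" after the PEM header/footer, "\r\n" after each line), as an added example that is not part of the original email or of keytool: a Python check that reports the mix, applies the s/\r\n/\n/ workaround, and confirms the decoded payload is unchanged. The sample request is constructed with an arbitrary payload, and the function names are hypothetical.

```python
import base64
import re

# Constructed sample (not real keytool output): "\n" after the PEM
# header/footer, "\r\n" after each base64 line, as described in the thread.
# The payload is arbitrary bytes, not a real PKCS#10 request.
PAYLOAD = bytes(range(100))
_b64 = base64.b64encode(PAYLOAD).decode("ascii")
_body = "".join(_b64[i:i + 64] + "\r\n" for i in range(0, len(_b64), 64))
SAMPLE = ("-----BEGIN NEW CERTIFICATE REQUEST-----\n" + _body
          + "-----END NEW CERTIFICATE REQUEST-----\n").encode("ascii")


def line_endings(pem: bytes) -> dict:
    """Count LF vs CRLF terminators, separately for boundary and body lines."""
    counts = {"boundary": {"LF": 0, "CRLF": 0}, "body": {"LF": 0, "CRLF": 0}}
    for text, eol in re.findall(rb"([^\r\n]*)(\r\n|\n)", pem):
        kind = "boundary" if text.startswith(b"-----") else "body"
        counts[kind]["CRLF" if eol == b"\r\n" else "LF"] += 1
    return counts


def is_mixed(pem: bytes) -> bool:
    """True when the file uses both LF and CRLF terminators."""
    used = {name for part in line_endings(pem).values()
            for name, n in part.items() if n}
    return len(used) > 1


def normalize(pem: bytes, eol: bytes = b"\n") -> bytes:
    """Rewrite every line terminator to `eol` (the s/\\r\\n/\\n/ workaround)."""
    return pem.replace(b"\r\n", b"\n").replace(b"\n", eol)


def payload(pem: bytes) -> bytes:
    """Decode the base64 body, ignoring boundary lines and line terminators."""
    body = b"".join(line for line in pem.splitlines()
                    if line and not line.startswith(b"-----"))
    return base64.b64decode(body, validate=True)


if __name__ == "__main__":
    print("before:", line_endings(SAMPLE), "mixed:", is_mixed(SAMPLE))
    fixed = normalize(SAMPLE)
    print("after: ", line_endings(fixed), "mixed:", is_mixed(fixed))
    print("payload unchanged:", payload(fixed) == payload(SAMPLE))
```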