RFR: 8284194: Allow empty subject fields in keytool [v2]

Weijun Wang weijun at openjdk.java.net
Thu May 12 13:54:09 UTC 2022


On Wed, 11 May 2022 23:40:46 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> This code change allows one entering "." at a distinguished name prompt to skip a sub-component when running `keytool -genkeypair`. Several new resource strings are added.
>> 
>> There is no detailed description in `keytool.html`, so I think there's no need to update it.
>> 
>> I'll file a CSR to describe the behavior change.
>> 
>> Here is an example after this change:
>> 
>> $ keytool -genkeypair -keystore ks -storepass changeit -alias b -keyalg EC
>> Enter the distinguished name. Provide a single dot (.) to leave a sub-component empty.
>> What is your first and last name?
>>   [Unknown]:  .
>> What is the name of your organizational unit?
>>   [Unknown]:  .
>> What is the name of your organization?
>>   [Unknown]:  .
>> What is the name of your City or Locality?
>>   [Unknown]:  .
>> What is the name of your State or Province?
>>   [Unknown]:  .
>> What is the two-letter country code for this unit?
>>   [Unknown]:  .
>> At least one field must be provided. Enter again.
>> Enter the distinguished name. Provide a single dot (.) to leave a sub-component empty.
>> What is your first and last name?
>>   [EMPTY]:  Duke
>> What is the name of your organizational unit?
>>   [EMPTY]:
>> What is the name of your organization?
>>   [EMPTY]:
>> What is the name of your City or Locality?
>>   [EMPTY]:
>> What is the name of your State or Province?
>>   [EMPTY]:
>> What is the two-letter country code for this unit?
>>   [EMPTY]:
>> Is CN=Duke correct?
>>   [no]:  yes
>> 
>> Generating 384 bit EC (secp384r1) key pair and self-signed certificate (SHA384withECDSA) with a validity of 90 days
>> 	for: CN=Duke
>> 
>> In the first round, "." is entered for all fields and keytool rejected it. In the second round, CN is entered but the others are unchanged (just type enter, because they are already entered previously). At the end, the name is "CN=Duke".
>
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
> 
>   word change

I've already modified the prompt a little before the CSR is finalized. How about

Enter the distinguished name. Provide a single dot (.) to leave a sub-component empty or press ENTER to use the default value in braces.

Hopefully this is not too long, and macOS users know "ENTER" is "return", and people won't debate on "braces" or "brackets".

As for the "[EMPTY]" prompt, the user has already entered "." in the first round and we always remember the inputs as the new default values in the next round so that they only need to enter the components they want to update.

-------------

PR: https://git.openjdk.java.net/jdk/pull/8667
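The prompt semantics discussed above (a dot makes a component empty, ENTER keeps the bracketed default, an all-empty round is rejected and the answers become the defaults of the next round) modelled as an added example. This is constructed illustration code, not keytool's source and not part of the PR; the question strings are taken from the transcript above, the rounds fed to it are constructed input, and the RFC 4514 escaping of typed values is an assumption about what a safe DN builder should do rather than a description of how keytool's X500Name does it.

```python
"""Model of keytool's interactive DN prompt after the change in the thread.

Constructed example, not keytool's own code. It replays scripted answers
through the same prompt sequence keytool uses and returns the resulting
DN string (or None when the round was rejected).
"""

# Attribute type and question, in keytool's prompt order (from the transcript).
COMPONENTS = [
    ("CN", "What is your first and last name?"),
    ("OU", "What is the name of your organizational unit?"),
    ("O", "What is the name of your organization?"),
    ("L", "What is the name of your City or Locality?"),
    ("ST", "What is the name of your State or Province?"),
    ("C", "What is the two-letter country code for this unit?"),
]

# keytool's initial default: pressing ENTER stores the literal "Unknown".
INITIAL_DEFAULT = "Unknown"


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value per RFC 4514 so that a comma or similar
    typed by the user cannot inject an extra RDN when the DN is printed.
    Assumption: a minimal stand-in for whatever keytool's X500Name does."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def prompt_label(default: str) -> str:
    """Text shown in brackets: [EMPTY] once a component was dotted out."""
    return "EMPTY" if default == "" else default


def apply_answer(answer: str, default: str) -> str:
    """Map one typed line to the stored component value."""
    answer = answer.strip()
    if answer == ".":
        return ""        # explicitly empty
    if answer == "":
        return default   # ENTER keeps whatever is in brackets
    return answer


def build_dn(values) -> str:
    """Join the non-empty components into a printable DN."""
    parts = [f"{typ}={escape_rdn_value(v)}"
             for (typ, _), v in zip(COMPONENTS, values) if v != ""]
    return ", ".join(parts)


def run_rounds(rounds):
    """rounds: list of rounds, each a list of six typed lines.

    Returns (dn, transcript): dn is None if the last round was rejected
    because every component ended up empty."""
    defaults = [INITIAL_DEFAULT] * len(COMPONENTS)
    transcript = []
    dn = None
    for typed in rounds:
        transcript.append("Enter the distinguished name. Provide a single dot (.) "
                          "to leave a sub-component empty.")
        values = []
        for (_, question), default, answer in zip(COMPONENTS, defaults, typed):
            transcript.append(question)
            transcript.append(f"  [{prompt_label(default)}]:  {answer}")
            values.append(apply_answer(answer, default))
        defaults = values  # remembered as next round's defaults
        if all(v == "" for v in values):
            transcript.append("At least one field must be provided. Enter again.")
            dn = None
            continue
        dn = build_dn(values)
        transcript.append(f"Is {dn} correct?")
    return dn, transcript


if __name__ == "__main__":
    # Replay of the two rounds shown in the PR description (constructed input).
    result, lines = run_rounds([["."] * 6, ["Duke", "", "", "", "", ""]])
    print("\n".join(lines))
    print("DN:", result)
```

The injection case is the part worth keeping in mind when scripting keytool: a CN such as `Duke, O=Evil` must stay a single RDN, which is what the escaping step enforces here and what a real DN builder has to guarantee.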
