Package: openjdk-21-jre-headless
Version: 21.0.9+10-1~deb13u1
Severity: normal
X-Debbugs-Cc: [email protected]
Dear Maintainer,
First, the problem is not from the machine this bug report is sent from,
but from one running the same Debian release.
We have a Java web application that runs in Tomcat and has done so for
several years without major changes. The application uses X509
certificates for authentication. It compares subject and issuer DN of
the client certificate presented in the SSL handshake with stored
values. Many of the certificate subject DNs contain UTF-8 encoded
characters as per RFC2253.
All this has worked for many years up until and including
openjdk 21.0.8+9-1 (and also 17.0.16+8-1).
After upgrading to openjdk 21.0.9+10-1~deb13u1 (or
17.0.17+10-1~deb12u1), the DN attribute returned by
X509Certificate.getSubjectX500Principal().getName() is
misencoded:
Subject DN: /C=CH/ST=BE/O=xfer.ch/OU=IT Security/CN=\xC3\x9Cm L\xC3\xA4ut/[email protected]
Decoded correctly with openjdk version "21.0.8" 2025-07-15 (build
21.0.8+9-Debian-1):
C=CH,O=xfer.ch,OU=IT Security,CN=Üm Läut,[email protected]
Decoded incorrectly with openjdk version "21.0.9" 2025-10-21 (build
21.0.9+10-Debian-1deb13u1):
C=CH,O=xfer.ch,OU=IT Security,CN=Ãm Läut,[email protected]
In this case, the CN contains German umlauts: CN=Üm Läut, which are
encoded according to RFC2253 in the certificate.
It seems as if the DerValue returned from AVA.parseString() has a wrong
tag value set there (i.e. none or DerValue.tag_IA5String instead of
DerValue.tag_UTF8String).
The X509Certificate class and the other classes involved are part of the
standard JRE.
I do not know if this behaviour is specific to Debian.
There were changes to certificate handling in the latest openjdk update
(especially JDK-8360937 and JDK-8359454), but those are not publicly
accessible.
Thanks for looking into this!
Best regards
Markus
-- System Information:
Debian Release: 13.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.48+deb13-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored:
LC_ALL set to en_US.utf8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openjdk-21-jre-headless depends on:
pn ca-certificates-java <none>
pn java-common <none>
ii libc6 2.41-12
ii libgcc-s1 14.2.0-19
ii libjpeg62-turbo 1:2.1.5-4
ii liblcms2-2 2.16-2
pn libnss3 <none>
ii libpcsclite1 2.3.3-1
ii libstdc++6 14.2.0-19
ii util-linux 2.41-5
ii zlib1g 1:1.3.dfsg+really1.3.1-1+b1
Versions of packages openjdk-21-jre-headless recommends:
pn libasound2t64 <none>
ii libcups2t64 2.4.10-3+deb13u1
ii libfontconfig1 2.15.0-2.3
ii libfreetype6 2.13.3+dfsg-1
pn libharfbuzz0b <none>
Versions of packages openjdk-21-jre-headless suggests:
pn fonts-dejavu-extra <none>
pn fonts-indic <none>
pn fonts-ipafont-gothic <none>
pn fonts-ipafont-mincho <none>
pn fonts-wqy-microhei | fonts-wqy-zenhei <none>
pn libnss-mdns <none>
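
The following Java example is added here and is not code from the report or from OpenJDK. It flags a DN string that looks like UTF-8 read as ISO-8859-1, the symptom in the second output above, and compares names by their DER bytes instead of by `getName()` text. The class and method names, the sample DN and the idea of storing the DER encoding at enrollment are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.security.auth.x500.X500Principal;

public class DnCheck {
    // True if s looks like UTF-8 bytes that were decoded one byte per char
    // (ISO-8859-1), which is the symptom shown in the report.
    static boolean looksMisdecoded(String s) {
        if (s.chars().allMatch(c -> c < 0x80)) return false;   // pure ASCII is unaffected
        if (!StandardCharsets.ISO_8859_1.newEncoder().canEncode(s)) return false;
        byte[] raw = s.getBytes(StandardCharsets.ISO_8859_1);  // undo the suspected bad decode
        try {
            // A new decoder reports malformed input, so decode() throws
            // unless raw is well-formed UTF-8.
            StandardCharsets.UTF_8.newDecoder().decode(ByteBuffer.wrap(raw));
            return true;
        } catch (CharacterCodingException e) {
            return false;
        }
    }

    // Compare the presented name with DER bytes stored at enrollment
    // (assumption: the application stores getEncoded() output).
    // No string rendering of the DN is involved.
    static boolean sameName(X500Principal presented, byte[] storedDer) {
        return MessageDigest.isEqual(presented.getEncoded(), storedDer);
    }

    public static void main(String[] args) {
        // Constructed sample values modelled on the DN in the report.
        String good = "C=CH,O=xfer.ch,OU=IT Security,CN=\u00DCm L\u00E4ut";
        String bad = new String(good.getBytes(StandardCharsets.UTF_8),
                                StandardCharsets.ISO_8859_1);
        System.out.println("correct string flagged:    " + looksMisdecoded(good));
        System.out.println("misdecoded string flagged: " + looksMisdecoded(bad));

        // Stand-in for certificate.getSubjectX500Principal() from the handshake.
        byte[] storedDer = new X500Principal(good).getEncoded();
        X500Principal presented = new X500Principal(storedDer);
        System.out.println("DER comparison matches:    " + sameName(presented, storedDer));
    }
}
```

Running `looksMisdecoded` over stored and freshly rendered DNs after a JDK update shows whether a mismatch comes from the rendering rather than from the certificate.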