On Wed, 11 May 2022 21:55:45 GMT, Weijun Wang <wei...@openjdk.org> wrote:
> This code change allows one entering "." at a distinguished name prompt to
> skip a sub-component when running `keytool -genkeypair`. Several new resource
> strings are added.
>
> There is no detailed description in `keytool.html`, so I think there's no
> need to update it.
>
> I'll file a CSR to describe the behavior change.
>
> Here is an example after this change:
>
>     $ keytool -genkeypair -keystore ks -storepass changeit -alias b -keyalg EC
>     Enter the distinguished name. Enter a single dot (.) to leave the sub-component empty.
>     What is your first and last name?
>       [Unknown]:  .
>     What is the name of your organizational unit?
>       [Unknown]:  .
>     What is the name of your organization?
>       [Unknown]:  .
>     What is the name of your City or Locality?
>       [Unknown]:  .
>     What is the name of your State or Province?
>       [Unknown]:  .
>     What is the two-letter country code for this unit?
>       [Unknown]:  .
>     At least one field must be provided. Enter again.
>     Enter the distinguished name. Enter a single dot (.) to leave the sub-component empty.
>     What is your first and last name?
>       [EMPTY]:  Duke
>     What is the name of your organizational unit?
>       [EMPTY]:
>     What is the name of your organization?
>       [EMPTY]:
>     What is the name of your City or Locality?
>       [EMPTY]:
>     What is the name of your State or Province?
>       [EMPTY]:
>     What is the two-letter country code for this unit?
>       [EMPTY]:
>     Is CN=Duke correct?
>       [no]:  yes
>
>     Generating 384 bit EC (secp384r1) key pair and self-signed certificate (SHA384withECDSA) with a validity of 90 days
>     	for: CN=Duke
>
> In the first round, "." is entered for all fields and keytool rejected it. In
> the second round, CN is entered but the others are unchanged (just type
> enter, because they are already entered previously). At the end, the name is
> "CN=Duke".

Looks pretty solid. Just that one question about how to handle an errant space after the ".". I think it might be fine to treat it literally as a dot-space combo. If it was an error it would be caught by the user most likely at the check at the end of the DN entry loop.

src/java.base/share/classes/sun/security/tools/keytool/Main.java line 3781:

> 3779: 
> 3780:     private static String dotToNull(String input) {
> 3781:         return ".".equals(input) ? null : input;

Do we deal at all with leading/trailing whitespace (maybe more concerned about trailing whitespace than leading)? What happens if we get a ". " (trailing space)?

-------------

PR: https://git.openjdk.java.net/jdk/pull/8667
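The reviewer's question about a trailing space after the dot is easiest to see by running the two possible interpretations side by side. The following is an added illustration, not the JDK's code and not part of the pull request: `dotToNullLiteral` mirrors the exact-match check quoted above, `dotToNullTrimmed` is a hypothetical whitespace-tolerant variant, and `buildDn` is a simplified stand-in for keytool's DN assembly (it joins the six prompt answers in order, skips `null` answers and returns `null` when all six are empty, which is the condition behind the "At least one field must be provided" message). Real DN construction also escapes special characters, which this demo omits.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration (not the JDK's code): how ". " is treated under a
// literal "." sentinel versus a trimmed one, and what DN results from it.
public class DotSentinelDemo {

    // Literal interpretation, matching the check quoted from Main.java:
    // only an exact "." skips the field; ". " is kept as a real value.
    static String dotToNullLiteral(String input) {
        return ".".equals(input) ? null : input;
    }

    // Hypothetical whitespace-tolerant variant: " ." and ". " also skip.
    static String dotToNullTrimmed(String input) {
        return input != null && ".".equals(input.trim()) ? null : input;
    }

    // Simplified DN assembly (not keytool's): join answers in prompt order,
    // leave out null answers, and return null when every field is empty.
    static String buildDn(String[] answers) {
        String[] keys = {"CN", "OU", "O", "L", "ST", "C"};
        List<String> rdns = new ArrayList<>();
        for (int i = 0; i < keys.length; i++) {
            if (answers[i] != null && !answers[i].isEmpty()) {
                rdns.add(keys[i] + "=" + answers[i]);
            }
        }
        return rdns.isEmpty() ? null : String.join(", ", rdns);
    }

    static String[] map(String[] raw, boolean trimmed) {
        String[] out = new String[raw.length];
        for (int i = 0; i < raw.length; i++) {
            out[i] = trimmed ? dotToNullTrimmed(raw[i]) : dotToNullLiteral(raw[i]);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed answers: CN filled in, OU answered as dot plus a
        // trailing space, the remaining four as a bare dot.
        String[] raw = {"Duke", ". ", ".", ".", ".", "."};
        System.out.println("literal : " + buildDn(map(raw, false)));
        System.out.println("trimmed : " + buildDn(map(raw, true)));

        // Constructed answers: every field skipped, which the DN loop rejects.
        String[] allDots = {".", ".", ".", ".", ".", "."};
        System.out.println("all dots: " + buildDn(map(allDots, false)));
    }
}
```

Under the literal rule the OU field survives with the value `. `, so the user sees it in the "Is ... correct?" confirmation, which is the point in the loop where the reviewer expects a stray space to be noticed. A value ending in a space is legal in a DN but must be escaped in its string form (RFC 4514 requires a trailing space to be written as `\ `), which is one reason a trimmed sentinel may be the less surprising choice.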