Re: RFR: 8284194: Allow empty subject fields in keytool

Wed, 11 May 2022 16:00:53 -0700 

On Wed, 11 May 2022 22:37:18 GMT, Jamil Nimeh <jni...@openjdk.org> wrote:

>> This code change allows one entering "." at a distinguished name prompt to 
>> skip a sub-component when running `keytool -genkeyapir`. Several new 
>> resource strings are added.
>> 
>> There is no detailed description in `keytool.html`, so I think there's no 
>> need to update it.
>> 
>> I'll file a CSR to describe the behavior change.
>> 
>> Here is an example after this change:
>> 
>> $ keytool -genkeypair -keystore ks -storepass changeit -alias b -keyalg EC
>> Enter the distinguished name. Enter a single dot (.) to leave the 
>> sub-component empty.
>> What is your first and last name?
>>   [Unknown]:  .
>> What is the name of your organizational unit?
>>   [Unknown]:  .
>> What is the name of your organization?
>>   [Unknown]:  .
>> What is the name of your City or Locality?
>>   [Unknown]:  .
>> What is the name of your State or Province?
>>   [Unknown]:  .
>> What is the two-letter country code for this unit?
>>   [Unknown]:  .
>> At least one field must be provided. Enter again.
>> Enter the distinguished name. Enter a single dot (.) to leave the 
>> sub-component empty.
>> What is your first and last name?
>>   [EMPTY]:  Duke
>> What is the name of your organizational unit?
>>   [EMPTY]:
>> What is the name of your organization?
>>   [EMPTY]:
>> What is the name of your City or Locality?
>>   [EMPTY]:
>> What is the name of your State or Province?
>>   [EMPTY]:
>> What is the two-letter country code for this unit?
>>   [EMPTY]:
>> Is CN=Duke correct?
>>   [no]:  yes
>> 
>> Generating 384 bit EC (secp384r1) key pair and self-signed certificate 
>> (SHA384withECDSA) with a validity of 90 days
>>      for: CN=Duke
>> 
>> In the first round, "." is entered for all fields and keytool rejected it. 
>> In the second round, CN is entered but the others are unchanged (just type 
>> enter, because they are already entered previously). At the end, the name is 
>> "CN=Duke".
>
> src/java.base/share/classes/sun/security/tools/keytool/Main.java line 3781:
> 
>> 3779: 
>> 3780:     private static String dotToNull(String input) {
>> 3781:         return ".".equals(input) ? null : input;
> 
> Do we deal at all with leading/trailing whitespace (maybe more concerned 
> about trailing whitespace than leading)?  What happens if we get a ". " 
> (trailing space)?

The user must be deliberately doing this. Let's respect their decision. :-)

-------------

PR: https://git.openjdk.java.net/jdk/pull/8667

Reply via email to