8186143: keytool -ext option doesn't accept wildcards for DNS subject alternative names

Reviewed-by: jnimeh, weijun, mullan
2025-08-26 22:34:27 +02:00 · 2020-03-18 09:23:57 +08:00 · 2020-03-18 09:23:57 +08:00 · 0c9f8e472f
commit 0c9f8e472f
parent a147636157
3 changed files with 110 additions and 14 deletions
--- a/src/java.base/share/classes/sun/security/x509/DNSName.java
+++ b/src/java.base/share/classes/sun/security/x509/DNSName.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -69,9 +69,10 @@ public class DNSName implements GeneralNameInterface {
     * Create the DNSName object with the specified name.
     *
     * @param name the DNSName.
-     * @throws IOException if the name is not a valid DNSName subjectAltName
+     * @param allowWildcard the flag for wildcard checking.
+     * @throws IOException if the name is not a valid DNSName
     */
-    public DNSName(String name) throws IOException {
+    public DNSName(String name, boolean allowWildcard) throws IOException {
        if (name == null || name.isEmpty())
            throw new IOException("DNSName must not be null or empty");
        if (name.contains(" "))
@ -91,9 +92,26 @@ public class DNSName implements GeneralNameInterface {
            if (endIndex - startIndex < 1)
                throw new IOException("DNSName with empty components are not permitted");

-            // RFC 1123: DNSName components must begin with a letter or digit
-            if (alphaDigits.indexOf(name.charAt(startIndex)) < 0)
-                throw new IOException("DNSName components must begin with a letter or digit");
+            if (allowWildcard) {
+                // RFC 1123: DNSName components must begin with a letter or digit
+                // or RFC 4592: the first component of a DNSName can have only a wildcard
+                // character * (asterisk), i.e. *.example.com. Asterisks at other components
+                // will not be allowed as a wildcard.
+                if (alphaDigits.indexOf(name.charAt(startIndex)) < 0) {
+                    // Checking to make sure the wildcard only appears in the first component,
+                    // and it has to be at least 3-char long with the form of *.[alphaDigit]
+                    if ((name.length() < 3) || (name.indexOf('*', 0) != 0) ||
+                        (name.charAt(startIndex+1) != '.') ||
+                        (alphaDigits.indexOf(name.charAt(startIndex+2)) < 0))
+                        throw new IOException("DNSName components must begin with a letter, digit, "
+                            + "or the first component can have only a wildcard character *");
+                }
+            } else {
+                // RFC 1123: DNSName components must begin with a letter or digit
+                if (alphaDigits.indexOf(name.charAt(startIndex)) < 0)
+                    throw new IOException("DNSName components must begin with a letter or digit");
+            }
+
            //nonStartIndex: index for characters in the component beyond the first one
            for (int nonStartIndex=startIndex+1; nonStartIndex < endIndex; nonStartIndex++) {
                char x = name.charAt(nonStartIndex);
@ -104,6 +122,15 @@ public class DNSName implements GeneralNameInterface {
        this.name = name;
    }

+    /**
+     * Create the DNSName object with the specified name.
+     *
+     * @param name the DNSName.
+     * @throws IOException if the name is not a valid DNSName
+     */
+    public DNSName(String name) throws IOException {
+        this(name, false);
+    }

    /**
     * Return the type of the GeneralName.