RFR: 8284194: Allow empty subject fields in keytool
This code change allows one entering "." at a distinguished name prompt to skip a sub-component when running `keytool -genkeypair`. Several new resource strings are added.

There is no detailed description in `keytool.html`, so I think there's no need to update it.

I'll file a CSR to describe the behavior change.

Here is an example after this change:

$ keytool -genkeypair -keystore ks -storepass changeit -alias b -keyalg EC
Enter the distinguished name. Enter a single dot (.) to leave the sub-component empty.
What is your first and last name?
  [Unknown]:  .
What is the name of your organizational unit?
  [Unknown]:  .
What is the name of your organization?
  [Unknown]:  .
What is the name of your City or Locality?
  [Unknown]:  .
What is the name of your State or Province?
  [Unknown]:  .
What is the two-letter country code for this unit?
  [Unknown]:  .
At least one field must be provided. Enter again.
Enter the distinguished name. Enter a single dot (.) to leave the sub-component empty.
What is your first and last name?
  [EMPTY]:  Duke
What is the name of your organizational unit?
  [EMPTY]:
What is the name of your organization?
  [EMPTY]:
What is the name of your City or Locality?
  [EMPTY]:
What is the name of your State or Province?
  [EMPTY]:
What is the two-letter country code for this unit?
  [EMPTY]:
Is CN=Duke correct?
  [no]:  yes

Generating 384 bit EC (secp384r1) key pair and self-signed certificate (SHA384withECDSA) with a validity of 90 days
    for: CN=Duke

In the first round, "." is entered for all fields and keytool rejected it. In the second round, CN is entered but the others are unchanged (just type enter, because they are already entered previously). At the end, the name is "CN=Duke".
-------------

Commit messages:
 - the fix

Changes: https://git.openjdk.java.net/jdk/pull/8667/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=8667&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8284194
  Stats: 128 lines in 4 files changed: 91 ins; 3 del; 34 mod
  Patch: https://git.openjdk.java.net/jdk/pull/8667.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/8667/head:pull/8667

PR: https://git.openjdk.java.net/jdk/pull/8667
Re: RFR: 8284194: Allow empty subject fields in keytool
On Wed, 11 May 2022 21:55:45 GMT, Weijun Wang wrote:

> This code change allows one entering "." at a distinguished name prompt to skip a sub-component when running `keytool -genkeypair`. Several new resource strings are added.
>
> There is no detailed description in `keytool.html`, so I think there's no need to update it.
>
> I'll file a CSR to describe the behavior change.
>
> Here is an example after this change:
>
> $ keytool -genkeypair -keystore ks -storepass changeit -alias b -keyalg EC
> Enter the distinguished name. Enter a single dot (.) to leave the sub-component empty.
> What is your first and last name?
>   [Unknown]:  .
> What is the name of your organizational unit?
>   [Unknown]:  .
> What is the name of your organization?
>   [Unknown]:  .
> What is the name of your City or Locality?
>   [Unknown]:  .
> What is the name of your State or Province?
>   [Unknown]:  .
> What is the two-letter country code for this unit?
>   [Unknown]:  .
> At least one field must be provided. Enter again.
> Enter the distinguished name. Enter a single dot (.) to leave the sub-component empty.
> What is your first and last name?
>   [EMPTY]:  Duke
> What is the name of your organizational unit?
>   [EMPTY]:
> What is the name of your organization?
>   [EMPTY]:
> What is the name of your City or Locality?
>   [EMPTY]:
> What is the name of your State or Province?
>   [EMPTY]:
> What is the two-letter country code for this unit?
>   [EMPTY]:
> Is CN=Duke correct?
>   [no]:  yes
>
> Generating 384 bit EC (secp384r1) key pair and self-signed certificate (SHA384withECDSA) with a validity of 90 days
>     for: CN=Duke
>
> In the first round, "." is entered for all fields and keytool rejected it. In the second round, CN is entered but the others are unchanged (just type enter, because they are already entered previously). At the end, the name is "CN=Duke".

Looks pretty solid. Just that one question about how to handle an errant space after the ".".
I think it might be fine to treat it literally as a dot-space combo. If it was an error it would be caught by the user most likely at the check at the end of the DN entry loop.

src/java.base/share/classes/sun/security/tools/keytool/Main.java line 3781:

> 3779:
> 3780:     private static String dotToNull(String input) {
> 3781:         return ".".equals(input) ? null : input;

Do we deal at all with leading/trailing whitespace (maybe more concerned about trailing whitespace than leading)? What happens if we get a ". " (trailing space)?

-------------

PR: https://git.openjdk.java.net/jdk/pull/8667
Re: RFR: 8284194: Allow empty subject fields in keytool
On Wed, 11 May 2022 21:55:45 GMT, Weijun Wang wrote:

> This code change allows one entering "." at a distinguished name prompt to skip a sub-component when running `keytool -genkeypair`. Several new resource strings are added.
>
> There is no detailed description in `keytool.html`, so I think there's no need to update it.
>
> I'll file a CSR to describe the behavior change.
>
> Here is an example after this change:
>
> $ keytool -genkeypair -keystore ks -storepass changeit -alias b -keyalg EC
> Enter the distinguished name. Enter a single dot (.) to leave the sub-component empty.
> What is your first and last name?
>   [Unknown]:  .
> What is the name of your organizational unit?
>   [Unknown]:  .
> What is the name of your organization?
>   [Unknown]:  .
> What is the name of your City or Locality?
>   [Unknown]:  .
> What is the name of your State or Province?
>   [Unknown]:  .
> What is the two-letter country code for this unit?
>   [Unknown]:  .
> At least one field must be provided. Enter again.
> Enter the distinguished name. Enter a single dot (.) to leave the sub-component empty.
> What is your first and last name?
>   [EMPTY]:  Duke
> What is the name of your organizational unit?
>   [EMPTY]:
> What is the name of your organization?
>   [EMPTY]:
> What is the name of your City or Locality?
>   [EMPTY]:
> What is the name of your State or Province?
>   [EMPTY]:
> What is the two-letter country code for this unit?
>   [EMPTY]:
> Is CN=Duke correct?
>   [no]:  yes
>
> Generating 384 bit EC (secp384r1) key pair and self-signed certificate (SHA384withECDSA) with a validity of 90 days
>     for: CN=Duke
>
> In the first round, "." is entered for all fields and keytool rejected it. In the second round, CN is entered but the others are unchanged (just type enter, because they are already entered previously). At the end, the name is "CN=Duke".

Marked as reviewed by jnimeh (Reviewer).

-------------

PR: https://git.openjdk.java.net/jdk/pull/8667
Re: RFR: 8284194: Allow empty subject fields in keytool
On Wed, 11 May 2022 22:37:18 GMT, Jamil Nimeh wrote:

>> This code change allows one entering "." at a distinguished name prompt to skip a sub-component when running `keytool -genkeypair`. Several new resource strings are added.
>>
>> There is no detailed description in `keytool.html`, so I think there's no need to update it.
>>
>> I'll file a CSR to describe the behavior change.
>>
>> Here is an example after this change:
>>
>> $ keytool -genkeypair -keystore ks -storepass changeit -alias b -keyalg EC
>> Enter the distinguished name. Enter a single dot (.) to leave the sub-component empty.
>> What is your first and last name?
>>   [Unknown]:  .
>> What is the name of your organizational unit?
>>   [Unknown]:  .
>> What is the name of your organization?
>>   [Unknown]:  .
>> What is the name of your City or Locality?
>>   [Unknown]:  .
>> What is the name of your State or Province?
>>   [Unknown]:  .
>> What is the two-letter country code for this unit?
>>   [Unknown]:  .
>> At least one field must be provided. Enter again.
>> Enter the distinguished name. Enter a single dot (.) to leave the sub-component empty.
>> What is your first and last name?
>>   [EMPTY]:  Duke
>> What is the name of your organizational unit?
>>   [EMPTY]:
>> What is the name of your organization?
>>   [EMPTY]:
>> What is the name of your City or Locality?
>>   [EMPTY]:
>> What is the name of your State or Province?
>>   [EMPTY]:
>> What is the two-letter country code for this unit?
>>   [EMPTY]:
>> Is CN=Duke correct?
>>   [no]:  yes
>>
>> Generating 384 bit EC (secp384r1) key pair and self-signed certificate (SHA384withECDSA) with a validity of 90 days
>>     for: CN=Duke
>>
>> In the first round, "." is entered for all fields and keytool rejected it. In the second round, CN is entered but the others are unchanged (just type enter, because they are already entered previously). At the end, the name is "CN=Duke".
>
> src/java.base/share/classes/sun/security/tools/keytool/Main.java line 3781:
>
>> 3779:
>> 3780:     private static String dotToNull(String input) {
>> 3781:         return ".".equals(input) ? null : input;
>
> Do we deal at all with leading/trailing whitespace (maybe more concerned about trailing whitespace than leading)? What happens if we get a ". " (trailing space)?

The user must be deliberately doing this. Let's respect their decision. :-)

-------------

PR: https://git.openjdk.java.net/jdk/pull/8667
Re: RFR: 8284194: Allow empty subject fields in keytool
On Wed, 11 May 2022 21:55:45 GMT, Weijun Wang wrote:

> This code change allows one entering "." at a distinguished name prompt to skip a sub-component when running `keytool -genkeypair`. Several new resource strings are added.
>
> There is no detailed description in `keytool.html`, so I think there's no need to update it.
>
> I'll file a CSR to describe the behavior change.
>
> Here is an example after this change:
>
> $ keytool -genkeypair -keystore ks -storepass changeit -alias b -keyalg EC
> Enter the distinguished name. Enter a single dot (.) to leave the sub-component empty.
> What is your first and last name?
>   [Unknown]:  .
> What is the name of your organizational unit?
>   [Unknown]:  .
> What is the name of your organization?
>   [Unknown]:  .
> What is the name of your City or Locality?
>   [Unknown]:  .
> What is the name of your State or Province?
>   [Unknown]:  .
> What is the two-letter country code for this unit?
>   [Unknown]:  .
> At least one field must be provided. Enter again.
> Enter the distinguished name. Enter a single dot (.) to leave the sub-component empty.
> What is your first and last name?
>   [EMPTY]:  Duke
> What is the name of your organizational unit?
>   [EMPTY]:
> What is the name of your organization?
>   [EMPTY]:
> What is the name of your City or Locality?
>   [EMPTY]:
> What is the name of your State or Province?
>   [EMPTY]:
> What is the two-letter country code for this unit?
>   [EMPTY]:
> Is CN=Duke correct?
>   [no]:  yes
>
> Generating 384 bit EC (secp384r1) key pair and self-signed certificate (SHA384withECDSA) with a validity of 90 days
>     for: CN=Duke
>
> In the first round, "." is entered for all fields and keytool rejected it. In the second round, CN is entered but the others are unchanged (just type enter, because they are already entered previously). At the end, the name is "CN=Duke".

Marked as reviewed by hchao (Committer).

-------------

PR: https://git.openjdk.java.net/jdk/pull/8667
Re: RFR: 8284194: Allow empty subject fields in keytool [v2]
> This code change allows one entering "." at a distinguished name prompt to skip a sub-component when running `keytool -genkeypair`. Several new resource strings are added.
>
> There is no detailed description in `keytool.html`, so I think there's no need to update it.
>
> I'll file a CSR to describe the behavior change.
>
> Here is an example after this change:
>
> $ keytool -genkeypair -keystore ks -storepass changeit -alias b -keyalg EC
> Enter the distinguished name. Enter a single dot (.) to leave the sub-component empty.
> What is your first and last name?
>   [Unknown]:  .
> What is the name of your organizational unit?
>   [Unknown]:  .
> What is the name of your organization?
>   [Unknown]:  .
> What is the name of your City or Locality?
>   [Unknown]:  .
> What is the name of your State or Province?
>   [Unknown]:  .
> What is the two-letter country code for this unit?
>   [Unknown]:  .
> At least one field must be provided. Enter again.
> Enter the distinguished name. Enter a single dot (.) to leave the sub-component empty.
> What is your first and last name?
>   [EMPTY]:  Duke
> What is the name of your organizational unit?
>   [EMPTY]:
> What is the name of your organization?
>   [EMPTY]:
> What is the name of your City or Locality?
>   [EMPTY]:
> What is the name of your State or Province?
>   [EMPTY]:
> What is the two-letter country code for this unit?
>   [EMPTY]:
> Is CN=Duke correct?
>   [no]:  yes
>
> Generating 384 bit EC (secp384r1) key pair and self-signed certificate (SHA384withECDSA) with a validity of 90 days
>     for: CN=Duke
>
> In the first round, "." is entered for all fields and keytool rejected it. In the second round, CN is entered but the others are unchanged (just type enter, because they are already entered previously). At the end, the name is "CN=Duke".
Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:

  word change

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/8667/files
  - new: https://git.openjdk.java.net/jdk/pull/8667/files/abed47cb..1894055d

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=8667&range=01
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=8667&range=00-01

  Stats: 1 line in 1 file changed: 0 ins; 0 del; 1 mod
  Patch: https://git.openjdk.java.net/jdk/pull/8667.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/8667/head:pull/8667

PR: https://git.openjdk.java.net/jdk/pull/8667
Re: RFR: 8284194: Allow empty subject fields in keytool [v2]
On Wed, 11 May 2022 23:40:46 GMT, Weijun Wang wrote:

>> This code change allows one entering "." at a distinguished name prompt to skip a sub-component when running `keytool -genkeypair`. Several new resource strings are added.
>>
>> There is no detailed description in `keytool.html`, so I think there's no need to update it.
>>
>> I'll file a CSR to describe the behavior change.
>>
>> Here is an example after this change:
>>
>> $ keytool -genkeypair -keystore ks -storepass changeit -alias b -keyalg EC
>> Enter the distinguished name. Enter a single dot (.) to leave the sub-component empty.
>> What is your first and last name?
>>   [Unknown]:  .
>> What is the name of your organizational unit?
>>   [Unknown]:  .
>> What is the name of your organization?
>>   [Unknown]:  .
>> What is the name of your City or Locality?
>>   [Unknown]:  .
>> What is the name of your State or Province?
>>   [Unknown]:  .
>> What is the two-letter country code for this unit?
>>   [Unknown]:  .
>> At least one field must be provided. Enter again.
>> Enter the distinguished name. Enter a single dot (.) to leave the sub-component empty.
>> What is your first and last name?
>>   [EMPTY]:  Duke
>> What is the name of your organizational unit?
>>   [EMPTY]:
>> What is the name of your organization?
>>   [EMPTY]:
>> What is the name of your City or Locality?
>>   [EMPTY]:
>> What is the name of your State or Province?
>>   [EMPTY]:
>> What is the two-letter country code for this unit?
>>   [EMPTY]:
>> Is CN=Duke correct?
>>   [no]:  yes
>>
>> Generating 384 bit EC (secp384r1) key pair and self-signed certificate (SHA384withECDSA) with a validity of 90 days
>>     for: CN=Duke
>>
>> In the first round, "." is entered for all fields and keytool rejected it. In the second round, CN is entered but the others are unchanged (just type enter, because they are already entered previously). At the end, the name is "CN=Duke".
>
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
>
>   word change

It might also be helpful to note that hitting return or enter will use the default, ex: "Enter a single dot (.) to leave the sub-component empty or enter return to use the default value in braces."

For this:

> What is your first and last name?
>   [EMPTY]:  Duke

I find the word "EMPTY" here a bit confusing because this is not a default value like "Unknown". It seems to me that it might be more intuitive to just repeat the initial set of prompts using [Unknown] and requiring '.' to be entered, especially since you repeat the part "Enter a single dot (.) to leave the sub-component empty."

-------------

PR: https://git.openjdk.java.net/jdk/pull/8667
Re: RFR: 8284194: Allow empty subject fields in keytool [v2]
On Wed, 11 May 2022 23:40:46 GMT, Weijun Wang wrote:

>> This code change allows one entering "." at a distinguished name prompt to skip a sub-component when running `keytool -genkeypair`. Several new resource strings are added.
>>
>> There is no detailed description in `keytool.html`, so I think there's no need to update it.
>>
>> I'll file a CSR to describe the behavior change.
>>
>> Here is an example after this change:
>>
>> $ keytool -genkeypair -keystore ks -storepass changeit -alias b -keyalg EC
>> Enter the distinguished name. Provide a single dot (.) to leave a sub-component empty.
>> What is your first and last name?
>>   [Unknown]:  .
>> What is the name of your organizational unit?
>>   [Unknown]:  .
>> What is the name of your organization?
>>   [Unknown]:  .
>> What is the name of your City or Locality?
>>   [Unknown]:  .
>> What is the name of your State or Province?
>>   [Unknown]:  .
>> What is the two-letter country code for this unit?
>>   [Unknown]:  .
>> At least one field must be provided. Enter again.
>> Enter the distinguished name. Provide a single dot (.) to leave a sub-component empty.
>> What is your first and last name?
>>   [EMPTY]:  Duke
>> What is the name of your organizational unit?
>>   [EMPTY]:
>> What is the name of your organization?
>>   [EMPTY]:
>> What is the name of your City or Locality?
>>   [EMPTY]:
>> What is the name of your State or Province?
>>   [EMPTY]:
>> What is the two-letter country code for this unit?
>>   [EMPTY]:
>> Is CN=Duke correct?
>>   [no]:  yes
>>
>> Generating 384 bit EC (secp384r1) key pair and self-signed certificate (SHA384withECDSA) with a validity of 90 days
>>     for: CN=Duke
>>
>> In the first round, "." is entered for all fields and keytool rejected it. In the second round, CN is entered but the others are unchanged (just type enter, because they are already entered previously). At the end, the name is "CN=Duke".
>
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
>
>   word change

I've already modified the prompt a little before the CSR is finalized. How about

    Enter the distinguished name. Provider a single dot (.) to leave a sub-component empty or press ENTER to use the default value in braces.

Hopefully this is not too long, and macOS users know "ENTER" is "return", and people won't debate on "braces" or "brackets".

As for the "[EMPTY]" prompt, the user has already entered "." in the first round and we always remember the inputs as the new default values in the next round so that they only need to enter the components they want to update.

-------------

PR: https://git.openjdk.java.net/jdk/pull/8667
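The prompt loop discussed in this thread, as an added stand-alone simulation (not keytool's code; only `dotToNull` mirrors the method quoted above). It replays the transcript from the PR description, shows the remembered values becoming the next round's defaults, and covers the ". " trailing-space case: the prompt strings, the attribute order and the simple RDN joining are assumptions made for the example.

```java
import java.util.Arrays;
import java.util.StringJoiner;

public class DnPromptDemo {
    // RDN attribute types in the order the prompts ask for them (assumed here)
    static final String[] KEYS = {"CN", "OU", "O", "L", "ST", "C"};

    // Same rule as the PR's dotToNull: only an exact "." means "leave empty".
    // ". " with a trailing space is kept literally, as the reviewers agreed.
    static String dotToNull(String input) {
        return ".".equals(input) ? null : input;
    }

    // Text shown in braces as the default: [Unknown] before any input,
    // [EMPTY] once the remembered value for that component is null.
    static String defaultText(String remembered) {
        return remembered == null ? "EMPTY" : remembered;
    }

    // Joins the non-empty components into a DN string.
    // Assumption: values contain no characters that need RFC 2253 escaping.
    static String buildDn(String[] values) {
        StringJoiner dn = new StringJoiner(", ");
        for (int i = 0; i < KEYS.length; i++) {
            if (values[i] != null) dn.add(KEYS[i] + "=" + values[i]);
        }
        return dn.toString();
    }

    /**
     * Replays pre-recorded answers through the loop. answers[round][i] is the
     * raw line typed for component i; "" means ENTER, which keeps the value
     * remembered from the previous round (the behaviour the author describes).
     * Returns the DN accepted by the first round with at least one field.
     */
    static String promptDn(String[][] answers) {
        String[] values = new String[KEYS.length];
        Arrays.fill(values, "Unknown");           // initial defaults
        for (String[] round : answers) {
            boolean anyField = false;
            for (int i = 0; i < KEYS.length; i++) {
                System.out.printf("  [%s]: %s%n", defaultText(values[i]), round[i]);
                if (!round[i].isEmpty()) values[i] = dotToNull(round[i]);
                if (values[i] != null) anyField = true;
            }
            if (anyField) return buildDn(values);
            System.out.println("At least one field must be provided. Enter again.");
        }
        throw new IllegalStateException("every round left all fields empty");
    }

    public static void main(String[] args) {
        // The transcript from the PR description: all dots, then only CN=Duke.
        String[][] fromPr = {
            {".", ".", ".", ".", ".", "."},
            {"Duke", "", "", "", "", ""}};
        System.out.println("for: " + promptDn(fromPr));          // for: CN=Duke

        // The trailing-space question: ". " is not a skip, so the literal
        // text survives and shows up at the final confirmation.
        String[][] trailingSpace = {{"Duke", ". ", ".", ".", ".", "."}};
        System.out.println("for: " + promptDn(trailingSpace));   // for: CN=Duke, OU=. 
    }
}
```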
Re: RFR: 8284194: Allow empty subject fields in keytool [v2]
On Thu, 12 May 2022 13:48:46 GMT, Weijun Wang wrote:

> I've already modified the prompt a little before the CSR is finalized. How about
>
> ```
> Enter the distinguished name. Provider a single dot (.) to leave a sub-component empty or press ENTER to use the default value in braces.
> ```
>
> Hopefully this is not too long, and macOS users know "ENTER" is "return", and people won't debate on "braces" or "brackets".

Ok, I like that. One typo though: s/Provider/Provide

> As for the "[EMPTY]" prompt, the user has already entered "." in the first round and we always remember the inputs as the new default values in the next round so that they only need to enter the components they want to update.

What about just "[]"? I think if you keep EMPTY, you should really define what that keyword means, but that might make the text too verbose.

-------------

PR: https://git.openjdk.java.net/jdk/pull/8667
Re: RFR: 8284194: Allow empty subject fields in keytool [v3]
> This code change allows one entering "." at a distinguished name prompt to skip a sub-component when running `keytool -genkeypair`. Several new resource strings are added.
>
> There is no detailed description in `keytool.html`, so I think there's no need to update it.
>
> I'll file a CSR to describe the behavior change.
>
> Here is an example after this change:
>
> $ keytool -genkeypair -keystore ks -storepass changeit -alias b -keyalg EC
> Enter the distinguished name. Provide a single dot (.) to leave a sub-component empty.
> What is your first and last name?
>   [Unknown]:  .
> What is the name of your organizational unit?
>   [Unknown]:  .
> What is the name of your organization?
>   [Unknown]:  .
> What is the name of your City or Locality?
>   [Unknown]:  .
> What is the name of your State or Province?
>   [Unknown]:  .
> What is the two-letter country code for this unit?
>   [Unknown]:  .
> At least one field must be provided. Enter again.
> Enter the distinguished name. Provide a single dot (.) to leave a sub-component empty.
> What is your first and last name?
>   [EMPTY]:  Duke
> What is the name of your organizational unit?
>   [EMPTY]:
> What is the name of your organization?
>   [EMPTY]:
> What is the name of your City or Locality?
>   [EMPTY]:
> What is the name of your State or Province?
>   [EMPTY]:
> What is the two-letter country code for this unit?
>   [EMPTY]:
> Is CN=Duke correct?
>   [no]:  yes
>
> Generating 384 bit EC (secp384r1) key pair and self-signed certificate (SHA384withECDSA) with a validity of 90 days
>     for: CN=Duke
>
> In the first round, "." is entered for all fields and keytool rejected it. In the second round, CN is entered but the others are unchanged (just type enter, because they are already entered previously). At the end, the name is "CN=Duke".
Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:

  update the output

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/8667/files
  - new: https://git.openjdk.java.net/jdk/pull/8667/files/1894055d..8c592f89

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=8667&range=02
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=8667&range=01-02

  Stats: 3 lines in 3 files changed: 0 ins; 0 del; 3 mod
  Patch: https://git.openjdk.java.net/jdk/pull/8667.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/8667/head:pull/8667

PR: https://git.openjdk.java.net/jdk/pull/8667