> On Jun 27, 2018, at 4:01 PM, Severin Gehwolf <sgehw...@redhat.com> wrote:
>
> Hi Max,
>
> On Wed, 2018-06-27 at 09:15 +0800, Weijun Wang wrote:
>> Hi Severin and/or Andrew
>>
>> I'm going through all security bugs with JDK 11 in affected versions and
>> noticed this one:
>>
>> 8202598: [linux] keytool -certreq inconsistent with platform line.separator
>> https://bugs.openjdk.java.net/browse/JDK-8202598
>>
>> What kind of interop issue have you observed? IMHO, \r\n is legal in a PEM
>> file.
>
> All we know is that this breaks interop with tools on Linux/Unix which
> don't expect \r\n in PEM files.
>
>> Also, you mentioned a patch in the comment. Can I take a look?
>
> I've posted a link to the JDK 8 patch in the bug report.

A new option for keytool is too much at this stage (RDP1 begins tomorrow) and I feel uncomfortable applying this option only to PKCS10. Now that this is reported on Linux/Unix, I assume users on those systems can easily find a workaround to s/\r\n/\n/ on the fly. Therefore I updated the Fix Version to tbd_major, which means it's not necessary to fix it in JDK 11.

If you find more information on what exact tool does not parse the input, please add a comment on it. I tried openssl and it has no problem.

I do realize there is an inconsistency that there is only "\n" after the PEM header/footer but "\r\n" after each line. Maybe some tools are confused by this?

Thanks
Max

>
> Thanks,
> Severin
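
The mixed terminators described in the message above ("\n" after the PEM header/footer, "\r\n" after each body line) can be detected, and the s/\r\n/\n/ workaround checked as payload-preserving, with a short script. This is an added example, not part of the original thread or of keytool; the sample request is constructed from dummy bytes and the function names are hypothetical.

```python
import base64
import re

# Constructed sample: LF after the BEGIN/END lines, CRLF after each base64 line.
# The payload is dummy data, not a real PKCS#10 request.
_B64 = base64.b64encode(bytes(range(96))).decode()
SAMPLE = (
    b"-----BEGIN NEW CERTIFICATE REQUEST-----\n"
    + b"".join(_B64[i:i + 64].encode() + b"\r\n" for i in range(0, len(_B64), 64))
    + b"-----END NEW CERTIFICATE REQUEST-----\n"
)

_LINE = re.compile(rb"([^\r\n]*)(\r\n|\n|\r|$)")
_NAMES = {b"\r\n": "CRLF", b"\n": "LF", b"\r": "CR", b"": "none"}


def split_lines(data: bytes):
    """Yield (content, terminator) pairs, preserving the exact terminator bytes."""
    for m in _LINE.finditer(data):
        if m.group(0):  # skip the empty match at end of input
            yield m.group(1), m.group(2)


def line_ending_report(data: bytes) -> dict:
    """Count terminators separately for PEM boundary lines and body lines."""
    report = {"boundary": {}, "body": {}}
    for content, term in split_lines(data):
        kind = "boundary" if content.startswith(b"-----") else "body"
        name = _NAMES[term]
        report[kind][name] = report[kind].get(name, 0) + 1
    return report


def is_mixed(data: bytes) -> bool:
    """True when more than one terminator style appears in the file."""
    rep = line_ending_report(data)
    seen = (set(rep["boundary"]) | set(rep["body"])) - {"none"}
    return len(seen) > 1


def normalize_to_lf(data: bytes) -> bytes:
    """The s/\\r\\n/\\n/ workaround, also covering stray lone CRs."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


def payload(data: bytes) -> bytes:
    """Decode the base64 body with the line terminators stripped."""
    body = b"".join(c for c, _ in split_lines(data) if not c.startswith(b"-----"))
    return base64.b64decode(body, validate=True)
```

Comparing `payload()` before and after `normalize_to_lf()` confirms that only the terminators changed, so the normalized request carries the same encoded bytes.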