Uploaded image for project: 'C Driver'
  1. C Driver
  2. CDRIVER-3263

Username derived from x509 certs on macOS has different order of RDNs

    XMLWordPrintable

    Details

    • Type: Task
    • Status: Open
    • Priority: Major - P3
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: auth, libmongoc
    • Labels:
      None
    • Story Points:
      2

      Description

      Found by Christopher Cho, of which he included a thorough repro data and code here:
      https://gist.github.com/ccho-mongodb/67dc14a2344971619403982def475a8d

      Per the auth spec, the username we're deriving from the client certificate should conform to:

      openssl x509 -subject -nameopt RFC2253 -noout -inform PEM -in test-client.pem
      

      On the client certificate provided in that gist, that command results in:

      CN=Chris,OU=TestClientCertificateOrgUnit,O=EducationClientCertificate,L=TestClientCertificateLocality,ST=TestClientCertificateState,C=US
      

      But the C driver on macOS derives the username as:

      C=US,ST=TestClientCertificateState,L=TestClientCertificateLocality,O=EducationClientCertificate,OU=TestClientCertificateOrgUnit,CN=Chris
      

      Which results in an authentication failure. As a workaround, the username can be provided explicitly.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned
              Reporter:
              kevin.albertson Kevin Albertson
              Participants:
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Dates

                Created:
                Updated: