Uploaded image for project: 'C Driver'
  1. C Driver
  2. CDRIVER-3263

Username derived from x509 certs on macOS has different order of RDNs

    • Type: Icon: Bug Bug
    • Resolution: Unresolved
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: None
    • Component/s: auth, libmongoc
    • None

      Found by chris.cho, of which he included a thorough repro data and code here:
      https://gist.github.com/ccho-mongodb/67dc14a2344971619403982def475a8d

      Per the auth spec, the username we're deriving from the client certificate should conform to:

      openssl x509 -subject -nameopt RFC2253 -noout -inform PEM -in test-client.pem
      

      On the client certificate provided in that gist, that command results in:

      CN=Chris,OU=TestClientCertificateOrgUnit,O=EducationClientCertificate,L=TestClientCertificateLocality,ST=TestClientCertificateState,C=US
      

      But the C driver on macOS derives the username as:

      C=US,ST=TestClientCertificateState,L=TestClientCertificateLocality,O=EducationClientCertificate,OU=TestClientCertificateOrgUnit,CN=Chris
      

      Which results in an authentication failure. As a workaround, the username can be provided explicitly.

            Assignee:
            Unassigned Unassigned
            Reporter:
            kevin.albertson@mongodb.com Kevin Albertson
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated: