Username derived from x509 certs on Windows may include extra comma


    • Type: Bug
    • Resolution: Fixed
    • Priority: Unknown
    • 2.1.0, 2.0.1, 1.30.4
    • Affects Version/s: None
    • Component/s: None
    • C Drivers

      Summary

      The C driver may incorrectly include an extra comma in the derived X509 username on Windows. This can cause an authentication failure and require the username be specified in the URI as a workaround.

      How to Reproduce

      To reproduce:

      • Create a cluster in Atlas with X509 auth.
      • Download the certificate for the user.
      • Convert the certificate file's private key from PKCS#8 to PKCS#1 format to work around CDRIVER-4269.
      • Try to connect with the C driver with no username specified.

      Example on Cygwin for a user "test-user":

      # Include path to libmongoc and libbson dlls:
      export PATH="$PATH:$(cygpath -u "C:\cygwin\home\Administrator\code\mongo-c-driver\cmake-build\src\libbson\Debug")"
      export PATH="$PATH:$(cygpath -u "C:\cygwin\home\Administrator\code\mongo-c-driver\cmake-build\src\libmongoc\Debug")"

      # Atlas cluster hostname (placeholder value; substitute your own):
      DOMAIN="<atlas-cluster-hostname>"

      # Path to client certificate in PKCS#1:
      CLIENTCERT_PATH="C:\cygwin\home\Administrator\code\mongo-c-driver\KEVINALBS\X509-cert-8204221885429283915.pem"

      URI="mongodb+srv://$DOMAIN/?authSource=%24external&authMechanism=MONGODB-X509&tlsCertificateKeyFile=$CLIENTCERT_PATH"
      ./cmake-build/src/libmongoc/Debug/mongoc-ping.exe "$URI"
      # Fails with "Authentication failed"
      # Atlas server logs show extra comma incorrectly sent with username: ",CN=test-user"

      # Specify username to work around the derivation bug:
      URI="mongodb+srv://CN=test-user@$DOMAIN/?authSource=%24external&authMechanism=MONGODB-X509&tlsCertificateKeyFile=$CLIENTCERT_PATH"
      ./cmake-build/src/libmongoc/Debug/mongoc-ping.exe "$URI"
      # Succeeds!

      The derived username is expected to be "CN=test-user", but the C driver derives it as ",CN=test-user".
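The failure pattern above (a subject DN that gains a leading comma when the driver joins its RDN components) is easy to reproduce in isolation. The following is an added example, not code from libmongoc or from this ticket: it shows a join that emits the separator before every RDN, the corrected join that emits it only between RDNs, and a small sanity check a client could apply to a derived username before sending it, so the problem surfaces as a clear local error rather than the server's generic "Authentication failed". The function names, the RDN list and the check's rules are assumptions for illustration; the check does not handle RFC 4514 escaped commas inside attribute values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libmongoc code. Builds a subject DN string such as
 * "CN=test-user" from its RDN components and checks the result. */

/* Append src at offset *len without writing past cap; false if it won't fit. */
static bool append(char *out, size_t cap, size_t *len, const char *src) {
    size_t n = strlen(src);
    if (*len + n + 1 > cap) {
        return false;
    }
    memcpy(out + *len, src, n + 1);
    *len += n;
    return true;
}

/* Buggy join: writes the separator before every RDN, including the first.
 * For a single-RDN subject this yields ",CN=test-user". */
bool join_rdns_buggy(const char **rdns, size_t n, char *out, size_t cap) {
    size_t len = 0;
    if (cap == 0) return false;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (!append(out, cap, &len, ",") || !append(out, cap, &len, rdns[i])) {
            return false;
        }
    }
    return true;
}

/* Corrected join: the separator goes only between RDNs. */
bool join_rdns(const char **rdns, size_t n, char *out, size_t cap) {
    size_t len = 0;
    if (cap == 0) return false;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (i > 0 && !append(out, cap, &len, ",")) {
            return false;
        }
        if (!append(out, cap, &len, rdns[i])) {
            return false;
        }
    }
    return true;
}

/* Sanity check on a derived username (hypothetical rules): non-empty, no
 * leading or trailing separator, and every comma-separated component has
 * the "attr=value" shape with a non-empty attribute and value. */
bool derived_username_ok(const char *u) {
    if (u == NULL || *u == '\0' || *u == ',') return false;
    size_t n = strlen(u);
    if (u[n - 1] == ',') return false;
    const char *p = u;
    while (*p) {
        const char *end = strchr(p, ',');
        if (end == NULL) end = p + strlen(p);
        const char *eq = memchr(p, '=', (size_t)(end - p));
        if (eq == NULL || eq == p || eq + 1 == end) return false;
        p = (*end == ',') ? end + 1 : end;
    }
    return true;
}

int main(void) {
    /* Constructed sample: a single-RDN subject, as in the report. */
    const char *rdns[] = {"CN=test-user"};
    char buf[128];

    join_rdns_buggy(rdns, 1, buf, sizeof buf);
    printf("buggy:   \"%s\" ok=%d\n", buf, derived_username_ok(buf));
    join_rdns(rdns, 1, buf, sizeof buf);
    printf("correct: \"%s\" ok=%d\n", buf, derived_username_ok(buf));
    return 0;
}
```

Running it prints the buggy result `",CN=test-user"` with `ok=0` and the corrected result `"CN=test-user"` with `ok=1`; a multi-RDN subject such as CN, OU and O joins the same way with commas only between components.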

      Workarounds

      Specify the username explicitly in the URI for X509 rather than relying on the driver-derived username. For example, instead of:

      mongodb+srv://host/?authSource=%24external&authMechanism=MONGODB-X509&tlsCertificateKeyFile=cert.pem
      

      Use:

      mongodb+srv://CN=user@host/?authSource=%24external&authMechanism=MONGODB-X509&tlsCertificateKeyFile=cert.pem
      

            Assignee:
            Kevin Albertson
            Reporter:
            Kevin Albertson
            Votes:
            0
            Watchers:
            3
