C Driver / CDRIVER-5985

Username derived from x509 certs on Windows may include extra comma

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Unknown


      Summary

      On Windows, the C driver may prepend an extra comma to the username it derives from the client X.509 certificate subject. The server then rejects the authentication, and the only workaround is to specify the username explicitly in the URI.

      How to Reproduce

      To reproduce:

      • Create a cluster in Atlas with X.509 authentication enabled.
      • Download the certificate (and private key) for the user.
      • Convert the private key from PKCS#8 to PKCS#1 to work around CDRIVER-4269.
      • Connect with the C driver without specifying a username, so the driver derives it from the certificate subject.

      Example on Cygwin for a user "test-user":

      # Include path to libmongoc and libbson dlls:
      export PATH="$PATH:$(cygpath -u "C:\cygwin\home\Administrator\code\mongo-c-driver\cmake-build\src\libbson\Debug")"
      export PATH="$PATH:$(cygpath -u "C:\cygwin\home\Administrator\code\mongo-c-driver\cmake-build\src\libmongoc\Debug")"

      # Path to the client certificate file, with its private key converted to PKCS#1:
      CLIENTCERT_PATH="C:\cygwin\home\Administrator\code\mongo-c-driver\KEVINALBS\X509-cert-8204221885429283915.pem"

      # DOMAIN must be set to the Atlas cluster's SRV hostname before running:
      : "${DOMAIN:?set DOMAIN to the Atlas cluster hostname}"

      # No username in the URI: the driver derives it from the certificate subject.
      URI="mongodb+srv://$DOMAIN/?authSource=%24external&authMechanism=MONGODB-X509&tlsCertificateKeyFile=$CLIENTCERT_PATH"
      ./cmake-build/src/libmongoc/Debug/mongoc-ping.exe "$URI"
      # Fails with "Authentication failed"
      # Atlas server logs show extra comma incorrectly sent with username: ",CN=test-user"

      # Specify the username explicitly to work around the derivation bug:
      URI="mongodb+srv://CN=test-user@$DOMAIN/?authSource=%24external&authMechanism=MONGODB-X509&tlsCertificateKeyFile=$CLIENTCERT_PATH"
      ./cmake-build/src/libmongoc/Debug/mongoc-ping.exe "$URI"
      # Succeeds!
      

      The derived username is expected to be "CN=test-user" (the certificate subject in RFC 2253 form); the C driver on Windows derives it as ",CN=test-user".

      Workarounds

      Specify the X.509 username in the URI instead of relying on the driver-derived one. For example, instead of:

      mongodb+srv://host/?authSource=%24external&authMechanism=MONGODB-X509&tlsCertificateKeyFile=cert.pem
      

      Use:

      mongodb+srv://CN=user@host/?authSource=%24external&authMechanism=MONGODB-X509&tlsCertificateKeyFile=cert.pem
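
      To see what the driver is supposed to send, and to build the workaround URI without guessing at the escaping, here is an added Python example; it is not part of the C driver and not part of this ticket's reproduction. It builds the RFC 2253 subject string that MongoDB expects as the MONGODB-X509 username from a constructed RDN list (standing in for what a certificate parser returns), flags the leading-comma form seen in the Atlas logs, and inserts an explicit username into a connection string. The function names, the sample RDNs and the sample URI are assumptions for illustration; the escaping covers the printable cases of RFC 2253 only (no hex-encoded values or unknown OIDs).

```python
"""Expected MONGODB-X509 username from a certificate subject, plus a check for
the leading-comma defect described in CDRIVER-5985.

Added example, not C driver code. The RDN list used in __main__ is constructed;
it stands in for what a certificate parser would return."""
from urllib.parse import quote, urlsplit, urlunsplit

# RFC 2253 section 2.4: characters that must be backslash-escaped inside a value.
_ESCAPE = set(',+"\\<>;')


def rfc2253_escape(value: str) -> str:
    """Escape one attribute value per RFC 2253.

    Special characters get a backslash; a leading '#' and a leading or trailing
    space are escaped too. Hex-encoded (#...) values are not handled here."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _ESCAPE:
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def subject_to_username(rdns):
    """Build the RFC 2253 string MongoDB expects as the X.509 username.

    `rdns` is the subject in certificate (ASN.1) order, most significant RDN
    first, e.g. [("O", "Acme"), ("CN", "test-user")]. RFC 2253 prints RDNs in
    reverse order, so CN comes first. Nothing is emitted before the first RDN;
    a separator there is exactly the ",CN=test-user" defect in this ticket."""
    parts = [f"{attr}={rfc2253_escape(val)}" for attr, val in reversed(rdns)]
    return ",".join(parts)


def derived_username_matches(observed: str, expected: str) -> bool:
    """Compare the username a driver sent (as seen in server logs) with the
    expected one. Only an exact match authenticates; a leading comma fails."""
    return observed == expected


def uri_with_x509_username(uri: str, username: str) -> str:
    """Workaround: place the username in the URI userinfo.

    Assumption: the connection-string rules require ':/?#[]@%' to be
    percent-encoded in userinfo, while '=' and ',' may stay literal, which is
    why "CN=test-user@host" works unescaped."""
    parts = urlsplit(uri)
    if parts.username is not None:
        raise ValueError("URI already carries a username")
    netloc = quote(username, safe="=,") + "@" + parts.netloc
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed subject: what a parser would return for the Atlas user cert.
    sample_subject = [("O", "Acme, Inc."), ("OU", "Users"), ("CN", "test-user")]
    expected = subject_to_username(sample_subject)
    print("expected username:", expected)
    print("buggy form accepted:", derived_username_matches("," + expected, expected))
    base = "mongodb+srv://host/?authSource=%24external&authMechanism=MONGODB-X509&tlsCertificateKeyFile=cert.pem"
    print("workaround URI:", uri_with_x509_username(base, expected))
```

      Before relying on the computed string, compare it with `openssl x509 -in cert.pem -noout -subject -nameopt RFC2253` on the same certificate; the value placed in the URI has to match what the server computes from the certificate, and the reversed RDN order is what RFC 2253 prescribes.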
      

            Assignee: Kevin Albertson (kevin.albertson@mongodb.com)
            Reporter: Kevin Albertson (kevin.albertson@mongodb.com)