extendedKeyUsage not honored in x509 certificates

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor - P4
    • Affects Version/s: 8.0.4
    • Component/s: None
    • Environment: Windows 10

      In Client Certificate Requirements you say:

      • Client certificates must contain the following fields:
        keyUsage = digitalSignature
        extendedKeyUsage = clientAuth

      However, it is possible to authenticate as client, even when extendedKeyUsage = clientAuth is not set:

      openssl x509 -in client.admin.pem -noout -subject -ext extendedKeyUsage,keyUsage

      subject=CN=admin
      X509v3 Key Usage:
          Digital Signature, Key Encipherment
      X509v3 Extended Key Usage:
          TLS Web Server Authentication

      mongosh --norc "mongodb://localhost:27017/admin?&authSource=$external&authMechanism=MONGODB-X509&tls=true&tlsCertificateKeyFile=client.admin.pem"

      Current Mongosh Log ID: 683d48312178c488a76c4bcf
      Connecting to:          mongodb://localhost:27017/admin?authSource=%24external&authMechanism=MONGODB-X509&tls=true&tlsCertificateKeyFile=client.admin.pem&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.5.1
      Using MongoDB:          8.0.4
      Using Mongosh:          2.5.1

      admin> db.runCommand({ connectionStatus: 1 }).authInfo
      {
        authenticatedUsers: [ { user: 'CN=admin', db: '$external' } ],
        authenticatedUserRoles: [ { role: 'root', db: 'admin' } ]
      }

      In my understanding, authentication should fail, because extendedKeyUsage = clientAuth is missing.

      The same problem applies to the server certificate.

      openssl x509 -in mongo.server.pem -noout -subject -ext extendedKeyUsage,keyUsage

      subject=C=CH, O=Sunrise, OU=OSS, OU=MongoDB, CN=server
      X509v3 Key Usage:
          Digital Signature, Key Encipherment
      X509v3 Extended Key Usage:
          TLS Web Client Authentication

      mongod --tlsCertificateKeyFile mongo.server.pem
      ->  successfully started

      In my understanding, mongod should not start, because extendedKeyUsage = serverAuth is missing in the certificate.
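Until the server enforces the documented fields, the practical mitigation is a preflight check on the certificates you deploy. The following Go program is an added example written for this page; it is not code from the ticket, from mongod or from mongosh. It encodes the two documented requirements (keyUsage must include digitalSignature, extendedKeyUsage must include clientAuth for client certificates or serverAuth for server certificates) and, for contrast, shows how a verifier that does honor EKU (Go's crypto/x509 with KeyUsages set) rejects the same certificate. The role names, function names and the self-signed test certificate are constructed here; the test certificate only mimics the shape of the report's client certificate (Key Usage digitalSignature + keyEncipherment, Extended Key Usage serverAuth only) and is not the reporter's file.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertRole selects which side of the TLS handshake the certificate is for.
type CertRole int

const (
	RoleClient CertRole = iota // needs extendedKeyUsage = clientAuth
	RoleServer                 // needs extendedKeyUsage = serverAuth
)

// requiredEKU maps a role to the EKU the documentation requires for it.
func requiredEKU(role CertRole) (x509.ExtKeyUsage, string) {
	if role == RoleServer {
		return x509.ExtKeyUsageServerAuth, "serverAuth"
	}
	return x509.ExtKeyUsageClientAuth, "clientAuth"
}

// CheckCertUsage compares a parsed certificate against the documented
// requirements (keyUsage = digitalSignature, extendedKeyUsage = clientAuth
// or serverAuth) and returns one message per violation; nil means it passes.
func CheckCertUsage(cert *x509.Certificate, role CertRole) []string {
	var problems []string
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		problems = append(problems, "keyUsage lacks digitalSignature")
	}
	if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
		// RFC 5280 reads a missing EKU as "any purpose", but the documented
		// requirement is that the field be present, so report its absence.
		return append(problems, "extendedKeyUsage extension is absent")
	}
	want, name := requiredEKU(role)
	for _, eku := range cert.ExtKeyUsage {
		if eku == want || eku == x509.ExtKeyUsageAny {
			return problems
		}
	}
	return append(problems, "extendedKeyUsage lacks "+name)
}

// VerifyForRole shows what a verifier that honors EKU does: Go's standard
// library rejects a chain whose leaf lacks the requested purpose. The test
// certificates are self-signed, so each one is its own trust anchor.
func VerifyForRole(cert *x509.Certificate, role CertRole) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	want, _ := requiredEKU(role)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{want}})
	return err
}

// MakeTestCert builds a self-signed certificate with the requested usages.
// Constructed for this example only; it is not a certificate from the ticket.
func MakeTestCert(cn string, ku x509.KeyUsage, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     ku,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Same shape as the report's client certificate: Key Usage digitalSignature
	// and keyEncipherment, Extended Key Usage serverAuth only.
	cert, err := MakeTestCert("admin", x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	if err != nil {
		panic(err)
	}
	fmt.Println(CheckCertUsage(cert, RoleClient)) // [extendedKeyUsage lacks clientAuth]
	fmt.Println(VerifyForRole(cert, RoleClient))  // x509: certificate specifies an incompatible key usage
}
```

To run the same check against a real file such as client.admin.pem or mongo.server.pem, decode the CERTIFICATE block with encoding/pem, parse it with x509.ParseCertificate and pass the result to CheckCertUsage with the matching role; a non-nil result is the condition under which, per the documentation, authentication (or mongod startup) should have been refused. The check treats anyExtendedKeyUsage as satisfying either role, which follows RFC 5280, but deliberately flags a certificate with no EKU extension at all, because the documentation requires the field to be present.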

            Assignee: Kenan Ali
            Reporter: Wernfried Domscheit
            Votes: 0
            Watchers: 4