[CDRIVER-3263] Username derived from x509 certs on macOS has different order of RDNs Created: 31/Jul/19  Updated: 21/Jul/23

Status: Backlog
Project: C Driver
Component/s: auth, libmongoc
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Kevin Albertson Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to CDRIVER-1385 Secure Transport subject reversed Closed
is related to CDRIVER-2940 Regenerate test certificates with SHA... Closed
Epic Link: CDRIVER-4575

Description

Found by chris.cho, who included thorough repro data and code here:
https://gist.github.com/ccho-mongodb/67dc14a2344971619403982def475a8d

Per the auth spec, the username we derive from the client certificate should match the subject as printed by:

openssl x509 -subject -nameopt RFC2253 -noout -inform PEM -in test-client.pem

On the client certificate provided in that gist, that command results in:

CN=Chris,OU=TestClientCertificateOrgUnit,O=EducationClientCertificate,L=TestClientCertificateLocality,ST=TestClientCertificateState,C=US

But the C driver on macOS derives the username as:

C=US,ST=TestClientCertificateState,L=TestClientCertificateLocality,O=EducationClientCertificate,OU=TestClientCertificateOrgUnit,CN=Chris

The RDNs are the same but in reverse order, so the derived username does not match and authentication fails. As a workaround, the username can be provided explicitly.
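The two strings above differ only in RDN order. The following is an added example, not code from this ticket or from libmongoc: it builds the RFC 2253 form from the subject's RDNs as stored in the certificate (C first), and classifies a driver-derived username as matching, reversed, or otherwise mismatched. It assumes single-valued RDNs and takes the subject values from the ticket.

```python
# Added example (not from the ticket or libmongoc). Assumes single-valued RDNs.
# Subject of the ticket's test-client.pem in ASN.1 encoding order (C first).
SUBJECT_ENCODING_ORDER = [
    ("C", "US"),
    ("ST", "TestClientCertificateState"),
    ("L", "TestClientCertificateLocality"),
    ("O", "EducationClientCertificate"),
    ("OU", "TestClientCertificateOrgUnit"),
    ("CN", "Chris"),
]
# Username the C driver derived on macOS, copied from the ticket.
MACOS_DERIVED = ("C=US,ST=TestClientCertificateState,L=TestClientCertificateLocality,"
                 "O=EducationClientCertificate,OU=TestClientCertificateOrgUnit,CN=Chris")

def escape_value(value: str) -> str:
    """Escape one attribute value as RFC 2253 section 2.4 requires."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):   # leading/trailing space
            out.append("\\ ")
        elif ch == "#" and i == 0:           # would read as a hex-encoded value
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)

def rfc2253_name(rdns_encoding_order) -> str:
    """RFC 2253 string form: RDNs emitted in reverse of their encoding order."""
    return ",".join(f"{t}={escape_value(v)}" for t, v in reversed(rdns_encoding_order))

def split_simple_dn(name: str):
    """Split a DN string into (type, value) pairs; assumes no escaped commas."""
    return [tuple(part.split("=", 1)) for part in name.split(",")]

def diagnose_username(derived: str, rdns_encoding_order) -> str:
    """Classify a driver-derived username against the RFC 2253 form."""
    expected = rfc2253_name(rdns_encoding_order)
    if derived == expected:
        return "match"
    if split_simple_dn(derived) == list(reversed(split_simple_dn(expected))):
        return "reversed"   # same RDNs, wrong order: this ticket's symptom
    return "mismatch"

if __name__ == "__main__":
    print("expected:", rfc2253_name(SUBJECT_ENCODING_ORDER))
    print("macOS   :", diagnose_username(MACOS_DERIVED, SUBJECT_ENCODING_ORDER))
```

Running it prints the expected string from the ticket and classifies the macOS-derived username as "reversed".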

Comments
Comment by Kevin Albertson [ 15/Mar/20 ]

Windows may have the same issue. I believe this is specific to the certs included in the description. The fields in "Subject" are in a different order. Perhaps we need to preserve that order.

Generated at Wed Feb 07 21:17:33 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.