[GODRIVER-2650] Fix incorrect X509 certificate being used as username for authentication Created: 09/Nov/22 Updated: 28/Oct/23 Resolved: 16/Dec/22

| Status: | Closed |
| Project: | Go Driver |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | 1.12.0, 1.12.0-alpha1 |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | Evgeni Dobranov |
| Assignee: | Qingyang Hu |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Description |
In that ticket, while all certificates are concatenated with newlines by the driver and passed to tls.X509KeyPair(), and while tls.X509KeyPair() iterates over all certificates and un-concatenates them using pem.Decode(), the tls.X509KeyPair() function always statically takes the first certificate anyway. So providing all certificates to tls.X509KeyPair(), rather than the first or last one, doesn't do much. Ultimately, this changes the behavior of the Go driver from using the last certificate to now using the first certificate. Still, this is not an issue in itself since it aligns with OpenSSL and other libraries' behaviors, which also use the first certificate if multiple are provided. On the whole, the only concern with

But there is a separate problem w.r.t. which certificate is used as the username for X509 auth. When the Go driver loops over the certificates, the certDecodedBlock variable takes on the last value (the last certificate). This certificate's Subject is returned as a string at the end of that function, and this later has an erroneous value when setting the connection string's username if there is more than one certificate per PEM file, since it doesn't correspond to the behavior changed by

So for this ticket, the work is simple. This can be fixed by changing this line:

to this:

This will make certDecodedBlock take on the value of the first certificate, aligning it with the behavior introduced in
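The mismatch the description points at can be reproduced in a few dozen lines. The following is an added Go example, not the driver's code and not the reporter's: it generates a constructed two-certificate bundle (client certificate first, its issuing CA certificate second, then the client key), walks it with a single pem.Decode loop the way the description says the driver does, and compares the subject of the leaf that tls.X509KeyPair() actually selects with the subject taken from the first and from the last CERTIFICATE block. The subject names, serial numbers and helper names (buildBundle, splitBundle, Compare, must) are assumptions made for the example, and Subject.String() stands in for whatever formatting the driver applies when it turns the subject into a username.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// must panics on error: everything below runs on constructed test material.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a certificate for subjectCN signed by parent (self-signed when
// parent is nil) and returns its DER encoding.
func newCert(subjectCN string, serial int64, key *ecdsa.PrivateKey,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey, isCA bool) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: subjectCN},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	return x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
}

// buildBundle constructs a PEM file of the shape the ticket describes: the client
// certificate, a second (CA) certificate, then the client key. Subjects are assumed.
func buildBundle() []byte {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caDER := must(newCert("Example Root CA", 1, caKey, nil, nil, true))
	clientKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	clientDER := must(newCert("client-user", 2, clientKey, must(x509.ParseCertificate(caDER)), caKey, false))
	var out []byte
	for _, b := range []*pem.Block{
		{Type: "CERTIFICATE", Bytes: clientDER},                                    // leaf first
		{Type: "CERTIFICATE", Bytes: caDER},                                        // CA second
		{Type: "EC PRIVATE KEY", Bytes: must(x509.MarshalECPrivateKey(clientKey))}, // key for the leaf
	} {
		out = append(out, pem.EncodeToMemory(b)...)
	}
	return out
}

// splitBundle walks the file with pem.Decode as the description says the driver
// does: CERTIFICATE blocks are re-concatenated into certPEM, the key block goes to
// keyPEM, and the DER of the first and of the last certificate block are both kept.
func splitBundle(data []byte) (certPEM, keyPEM, firstDER, lastDER []byte) {
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			keyPEM = append(keyPEM, pem.EncodeToMemory(block)...)
			continue
		}
		certPEM = append(certPEM, pem.EncodeToMemory(block)...)
		if firstDER == nil {
			firstDER = block.Bytes // first block: the certificate tls.X509KeyPair will use
		}
		lastDER = block.Bytes // overwritten every iteration: the ticket's username bug
	}
	return
}

// subjectOf stands in for the driver's username formatting of a certificate subject.
func subjectOf(der []byte) string {
	return must(x509.ParseCertificate(der)).Subject.String()
}

type Result struct{ TLSLeaf, FromFirst, FromLast string }

// Compare feeds the re-concatenated certificates to tls.X509KeyPair, which always
// takes Certificate[0] as the leaf, and shows which username choice agrees with it.
func Compare(bundle []byte) Result {
	certPEM, keyPEM, firstDER, lastDER := splitBundle(bundle)
	pair := must(tls.X509KeyPair(certPEM, keyPEM))
	return Result{
		TLSLeaf:   subjectOf(pair.Certificate[0]),
		FromFirst: subjectOf(firstDER),
		FromLast:  subjectOf(lastDER),
	}
}

func main() {
	r := Compare(buildBundle())
	fmt.Printf("TLS leaf: %s\nfirst block: %s\nlast block: %s\n", r.TLSLeaf, r.FromFirst, r.FromLast)
}
```

Running it shows the first-block subject equal to the leaf that TLS presents, while the last-block subject is the CA's. A deployment that authenticates with such a bundle would therefore send a username naming a certificate the server never sees in the handshake, which is the failure the ticket fixes by taking the first block instead.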
| Comments |
| Comment by Githook User [ 16/Dec/22 ] |
Author: {'name': 'Qingyang Hu', 'email': '103950869+qingyang-hu@users.noreply.github.com', 'username': 'qingyang-hu'}
Message:
| Comment by Evgeni Dobranov [ 09/Nov/22 ] |
CC tim.fogarty@mongodb.com for awareness / for helping with investigating this (we have a similar situation in the DB Tools)