[SERVER-14735] We need to handle emailAddress in X509 subject

Created: 30/Jul/14
Updated: 05/Sep/14
Resolved: 01/Aug/14

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Alexander Komyagin
Assignee: Spencer Jackson
Resolution: Cannot Reproduce
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL
Steps To Reproduce:

        // Locate the CN attribute in the one-line subject string. If "CN=" is
        // absent, find() returns npos and npos + 3 wraps to a small bogus offset.
        int cnBegin = peerSubjectName.find("CN=") + 3;
        // The CN value is assumed to end at the next comma. With an emailAddress
        // attribute appended as "/emailAddress=...", there is no comma, so
        // find() returns npos and the substring runs to the end of the string.
        int cnEnd = peerSubjectName.find(",", cnBegin);
        std::string commonName = peerSubjectName.substr(cnBegin, cnEnd-cnBegin);
 
        // commonName now contains "oracle/emailAddress=..." and the hostname
        // comparison fails, so X509 authentication is rejected.
        if (_hostNameMatch(remoteHost.c_str(), commonName.c_str())) {
            return peerSubjectName;
        }

Description:

Per the RFC, usage of the field is deprecated but permitted.

See the end of section 4.1.2.6 (Subject) in http://www.ietf.org/rfc/rfc5280.txt :

Conforming implementations generating new certificates with
electronic mail addresses MUST use the rfc822Name in the subject
alternative name extension (Section 4.2.1.6) to describe such
identities. Simultaneous inclusion of the emailAddress attribute in
the subject distinguished name to support legacy implementations is
deprecated but permitted.

Right now, the presence of emailAddress breaks X509 auth.

Comments:
Comment by Alexander Komyagin [ 01/Aug/14 ]

Could not reproduce with OpenSSL 1.0.1h-fips 5 Jun 2014. (Amazon AMI).

Comment by Alexander Komyagin [ 31/Jul/14 ]

Just generate a certificate with openssl and provide the email field:

openssl req -new -x509 -days 3650 -nodes -out rs0-cert.pem -keyout rs0-cert.key

The subject will be

Subject: C=AU, ST=Some-State, L=LONDON, O=Internet Widgits Pty Ltd, OU=CATE, CN=oracle/emailAddress=alex@mongodb.com

I emailed the openssl mailing list to see if there are suggestions, and I'm also not sure why "/" is there.

-Alex
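An added example, not code from this issue or from MongoDB, showing why the comma-terminated CN parse in Steps To Reproduce fails on the subject line quoted in the comment above, beside a defensive parse that stops at either separator and fails closed when no CN is present. The function names, the attribute-boundary check and the backslash-escape handling are my own assumptions.

```cpp
#include <cstddef>
#include <string>

// Constructed input: the subject line quoted in the comment on this issue.
static const std::string kSubjectWithEmail =
    "C=AU, ST=Some-State, L=LONDON, O=Internet Widgits Pty Ltd, OU=CATE, "
    "CN=oracle/emailAddress=alex@mongodb.com";

// The parse from "Steps To Reproduce". It only terminates the CN at a comma, so
// a trailing "/emailAddress=" is swallowed into the common name, and a missing
// "CN=" turns npos+3 into a small bogus offset instead of an error.
std::string fragileCommonName(const std::string& peerSubjectName) {
    int cnBegin = static_cast<int>(peerSubjectName.find("CN=") + 3);
    int cnEnd = static_cast<int>(peerSubjectName.find(",", cnBegin));
    return peerSubjectName.substr(cnBegin, cnEnd - cnBegin);
}

// Defensive replacement (an added example, not MongoDB's actual fix): the CN
// value ends at the first unescaped ',' or '/', and a missing CN yields "" so
// the caller's hostname check fails closed. It assumes the one-line subject
// formats shown on the page; the robust fix is to read the CN from the parsed
// X509_NAME with OpenSSL instead of re-parsing printed text.
std::string hardenedCommonName(const std::string& peerSubjectName) {
    const std::string tag = "CN=";
    std::size_t cnBegin = std::string::npos;
    for (std::size_t pos = peerSubjectName.find(tag); pos != std::string::npos;
         pos = peerSubjectName.find(tag, pos + tag.size())) {
        // Accept only a "CN=" that starts an attribute, not one inside a value.
        char prev = pos == 0 ? ',' : peerSubjectName[pos - 1];
        if (prev == ',' || prev == ' ' || prev == '/') {
            cnBegin = pos + tag.size();
            break;
        }
    }
    if (cnBegin == std::string::npos) return "";
    std::string value;
    for (std::size_t i = cnBegin; i < peerSubjectName.size(); ++i) {
        char c = peerSubjectName[i];
        if (c == '\\' && i + 1 < peerSubjectName.size()) {
            value += peerSubjectName[++i];  // keep an escaped separator literally
        } else if (c == ',' || c == '/') {
            break;                          // end of the CN attribute value
        } else {
            value += c;
        }
    }
    return value;
}
```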
