[SERVER-35196] Unable to X.509 authenticate using a client certificate with a subjectAltName component Created: 23/May/18  Updated: 29/Oct/23  Resolved: 06/Jun/18

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 4.0.0-rc0
Fix Version/s: 4.0.0-rc3, 4.1.1

Type: Bug Priority: Major - P3
Reporter: Timothy Olsen (Inactive) Assignee: Sara Golemon
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

Generate appropriate PEM keyfiles. Have the subject for your client certificate include a subjectAltName component.

Start mongod

Insert user with the username matching the client certificate subject.

Connect to the mongod using the client certificate and try to authenticate using X.509 auth.

Sprint: Platforms 2018-06-18

Description

I believe this is a regression introduced in 4.0.0-rc0. The same automated test of ours that triggered this did not have this problem with 3.7.9. I have seen this happen on Amazon Linux and macOS.

Basically, if I have a PEM key file with a certificate with a subjectAltName component:

$ openssl x509 -in /tmp/mms-automation/test/output/certificates/pem-967246847 -inform PEM -subject -nameopt RFC2253
subject= subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan

And that user exists on the mongod:

MongoDB Enterprise csrs:PRIMARY> db.system.users.find({})
{ "_id" : "$external.subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan", "user" : "subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan", "db" : "$external", "credentials" : { "external" : true }, "roles" : [ { "role" : "backup", "db" : "admin" }, { "role" : "clusterAdmin", "db" : "admin" }, { "role" : "dbAdminAnyDatabase", "db" : "admin" }, { "role" : "readWriteAnyDatabase", "db" : "admin" }, { "role" : "restore", "db" : "admin" }, { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }

This is what happens when I try to authenticate:

$ /tmp/mms-automation/test/versions/mongodb-linux-x86_64-enterprise-amzn64-4.0.0-rc0/bin/mongo --ssl --sslCAFile /tmp/mms-automation/test/output/certificates/mmsCA.pem --sslPEMKeyFile /tmp/mms-automation/test/output/certificates/pem-967246847 `hostname -f`:9007
MongoDB shell version v4.0.0-rc0
connecting to: mongodb://ip-10-113-168-251.ec2.internal:9007/test
MongoDB server version: 4.0.0-rc0
MongoDB Enterprise csrs:PRIMARY> use $external
switched to db $external
MongoDB Enterprise csrs:PRIMARY> db.auth({mechanism: "MONGODB-X509", user: "subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan"})
Error: Username "subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan" does not match the provided client certificate user "2.5.29.17=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan"
0
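The failure in the transcript above is a plain string comparison: the 4.0.0-rc0 server rendered the subjectAltName attribute type by its dotted OID (2.5.29.17) while the stored $external username used the short name, so the two DN strings differed even though they describe the same certificate subject. The following is an added example, not code from this ticket or from the MongoDB server; it assumes a hypothetical OID-to-short-name table and a minimal RFC 2253 parser (backslash escapes are honoured, multi-valued RDNs joined with '+' are not handled) and shows the comparison failing on the raw strings and succeeding once both sides are canonicalized, which is the general form of the "map additional OIDs" fix the linked commits describe.

```python
"""Canonicalize RFC 2253 distinguished names before comparing them for X.509 auth."""

# Hypothetical mapping table written for this example: well-known attribute type
# OIDs and their conventional short names. The server's own table lives in the
# commits linked from the ticket, not here.
OID_SHORT_NAMES = {
    "2.5.4.3": "CN",
    "2.5.4.6": "C",
    "2.5.4.7": "L",
    "2.5.4.8": "ST",
    "2.5.4.10": "O",
    "2.5.4.11": "OU",
    "1.2.840.113549.1.9.1": "emailAddress",
    "0.9.2342.19200300.100.1.25": "DC",
    "0.9.2342.19200300.100.1.1": "UID",
    "2.5.29.17": "subjectAltName",
}


def split_unescaped(s, sep):
    """Split s on sep while honouring RFC 2253 backslash escapes (e.g. '\\,')."""
    parts, cur, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_rfc2253(dn):
    """Return [(attribute_type, value), ...] in the order the DN string lists them."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        if not rdn.strip():
            continue
        attr_type, eq, value = rdn.partition("=")
        if not eq:
            raise ValueError("RDN without '=': %r" % rdn)
        rdns.append((attr_type.strip(), value.strip()))
    return rdns


def canonicalize(dn):
    """Rewrite dotted-decimal attribute types to short names; unknown types are kept as-is."""
    out = []
    for attr_type, value in parse_rfc2253(dn):
        out.append("%s=%s" % (OID_SHORT_NAMES.get(attr_type, attr_type), value))
    return ",".join(out)


def x509_user_matches(stored_user, cert_subject):
    """True when the stored $external username and the certificate subject name the same DN."""
    return canonicalize(stored_user) == canonicalize(cert_subject)


# Both strings are taken from the ticket's error message: the username as stored
# in $external and the subject as the 4.0.0-rc0 server rendered it (OID form).
STORED_USER = ("subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,"
               "L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan")
SERVER_RENDERED = ("2.5.29.17=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,"
                   "L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan")

if __name__ == "__main__":
    print("raw string equality:", STORED_USER == SERVER_RENDERED)        # False
    print("after OID mapping:  ", x509_user_matches(STORED_USER, SERVER_RENDERED))  # True
```

The design point is that the stored username and the certificate subject must be normalized by the same rules before they are compared; comparing one side's raw rendering against the other's is exactly what broke here, and any attribute type missing from the mapping table reproduces the same mismatch for that attribute.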



Comments
Comment by Githook User [ 06/Jun/18 ]

Author:

{'username': 'sgolemon', 'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com'}

Message: SERVER-35196 Map additional X509 OIDs

(cherry picked from commit 23cd748c2df0800d908bb6c0e8b29d6f6ef7d0da)
Branch: v4.0
https://github.com/mongodb/mongo/commit/f58092e36cf32ed90fdae5a5b619f8ed456a009d

Comment by Githook User [ 06/Jun/18 ]

Author:

{'username': 'sgolemon', 'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com'}

Message: SERVER-35196 Map additional X509 OIDs
Branch: master
https://github.com/mongodb/mongo/commit/23cd748c2df0800d908bb6c0e8b29d6f6ef7d0da
