
CertificateUtils do not support embedded emailAddress in CN


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.13.0
    • Fix Version/s: 1.14.0
    • Component/s: Security

      Description

      RFC 5280 permits, for compatibility with legacy implementations, an emailAddress attribute to be embedded in the subject distinguished name; in practice this attribute then shows up appended to the CN.

      https://tools.ietf.org/html/rfc5280#section-4.1.2.6 

      Legacy implementations exist where an electronic mail address is
      embedded in the subject distinguished name as an emailAddress
      attribute [RFC2985]. The attribute value for emailAddress is of type
      IA5String to permit inclusion of the character '@', which is not part
      of the PrintableString character set. emailAddress attribute values
      are not case-sensitive (e.g., "subscriber@example.com" is the same as
      "SUBSCRIBER@EXAMPLE.COM").
      

      This case is currently not handled by the CN extraction logic in CertificateUtils. Because an incorrect CN is extracted, certificate-based authentication can fail.

      Example

      If the following subject name is used:

      Subject: C=US, O=Apache, OU=Security, CN=Some Name/emailAddress=test@example.com

      CertificateUtils extracts the following username:

      Some Name/emailAddress=test@example.com

      whereas the expected username is:

      Some Name

      As a result, the certificate is mapped to an incorrect CN/username and TLS client authentication fails.
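      To illustrate the extraction problem described above, here is an added Python example (not NiFi's CertificateUtils code) that parses the subject string as rendered in the issue, with the emailAddress attribute appended to the CN after a slash, and returns the bare CN. It also handles the subject string when emailAddress is rendered as its own comma-separated component. The subject strings below are constructed for the example; the splitting on commas is a simplification that ignores escaped commas.

```python
import re
from typing import Dict, Optional

# Constructed sample subjects (not from real certificates).
# First form: emailAddress appended to the CN after '/', as quoted in the issue.
SUBJECT_EMBEDDED = "C=US, O=Apache, OU=Security, CN=Some Name/emailAddress=test@example.com"
# Second form: emailAddress rendered as a separate RDN component.
SUBJECT_SEPARATE = "C=US, O=Apache, OU=Security, CN=Some Name, emailAddress=test@example.com"
SUBJECT_PLAIN = "C=US, O=Apache, OU=Security, CN=Some Name"

# Matches a CN value carrying a trailing '/emailAddress=<addr>' (case-insensitive attribute name).
EMBEDDED_EMAIL = re.compile(r"^(?P<cn>.*?)/emailAddress=(?P<email>[^/]+)$", re.IGNORECASE)


def naive_cn(subject: str) -> Optional[str]:
    """Behaviour reported in the issue: return the CN component verbatim."""
    for part in subject.split(","):  # simplification: no escaped commas
        key, sep, value = part.strip().partition("=")
        if sep and key.strip().upper() == "CN":
            return value.strip()
    return None


def parse_subject(subject: str) -> Dict[str, str]:
    """Split the subject into attributes, moving an embedded emailAddress out of the CN."""
    attrs: Dict[str, str] = {}
    for part in subject.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        norm = "emailAddress" if key.lower() == "emailaddress" else key.upper()
        if norm == "CN":
            match = EMBEDDED_EMAIL.match(value)
            if match:
                value = match.group("cn").strip()
                attrs["emailAddress"] = match.group("email").strip()
        attrs[norm] = value
    return attrs


def extract_cn(subject: str) -> Optional[str]:
    """Expected username: the CN without any embedded emailAddress attribute."""
    return parse_subject(subject).get("CN")


def extract_email(subject: str) -> Optional[str]:
    """The emailAddress value, lower-cased because RFC 5280 treats it as case-insensitive."""
    email = parse_subject(subject).get("emailAddress")
    return email.lower() if email is not None else None
```

      Comparing naive_cn and extract_cn on SUBJECT_EMBEDDED reproduces the mismatch from the issue.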

    People

    • Assignee: Unassigned
    • Reporter: Janosch Woschitz (jwoschitz)