Description
RFC 5280 allows, for compatibility with legacy implementations, an emailAddress attribute to be embedded in the subject name next to the CN.
https://tools.ietf.org/html/rfc5280#section-4.1.2.6
Legacy implementations exist where an electronic mail address is embedded in the subject distinguished name as an emailAddress attribute [RFC2985]. The attribute value for emailAddress is of type IA5String to permit inclusion of the character '@', which is not part of the PrintableString character set. emailAddress attribute values are not case-sensitive (e.g., "subscriber@example.com" is the same as "SUBSCRIBER@EXAMPLE.COM").
This is currently not taken into account by the CN extraction logic in CertificateUtils and can break certificate-based authentication, because an incorrect CN is extracted.
Example
If the following subject name is used:
Subject: C=US, O=Apache, OU=Security, CN=Some Name/emailAddress=test@example.com
CertificateUtils extracts the following username:
Some Name/emailAddress=test@example.com
The expected username, however, is:
Some Name
As a result, the certificate is mapped to an incorrect CN/username and TLS client authentication fails.
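To illustrate the defect and one way to handle the legacy form, here is an added example in Python; it is not the project's CertificateUtils code. It assumes the subject is available as the string shown above (comma-separated RDNs, with an OpenSSL-style "/emailAddress=" glued onto the CN value) and uses a simplified splitter that does not handle RFC 4514 escaping (e.g. "CN=Smith\, John"); a production implementation should parse the X.500 name structurally rather than as a string. The sample subject is constructed from the issue text.

```python
import re
from typing import List, Tuple

# Constructed sample subject, copied from the issue text; no real certificate is involved.
SAMPLE_SUBJECT = "C=US, O=Apache, OU=Security, CN=Some Name/emailAddress=test@example.com"

# A "/" that is immediately followed by "<attributeType>=" marks where a legacy
# OpenSSL one-line RDN starts inside a value. A bare "/" (as in "CN=foo/bar")
# does not match, so such CNs are left intact.
_LEGACY_RDN_BOUNDARY = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")


def extract_cn_naive(subject: str) -> str:
    """Mirror the behaviour the issue reports: return everything after 'CN='.

    Splitting only on commas leaves the legacy '/emailAddress=...' suffix
    attached to the CN, which is the incorrect username described above.
    """
    for rdn in subject.split(","):
        rdn = rdn.strip()
        if rdn.upper().startswith("CN="):
            return rdn[len("CN="):]
    raise ValueError("subject contains no CN")


def split_rdns(subject: str) -> List[Tuple[str, str]]:
    """Split a subject string into (attributeType, value) pairs.

    Comma-separated RDNs are split first; each piece is then split again at
    '/attr=' boundaries so a legacy emailAddress attribute becomes its own
    pair instead of polluting the CN. Assumption: values contain no escaped
    commas (simplified; not a full RFC 4514 parser).
    """
    pairs: List[Tuple[str, str]] = []
    for rdn in subject.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        for part in _LEGACY_RDN_BOUNDARY.split(rdn):
            if "=" not in part:
                continue
            attr, _, value = part.partition("=")
            pairs.append((attr.strip(), value.strip()))
    return pairs


def extract_attr(subject: str, attr_type: str) -> str:
    """Return the first value of the given attribute type (type match is case-insensitive)."""
    for attr, value in split_rdns(subject):
        if attr.upper() == attr_type.upper():
            return value
    raise ValueError(f"subject contains no {attr_type}")


def extract_cn(subject: str) -> str:
    """Return the CN with any legacy '/emailAddress=' suffix separated out."""
    return extract_attr(subject, "CN")


def extract_email(subject: str) -> str:
    """Return the emailAddress value, lower-cased because RFC 5280 states the
    attribute is not case-sensitive, so comparisons should be normalised."""
    return extract_attr(subject, "emailAddress").lower()


if __name__ == "__main__":
    print("naive   :", extract_cn_naive(SAMPLE_SUBJECT))
    print("fixed   :", extract_cn(SAMPLE_SUBJECT))
    print("email   :", extract_email(SAMPLE_SUBJECT))
```

Running the block prints the incorrect username "Some Name/emailAddress=test@example.com" from the naive path and "Some Name" from the corrected one, with the e-mail address available separately for any mapping rule that wants it.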