Apache NiFi / NIFI-8286

CertificateUtils do not support embedded emailAddress in CN


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.13.0
    • Fix Version/s: 1.14.0
    • Component/s: Security
    • Labels: None

    Description

      RFC5280 defines that it is allowed for legacy compliance to have an emailAddress attribute embedded in the CN.

      https://tools.ietf.org/html/rfc5280#section-4.1.2.6 

      Legacy implementations exist where an electronic mail address is
      embedded in the subject distinguished name as an emailAddress
      attribute [RFC2985]. The attribute value for emailAddress is of type
      IA5String to permit inclusion of the character '@', which is not part
      of the PrintableString character set. emailAddress attribute values
      are not case-sensitive (e.g., "subscriber@example.com" is the same as
      "SUBSCRIBER@EXAMPLE.COM").
      

       This is currently not considered in the CN extraction logic of the CertificateUtils and can cause issues with certificate based authentication, as an incorrect CN is extracted.

      Example

      If the following subject name is used: 

      Subject: C=US, O=Apache, OU=Security, CN=Some Name/emailAddress=test@example.com
      

      The following username is extracted by the CertificateUtils: 

      Some Name/emailAddress=test@example.com
      

      Though the following username would be expected:

      Some Name

      As a result, the certificate will be mapped to an incorrect CN/username and the TLS client authentication will fail.
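      The extraction the report describes, as an added example that is not NiFi's CertificateUtils or any code from the reporter: a small subject-DN parser that keeps emailAddress out of the CN. It accepts the RFC 4514 comma-separated form (with backslash escapes and '+' multi-valued RDNs), the OpenSSL legacy one-line form that joins attributes with '/', and the mixed string from the report, where "/emailAddress=..." trails the CN value. The sample DNs are constructed; the first is the subject from the report. naive_cn() shows the substring-after-"CN=" extraction that produces the wrong username; extract_cn() is the corrected extraction, and extract_email() lower-cases the address because RFC 5280 makes emailAddress values case-insensitive.

```python
"""Subject-DN parsing that keeps an emailAddress attribute out of the CN.

Added example for this issue; it is not NiFi's CertificateUtils. Sample DNs
are constructed; the first is the subject from the report.
"""
import re
from typing import List, Optional, Tuple

SAMPLES = [
    "C=US, O=Apache, OU=Security, CN=Some Name/emailAddress=test@example.com",
    "/C=US/O=Apache/OU=Security/CN=Some Name/emailAddress=test@example.com",
    "emailAddress=Test@Example.COM,CN=Some Name,OU=Security,O=Apache,C=US",
    "CN=Some Name+emailAddress=test@example.com,O=Apache,C=US",
    r"CN=Doe\, Jane,O=Apache,C=US",
]

# A '/' that starts another 'type=' pair, as OpenSSL's legacy one-line output writes it.
_LEGACY_SLASH = re.compile(r"/(?=(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)=)")


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on sep while honouring RFC 4514 backslash escapes."""
    parts: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            cur.extend((ch, s[i + 1]))  # keep the escape pair intact for now
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", r"\1", value)


def parse_dn(dn: str) -> List[List[Tuple[str, str]]]:
    """Return the DN as a list of RDNs, each a list of (type, value) pairs."""
    dn = dn.strip()
    if dn.startswith("/"):
        # OpenSSL legacy one-line form: every '/type=' starts a new single-valued RDN.
        groups = [[atv] for atv in _LEGACY_SLASH.split(dn[1:])]
    else:
        groups = []
        for rdn in _split_unescaped(dn, ","):
            atvs: List[str] = []
            for atv in _split_unescaped(rdn, "+"):
                # The report's mixed form: a legacy '/type=' suffix inside a value.
                atvs.extend(_LEGACY_SLASH.split(atv))
            groups.append(atvs)
    parsed: List[List[Tuple[str, str]]] = []
    for atvs in groups:
        pairs = []
        for atv in atvs:
            typ, eq, val = atv.partition("=")
            if not eq:
                raise ValueError(f"malformed attribute in DN: {atv!r}")
            pairs.append((typ.strip(), _unescape(val.strip())))
        parsed.append(pairs)
    return parsed


def attribute_values(dn: str, attr_type: str) -> List[str]:
    """All values of attr_type; the type name is matched case-insensitively."""
    wanted = attr_type.lower()
    return [v for rdn in parse_dn(dn) for t, v in rdn if t.lower() == wanted]


def extract_cn(dn: str) -> str:
    """The username certificate authentication should map: the CN alone."""
    cns = attribute_values(dn, "CN")
    if not cns:
        raise ValueError("subject has no CN")
    return cns[0]


def extract_email(dn: str) -> Optional[str]:
    """emailAddress, lower-cased: RFC 5280 4.1.2.6 makes its value case-insensitive."""
    emails = attribute_values(dn, "emailAddress")
    return emails[0].lower() if emails else None


def naive_cn(dn: str) -> str:
    """Substring-after-'CN=' extraction: reproduces the wrong username from the report."""
    m = re.search(r"CN=([^,]+)", dn)
    return m.group(1).strip() if m else ""


if __name__ == "__main__":
    for dn in SAMPLES:
        print(f"{dn}\n  naive : {naive_cn(dn)!r}\n  parsed: {extract_cn(dn)!r}  email={extract_email(dn)!r}")
```

      Treating a "/emailAddress=" suffix inside a comma-separated DN as a separate attribute is a deliberate compatibility choice for the string shape shown in the report; under strict RFC 4514 the slash is an ordinary character and a CN may legitimately contain one, so a deployment should decide whether it wants that leniency or should instead read the subject from the parsed certificate rather than from its string rendering.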

People

  Assignee: Unassigned
  Reporter: Janosch Woschitz (jwoschitz)

Time Tracking

  Time Spent: 50m