RFC 5280 (section 4.1.2.6) allows, for compatibility with legacy implementations, an emailAddress attribute to be embedded in the subject distinguished name (not in the CN value itself):
Legacy implementations exist where an electronic mail address is
embedded in the subject distinguished name as an emailAddress
attribute [RFC2985]. The attribute value for emailAddress is of type
IA5String to permit inclusion of the character '@', which is not part
of the PrintableString character set. emailAddress attribute values
are not case-sensitive (e.g., "firstname.lastname@example.org" is the same as
The CN extraction logic in CertificateUtils does not currently account for this attribute, so an incorrect CN is extracted and certificate-based authentication breaks.
If the following subject name is used:
Subject: C=US, O=Apache, OU=Security, CN=Some Name/emailAddress=email@example.com
CertificateUtils does not extract the expected username, the CN value "Some Name", from this subject; the trailing emailAddress component is not recognised as a separate attribute.
As a result, the certificate will be mapped to an incorrect CN/username and the TLS client authentication will fail.
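The following is an added illustration of the parsing problem, not the project's CertificateUtils code (which is Java). It shows a naive "split on commas, take what follows CN=" extraction beside a parser that recognises attribute boundaries on both ',' and '/' separators, handles RFC 4514 escaping, and treats emailAddress as its own attribute, so the CN is recovered from the subject above and from the OpenSSL one-line and RFC 4514 orderings as well. The KNOWN_TYPES list and the sample subjects are constructed for this example.

```python
"""Extract the CN from textual X.509 subject names that carry an emailAddress attribute.

Constructed example; not the CertificateUtils implementation from the project.
"""
import re
from typing import List, Optional, Tuple

# Attribute type names we accept as starting a new RDN (compared case-insensitively).
# Constructed list; dotted OIDs (e.g. 2.5.4.3) are accepted as well.
KNOWN_TYPES = {
    "C", "ST", "L", "O", "OU", "CN", "DC", "UID", "SN", "STREET", "TITLE",
    "SERIALNUMBER", "GIVENNAME", "GN", "INITIALS", "PSEUDONYM", "DNQUALIFIER",
    "EMAILADDRESS", "E",  # RFC 2985 emailAddress, and OpenSSL's short form "E"
}

# An RDN starts at the beginning of the string or after an unescaped ',' or '/',
# optionally followed by whitespace, then "type=".  RFC 4514 escapes a literal
# separator inside a value as "\," which the lookbehind leaves alone.
_RDN_START = re.compile(r'(?:^|(?<!\\)[,/])\s*([A-Za-z][A-Za-z0-9]*|\d+(?:\.\d+)+)=')


def parse_subject(subject: str) -> List[Tuple[str, str]]:
    """Return (type, value) pairs in the order they appear in the subject string."""
    if subject.startswith("Subject:"):
        subject = subject[len("Subject:"):]
    subject = subject.strip()

    # Only treat "name=" as an attribute boundary when the name is a known type
    # or an OID; "CN=John Smith/CTO" therefore keeps "/CTO" inside the value.
    starts = [m for m in _RDN_START.finditer(subject)
              if m.group(1).upper() in KNOWN_TYPES or m.group(1)[0].isdigit()]

    pairs: List[Tuple[str, str]] = []
    for i, m in enumerate(starts):
        value_start = m.end()
        value_end = starts[i + 1].start() if i + 1 < len(starts) else len(subject)
        raw = subject[value_start:value_end].strip()
        value = re.sub(r'\\(.)', r'\1', raw)  # drop RFC 4514 backslash escapes
        pairs.append((m.group(1), value))
    return pairs


def extract_cn(subject: str) -> Optional[str]:
    """The CN value alone, regardless of a trailing emailAddress component."""
    for attr_type, value in parse_subject(subject):
        if attr_type.upper() == "CN":
            return value
    return None


def extract_email(subject: str) -> Optional[str]:
    """The emailAddress (or OpenSSL 'E') value, if present."""
    for attr_type, value in parse_subject(subject):
        if attr_type.upper() in ("EMAILADDRESS", "E"):
            return value
    return None


def naive_extract_cn(subject: str) -> Optional[str]:
    """The fragile approach: split on ',' only and return everything after 'CN='."""
    for part in subject.split(","):
        part = part.strip()
        if part.upper().startswith("CN="):
            return part[3:]
    return None


def same_email(a: str, b: str) -> bool:
    """emailAddress values are not case-sensitive (RFC 5280 section 4.1.2.6)."""
    return a.casefold() == b.casefold()


# Constructed sample subject, mirroring the one in the report.
SUBJECT = "C=US, O=Apache, OU=Security, CN=Some Name/emailAddress=email@example.com"

if __name__ == "__main__":
    print("naive :", naive_extract_cn(SUBJECT))
    print("parsed:", extract_cn(SUBJECT), "|", extract_email(SUBJECT))
```

The naive extractor returns "Some Name/emailAddress=email@example.com" for the sample subject, which is exactly the kind of value that will never match an identity mapping keyed on "Some Name"; the parser returns the CN and the e-mail address separately. Any mapping that compares e-mail addresses should use same_email rather than string equality, since the RFC makes the attribute case-insensitive.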