[ https://issues.apache.org/jira/browse/NIFI-8286?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Handermann resolved NIFI-8286.
------------------------------------
    Fix Version/s: 1.13.1
                   1.14.0
       Resolution: Fixed

> CertificateUtils do not support embedded emailAddress in CN
> -----------------------------------------------------------
>
>                 Key: NIFI-8286
>                 URL: https://issues.apache.org/jira/browse/NIFI-8286
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.13.0
>            Reporter: Janosch Woschitz
>            Priority: Minor
>             Fix For: 1.14.0, 1.13.1
>
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> RFC5280 defines that it is allowed for legacy compliance to have an
> emailAddress attribute embedded in the CN.
> [https://tools.ietf.org/html/rfc5280#section-4.1.2.6]
> {code:java}
> Legacy implementations exist where an electronic mail address is
> embedded in the subject distinguished name as an emailAddress
> attribute [RFC2985]. The attribute value for emailAddress is of type
> IA5String to permit inclusion of the character '@', which is not part
> of the PrintableString character set. emailAddress attribute values
> are not case-sensitive (e.g., "subscri...@example.com" is the same as
> "subscri...@example.com").
> {code}
> This is currently not considered in the CN extraction logic of the
> CertificateUtils and can cause issues with certificate based authentication,
> as an incorrect CN is extracted.
>
> *Example*
>
> If the following subject name is used:
> {code:java}
> Subject: C=US, O=Apache, OU=Security, CN=Some Name/emailAddress=t...@example.com
> {code}
> The following username is extracted by the CertificateUtils:
> {code:java}
> Some Name/emailAddress=t...@example.com
> {code}
> Though the following username would be expected:
> {code:java}
> Some Name
> {code}
> As a result, the certificate will be mapped to an incorrect CN/username and
> the TLS client authentication will fail.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
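The CN handling the issue asks for, as an added Java example that is not NiFi's CertificateUtils code or its fix: it parses a subject DN string with the JDK's `javax.naming.ldap.LdapName` and drops a legacy `/emailAddress=` suffix from the CN before the value is used as a username. The class name, the method name and the address `user@example.com` are assumptions made up for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Hypothetical helper for illustration; not NiFi's CertificateUtils.
public class LegacyCnExample {

    // Legacy tooling renders the emailAddress attribute inside the CN value after
    // this marker. Attribute type names are case-insensitive, so match accordingly.
    private static final Pattern EMAIL_MARKER =
            Pattern.compile("/emailAddress=", Pattern.CASE_INSENSITIVE);

    /**
     * Returns the CN from a subject DN string, without any embedded
     * "/emailAddress=..." suffix. Throws if the DN is malformed or has no usable CN.
     */
    static String extractUsername(String subjectDn) throws InvalidNameException {
        LdapName name = new LdapName(subjectDn);
        // getRdns() lists the right-most RDN first; the first CN found is used.
        for (Rdn rdn : name.getRdns()) {
            if (!"CN".equalsIgnoreCase(rdn.getType())) {
                continue;
            }
            String cn = String.valueOf(rdn.getValue());
            Matcher m = EMAIL_MARKER.matcher(cn);
            String username = (m.find() ? cn.substring(0, m.start()) : cn).trim();
            if (username.isEmpty()) {
                throw new InvalidNameException("CN is empty after removing emailAddress: " + subjectDn);
            }
            return username;
        }
        throw new InvalidNameException("Subject has no CN: " + subjectDn);
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample subjects; the address is a placeholder.
        String[] subjects = {
            "C=US, O=Apache, OU=Security, CN=Some Name/emailAddress=user@example.com",
            "C=US, O=Apache, OU=Security, CN=Some Name",
            "CN=Other Name/EMAILADDRESS=user@example.com, OU=Security, O=Apache, C=US",
        };
        for (String subject : subjects) {
            System.out.println(extractUsername(subject) + "  <-  " + subject);
        }
    }
}
```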