[
https://issues.apache.org/jira/browse/NIFI-2517?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17779636#comment-17779636
]
Michael W Moser commented on NIFI-2517:
---------------------------------------
One use case in favor of this is to input an RFC-2253 formatted DN into
authorizers.xml Initial Admin Identity only to have it not match the
X500Principal name of the actual certificate because NiFi only accepts RFC-1779
formatting.
> Apply ordering to DNs from certificates
> ---------------------------------------
>
> Key: NIFI-2517
> URL: https://issues.apache.org/jira/browse/NIFI-2517
> Project: Apache NiFi
> Issue Type: Improvement
> Affects Versions: 1.0.0, 0.7.0
> Reporter: Bryan Bende
> Priority: Minor
>
> Currently when a user authenticates to NiFi with a certificate, the DN is
> extracted with the following code from SubjectDnX509PrincipalExtractor:
> {code}
> public Object extractPrincipal(X509Certificate cert) {
> return cert.getSubjectDN().getName().trim();
> }
> {code}
> This string ends up being the user identity that needs to line up with
> policies.
> It is not guaranteed that the subject DN from a certificate will always be in
> a known format. For example, one cert can put the CN before the OU, and
> another can put the OU before the CN. Different tools can also display the
> same DN in different orders, such as openssl vs keytool.
> NiFi should be able to apply a re-ordering of the DNs so that after passing
> through the X509 authentication code, the app can then assume the DN is in a
> known order. We should also consider how this interacts with the identity
> mapping concept introduced in 1.0.0.
> In addition we are currently using getSubjectDN() from X509 certificate and
> the Java Doc says:
> {code}
> * <strong>Denigrated</strong>, replaced by {@linkplain
> * #getSubjectX500Principal()}. This method returns the {@code subject}
> * as an implementation specific Principal object, which should not be
> * relied upon by portable code.
> {code}
> So we may want to look at moving away from that method.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
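An added illustration of the mismatch discussed in this issue (example code, not NiFi's own): the same DN rendered in the RFC 2253, RFC 1779 and canonical forms that X500Principal supports, and a simple re-ordering of the RDNs into a fixed attribute order so that a CN-first and a C-first rendering of the same subject compare equal. The class, the RDN_ORDER list and the two sample DNs are assumptions constructed for the demo.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public class DnOrderingDemo {

    // Assumed target order for RDN types; anything not listed sorts last.
    private static final List<String> RDN_ORDER = List.of("CN", "OU", "O", "L", "ST", "C");

    /** The same principal rendered as RFC 2253, RFC 1779 and canonical strings. */
    static String[] renderings(X500Principal p) {
        return new String[] {
            p.getName(X500Principal.RFC2253),   // comma-separated, no spaces
            p.getName(X500Principal.RFC1779),   // comma and space separated
            p.getName(X500Principal.CANONICAL)  // lower-cased, whitespace-normalized
        };
    }

    /** Re-order the RDNs into RDN_ORDER so CN/OU swaps from different tools compare equal. */
    static String normalize(X500Principal p) throws InvalidNameException {
        // LdapName parses RFC 2253; getRdns() lists RDNs right-to-left (index 0 is the C=... end).
        List<Rdn> rdns = new ArrayList<>(new LdapName(p.getName(X500Principal.RFC2253)).getRdns());
        // Rdn.getType() returns one type of a multi-valued RDN; sufficient for this demo.
        rdns.sort(Comparator.comparingInt((Rdn r) -> {
            int i = RDN_ORDER.indexOf(r.getType().toUpperCase());
            return i < 0 ? RDN_ORDER.size() : i;
        }));
        List<String> parts = new ArrayList<>();
        for (Rdn r : rdns) parts.add(r.toString());
        return String.join(",", parts);
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample DNs. In a real authenticator the principal would come from
        // cert.getSubjectX500Principal() rather than the denigrated cert.getSubjectDN().
        X500Principal fromCert = new X500Principal("CN=Alice, OU=Eng, O=Example Corp, C=US");
        X500Principal fromConfig = new X500Principal("C=US,O=Example Corp,OU=Eng,CN=Alice");

        for (String s : renderings(fromCert)) System.out.println(s);
        // Plain string comparison of the two RFC 2253 renderings fails: the RDN order differs.
        System.out.println("raw match:        "
                + fromCert.getName(X500Principal.RFC2253).equals(fromConfig.getName(X500Principal.RFC2253)));
        // After re-ordering into a known attribute order both sides agree.
        System.out.println("normalized match: " + normalize(fromCert).equals(normalize(fromConfig)));
    }
}
```

Re-ordering by attribute type collapses distinct DNs that differ only in RDN order, which is exactly the trade-off the issue asks NiFi to make explicit before comparing identities against policies.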