Janosch Woschitz created NIFI-8286:
--------------------------------------

             Summary: CertificateUtils do not support embedded emailAddress in CN
                 Key: NIFI-8286
                 URL: https://issues.apache.org/jira/browse/NIFI-8286
             Project: Apache NiFi
          Issue Type: Bug
          Components: Security
    Affects Versions: 1.13.0
            Reporter: Janosch Woschitz


RFC 5280 allows, for legacy compatibility, an emailAddress attribute to be
embedded in the CN.

[https://tools.ietf.org/html/rfc5280#section-4.1.2.6] 
{code:java}
Legacy implementations exist where an electronic mail address is
embedded in the subject distinguished name as an emailAddress
attribute [RFC2985]. The attribute value for emailAddress is of type
IA5String to permit inclusion of the character '@', which is not part
of the PrintableString character set. emailAddress attribute values
are not case-sensitive (e.g., "subscri...@example.com" is the same as
"subscri...@example.com").
{code}
The CN extraction logic in CertificateUtils does not currently account for this,
so an incorrect CN is extracted, which can cause problems with certificate-based
authentication.

*Example*

If the following subject name is used: 
{code:java}
Subject: C=US, O=Apache, OU=Security, CN=Some Name/emailAddress=t...@example.com
{code}
The following username is extracted by the CertificateUtils: 
{code:java}
Some Name/emailAddress=t...@example.com
{code}
Though the following username would be expected:
{code:java}
Some Name
{code}
As a result, the certificate will be mapped to an incorrect CN/username and the 
TLS client authentication will fail.
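To illustrate the difference, here is a small added example (not NiFi's CertificateUtils code) that parses a comma-separated subject string: a naive extractor that returns the CN verbatim, beside a corrected one that strips the legacy "/emailAddress=..." tail and exposes the address separately. The subject strings and the address in them are constructed placeholders, and the splitter assumes values contain no escaped commas.

```python
import re

# Constructed sample subject strings (not from a real certificate); the address is a placeholder.
SUBJECT_WITH_EMAIL = "Subject: C=US, O=Apache, OU=Security, CN=Some Name/emailAddress=user@example.com"
SUBJECT_PLAIN = "Subject: C=US, O=Apache, OU=Security, CN=Some Name"

# Matches a legacy emailAddress attribute glued to the end of the CN with a '/'.
# The value is IA5String and not case-sensitive per RFC 5280, so match case-insensitively.
EMBEDDED_EMAIL = re.compile(r"/emailAddress=(?P<email>[^/,]+)\s*$", re.IGNORECASE)


def split_rdns(subject):
    """Split a comma-separated DN string into (TYPE, value) pairs.
    Assumes no escaped commas inside values, which is enough for this demo."""
    subject = subject.strip()
    if subject.lower().startswith("subject:"):
        subject = subject[len("subject:"):].strip()
    pairs = []
    for part in subject.split(","):
        part = part.strip()
        if not part:
            continue
        attr_type, _, value = part.partition("=")  # split at the first '=' only
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def extract_cn_naive(subject):
    """Return the CN value verbatim; this keeps any '/emailAddress=...' tail (the reported bug)."""
    for attr_type, value in split_rdns(subject):
        if attr_type == "CN":
            return value
    return None


def extract_cn(subject):
    """Return the CN with an embedded emailAddress attribute stripped off."""
    cn = extract_cn_naive(subject)
    if cn is None:
        return None
    return EMBEDDED_EMAIL.sub("", cn).strip()


def extract_embedded_email(subject):
    """Return the embedded emailAddress, lower-cased for comparison, or None if absent."""
    cn = extract_cn_naive(subject)
    match = EMBEDDED_EMAIL.search(cn) if cn else None
    return match.group("email").strip().lower() if match else None


if __name__ == "__main__":
    for s in (SUBJECT_WITH_EMAIL, SUBJECT_PLAIN):
        print(repr(extract_cn_naive(s)), "->", repr(extract_cn(s)), extract_embedded_email(s))
```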



--
This message was sent by Atlassian Jira
(v8.3.4#803005)