Janosch Woschitz created NIFI-8286:
--------------------------------------

             Summary: CertificateUtils do not support embedded emailAddress in CN
                 Key: NIFI-8286
                 URL: https://issues.apache.org/jira/browse/NIFI-8286
             Project: Apache NiFi
          Issue Type: Bug
          Components: Security
    Affects Versions: 1.13.0
            Reporter: Janosch Woschitz
RFC 5280 states that, for legacy compliance, it is allowed to have an emailAddress attribute embedded in the CN. [https://tools.ietf.org/html/rfc5280#section-4.1.2.6]

{quote}
Legacy implementations exist where an electronic mail address is embedded in the subject distinguished name as an emailAddress attribute [RFC2985]. The attribute value for emailAddress is of type IA5String to permit inclusion of the character '@', which is not part of the PrintableString character set. emailAddress attribute values are not case-sensitive (e.g., "subscri...@example.com" is the same as "subscri...@example.com").
{quote}

This is currently not considered in the CN extraction logic of the CertificateUtils and can cause issues with certificate-based authentication, as an incorrect CN is extracted.

*Example*

If the following subject name is used:

{code}
Subject: C=US, O=Apache, OU=Security, CN=Some Name/emailAddress=t...@example.com
{code}

the following username is extracted by the CertificateUtils:

{code}
Some Name/emailAddress=t...@example.com
{code}

whereas the following username would be expected:

{code}
Some Name
{code}

As a result, the certificate will be mapped to an incorrect CN/username and TLS client authentication will fail.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
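The mismatch described in the report, as an added example that is not part of the report and is not NiFi's own CertificateUtils code: `naive_cn` reproduces the reported behaviour (everything after `CN=` up to the next comma is taken as the username, so a trailing `/emailAddress=...` is swallowed), while `parse_subject` treats both `, ` and `/` as RDN boundaries, but only where they introduce the next `TYPE=` attribute, so an escaped comma or a slash inside a value is preserved. It also handles OpenSSL's pure `/C=US/O=...` one-line form, which the report does not show. The sample subjects and the email addresses in them are constructed for this example; the attribute type names `EMAILADDRESS`, `E` and the OID `1.2.840.113549.1.9.1` are the usual spellings of the emailAddress attribute, not names taken from the report.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample subjects (not taken from any real certificate).
# The first mirrors the shape in the report: OpenSSL's one-line rendering,
# where the emailAddress RDN follows the CN separated by '/'.
SUBJECT_WITH_EMAIL = "C=US, O=Apache, OU=Security, CN=Some Name/emailAddress=Ops@Example.com"
SUBJECT_PLAIN = "C=US, O=Apache, OU=Security, CN=Some Name"
# Escaped comma inside the CN value, plus an emailAddress RDN.
SUBJECT_ESCAPED = "C=US, O=Apache, CN=Smith\\, John/emailAddress=john@example.com"
# OpenSSL's older '/'-prefixed one-line form.
SUBJECT_SLASHES = "/C=US/O=Apache/CN=Some Name/emailAddress=ops@example.com"

# Split only at a ',' or '/' (optionally surrounded by whitespace) that is
# not escaped with a backslash and is followed by the next "TYPE=" attribute.
# A comma or slash inside a value therefore does not split the value.
_RDN_BOUNDARY = re.compile(r"\s*(?<!\\)[,/]\s*(?=[A-Za-z][A-Za-z0-9.]*=)")

# Attribute types under which the emailAddress attribute is commonly rendered
# (assumed spellings for this example; OID per PKCS#9).
_EMAIL_TYPES = {"EMAILADDRESS", "E", "1.2.840.113549.1.9.1"}


def parse_subject(subject: str) -> List[Tuple[str, str]]:
    """Return (TYPE, value) pairs in the order they appear in the subject.

    Attribute type names are case-insensitive, so they are upper-cased;
    values are kept verbatim apart from unescaping '\\,'.
    """
    pairs: List[Tuple[str, str]] = []
    for rdn in _RDN_BOUNDARY.split(subject.strip()):
        if not rdn:
            # Empty leading piece from the '/C=US/...' form.
            continue
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip().upper(), value.replace("\\,", ",")))
    return pairs


def extract_cn(subject: str) -> Optional[str]:
    """CN value with the emailAddress RDN correctly treated as a separate attribute."""
    for attr_type, value in parse_subject(subject):
        if attr_type == "CN":
            return value
    return None


def extract_email(subject: str) -> Optional[str]:
    """emailAddress value, lower-cased because RFC 5280 says it is not case-sensitive."""
    for attr_type, value in parse_subject(subject):
        if attr_type in _EMAIL_TYPES:
            return value.lower()
    return None


def naive_cn(subject: str) -> Optional[str]:
    """Reproduces the failure mode from the report: take everything after
    'CN=' up to the next comma, which swallows a trailing '/emailAddress=...'."""
    match = re.search(r"CN=([^,]*)", subject)
    return match.group(1).strip() if match else None


if __name__ == "__main__":
    for subject in (SUBJECT_WITH_EMAIL, SUBJECT_PLAIN, SUBJECT_ESCAPED, SUBJECT_SLASHES):
        print(subject)
        print("  naive CN :", naive_cn(subject))
        print("  parsed CN:", extract_cn(subject))
        print("  email    :", extract_email(subject))
```

Mapping the client to a username from `extract_cn` rather than from `naive_cn` is what keeps the identity stable whether or not the issuer embedded an emailAddress attribute; where the email is itself meaningful for authorization, compare it only after the case-folding that `extract_email` applies.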