New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
certmap fails when Issuer DN has comma in name #2602
Comments
Comment from mreynolds (@mreynolds389) at 2018-02-13 18:32:48 Metadata Update from @mreynolds389:
|
Comment from ftweedal at 2018-03-19 04:43:49 PR: #2670 |
Comment from ftweedal at 2018-11-26 07:26:45 Downstream BZ |
Comment from mreynolds (@mreynolds389) at 2018-11-26 18:34:21 Metadata Update from @mreynolds389:
|
Comment from mreynolds (@mreynolds389) at 2018-11-26 18:34:43 Metadata Update from @mreynolds389:
|
Comment from mreynolds (@mreynolds389) at 2018-11-26 18:35:11 |
Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/49543
Issue Description
When issuer Dn has a comma in it (or presumably other characters that reqiure escaping),
certmap fails because a comparison between the stringified Issuer DN from the certificate,
and the issuer DN from the certmap file, fails. For example, if the Issuer DN is:
This gets read from the certificate via the
ldapu_get_cert_issuer_dn
, which usesNSS'
CERT_NameToAscii
to return a stringified version of the DN.CERT_NameToAscii
uses the RFC 1485 rules to serialise the DN, so the string looks like:This string then gets processed by
ldapu_dn_normalize
which turns it into:, which is wrong.
The comparison then fails when compared with the DN in the
certmap.conf
, whichis properly escaped (a basic
strcasecmp
):Package Version and Platform
v1.3.7
Steps to reproduce
Actual results
Bind fails, and doesn't even reach the internal search op for a user
matching the certificate. (failure to match the issuer caused fallback to
default
certmap).Expected results
Bind succeeds, or at least uses the correct certmap such that internal search ops to look
up a matching user are executed.
Notes on proposed fix
NSS stringifies DNs in the obsolete RFC 1485 format (https://bugzilla.mozilla.org/show_bug.cgi?id=355096).
We should avoid string DNs entirely. The issuer DN from
certmap.conf
shouldbe parsed into 389's internal DN representation. The X.509 Issuer DN from the certificate
should be directly converted into the same internal representation, without becoming
a string. It may be possible to directly decode the DER-encoded Issuer DN from the cert.
Then these two internal representations should be compared by the appropriate function.
Related issues
It is likely that the treatment of the Subject DN is also incorrect in the presence of commas, etc, because the certmap code also uses
CERT_NameToAscii
to read the Subject DN from thecertificate (which is then used e.g. in the construction of a user search filter).
The text was updated successfully, but these errors were encountered: