Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support otherName SAN type #6393

Closed
SpectralHiss opened this issue Oct 5, 2023 · 2 comments
Closed

Support otherName SAN type #6393

SpectralHiss opened this issue Oct 5, 2023 · 2 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@SpectralHiss
Copy link
Contributor

SpectralHiss commented Oct 5, 2023
edited
Loading

We need to support the generation of Certificates containing the otherName SAN type.
This is still used in some traditional systems to indicate unique identity, it is usually just an email UPN but we can be fairly generic.
Currently we only support the most common subset of SANs, SANs are "GeneralName" types:

   SubjectAltName ::= GeneralNames

   GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

   GeneralName ::= CHOICE {
        otherName                       [0]     OtherName,
        rfc822Name                      [1]     IA5String,
        dNSName                         [2]     IA5String,
        x400Address                     [3]     ORAddress,
        directoryName                   [4]     Name,
        ediPartyName                    [5]     EDIPartyName,
        uniformResourceIdentifier       [6]     IA5String,
        iPAddress                       [7]     OCTET STRING,
        registeredID                    [8]     OBJECT IDENTIFIER }

   OtherName ::= SEQUENCE {
        type-id    OBJECT IDENTIFIER,
        value      [0] EXPLICIT ANY DEFINED BY type-id }

   EDIPartyName ::= SEQUENCE {
        nameAssigner            [0]     DirectoryString OPTIONAL,
        partyName               [1]     DirectoryString }

From https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6

We've currently "deconstructed" the type and offered straight array string Certificate types to represent the most common: dns, email, ip,uri are available, however some legacy systems like ldap still leverage the otherName type.

Unfortunately otherName is a complicated type in that it is an escape hatch that allows the setting of arbitrary oids:

   OtherName ::= SEQUENCE {
        type-id    OBJECT IDENTIFIER,
        value      [0] EXPLICIT ANY DEFINED BY type-id }

The most common use case is the UPN otherName type, meaning the type-id is set to:
1.3.6.1.4.1.311.20.2.3 UPN (which actually just means a valid rfc0822 email address..)
and the actual format type is just a string.
You might wonder why not just use email SAN (which are rfc822Names), but this is the pattern established by microsoft AD servers for LDAP: https://4sysops.com/archives/understand-the-upn-and-samaccountname-user-account-attributes/

Describe the solution you'd like
I propose we continue the tradition of decomposing the generalName attribute and keep doing these niche SANs in a case by case basis, for example we can add a Certificate field called:
otherNameSANs, we can easily get a fair bit of extensibility while hitting our use case by making that a struct of type:

type otherNameSANs []struct{
  type-id string (can be upn, or oid:some.oid.value)
  value string
}

Describe alternatives you've considered
One possible alternative would be to just add a UPN SANs field for example:

type upnSANs []string

and these could be directly encoded as otherName UPN values.. this would accomplish our objective but might be less forward compatible with any future otherName types we could require, we know at least of one other type that "exists" like DNS SRV RR otherName although we're not clear if it's still in use.

Additional context:

  • we've done a bit of research of the different generalNames around and came to this analysis:
    otherName -> TBD: UPN

x400Address has been kind of discontinued since 2006
ediPartyName is used by US Dept of Defense smart cards (https://news.ycombinator.com/item?id=25350821)
registeredID -> ??
directoryName -> ??

We looked at the subset that ACM's api uses for example and it includes some of these obscure types:
https://docs.aws.amazon.com/privateca/latest/APIReference/API_GeneralName.html
where they do include the additional directoryName EdiPartyName registerID and otherName types but also ignore x400Address.

  • smallstep have built this particular generalName implementation here

/kind feature
@jetstack-bot jetstack-bot added the kind/feature Categorizes issue or PR as related to a new feature. label Oct 5, 2023
@SpectralHiss SpectralHiss mentioned this issue Oct 10, 2023
Merged
@jetstack-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

@jetstack-bot jetstack-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 3, 2024
@SpectralHiss
Copy link
Contributor Author

Fixed in
#6404
#6620

The feature is documented here:
cert-manager/website#1378

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@SpectralHiss @jetstack-bot