crypto/x509: DN OU ordering #29040

Open
rikkuness opened this issue Nov 30, 2018 · 3 comments

Comments

@rikkuness

commented Nov 30, 2018

What version of Go are you using (go version)?

$ go version
go version go.1.11.1 linux/amd

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
linux amd64

What did you do?

When getting the subject of a certificate through cert.Subject.String(), where the DN has multiple OU's, the OU's are in a backwards order and joined with a '+'

https://play.golang.org/p/hKtL6TEeln5

What did you expect to see?

CN=Example User,OU=Upper,OU=Lower,O=My Org,C=GB

What did you see instead?

CN=Example User,OU=Lower+OU=Upper,O=My Org,C=GB

@gopherbot gopherbot added this to the Unreleased milestone Nov 30, 2018

@agnivade

Member

commented Dec 1, 2018

@mengzhuo

Contributor

commented Dec 6, 2018

> When getting the subject of a certificate through cert.Subject.String(), where the DN has multiple OU's, the OU's are in a backwards order and joined with a '+'

It's a multi-valued RDN described in RFC2253 section 2.
https://www.ietf.org/rfc/rfc2253.txt

@rikkuness

Author

commented Dec 7, 2018

Interesting, so it's technically a valid RDN as per the RFC, the frustration I guess is that I can't just feed that straight then into gopkg.in/ldap.v2 to retrieve that object. Whereas say in nginx, nodejs etc. querying the subject string I'd get a DN that I could lookup in LDAP.

Am I misunderstanding the use of a multivalue? It seems to suggest that in this case the OU could be either one or the other where in the directory it's actually a nested OU and as such has a fixed order.

@FiloSottile FiloSottile changed the title x/crypto/x509: DN OU ordering crypto/x509: DN OU ordering Mar 8, 2019
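
The difference discussed in this thread, as an added example (not code from the issue or from the Go project): formatting the subject's `pkix.RDNSequence` directly keeps each OU as its own RDN, while going through `pkix.Name` merges them. `SubjectDN`, `viaName` and `sampleSubject` are hypothetical names, and the subject bytes are constructed to match the DN in the report.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// SubjectDN (hypothetical helper) formats a DER subject, e.g. cert.RawSubject,
// straight from its RDNSequence, so each encoded RDN stays a separate component.
func SubjectDN(rawSubject []byte) (string, error) {
	var rdns pkix.RDNSequence
	rest, err := asn1.Unmarshal(rawSubject, &rdns)
	if err != nil || len(rest) != 0 {
		return "", fmt.Errorf("subject is not a single DER RDNSequence (err=%v)", err)
	}
	return rdns.String(), nil
}

// viaName (hypothetical helper) goes through pkix.Name, which gathers all OUs into one RDN.
func viaName(rawSubject []byte) (string, error) {
	var rdns pkix.RDNSequence
	if _, err := asn1.Unmarshal(rawSubject, &rdns); err != nil {
		return "", err
	}
	var n pkix.Name
	n.FillFromRDNSequence(&rdns)
	return n.String(), nil
}

// sampleSubject returns a constructed subject made of five single-valued RDNs.
func sampleSubject() []byte {
	rdn := func(arc int, v string) pkix.RelativeDistinguishedNameSET {
		return pkix.RelativeDistinguishedNameSET{{Type: asn1.ObjectIdentifier{2, 5, 4, arc}, Value: v}}
	}
	der, err := asn1.Marshal(pkix.RDNSequence{rdn(6, "GB"), rdn(10, "My Org"),
		rdn(11, "Lower"), rdn(11, "Upper"), rdn(3, "Example User")})
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	raw := sampleSubject()
	merged, _ := viaName(raw)
	direct, _ := SubjectDN(raw)
	fmt.Println(merged + "\n" + direct)
}
```

An RDN that really is multi-valued in the certificate still prints with `+` from `SubjectDN`, so code that maps subjects to directory entries should handle that case explicitly.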
