Add support for multi-valued RDNs in Name #3199

Closed
frasertweedale opened this issue Oct 18, 2016 · 1 comment

@frasertweedale
Contributor

commented Oct 18, 2016

If a DN contains multi-valued RDNs, Name does expose all the attributes but does not
indicate which attributes go together in a set. This could lead to bugs and even security
issues in applications using cryptography due to lack of ability to distinguish between DNs,
e.g.

cn=alice+uid=12345,dc=example,dc=com versus cn=alice,uid=12345,dc=example,dc=com

I will be happy to implement support. Let us first discuss API.

Name currently:

  • is an iterable yielding each AVA in the DN, in X.500 "order" (the order of AVAs from a single multi-valued RDN is unspecified)
  • provides get_attributes_for_oid which returns attributes for the given OID in X.500 "order" (multi-valued RDNs do not affect order here, because RFC 5280 constrains each RDN to contain at most one value for any attribute type).
  • is hashable

Proposal:

  1. change _attributes to be a list of set of NameAttribute
  2. add a new property rdns (name tentative) which yields the RDNs
  3. preserve existing behaviour of __len__ and __iter__, but document that iteration order of AVAs from a multi-valued RDN is unspecified
  4. update __eq__, __hash__, etc. to respect the full structure of a Name.
  5. change Name.__init__ to accept an iterable of NameAttribute (the existing API) or an iterable of set of NameAttribute. In the former case, each individual NameAttribute shall be promoted into a singleton set.
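The following self-contained Python model is an added illustration of the structure proposed above; it is not code from this issue or from the cryptography project. The dotted-string OID constants, the short names used for rendering, and the `flat_attributes` helper are stand-ins chosen for the example. It builds the two DNs from the report in X.500 order and shows that a flat list of AVAs cannot tell them apart, while a list of RDN sets can.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Iterator, List, Union


@dataclass(frozen=True)
class NameAttribute:
    """One attribute type/value pair (an AVA); the type is a dotted-string OID."""
    oid: str
    value: str


# Stand-in OID constants and short names for this example (assumed, not NameOID).
CN = "2.5.4.3"                       # commonName
UID = "0.9.2342.19200300.100.1.1"    # userId
DC = "0.9.2342.19200300.100.1.25"    # domainComponent
SHORT_NAMES = {CN: "cn", UID: "uid", DC: "dc"}

RDN = FrozenSet[NameAttribute]       # a relative distinguished name: a set of AVAs


def _ava_key(ava: NameAttribute):
    # Deterministic order for iteration and display only. The proposal leaves the
    # order of AVAs inside a multi-valued RDN unspecified, so callers must not rely on it.
    return (ava.oid, ava.value)


class Name:
    """Toy model of the proposal: an ordered list of RDNs in X.500 order
    (root component first), each RDN an unordered set of NameAttribute."""

    def __init__(self, attributes: Iterable[Union[NameAttribute, Iterable[NameAttribute]]]):
        rdns: List[RDN] = []
        for item in attributes:
            if isinstance(item, NameAttribute):
                rdns.append(frozenset([item]))   # step 5: promote a bare AVA to a singleton RDN
            else:
                rdn = frozenset(item)
                if not rdn:
                    raise ValueError("an RDN must contain at least one attribute")
                rdns.append(rdn)
        self._rdns = rdns

    @property
    def rdns(self) -> List[RDN]:
        """Step 2: the RDNs themselves, grouping preserved."""
        return list(self._rdns)

    def __iter__(self) -> Iterator[NameAttribute]:
        # Step 3: the existing flat AVA iteration is kept for backwards compatibility.
        for rdn in self._rdns:
            yield from sorted(rdn, key=_ava_key)

    def __len__(self) -> int:
        return sum(len(rdn) for rdn in self._rdns)

    def get_attributes_for_oid(self, oid: str) -> List[NameAttribute]:
        return [ava for ava in self if ava.oid == oid]

    def __eq__(self, other: object) -> bool:
        # Step 4: comparing lists of frozensets makes RDN order significant and
        # AVA order within an RDN insignificant, which is the X.500 semantics.
        if not isinstance(other, Name):
            return NotImplemented
        return self._rdns == other._rdns

    def __hash__(self) -> int:
        return hash(tuple(self._rdns))

    def rfc4514_string(self) -> str:
        """RFC 4514-style rendering: RDNs most-specific first joined by ',',
        AVAs of a multi-valued RDN joined by '+'. No escaping; demo only."""
        def render(rdn: RDN) -> str:
            return "+".join(f"{SHORT_NAMES[a.oid]}={a.value}" for a in sorted(rdn, key=_ava_key))
        return ",".join(render(rdn) for rdn in reversed(self._rdns))


def flat_attributes(name: Name) -> List[NameAttribute]:
    """What the pre-proposal flat model retains: the AVAs only, grouping discarded."""
    return list(name)


def build_examples():
    """The two DNs from the report, constructed in X.500 order (root component first)."""
    multi = Name([
        NameAttribute(DC, "com"), NameAttribute(DC, "example"),
        {NameAttribute(CN, "alice"), NameAttribute(UID, "12345")},   # one multi-valued RDN
    ])
    single = Name([
        NameAttribute(DC, "com"), NameAttribute(DC, "example"),
        NameAttribute(UID, "12345"), NameAttribute(CN, "alice"),     # two single-valued RDNs
    ])
    return multi, single


if __name__ == "__main__":
    multi, single = build_examples()
    print(multi.rfc4514_string(), "vs", single.rfc4514_string())
    print("flat AVA views equal:", flat_attributes(multi) == flat_attributes(single))
    print("structured Names equal:", multi == single)
```

Because AVA order inside a multi-valued RDN is unspecified, the flat view of the first name happens to come out as `dc=com, dc=example, uid=12345, cn=alice`, exactly the flat view of the second name; only the RDN grouping separates them. The `+` group prints its AVAs in OID order (`uid=12345+cn=alice`), which is the same RDN as the report's `cn=alice+uid=12345`. The cryptography library's current `x509.Name` and `x509.RelativeDistinguishedName` follow this same shape, with `Name.rdns` and `Name.rfc4514_string()`.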

frasertweedale added a commit to frasertweedale/cryptography that referenced this issue Oct 19, 2016

frasertweedale added a commit to frasertweedale/cryptography that referenced this issue Oct 20, 2016

@reaperhulk
Member

commented Oct 21, 2016

Ugh, I always try to forget multi-valued RDNs exist. Thanks for the comprehensive report here. This approach looks good, I'll review the PR shortly.

frasertweedale added a commit to frasertweedale/cryptography that referenced this issue Oct 21, 2016

frasertweedale added a commit to frasertweedale/cryptography that referenced this issue Oct 22, 2016

frasertweedale added a commit to frasertweedale/cryptography that referenced this issue Nov 1, 2016

Name: add support for multi-value RDNs
Update the Name class to accept and internally store a list of
RelativeDistinguishedName objects.  Add the 'rdns' attribute to give
access to the RDNs.  Update ASN.1 routines to correctly decode and
encode multi-value RDNs.

Fixes: pyca#3199

frasertweedale added a commit to frasertweedale/cryptography that referenced this issue Nov 1, 2016

frasertweedale added a commit to frasertweedale/cryptography that referenced this issue Nov 7, 2016

frasertweedale added a commit to frasertweedale/cryptography that referenced this issue Nov 10, 2016

frasertweedale added a commit to frasertweedale/cryptography that referenced this issue Nov 10, 2016