@michaelklishin michaelklishin commented Apr 19, 2021

Decode other name using 'OTP-PUB-KEY':decode/2

and assume it is a string-like value ("directory string")
because other values would not make much sense in the
username extraction context.

References #2983, follow-up to #2984.

instead of specific ones since they will vary with the payload
(one of them likely indicates UTF string length).

This is still not perfect because we limit the maximum
allowed length but it works fine with identifiers up to 100
characters long, which should be good enough for this
best effort handling of an obscure SAN type.

References ##2983.
and assume it is a string-like value ("directory string")
because other values would not make much sense in the
username extraction context.

References #2983.
@michaelklishin michaelklishin added this to the 3.8.15 milestone Apr 19, 2021
@michaelklishin michaelklishin merged commit 0dc1501 into master Apr 19, 2021
@michaelklishin michaelklishin deleted the mk-decode-other-name-as-directory-string branch April 19, 2021 22:20
@michaelklishin michaelklishin changed the title from "Mk decode other name as directory string" to "x.509 certificate username extraction: decode other name as directory strings" Apr 19, 2021
@michaelklishin
Collaborator Author

Using the following otherName value

otherName = 1.3.6.1.4.1.54392.5.436;FORMAT:UTF8,UTF8String:unicøde-vàlüe

I can tell that it is parsed correctly on this branch. It also authenticates when I create a user and grant it some permissions:

rabbitmqctl add_user "unicøde-vàlüe"
rabbitmqctl set_permissions -p / "unicøde-vàlüe" ".*" ".*" ".*"

I also tested with some Cyrillic and ASCII values ranging from 4 to 390 bytes in length.
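
As an added illustration (not part of this pull request or RabbitMQ's Erlang code), the Python example below decodes a DER-encoded DirectoryString, the form the description assumes the otherName value takes, including the multi-byte length field that DER uses for values of 128 bytes or more, such as the 390-byte test case mentioned above. The function names, the Latin-1 handling of TeletexString and the sample encoder are assumptions made for this example.

```python
# Added illustration, not RabbitMQ code: decode a DER DirectoryString, the ASN.1
# CHOICE that the otherName value is assumed to hold.

# DirectoryString alternatives: universal tag -> Python codec
DIRECTORY_STRING_TAGS = {
    0x0C: "utf-8",      # UTF8String
    0x13: "ascii",      # PrintableString
    0x14: "latin-1",    # TeletexString (assumption: treated as Latin-1)
    0x1C: "utf-32-be",  # UniversalString
    0x1E: "utf-16-be",  # BMPString
}


def read_der_length(der, pos):
    """Return (length, offset of first content byte) for the length field at pos."""
    first = der[pos]
    if first < 0x80:                       # short form: up to 127 content bytes
        return first, pos + 1
    count = first & 0x7F                   # long form: next `count` bytes hold the length
    if count == 0 or pos + 1 + count > len(der):
        raise ValueError("indefinite or truncated length field")
    length = int.from_bytes(der[pos + 1:pos + 1 + count], "big")
    if length < 0x80 or der[pos + 1] == 0:
        raise ValueError("non-minimal length encoding is not valid DER")
    return length, pos + 1 + count


def decode_directory_string(der):
    """Decode one DER DirectoryString; reject values that are not string-like."""
    if len(der) < 2:
        raise ValueError("too short to hold a tag and a length")
    codec = DIRECTORY_STRING_TAGS.get(der[0])
    if codec is None:
        raise ValueError(f"tag 0x{der[0]:02x} is not a DirectoryString alternative")
    length, start = read_der_length(der, 1)
    if start + length != len(der):
        raise ValueError("length field does not match the value size")
    return der[start:start + length].decode(codec)


def encode_utf8string(text):
    """Build constructed sample input: a DER UTF8String for `text`."""
    body = text.encode("utf-8")
    if len(body) < 0x80:
        return b"\x0c" + bytes([len(body)]) + body
    n = (len(body).bit_length() + 7) // 8
    return b"\x0c" + bytes([0x80 | n]) + len(body).to_bytes(n, "big") + body
```
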

michaelklishin added a commit that referenced this pull request Apr 19, 2021
…ory-string

Decode other name using 'OTP-PUB-KEY':decode/2

and assume it is a string-like value ("directory string")
because other values would not make much sense in the
username extraction context.

References #2983.

(cherry picked from commit 0dc1501)
@michaelklishin
Collaborator Author

Backported to v3.8.x.
