Hello devs,
I implemented tests and added documentation. So please have a look if something is
missing:
-----Ursprüngliche Nachricht-----
Von: keycloak-dev-bounces(a)lists.jboss.org <keycloak-dev-
bounces(a)lists.jboss.org> Im Auftrag von Lösch, Sebastian
Gesendet: Mittwoch, 13. Februar 2019 16:27
An: psilva(a)redhat.com
Cc: keycloak-dev(a)lists.jboss.org
Betreff: Re: [keycloak-dev] Certificate subject DN is provider dependent
Okay, that sound’s great! I will work on that soon.
Thanks.
Von: Pedro Igor Silva <psilva(a)redhat.com>
Gesendet: Mittwoch, 13. Februar 2019 16:24
An: Lösch, Sebastian <Sebastian.Loesch(a)governikus.de>
Cc: jdennis(a)redhat.com; keycloak-dev(a)lists.jboss.org
Betreff: Re: [keycloak-dev] Certificate subject DN is provider dependent
I meant, use the BC API directly without depending on the installed provider.
If you look at how those identity extractors are implemented, you'll see that
some of them are using BC API. Not sure if this approach is good though as
we are removing the "portability" through JCA/JCE. In fact, I think use BC for
extracting DN will make things even more worse for the problem discussed in
the other thread ...
Back to your question, I'm OK about your PR and I'm not sure if we need
those two alternatives you proposed. The example you gave about
serialnumber does not seem to be impacted by canonicalization. Or I'm
missing something ? If others are happy too about your solution, we can
have your changes in as soon as you provide tests and docs.
Thanks.
On Wed, Feb 13, 2019 at 12:13 PM Lösch, Sebastian
<Sebastian.Loesch(a)governikus.de
<mailto:Sebastian.Loesch@governikus.de> > wrote:
The provider that generates the certificate contained in the HttpRequest ist
he default security provider of the application server. So using the same
provider means using the default provider.
That may lead to problems when the default security provider changes, as
the DN format changes at this time as well.
Von: Pedro Igor Silva <psilva(a)redhat.com <mailto:psilva@redhat.com> >
Gesendet: Mittwoch, 13. Februar 2019 13:08
An: Lösch, Sebastian <Sebastian.Loesch(a)governikus.de
<mailto:Sebastian.Loesch@governikus.de> >
Cc: jdennis(a)redhat.com <mailto:jdennis@redhat.com> ; keycloak-
dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
Betreff: Re: [keycloak-dev] Certificate subject DN is provider dependent
What if we use the same provider in all those identity extractors? As it stands
today, it is a mix of BC and JDK.
On Wed, Feb 13, 2019 at 3:37 AM Lösch, Sebastian
<Sebastian.Loesch(a)governikus.de
<mailto:Sebastian.Loesch@governikus.de> > wrote:
The main point on this issue in my opinion is to have a reliable, provider
independent DN representation.
This is not given using the currently used Java API
X509Certificate.getSubjectDN() and X509Certificate.getIssuerDN().
The JavaDoc states here the result is "[...]an implementation specific Principal
object, which should not be relied upon by portable code."
So I think providing an alternative is necessary.
I am wondering if this canonical config switch ON/OFF is the right way. It has
no effect on all other user identity source, e.g. serial number.
Wouldn't it be better to implement two alternatives "Match canonical
IssuerDN using regular expression" and "Match canonical SubjectDN using
regular expression"?
The existing solutions are kept for backward compatibility but deprecated in
the documentation?
Best regards,
Sebastian
> -----Ursprüngliche Nachricht-----
> Von: keycloak-dev-bounces(a)lists.jboss.org <mailto:keycloak-dev-
bounces(a)lists.jboss.org> <keycloak-dev-
> bounces(a)lists.jboss.org <mailto:bounces@lists.jboss.org> > Im Auftrag
von Pedro Igor Silva
> Gesendet: Mittwoch, 13. Februar 2019 00:03
> An: John Dennis <jdennis(a)redhat.com <mailto:jdennis@redhat.com> >
> Cc: keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
> Betreff: Re: [keycloak-dev] Certificate subject DN is provider dependent
>
> On Tue, Feb 12, 2019 at 8:17 PM John Dennis <jdennis(a)redhat.com
<mailto:jdennis@redhat.com> > wrote:
>
> > On 2/12/19 4:26 PM, Pedro Igor Silva wrote:
> > > Sure, but note that RFC-4514 relies on 4519 (which actually defines
> > > the supported attributed types).
> >
> > I don't think RFC 4519 is what you're looking for, you want to be
> > looking at the X509 Certificate RFC's.
> >
> > Ugh, the RFC's for this stuff is a tangled mess of cross references to
> > other RFC's. It's ugly and hard to decipher which is probably why
> > these issues seem to keep cropping up.
> >
>
> Yes, they are ...
>
>
> >
> > > The main reason for pushing this question is that from a security
> > > perspective, using a deprecated attribute type in subject dn is not
> > > good. Privacy concerns may apply here too where you may not want
> > > people to put the email (sensitive) in something that is supposed to be
public.
> >
> > I'm not sure that's the question. You don't have control over the
> > certs that are presented to you. Rather your job is to ascertain if
> > you can unequivocally map the cert subject to a principal in your
> > domain. You probably can't put a stake in the ground and demand the
> > subject contain certain RDN's (with the exception of the CN). And FWIW
> > just to make things even more confusing a common convention for client
> > certs is to put the users email address as the subject's CN.
> >
> > I have a suggestion, I'm not the ultimate authority on this stuff. We
> > have a developer on the Certificate Server team who I believe has an
> > even more in depth understanding and is probably more current on this
> > topic that I am (I did this work several years ago). He is Fraser
> > Tweedale <ftweedal(a)redhat.com <mailto:ftweedal@redhat.com> >,
perhaps you might want to open a
> > discussion with him. FWIW the Certificate Server is also written in
> > Java and he might be able to share Java code snippets with you on the
> > best way to perform these comparisons.
> >
>
> Yeah, we can not control how people are issuing certificates. I was trying to
find
> someone to say "Yeah, emailAddress is really a bad practice in subject dn.
> People should use SAN instead".
>
> I think your contact may help here with both issues, for sure. Although I'm
> convinced that at least the changes made in that PR are fine instead of
possibly
> breaking use cases by forcing canonicalization.
>
>
> >
> >
> > --
> > John Dennis
> >
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
>
https://lists.jboss.org/mailman/listinfo/keycloak-dev