[keycloak-dev] Certificate subject DN is provider dependent

Pedro Igor Silva psilva at redhat.com
Tue Feb 12 07:19:01 EST 2019


IIRC, email address should be included/parsed as a subject alternative name
extension. BouncyCastle seems to be doing it right.

What is the JDK version being used?

On Tue, Feb 12, 2019 at 9:57 AM Thomas Darimont <
thomas.darimont at googlemail.com> wrote:

> Hi Sebastian,
>
> how about Keycloak introducing an option for this authenticator like:
> "Use canonical principal extraction" on/off with default "off",
> meaning the default behavior stays the same. "on" would then mean to use
> the "canonical" option for extracting the subject as you suggested.
>
> Cheers,
> Thomas
>
> On Tue, 12 Feb 2019 at 12:33, Lösch, Sebastian <
> Sebastian.Loesch at governikus.de> wrote:
>
> > Hello Keycloak developers,
> >
> > I am currently working on configuring Keycloak for X.509 certificate
> > login.
> > We store the whole user certificate's subject DN as a user attribute.
> > During the login we match the authentication certificate's subject DN
> > against the value stored in the user attributes.
> > The subject DN is determined by executing:
> > cert.getSubjectDN().getName()
> >
> > Here we have a problem regarding the subject DN order. We realized that
> > the subject DN order is security provider specific:
> >
> > - Using the SUN security provider we get a subject DN like:
> >   "EMAILADDRESS=bjensen at example.com, CN=Ms. Barbara J Jensen III, O=example.com, ST=California, C=US"
> >
> > - Using the BouncyCastle security provider we get a subject DN like:
> >   "C=US,ST=California,O=example.com,CN=Ms. Barbara J Jensen III,E=bjensen at example.com"
> >
> > This is obviously a problem.
> > Has anybody else run into the same problem?
> >
> > In my opinion it would be better to use:
> >
> > cert.getSubjectX500Principal().getName(X500Principal.CANONICAL)
> >
> > to determine the subject DN, as the result is provider independent.
> > But this would be a backward-incompatible change in the method
> >
> > org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.UserIdentityExtractorBuilder.fromConfig()
> >
> > What is your opinion?
> >
> > Best regards
> > Sebastian
> >
> > --
> > Solution Engineering
> > --
> > Governikus GmbH & Co. KG
> > Hochschulring 4
> > 28359 Bremen, Germany
> >
> > Phone: +49 421 204 95 - 28
> > Fax: +49 421 204 95 - 11
> > E-Mail: Sebastian.Loesch at governikus.de
> > www.governikus.de
> > --
> > Governikus GmbH & Co. KG
> > Chairman of the supervisory board: Dr. Martin Hagen | Amtsgericht Bremen HRA 22041
> > Managing director: Dr. Stephan Klein
> >
> > General partner: Governikus Bremen GmbH
> > Managing director: Dr. Stephan Klein | Amtsgericht Bremen HRB 18756
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
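An added example (not Keycloak's code and not from the thread) contrasting the provider-dependent toString() form with the canonical X500Principal form discussed above; it assumes a JDK 9+ (for Map.of) and constructs sample DN strings in the two provider formats Sebastian quoted.

```java
import javax.security.auth.x500.X500Principal;
import java.security.cert.X509Certificate;
import java.util.Map;

public class CanonicalSubjectDn {
    // BouncyCastle prints the PKCS#9 emailAddress attribute as "E=", a keyword the
    // JDK parser does not know by default, so it is mapped to its OID explicitly.
    private static final Map<String, String> EXTRA_KEYWORDS =
            Map.of("E", "1.2.840.113549.1.9.1");

    /** Provider-independent subject DN: derived from the certificate's DER bytes,
     *  not from a provider's toString() rendering. */
    static String canonicalSubject(X509Certificate cert) {
        return cert.getSubjectX500Principal().getName(X500Principal.CANONICAL);
    }

    /** Normalizes a DN string (e.g. a stored user attribute) into the canonical form. */
    static String canonicalize(String dn) {
        return new X500Principal(dn, EXTRA_KEYWORDS).getName(X500Principal.CANONICAL);
    }

    /** Matching rule in the spirit of the thread: compare canonical forms, not raw strings. */
    static boolean sameSubject(X509Certificate cert, String storedDn) {
        return canonicalSubject(cert).equals(canonicalize(storedDn));
    }

    public static void main(String[] args) {
        // Constructed sample strings in the two provider formats quoted in the thread.
        String sunStyle = "EMAILADDRESS=bjensen@example.com, CN=Ms. Barbara J Jensen III, "
                        + "O=example.com, ST=California, C=US";
        String bcStyle  = "C=US,ST=California,O=example.com,CN=Ms. Barbara J Jensen III,"
                        + "E=bjensen@example.com";

        // Canonical form normalizes case, whitespace and attribute-type keywords.
        System.out.println(canonicalize(sunStyle));
        System.out.println(canonicalize(bcStyle));

        // It never reorders RDNs, though: the SUN string is in RFC 2253 (reverse)
        // order while the BouncyCastle string is in X.500 (forward) order, so parsed
        // as strings they describe different DNs. Only the value taken from the
        // certificate itself (canonicalSubject) is stable across providers, which is
        // why stored attributes have to be written from it rather than compared
        // against whichever toString() a provider produced.
        System.out.println(canonicalize(sunStyle).equals(canonicalize(bcStyle)));
    }
}
```

When migrating existing attributes, re-derive the stored value from the certificate via canonicalSubject rather than re-parsing the old provider-formatted string.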
