[keycloak-dev] Certificate subject DN is provider dependent

Pedro Igor Silva psilva at redhat.com
Tue Feb 12 13:05:06 EST 2019


I think these threads are not talking about the same thing. The issue here
is the email address within the subject dn, which is deprecated in favor of
a specific subject alternative name extension in the certificate.

The PR LGTM too, I'm just not sure about the new "CANONICAL" configuration
option ...

On Tue, Feb 12, 2019 at 3:01 PM Hynek Mlnarik <hmlnarik at redhat.com> wrote:

> Incidentally, this issue has been discussed a few weeks ago on this mailing
> list in the thread "User TLS client certificate authentication -
> inconsistent DN string representation with LDAP" starting on Dec 23. Could
> you please ensure the concerns from that thread are addressed in the PR?
>
> On Tue, Feb 12, 2019 at 3:30 PM Pedro Igor Silva <psilva at redhat.com>
> wrote:
>
>> Thanks. I'm still not sure about that new CANONICAL parameter. Added a
>> comment to your PR.
>>
>> On Tue, Feb 12, 2019 at 11:57 AM Lösch, Sebastian <
>> Sebastian.Loesch at governikus.de> wrote:
>>
>> > Hello developer,
>> >
>> > I opened a new issue for Keycloak:
>> > https://issues.jboss.org/browse/KEYCLOAK-9554
>> >
>> > and provided a pull request:
>> > https://github.com/keycloak/keycloak/pull/5878
>> >
>> > Best regards,
>> >
>> > Sebastian
>> >
>> > *From:* Pedro Igor Silva <psilva at redhat.com>
>> > *Sent:* Tuesday, 12 February 2019 13:24
>> > *To:* Thomas Darimont <thomas.darimont at googlemail.com>
>> > *Cc:* Lösch, Sebastian <Sebastian.Loesch at governikus.de>; keycloak-dev <
>> > keycloak-dev at lists.jboss.org>
>> > *Subject:* Re: [keycloak-dev] Certificate subject DN is provider dependent
>> >
>> >
>> >
>> > Btw, we also support extracting email using a subject alt name extension.
>> > Maybe we could safely use CANONICAL (which seems to be more aligned with
>> > the specs) and tell people to use this extractor if they want to use the
>> > email address from certificates.
>> >
>> > On Tue, Feb 12, 2019 at 10:19 AM Pedro Igor Silva <psilva at redhat.com>
>> > wrote:
>> >
>> > IIRC, email address should be included/parsed as a subject alternative
>> > name extension. BouncyCastle seems to be doing it right.
>> >
>> > What is the JDK version being used?
>> >
>> > On Tue, Feb 12, 2019 at 9:57 AM Thomas Darimont <
>> > thomas.darimont at googlemail.com> wrote:
>> >
>> > Hi Sebastian,
>> >
>> > how about Keycloak introducing an option for this authenticator like:
>> > "Use canonical principal extraction" on/off with default "off",
>> > meaning the default behavior stays the same. "on" would then mean to use
>> > the "canonical" option for extracting the subject as you suggested.
>> >
>> > Cheers,
>> > Thomas
>> >
>> > On Tue, 12 Feb 2019 at 12:33, Lösch, Sebastian <
>> > Sebastian.Loesch at governikus.de> wrote:
>> >
>> > > Hello Keycloak developers,
>> > >
>> > > I am currently working on configuring Keycloak for X.509 certificate
>> > > login.
>> > > We store the whole user certificate's subject DN as a user attribute.
>> > > During the login we match the authentication certificate's subject DN
>> > > against the value stored in the user attributes.
>> > > The subject DN is determined by executing:
>> > > cert.getSubjectDN().getName()
>> > >
>> > > Here we have a problem regarding the subject DN order. We realized
>> > > that the subject DN order is security provider specific:
>> > >
>> > > - Using the SUN security provider we get a subject DN like:
>> > > "EMAILADDRESS=bjensen at example.com, CN=Ms. Barbara J Jensen III,
>> > > O=example.com, ST=California, C=US"
>> > >
>> > > - Using the BouncyCastle security provider we get a subject DN like:
>> > > "C=US,ST=California,O=example.com,CN=Ms. Barbara J Jensen III,
>> > > E=bjensen at example.com"
>> > >
>> > > This is obviously a problem.
>> > > Has anybody else run into the same problem?
>> > >
>> > > In my opinion it would be better to use:
>> > >
>> > > cert.getSubjectX500Principal().getName(X500Principal.CANONICAL)
>> > > to determine the subject DN, as the result is provider independent.
>> > > But this would be a backward-incompatible change in the method
>> > > org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator.UserIdentityExtractorBuilder.fromConfig()
>> > >
>> > > What is your opinion?
>> > >
>> > > Best regards
>> > > Sebastian
>> > >
>> > > --
>> > > Solution Engineering
>> > > --
>> > > Governikus GmbH & Co. KG
>> > > Hochschulring 4
>> > > 28359 Bremen, Germany
>> > >
>> > > Phone: +49 421 204 95 - 28
>> > > Fax: +49 421 204 95 - 11
>> > > E-Mail: Sebastian.Loesch at governikus.de<mailto:
>> > > Sebastian.Loesch at governikus.de>
>> > > www.governikus.de<http://www.governikus.de/>
>> > _______________________________________________
>> > > keycloak-dev mailing list
>> > > keycloak-dev at lists.jboss.org
>> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
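An added example, not Keycloak's code and not from any message in this thread, contrasting the provider-dependent getSubjectDN().getName() string with the X500Principal.CANONICAL form discussed above, comparing the subject against a stored DN through X500Principal.equals instead of string matching, and reading the email address from the subjectAltName rfc822Name entry as suggested earlier in the thread. The certificate file path, the stored DN argument and the "E" keyword mapping are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.security.auth.x500.X500Principal;

public class SubjectDnCheck {
    // GeneralName tag of rfc822Name entries in getSubjectAlternativeNames()
    private static final Integer RFC822_NAME = 1;
    // Assumption: BouncyCastle prints emailAddress as "E=", a keyword the JDK DN parser
    // does not accept; map it to the emailAddress OID so a BC-style stored string parses.
    private static final Map<String, String> EXTRA_KEYWORDS =
            Collections.singletonMap("E", "1.2.840.113549.1.9.1");
    // Provider-dependent string: keywords and RDN order differ between Sun and BouncyCastle.
    static String legacyName(X509Certificate cert) {
        return cert.getSubjectDN().getName();
    }
    // Provider-independent string: lowercase keywords, OIDs for non-standard types,
    // normalised whitespace, RFC 2253 order.
    static String canonicalName(X509Certificate cert) {
        return cert.getSubjectX500Principal().getName(X500Principal.CANONICAL);
    }
    // Compare with a stored DN without string matching: X500Principal.equals compares
    // canonical forms. The stored string must be in RFC 2253 order (leaf RDN first); the
    // BouncyCastle string shown in the thread is in the reverse order and would not match.
    static boolean subjectMatches(X509Certificate cert, String storedDn) {
        return cert.getSubjectX500Principal().equals(new X500Principal(storedDn, EXTRA_KEYWORDS));
    }
    // Emails from subjectAltName rfc822Name entries, where RFC 5280 places them
    // instead of the emailAddress attribute in the subject DN.
    static List<String> sanEmails(X509Certificate cert) throws CertificateParsingException {
        List<String> emails = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return emails; // no SAN extension present
        for (List<?> entry : sans) {
            if (RFC822_NAME.equals(entry.get(0))) emails.add((String) entry.get(1));
        }
        return emails;
    }
    public static void main(String[] args) throws Exception { // args: certificate file, stored DN
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            System.out.println("legacy: " + legacyName(cert) + "\ncanonical: " + canonicalName(cert));
            System.out.println("SAN emails: " + sanEmails(cert) + "\nmatches stored DN: " + subjectMatches(cert, args[1]));
        }
    }
}
```

Running it against the same certificate with the Sun provider and with BouncyCastle registered shows legacyName differ while canonicalName stays the same; storing the canonical form going forward avoids the order question for stored values entirely.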

