x509 - add support for updated "distinguished name" format #31406

Closed
nightio opened this issue May 7, 2019 · 0 comments

nightio commented May 7, 2019

Description
For example, since version 1.11.6 of nginx (http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables), the default format of the "distinguished name" uses RFC 2253 (https://tools.ietf.org/html/rfc2253).

k8s nginx ingress uses it as well.

Example
nginx:

```
$ssl_client_s_dn => emailAddress=developer@example.com,CN=symfony.com
$ssl_client_s_dn_legacy => /emailAddress=developer@example.com/CN=symfony.com
```

Condition must be modified (add regex):

```php
namespace Symfony\Component\Security\Http\Firewall;
// ...
class X509AuthenticationListener extends AbstractPreAuthenticatedListener
{
    // ...
    /**
     * {@inheritdoc}
     */
    protected function getPreAuthenticatedData(Request $request)
    {
        $user = null;
        if ($request->server->has($this->userKey)) {
            $user = $request->server->get($this->userKey);
        } elseif ($request->server->has($this->credentialKey) && preg_match('#/emailAddress=(.+\@.+\..+)(/|$)#', $request->server->get($this->credentialKey), $matches)) {
            $user = $matches[1];
        }

        if (null === $user) {
            throw new BadCredentialsException(sprintf('SSL credentials not found: %s, %s', $this->userKey, $this->credentialKey));
        }

        return [$user, $request->server->get($this->credentialKey, '')];
    }
}
```
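
An added example, not part of the issue and not Symfony's code: a hypothetical helper `extractEmailFromDn()` that reads the `emailAddress` attribute from both DN formats shown above, run beside the pattern quoted in the issue on constructed sample values. It assumes single-valued RDNs and returns null for DNs that contain backslash escapes.

```php
<?php
// Added example; extractEmailFromDn() is a hypothetical helper, not a Symfony API.

/**
 * Returns the emailAddress attribute of a subject DN, or null when it is
 * absent or cannot be read unambiguously. Accepts the comma-separated
 * RFC 2253 form and the slash-separated legacy form.
 */
function extractEmailFromDn(string $dn): ?string
{
    // Assumption of this example: escaped values (RFC 2253 "\," or "\+") are
    // rejected instead of unescaped, so the user name is never a partial value.
    if (strpos($dn, '\\') !== false) {
        return null;
    }

    // (?:^|[,/])  the attribute starts the DN or follows a separator
    // [^,/@]++    local part: stops at a separator or at '@'
    // [^,/+]++    domain: stops at the next separator ('+' joins multi-valued RDNs)
    if (preg_match('#(?:^|[,/])emailAddress=([^,/@]++@[^,/+]++)#', $dn, $m)) {
        return $m[1];
    }

    return null;
}

// Constructed sample values, modelled on the two nginx variables in the issue.
$samples = [
    'rfc2253' => 'emailAddress=developer@example.com,CN=symfony.com',
    'legacy'  => '/emailAddress=developer@example.com/CN=symfony.com',
    'no-mail' => 'CN=symfony.com,O=Example',
];

// The pattern quoted in the issue. It requires a leading '/', and its greedy
// ".+" groups do not stop at the next attribute separator.
$issuePattern = '#/emailAddress=(.+\@.+\..+)(/|$)#';

foreach ($samples as $label => $dn) {
    $old = preg_match($issuePattern, $dn, $m) ? $m[1] : null;
    $new = extractEmailFromDn($dn);
    printf("%-8s issue pattern: %s | helper: %s\n", $label, var_export($old, true), var_export($new, true));
}
```

Because the extracted string becomes the authenticated user name, the comparison is worth running on DNs where `emailAddress` is not the last attribute as well as on ones where it is.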

nightio pushed a commit to nightio/security-http that referenced this issue May 7, 2019
nightio pushed a commit to nightio/symfony that referenced this issue May 7, 2019
nightio pushed a commit to nightio/symfony that referenced this issue May 17, 2019
@fabpot fabpot closed this as completed Jun 4, 2019
fabpot added a commit that referenced this issue Jun 4, 2019
…format in x509 authentication (Robert Kopera)

This PR was submitted for the master branch but it was squashed and merged into the 3.4 branch instead (closes #31407).

Discussion
----------

[Security] added support for updated "distinguished name" format in x509 authentication

RFC 2253 (https://tools.ietf.org/html/rfc2253)
issue: #31406

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #31406
| License       | MIT
| Doc PR        |

Commits
-------

bdbac2c [Security] added support for updated \"distinguished name\" format in x509 authentication