
yahoo-eng-team team mailing list archive

[Bug 1214147] Re: non standard certificate subject string format


With PKI tokens deprecated, eventlet going away and pkisetup being
removed, this is no longer even a wishlist. Marking as Won't Fix.

** Changed in: keystone
       Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1214147

Title:
  non standard certificate subject string format

Status in OpenStack Identity (keystone):
  Won't Fix

Bug description:
  The keystone configuration

  * keystone/common/config.py
  * etc/keystone.conf.sample

  as well as the documentation

  * doc/source/configuration.rst

  all make reference to certificate subjects. A certificate subject is
  actually a DN (Distinguished Name). DNs are used in other places in
  X509 besides the subject (e.g. the issuer field and some certificate
  extensions use DNs).

  Although the string representation of a DN has long been standardized
  in RFCs (most recently in RFC-4514, superseding RFC-2253), OpenSSL
  cannot accept RFC-compliant DNs as input and will not output RFC-
  compliant DNs by default.

  Of the major crypto implementations (OpenSSL, NSS, GnuTLS, Java
  BouncyCastle) it is only OpenSSL which fails to utilize RFC-compliant
  DNs. OpenSSL's DN format is proprietary and unique to OpenSSL.
  OpenSSL cannot accept RFC-compliant DNs and all the other libraries
  cannot accept OpenSSL's DN format.

  OpenStack should follow the relevant RFCs.

  The fact that OpenSSL's peculiar DN format was introduced into the
  generic configuration for Keystone is unfortunate.

  The following steps should be taken.

  1. A conversion utility should be provided which converts between
  OpenSSL format and RFC format. This utility must handle multivalued
  RDNs and OID type names.

  2. The configuration files and documentation must be modified to use
  RFC format.

  3. The internal code must examine the cert subject (or any other DN)
  and determine what format it's in. If it's in OpenSSL format it should
  emit a deprecation warning. If it's in RFC format it should convert it
  to OpenSSL format before it is passed to OpenSSL. Other crypto
  providers may need to convert a deprecated OpenSSL format into RFC
  format.

  Patches for this work are available.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1214147/+subscriptions
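Steps 1 and 3 of the bug description (a converter between the OpenSSL `/C=US/...` subject form and the RFC 4514 form that handles multivalued RDNs and OID type names, plus format detection with a deprecation warning for the OpenSSL form) are illustrated below. This is an added example, not Keystone's code and not the patches the reporter refers to. It assumes the OpenSSL form is the one `openssl req -subj` accepts (RDNs separated by `/`, attributes of one RDN joined by `+`, a backslash escaping the next character), that a subject beginning with `/` is in OpenSSL form and anything else is RFC 4514, and that the only OpenSSL attribute name needing an OID in RFC output is `emailAddress` (1.2.840.113549.1.9.1); RFC 4514 `#`-prefixed hex-encoded BER values are not handled. The sample subjects are constructed for the example.

```python
import re
import warnings

# OpenSSL attribute names with no RFC 4514 short name; in an RFC string they
# must be written as dotted-decimal OIDs. Assumption: only emailAddress is
# needed for the subjects found in a Keystone configuration.
_OPENSSL_TO_OID = {"emailAddress": "1.2.840.113549.1.9.1"}
_OID_TO_OPENSSL = {oid: name for name, oid in _OPENSSL_TO_OID.items()}

# Internal representation: a list of RDNs, leaf first (RFC 4514 order), each
# RDN a list of (attribute type, value) pairs using OpenSSL type names.


def _split_unescaped(text, sep):
    """Split `text` on `sep`, skipping any character preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape_rfc(value):
    """Undo RFC 4514 escaping: a backslash followed by a char or two hex digits."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)


def _escape_rfc(value):
    """Escape an attribute value per RFC 4514 section 2.4."""
    out = []
    for i, ch in enumerate(value):
        edge = i == 0 or i == len(value) - 1
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and edge):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def _unescape_openssl(value):
    return re.sub(r"\\(.)", r"\1", value)       # backslash escapes the next char


def _escape_openssl(value):
    return re.sub(r"([\\/+])", r"\\\1", value)  # '/' and '+' are separators


def _parse_avas(rdn_text, unescape, type_map):
    """Parse one RDN ('T=v' or 'T=v+T2=v2') into (type, value) pairs."""
    avas = []
    for ava in _split_unescaped(rdn_text, "+"):
        if "=" not in ava:
            raise ValueError("attribute without '=': %r" % ava)
        attr, value = ava.split("=", 1)
        attr = attr.strip()
        avas.append((type_map.get(attr, attr), unescape(value)))
    return avas


def parse_rfc4514(dn):
    """RFC 4514 string -> RDN list (already leaf first); OIDs mapped to OpenSSL names."""
    return [_parse_avas(r, _unescape_rfc, _OID_TO_OPENSSL) for r in _split_unescaped(dn, ",")]


def parse_openssl(dn):
    """OpenSSL '/C=..' string (root first) -> RDN list reordered leaf first."""
    if not dn.startswith("/"):
        raise ValueError("OpenSSL subject must start with '/': %r" % dn)
    rdns = [_parse_avas(r, _unescape_openssl, {}) for r in _split_unescaped(dn[1:], "/")]
    return list(reversed(rdns))


def to_rfc4514(rdns):
    return ",".join(
        "+".join("%s=%s" % (_OPENSSL_TO_OID.get(t, t), _escape_rfc(v)) for t, v in rdn)
        for rdn in rdns)


def to_openssl(rdns):
    return "".join(
        "/" + "+".join("%s=%s" % (t, _escape_openssl(v)) for t, v in rdn)
        for rdn in reversed(rdns))


def detect_format(dn):
    """Assumption from the example: only the OpenSSL form begins with '/'."""
    return "openssl" if dn.startswith("/") else "rfc4514"


def subject_for_openssl(dn):
    """Step 3: warn on the deprecated OpenSSL form, convert the RFC form, return OpenSSL form."""
    if detect_format(dn) == "openssl":
        warnings.warn("OpenSSL-style subject %r is deprecated; use RFC 4514 form" % dn,
                      DeprecationWarning)
        return to_openssl(parse_openssl(dn))   # canonicalised round trip
    return to_openssl(parse_rfc4514(dn))


if __name__ == "__main__":
    # Constructed sample in the style of a Keystone cert_subject setting.
    legacy = "/C=US/O=Example, Inc.+emailAddress=ca@example.com/CN=Keystone CA"
    print(to_rfc4514(parse_openssl(legacy)))
    print(subject_for_openssl("CN=www.example.com,O=Unset,L=Unset,ST=Unset,C=US"))
```

Note the asymmetry the bug report points at: the comma inside `Example, Inc.` needs no escaping in the OpenSSL form but becomes `\,` in RFC 4514, and `emailAddress` has to be written as its OID there, so a naive string swap of `/` for `,` is not a conversion.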