envoyproxy/envoy

Docs: Clarify format of Subject field in X-Forwarded-Client-Cert header

Open

#9,889 opened on Jan 31, 2020

View on GitHub
 (3 comments) (0 reactions) (0 assignees)C++ (5,373 forks)batch import
area/docsarea/tlshelp wanted

Repository metrics

Stars
 (27,997 stars)
PR merge metrics
 (Avg merge 8d) (378 merged PRs in 30d)

Description

Title: Clarify format of Subject field in X-Forwarded-Client-Cert header

Description: The documentation for the X-Forwarded-Client-Cert header says that the Subject field is the subject of the client certificate.

The Subject field in an X.509 certificate is binary ASN.1 DER formatted, so it is ambiguous as to which string syntax is used when converting to the header. The examples in the documentation use the format Subject="/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=Test Client" which appears to be an old X.500 syntax.

The code appears to actually serialize into standard RFC 2253 format, in which case the examples should read something like cn=Test Client,ou=Lyft,l=San Francisco,st=CA,c=US.

However, even in that standard format there is an ambiguity on how Envoy serializes DN attributes that are unrecognized. Because the syntax of attributes depends on the schema, it can either attempt to format them as strings or else encode the DER bytes directly using the #<hex-encoded-DER-value> syntax. There are client certs in the wild that use non-standard attributes in the subject DN, so it would be good to know how Envoy will serialize those so that I can have a fighting chance of matching them correctly on the backend.

Contributor guide