envoyproxy/envoy

Docs: Clarify format of Subject field in X-Forwarded-Client-Cert header

Open

#9889 aperta il 31 gen 2020

Vedi su GitHub
 (3 commenti) (0 reazioni) (0 assegnatari)C++ (5373 fork)batch import
area/docsarea/tlshelp wanted

Metriche repository

Star
 (27.997 star)
Metriche merge PR
 (Merge medio 8g) (378 PR mergiate in 30 g)

Descrizione

Title: Clarify format of Subject field in X-Forwarded-Client-Cert header

Description: The documentation for the X-Forwarded-Client-Cert header says that the Subject field is the subject of the client certificate.

The Subject field in an X.509 certificate is binary ASN.1 DER formatted, so it is ambiguous as to which string syntax is used when converting to the header. The examples in the documentation use the format Subject="/C=US/ST=CA/L=San Francisco/OU=Lyft/CN=Test Client" which appears to be an old X.500 syntax.

The code appears to actually serialize into standard RFC 2253 format, in which case the examples should read something like cn=Test Client,ou=Lyft,l=San Francisco,st=CA,c=US.

However, even in that standard format there is an ambiguity on how Envoy serializes DN attributes that are unrecognized. Because the syntax of attributes depends on the schema, it can either attempt to format them as strings or else encode the DER bytes directly using the #<hex-encoded-DER-value> syntax. There are client certs in the wild that use non-standard attributes in the subject DN, so it would be good to know how Envoy will serialize those so that I can have a fighting chance of matching them correctly on the backend.

Guida contributor