Affects Version/s: 6.5.1, 7.0.0
The comparison between the registered subject DN and the DN from a certificate for mTLS may fail due to differences in the ASN.1 DER-encoding of the values when a custom OID is used for one of the components. In particular, the X500Principal constructed from a String will encode the custom OID value with the tag 0x13 (PrintableString), while the value in the certificate will often be encoded with tag 0x0c (UTF8String). While the values are otherwise identical, this tag difference is enough to cause the comparison to fail.
Steps to reproduce:
1. Generate a CA certificate and keypair (see the mTLS documentation).
2. Generate a client certificate signed by the CA with the subject DN "2.5.4.97=#0c1350534447422d4643412d6b742d343834333437,cn=test,o=test,c=gb" (the value of the custom OID 2.5.4.97 is given as DER bytes: tag 0x0c UTF8String, length 0x13, then "PSDGB-FCA-kt-484347").
3. Register the client with the Subject DN field set to "OID.2.5.4.97=PSDGB-FCA-kt-484347,cn=test,o=test,c=gb".
4. Attempt to authenticate to AM using the certificate from step 2.
Expected behaviour: the certificate should be accepted, since the DN is identical apart from the encoding of the custom OID value.
Actual behaviour: the certificate is rejected.
Workaround: register clients using the RFC 2253 canonical DN representation.
We currently compare the DNs in OpenAMClientRegistration#verifyTlsClientCertificateAuthentication using X500Principal.equals().
This compares the RFC 2253 canonical representation, which for unknown OIDs falls back to the hex-encoded bytes of the ASN.1 value (tag included), so the PrintableString/UTF8String difference alone makes the two DNs unequal. We could instead compare using `subjectDn.getName(X500Principal.RFC1779).equals(certDn.getName(X500Principal.RFC1779))`, which is not sensitive to these differences, but RFC 1779 is an obsolete spec. RFC 2253 has also been obsoleted by RFC 4514, which has rules in https://tools.ietf.org/html/rfc4514#section-2 which I think would also work.
The OAuth mTLS spec itself only refers to the RFC 4517 distinguishedNameMatch (https://tools.ietf.org/html/rfc4517#section-4.2.15) which is a bit vague on what to do if the OID is unrecognised.
Another option is that we explicitly try to support OID 2.5.4.97 (organisation identifier) by passing an OID map to X500Principal.getName(format, map), so that the value is rendered as a string rather than as hex.
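The following is an added demonstration, not AM code and not part of this issue as filed: it reproduces the failing comparison with X500Principal alone (the certificate-side DN is built from the #hex form used in step 2, so no certificate is needed), and puts the two alternative comparisons from the analysis above beside it. The keyword "organizationIdentifier" in the OID map is an assumed label chosen for this example; AM does not currently define it.

```java
import javax.security.auth.x500.X500Principal;
import java.util.Collections;
import java.util.Map;

/**
 * Added example (not AM code): compare a registered subject DN against a
 * certificate subject DN whose custom-OID value carries a different
 * ASN.1 string tag, using the three comparison strategies discussed
 * in this issue.
 */
public class SubjectDnComparison {

    // DN as AM would parse it from the client registration form. Java
    // encodes the custom OID value as PrintableString (tag 0x13).
    static final String REGISTERED_DN =
        "OID.2.5.4.97=PSDGB-FCA-kt-484347,cn=test,o=test,c=gb";

    // Same DN as it would be read from the certificate: the custom OID value
    // is supplied as its DER bytes (#hex), so the tag is UTF8String (0x0c).
    // 0c = UTF8String, 13 = length 19, then "PSDGB-FCA-kt-484347".
    static final String CERTIFICATE_DN =
        "2.5.4.97=#0c1350534447422d4643412d6b742d343834333437,cn=test,o=test,c=gb";

    // Assumed keyword for organizationIdentifier (2.5.4.97). Any keyword made
    // of letters works here; it only affects how getName renders the AVA.
    static final Map<String, String> OID_MAP =
        Collections.singletonMap("2.5.4.97", "organizationIdentifier");

    /** Current AM behaviour: equals() compares the RFC 2253 canonical form. */
    static boolean equalsCanonical(X500Principal registered, X500Principal fromCert) {
        return registered.equals(fromCert);
    }

    /**
     * Candidate from the analysis: compare the RFC 1779 form. For an unknown
     * OID whose value is a DER string type, this prints the value as text
     * rather than hex, so the tag difference no longer matters.
     */
    static boolean equalsRfc1779(X500Principal registered, X500Principal fromCert) {
        return registered.getName(X500Principal.RFC1779)
                .equals(fromCert.getName(X500Principal.RFC1779));
    }

    /**
     * Other candidate: RFC 2253 form with an OID map. With a keyword for the
     * OID the value is no longer rendered in #hex, so the tags are ignored.
     */
    static boolean equalsRfc2253WithOidMap(X500Principal registered, X500Principal fromCert) {
        return registered.getName(X500Principal.RFC2253, OID_MAP)
                .equals(fromCert.getName(X500Principal.RFC2253, OID_MAP));
    }

    public static void main(String[] args) {
        X500Principal registered = new X500Principal(REGISTERED_DN);
        X500Principal fromCert = new X500Principal(CERTIFICATE_DN);

        // Show what each side looks like in the form equals() actually compares.
        System.out.println("registered canonical: " + registered.getName(X500Principal.CANONICAL));
        System.out.println("certificate canonical: " + fromCert.getName(X500Principal.CANONICAL));

        System.out.println("equals():           " + equalsCanonical(registered, fromCert));
        System.out.println("RFC1779 names equal: " + equalsRfc1779(registered, fromCert));
        System.out.println("RFC2253+map equal:   " + equalsRfc2253WithOidMap(registered, fromCert));
    }
}
```

Running this with `javac SubjectDnComparison.java && java SubjectDnComparison` prints the two canonical strings, which differ only in the `#13...` versus `#0c...` prefix of the custom OID value, and then the three results; the first is the rejection this issue reports, the other two are the comparisons the analysis proposes. Two caveats worth keeping in mind when choosing between them: the canonical form also case-folds and whitespace-normalises the values of the standard attributes, so a plain string comparison of the RFC 1779 or RFC 2253 output is stricter there (for example "cn=Test" and "cn=test" would stop matching), and the OID-map approach only helps for OIDs that are listed in the map, so any other unrecognised OID still falls back to the tag-sensitive hex comparison.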