OpenDJ / OPENDJ-6389

Reconsider fingerprint certificate mapper settings

    Details

    • Type: Improvement
    • Status: Done
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 7.0.0
    • Fix Version/s: 7.0.0
    • Component/s: config
    • Labels: None

      Description

      A fingerprint certificate mapper, https://ea.forgerock.com/docs/ds/configref/#objects-fingerprint-certificate-mapper, "maps client certificates to user entries by looking for the MD5 or SHA1 fingerprint in a specified attribute of user entries." It also works with SHA-256 fingerprints.

      The primary use case appears to be avoiding storing entire certificates. It is fairly natural when configuring SASL EXTERNAL to allow authentication with a certificate to allow the client to essentially authenticate with the fingerprint. If clients are using self-signed certificates as a sort of replacement for username-password combinations, the fingerprint needs to be hard to fake.

      The present configuration uses the MD5 fingerprint by default. With MD5 it is relatively easy to generate collisions (https://www.win.tue.nl/hashclash/rogue-ca/). It could be helpful to switch to SHA-256 as the default for new deployments.

      However, now that OpenDJ has support for certificate syntax, it might be worth moving from storing only the fingerprint to storing the certificate, and perhaps indexing only the fingerprint or some other element used for mapping. If the server has the whole certificate, it is also easier to perform cleanup like finding and removing expired certs, and it is possible to support multiple mappings without updating entries.
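The following is an added illustration (not OpenDJ code and not part of the issue) of the mapping model the description argues for: user entries keep the whole certificate, and the fingerprint used for lookup is derived from it with whichever algorithm is configured, so switching from MD5 to SHA-256 needs no entry updates. The certificate bytes, entry DNs and the colon-separated hex fingerprint format are constructed assumptions for the example.

```python
import hashlib
from typing import Dict, List, Optional

# Constructed stand-in for a client's DER-encoded certificate; a real server
# would use the bytes the client presented during the TLS handshake.
CLIENT_CERT_DER = b"constructed-der-bytes-for-alice-certificate"

# Constructed user entries storing the certificate itself (as in the
# userCertificate;binary attribute) rather than a precomputed fingerprint.
USER_ENTRIES: List[Dict[str, object]] = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "userCertificate": CLIENT_CERT_DER},
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "userCertificate": b"constructed-der-bytes-for-bob"},
]


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Colon-separated uppercase hex digest of the DER bytes, e.g. 'BA:78:...'.
    The format is assumed for the example; it mirrors what openssl prints."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Make stored and computed fingerprints comparable regardless of case/colons."""
    return fp.replace(":", "").upper()


def build_fingerprint_index(entries: List[Dict[str, object]], algorithm: str = "sha256") -> Dict[str, List[str]]:
    """Derive a fingerprint -> [dn] index from the stored certificates.
    Because the index is computed, it can be rebuilt for a new algorithm
    (e.g. MD5 -> SHA-256) without rewriting any user entry."""
    index: Dict[str, List[str]] = {}
    for entry in entries:
        fp = normalize(fingerprint(entry["userCertificate"], algorithm))
        index.setdefault(fp, []).append(entry["dn"])
    return index


def map_certificate(der: bytes, entries: List[Dict[str, object]], algorithm: str = "sha256") -> Optional[str]:
    """Map a presented certificate to exactly one user DN.
    Zero matches means no mapping; more than one match is refused as
    ambiguous rather than picking the first entry."""
    index = build_fingerprint_index(entries, algorithm)
    matches = index.get(normalize(fingerprint(der, algorithm)), [])
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    print(fingerprint(CLIENT_CERT_DER))
    print(map_certificate(CLIENT_CERT_DER, USER_ENTRIES))
```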


      People

      • Assignee: Miroslav Meca
      • Reporter: Mark Craig
      • Dev Assignee: Gaetan Boismal (Inactive)
      • QA Assignee: Miroslav Meca
      • Votes: 0
      • Watchers: 6
