66009 – M-TLS Fails, no user is found because "OID.2.5.4.5" is used as field name instead of "SERIALNUMBER", in Subject
id="forgot_container_top"> <span class="separator">| </span> <a id="forgot_link_top" href="show_bug.cgi?id=66009&GoAheadAndLogIn=1#forgot" onclick="return show_forgot_form('_top')">Forgot Password</a> <form action="token.cgi" method="post" id="forgot_form_top" class="mini_forgot bz_default_hidden"> <label for="login_top">Login:</label> <input name="loginname" size="20" id="login_top" required type="email" placeholder="Your Email Address"> <input id="forgot_button_top" value="Reset Password" type="submit"> <input type="hidden" name="a" value="reqpw"> <input type="hidden" id="token_top" name="token" value="1732437061-K22pDk3T3HOSsRrmxiAxw369MjuzeuFo338Z9KRlAAg"> <a href="#" onclick="return hide_forgot_form('_top')">[x]</a> </form> </li> </ul> </li> </ul> </div> </div> <div id="bugzilla-body"> <script type="text/javascript"> <!-- //--> </script> <form name="changeform" id="changeform" method="post" action="process_bug.cgi"> <input type="hidden" name="delta_ts" value="2022-04-14 10:55:45"> <input type="hidden" name="id" value="66009"> <input type="hidden" name="token" value="1732437061-keRA774ifcrqFmFFf8f7qWCD1STDPpLmhyLYE-IIgzQ"> <div class="bz_short_desc_container edit_form"> <a href="show_bug.cgi?id=66009"><b>Bug 66009</b></a> <span id="summary_container" class="bz_default_hidden"> - <span id="short_desc_nonedit_display">M-TLS Fails, no user is found because "OID.2.5.4.5" is used as field name instead of "SERIALNUMBER", in Subject</span> </span> <div id="summary_input"><span class="field_label " id="field_label_short_desc"> <a title="The bug summary is a short sentence which succinctly describes what the bug is about." class="field_help_link" href="page.cgi?id=fields.html#short_desc" >Summary:</a> </span><span title="M-TLS Fails, no user is found because "OID.2.5.4.5" is used as field name instead of "SERIALNUMBER", in Subject">M-TLS Fails, no user is found because "OID.2.5.4.5" is used as field name ins... 
</span> </div> </div> <script type="text/javascript"> hideEditableField('summary_container', 'summary_input', 'summary_edit_action', 'short_desc', 'M-TLS Fails, no user is found because \"OID.2.5.4.5\" is used as field name instead of \"SERIALNUMBER\", in Subject' ); </script> <table class="edit_form"> <tr> <td id="bz_show_bug_column_1" class="bz_show_bug_column"> <table> <tr> <th class="field_label"> <a href="page.cgi?id=fields.html#bug_status">Status</a>: </th> <td id="bz_field_status"> <span id="static_bug_status">RESOLVED FIXED </span> </td> </tr> <tr> <td colspan="2" class="bz_section_spacer"></td> </tr> <tr><th class="field_label " id="field_label_alias"> <a title="A short, unique name assigned to a bug in order to assist with looking it up and referring to it in other places in Bugzilla." class="field_help_link" href="page.cgi?id=fields.html#alias" >Alias:</a> </th> <td> None </td> </tr> <tr> <td colspan="2" class="bz_section_spacer"></td> </tr> <tr><th class="field_label " id="field_label_product"> <a title="Bugs are categorised into Products and Components." class="field_help_link" href="describecomponents.cgi" >Product:</a> </th> <td class="field_value " id="field_container_product" >Tomcat 9 </td> </tr> <tr class="bz_default_hidden"><th class="field_label " id="field_label_classification"> <a title="Bugs are categorised into Classifications, Products and Components. classifications is the top-level categorisation." class="field_help_link" href="page.cgi?id=fields.html#classification" >Classification:</a> </th> <td class="field_value " id="field_container_classification" >Unclassified </td> </tr> <tr><th class="field_label " id="field_label_component"> <a title="Components are second-level categories; each belongs to a particular Product. Select a Product to narrow down this list." 
class="field_help_link" href="describecomponents.cgi?product=Tomcat 9" >Component:</a> </th> <td class="field_value " id="field_container_component" >Connectors (<a href="buglist.cgi?component=Connectors&product=Tomcat%209&bug_status=__open__" target="_blank">show other bugs</a>) </td> </tr> <tr><th class="field_label " id="field_label_version"> <a title="The version field defines the version of the software the bug was found in." class="field_help_link" href="page.cgi?id=fields.html#version" >Version:</a> </th> <td>9.0.62 </td> </tr> <tr><th class="field_label " id="field_label_rep_platform"> <a title="The hardware platform the bug was observed on. Note: When searching, selecting the option "All" only finds bugs whose value for this field is literally the word "All"." class="field_help_link" href="page.cgi?id=fields.html#rep_platform" >Hardware:</a> </th> <td class="field_value">Other Linux </td> </tr> <tr> <td colspan="2" class="bz_section_spacer"></td> </tr> <tr> <th class="field_label"> <label accesskey="i"> <a href="page.cgi?id=fields.html#importance"><u>I</u>mportance</a></label>: </th> <td>P2 normal<span id="votes_container"> (<a href="page.cgi?id=voting/user.html&bug_id=66009#vote_66009">vote</a>) </span> </td> </tr> <tr><th class="field_label " id="field_label_target_milestone"> <a title="The Target Milestone field is used to define when the engineer the bug is assigned to expects to fix it." class="field_help_link" href="page.cgi?id=fields.html#target_milestone" >Target Milestone:</a> </th><td>----- </td> </tr> <tr><th class="field_label " id="field_label_assigned_to"> <a title="The person in charge of resolving the bug." 
class="field_help_link" href="page.cgi?id=fields.html#assigned_to" >Assignee:</a> </th> <td><span class="vcard"><span class="fn">Tomcat Developers Mailing List</span> </span> </td> </tr> <script type="text/javascript"> assignToDefaultOnChange(['product', 'component'], 'dev\x40tomcat.apache.org', ''); </script> <tr> <td colspan="2" class="bz_section_spacer"></td> </tr> <tr><th class="field_label " id="field_label_bug_file_loc"> <a title="Bugs can have a URL associated with them - for example, a pointer to a web site where the problem is seen." class="field_help_link" href="page.cgi?id=fields.html#bug_file_loc" >URL:</a> </th> <td> <span id="bz_url_input_area"> </span> </td> </tr> <tr><th class="field_label " id="field_label_keywords"> <a title="You can add keywords from a defined list to bugs, in order to easily identify and group them." class="field_help_link" href="describekeywords.cgi" >Keywords:</a> </th> <td class="field_value " id="field_container_keywords" > </td> </tr> <tr> <td colspan="2" class="bz_section_spacer"></td> </tr> <tr><th class="field_label " id="field_label_dependson"> <a title="The bugs listed here must be resolved before this bug can be resolved." class="field_help_link" href="page.cgi?id=fields.html#dependson" >Depends on:</a> </th> <td> <span id="dependson_input_area"> </span> </td> </tr> <tr><th class="field_label " id="field_label_blocked"> <a title="This bug must be resolved before the bugs listed in this field can be resolved." 
class="field_help_link" href="page.cgi?id=fields.html#blocked" >Blocks:</a> </th> <td> <span id="blocked_input_area"> </span> </td> </tr> </table> </td> <td> <div class="bz_column_spacer"> </div> </td> <td id="bz_show_bug_column_2" class="bz_show_bug_column"> <table> <tr> <th class="field_label"> Reported: </th> <td>2022-04-12 09:07 UTC by <span class="vcard"><span class="fn">Maikel</span> </span> </td> </tr> <tr> <th class="field_label"> Modified: </th> <td>2022-04-14 10:55 UTC (<a href="show_activity.cgi?id=66009">History</a>) </td> </tr> <tr> <th class="field_label"> <label accesskey="a"> CC List: </label> </th> <td>0 users <div id="cc_edit_area"> <br> </div> </td> </tr> <tr> <td colspan="2" class="bz_section_spacer"></td> </tr> <tr> <td colspan="2" class="bz_section_spacer"></td> </tr> </table> </td> </tr> <tr> <td colspan="3"> <hr id="bz_top_half_spacer"> </td> </tr> </table> <table id="bz_big_form_parts"> <tr> <td> <script type="text/javascript"> <!-- function toggle_display(link) { var table = document.getElementById("attachment_table"); var view_all = document.getElementById("view_all"); var hide_obsolete_url_parameter = "&hide_obsolete=1"; // Store current height for scrolling later var originalHeight = table.offsetHeight; var rows = YAHOO.util.Dom.getElementsByClassName( 'bz_tr_obsolete', 'tr', table); for (var i = 0; i < rows.length; i++) { bz_toggleClass(rows[i], 'bz_default_hidden'); } if (YAHOO.util.Dom.hasClass(rows[0], 'bz_default_hidden')) { link.innerHTML = "Show Obsolete"; view_all.href = view_all.href + hide_obsolete_url_parameter } else { link.innerHTML = "Hide Obsolete"; view_all.href = view_all.href.replace(hide_obsolete_url_parameter,""); } var newHeight = table.offsetHeight; // This scrolling makes the window appear to not move at all. 
window.scrollBy(0, newHeight - originalHeight); return false; } //--> </script> <br> <table id="attachment_table"> <tr id="a0"> <th colspan="2" class="left"> Attachments </th> </tr> <tr class="bz_attach_footer"> <td colspan="2"> <a href="attachment.cgi?bugid=66009&action=enter">Add an attachment</a> (proposed patch, testcase, etc.) </td> </tr> </table> <br> <div id="add_comment" class="bz_section_additional_comments"> <table> <tr> <td> <fieldset> <legend>Note</legend> You need to <a href="show_bug.cgi?id=66009&GoAheadAndLogIn=1">log in</a> before you can comment on or make changes to this bug. </fieldset> </td> </tr> </table> </div> </td> <td> </td> </tr></table> <div id="comments"><script src="js/comments.js?1474742097" type="text/javascript"> </script> <script type="text/javascript"> <!-- /* Adds the reply text to the 'comment' textarea */ function replyToComment(id, real_id, name) { var prefix = "(In reply to " + name + " from comment #" + id + ")\n"; var replytext = ""; /* pre id="comment_name_N" */ var text_elem = document.getElementById('comment_text_'+id); var text = getText(text_elem); replytext = prefix + wrapReplyText(text); /* <textarea id="comment"> */ var textarea = document.getElementById('comment'); if (textarea.value != replytext) { textarea.value += replytext; } textarea.focus(); } //--> </script> <!-- This auto-sizes the comments and positions the collapse/expand links to the right. --> <table class="bz_comment_table"> <tr> <td> <div id="c0" class="bz_comment bz_first_comment"> <div class="bz_first_comment_head"> <span class="bz_comment_number"> <a href="show_bug.cgi?id=66009#c0">Description</a> </span> <span class="bz_comment_user"> <span class="vcard"><span class="fn">Maikel</span> </span> </span> <span class="bz_comment_user_images"> </span> <span class="bz_comment_time"> 2022-04-12 09:07:51 UTC </span> </div> <pre class="bz_comment_text">We upgraded from Tomcat 9.0.60 to 9.0.62 and the Mutual-TLS failed. 
Logging from Tomcat 9.0.60 (M-TLS Works) 01 org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request POST /speer/soap/services/somefunctionality 02 org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[MijnvfRealm]' against POST /services/somefunctionality --> true 03 org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[MijnvfRealm]' against POST /services/somefunctionality --> true 04 org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission() 05 org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint already satisfied 06 org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate() 07 org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user [CN=cn, O=o, L=l, ST=st, C=c, SERIALNUMBER=00000001804415183000] with realm [org.apache.catalina.realm.UserDatabaseRealm] 08 org.apache.catalina.realm.RealmBase.authenticate Authenticating client certificate chain 09 org.apache.catalina.realm.RealmBase.authenticate Checking validity for 'CN=cn, O=o, L=l, ST=st, C=c, SERIALNUMBER=00000001804415183000' 10 org.apache.catalina.realm.RealmBase.authenticate Checking validity for 'CN=cnCA, O=o, C=c' 11 org.apache.catalina.realm.RealmBase.getPrincipal Got user name from X509 certificate: [CN=cn, O=o, L=l, ST=st, C=c, SERIALNUMBER=00000001804415183000] 12 org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user [CN=cn, O=o, L=l, ST=st, C=c, SERIALNUMBER=00000001804415183000] with realm [org.apache.catalina.realm.UserDatabaseRealm] 13 org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated 'CN=cn, O=o, L=l, ST=st, C=c, SERIALNUMBER=00000001804415183000' with type 'CLIENT_CERT' 14 org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl() 15 org.apache.catalina.realm.RealmBase.hasResourcePermission Checking 
roles GenericPrincipal[CN=cn, O=o, L=l, ST=st, C=c, SERIALNUMBER=00000001804415183000()] 16 org.apache.catalina.realm.RealmBase.hasRole Username [CN=cn, O=o, L=l, ST=st, C=c, SERIALNUMBER=00000001804415183000] has role [correctUser] 17 org.apache.catalina.realm.RealmBase.hasResourcePermission Role found: correctUser 18 org.apache.catalina.authenticator.AuthenticatorBase.invoke Successfully passed all security constraints Logging from Tomcat 9.0.62 (M-TLS fails, no/wrong user found) 01 org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request POST /speer/soap/services/somefunctionality 02 org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[MijnvfRealm]' against POST /services/somefunctionality --> true 03 org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[MijnvfRealm]' against POST /services/somefunctionality --> true 04 org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission() 05 org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint already satisfied 06 org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate() 07 org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate user [CN=cn, O=o, L=l, ST=st, C=c, SERIALNUMBER=00000001804415183000] with realm [org.apache.catalina.realm.UserDatabaseRealm] 08 org.apache.catalina.realm.RealmBase.authenticate Authenticating client certificate chain 09 org.apache.catalina.realm.RealmBase.authenticate Checking validity for 'CN=cn, O=o, L=l, ST=st, C=c, SERIALNUMBER=00000001804415183000' 10 org.apache.catalina.realm.RealmBase.authenticate Checking validity for 'CN=cnCA, O=o, C=c' 11 org.apache.catalina.realm.RealmBase.getPrincipal Got user name from X509 certificate: [CN=cn, O=o, L=l, ST=st, C=c, OID.2.5.4.5=00000001804415183000] 12 org.apache.catalina.realm.CombinedRealm.authenticate Failed to authenticate 
user [CN=cn, O=o, L=l, ST=st, C=c, SERIALNUMBER=00000001804415183000] with realm [org.apache.catalina.realm.UserDatabaseRealm] 13 org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test If you look at line 11 in both logs, you can see that "OID.2.5.4.5" is used in Tomcat 9.0.62 and "SERIALNUMBER" in Tomcat 9.0.60, while in all other instances "SERIALNUMBER" is used. Because of this, the correct user cannot be found. Possible workaround: add the "OID.2.5.4.5" version also to the "tomcat-users.xml" file (not tested yet, but I expect it to work). We are running Tomcat in Docker and are using the "tomcat:9-jdk11" container as base image. When we reverted to the container using Tomcat 9.0.60 it worked again. Possible suspect is release 9.0.61, and the change in Coyote, <a rel="nofollow" href="https://tomcat.apache.org/tomcat-9.0-doc/changelog.html">https://tomcat.apache.org/tomcat-9.0-doc/changelog.html</a></pre> </div> <div id="c1" class="bz_comment"> <div class="bz_comment_head"> <span class="bz_comment_number"> <a href="show_bug.cgi?id=66009#c1">Comment 1</a> </span> <span class="bz_comment_user"> <span class="vcard"><span class="fn">Remy Maucherat</span> </span> </span> <span class="bz_comment_user_images"> </span> <span class="bz_comment_time"> 2022-04-12 09:40:30 UTC </span> </div> <pre class="bz_comment_text">(In reply to Maikel from <a href="show_bug.cgi?id=66009#c0">comment #0</a>) <span class="quote">> Possible suspect is release 9.0.61, and the change in Coyote, > <a rel="nofollow" href="https://tomcat.apache.org/tomcat-9.0-doc/changelog.html">https://tomcat.apache.org/tomcat-9.0-doc/changelog.html</a></span> I recommend you investigate this further. 
I think the relevant change is not in the changelog: <a rel="nofollow" href="https://github.com/apache/tomcat/commit/38d2c138a102a793bce630056fbca7088b7e05a3">https://github.com/apache/tomcat/commit/38d2c138a102a793bce630056fbca7088b7e05a3</a> <a rel="nofollow" href="https://github.com/apache/tomcat/commit/b21268dcebc3d470430227978caa4f168a3346d4">https://github.com/apache/tomcat/commit/b21268dcebc3d470430227978caa4f168a3346d4</a> Is this really equivalent in all cases?</pre> </div> <div id="c2" class="bz_comment"> <div class="bz_comment_head"> <span class="bz_comment_number"> <a href="show_bug.cgi?id=66009#c2">Comment 2</a> </span> <span class="bz_comment_user"> <span class="vcard"><span class="fn">Michael Osipov</span> </span> </span> <span class="bz_comment_user_images"> </span> <span class="bz_comment_time"> 2022-04-12 09:53:04 UTC </span> </div> <pre class="bz_comment_text">Although I haven't analyzed the recent changes, the problem you see is caused by different representations of the ASN.1-encoded subject DN. Here (<a rel="nofollow" href="https://github.com/apache/tomcat/blob/431f08b66e27411decb52e1333dd886cc181a854/java/org/apache/catalina/realm/RealmBase.java#L454-L455">https://github.com/apache/tomcat/blob/431f08b66e27411decb52e1333dd886cc181a854/java/org/apache/catalina/realm/RealmBase.java#L454-L455</a>) it uses <a rel="nofollow" href="https://docs.oracle.com/javase/8/docs/api/javax/security/cert/X509Certificate.html#getIssuerDN">https://docs.oracle.com/javase/8/docs/api/javax/security/cert/X509Certificate.html#getIssuerDN</a> — which does not describe the format that is applied — but X509SubjectDnRetriever uses RFC 1779 (<a rel="nofollow" href="https://github.com/apache/tomcat/blob/431f08b66e27411decb52e1333dd886cc181a854/java/org/apache/catalina/realm/X509SubjectDnRetriever.java#L31">https://github.com/apache/tomcat/blob/431f08b66e27411decb52e1333dd886cc181a854/java/org/apache/catalina/realm/X509SubjectDnRetriever.java#L31</a>), which is totally outdated. 
Moreover, depending on the X.500 Principal format you select, Java maintains an internal map of which OIDs can be reasonably mapped from ASN.1 to a string. Especially 2.5.4.5 is a total mess. I have a certificate processing application at work where I apply a custom formatting to properly canonicalize RFC 2253 formatted output with all possible OIDs Java will not map by default. I assume the codebase in Tomcat needs to be analyzed and a similar approach applied. (My custom approach is based on the way OpenSSL handles DNs)</pre> </div> <div id="c3" class="bz_comment"> <div class="bz_comment_head"> <span class="bz_comment_number"> <a href="show_bug.cgi?id=66009#c3">Comment 3</a> </span> <span class="bz_comment_user"> <span class="vcard"><span class="fn">Konstantin Kolinko</span> </span> </span> <span class="bz_comment_user_images"> </span> <span class="bz_comment_time"> 2022-04-12 12:57:36 UTC </span> </div> <pre class="bz_comment_text">(In reply to Remy Maucherat from <a href="show_bug.cgi?id=66009#c1">comment #1</a>) <span class="quote">> (In reply to Maikel from <a href="show_bug.cgi?id=66009#c0">comment #0</a>) > > Possible suspect is release 9.0.61, and the change in Coyote, > > <a rel="nofollow" href="https://tomcat.apache.org/tomcat-9.0-doc/changelog.html">https://tomcat.apache.org/tomcat-9.0-doc/changelog.html</a> > > I recommend you investigate this further. 
> > The relevant change is not in the changelog I think: > <a rel="nofollow" href="https://github.com/apache/tomcat/commit/38d2c138a102a793bce630056fbca7088b7e05a3">https://github.com/apache/tomcat/commit/38d2c138a102a793bce630056fbca7088b7e05a3</a> > <a rel="nofollow" href="https://github.com/apache/tomcat/commit/b21268dcebc3d470430227978caa4f168a3346d4">https://github.com/apache/tomcat/commit/b21268dcebc3d470430227978caa4f168a3346d4</a> > Is this really equivalent in all cases ?</span > To help investigate this: Note that an implementation of org.apache.catalina.realm.X509UsernameRetriever that was changed by those commits is configurable, with "X509UsernameRetrieverClassName" attribute on a Realm. <a rel="nofollow" href="https://tomcat.apache.org/tomcat-9.0-doc/config/realm.html">https://tomcat.apache.org/tomcat-9.0-doc/config/realm.html</a> So that you can configure your own.</pre> </div> <div id="c4" class="bz_comment"> <div class="bz_comment_head"> <span class="bz_comment_number"> <a href="show_bug.cgi?id=66009#c4">Comment 4</a> </span> <span class="bz_comment_user"> <span class="vcard"><span class="fn">Remy Maucherat</span> </span> </span> <span class="bz_comment_user_images"> </span> <span class="bz_comment_time"> 2022-04-13 14:50:20 UTC </span> </div> <pre class="bz_comment_text">Thanks for the comments. Overall I would need a test certificate to see what each different method does. I don't know why getName(X500Principal.RFC1779) was used in X509UsernameRetriever instead of getName(X500Principal.RFC2253) or simply getName() (which simply uses X500Principal.RFC2253). 
Alternatively, you can try to test by using X509UsernameRetrieverClassName as Konstantin said (thanks, great tip!).</pre> </div> <div id="c5" class="bz_comment"> <div class="bz_comment_head"> <span class="bz_comment_number"> <a href="show_bug.cgi?id=66009#c5">Comment 5</a> </span> <span class="bz_comment_user"> <span class="vcard"><span class="fn">Maikel</span> </span> </span> <span class="bz_comment_user_images"> </span> <span class="bz_comment_time"> 2022-04-13 16:01:42 UTC </span> </div> <pre class="bz_comment_text">Thanks for the information, I did not know I could use X509UsernameRetrieverClassName to change the behavior. We were using the certificate functionality out of the box with only some changes in the config files. I now use the workaround by adding the "OID.2.5.4.5" version also in the "tomcat-users.xml" file. That works.</pre> </div> <div id="c6" class="bz_comment"> <div class="bz_comment_head"> <span class="bz_comment_number"> <a href="show_bug.cgi?id=66009#c6">Comment 6</a> </span> <span class="bz_comment_user"> <span class="vcard"><span class="fn">Christopher Schultz</span> </span> </span> <span class="bz_comment_user_images"> </span> <span class="bz_comment_time"> 2022-04-13 16:58:40 UTC </span> </div> <pre class="bz_comment_text">(In reply to Remy Maucherat from <a href="show_bug.cgi?id=66009#c1">comment #1</a>) <span class="quote">> <a rel="nofollow" href="https://github.com/apache/tomcat/commit/">https://github.com/apache/tomcat/commit/</a> > b21268dcebc3d470430227978caa4f168a3346d4</span> My guess is that the above patch will fix this issue. Can you please provide a copy of the certificate so we can double-check the behavior of getSubjectDN() vs getX500Principal().getName() vs getX500Principal().getName(X500Principal.RFC1779)? 
Alternatively, we could provide you with a simple Java utility to look at the cert and print those values.</pre> </div> <div id="c7" class="bz_comment"> <div class="bz_comment_head"> <span class="bz_comment_number"> <a href="show_bug.cgi?id=66009#c7">Comment 7</a> </span> <span class="bz_comment_user"> <span class="vcard"><span class="fn">Christopher Schultz</span> </span> </span> <span class="bz_comment_user_images"> </span> <span class="bz_comment_time"> 2022-04-13 17:02:40 UTC </span> </div> <pre class="bz_comment_text">Actually, this ought to do the trick: import java.security.cert.Certificate; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import javax.security.auth.x500.X500Principal; public class CertInfo { public static void main(String[] args) throws Exception { CertificateFactory cf = CertificateFactory.getInstance("X.509"); Certificate cert = cf.generateCertificate(System.in); if(cert instanceof X509Certificate) { System.out.println("Certificate is X.509"); X509Certificate xc = (X509Certificate)cert; System.out.println("getSubjectDN: " + xc.getSubjectDN()); System.out.println("getSubjectX500Principal.getName: " + xc.getSubjectX500Principal().getName()); System.out.println("getSubjectX500Principal.getName(RFC1779): " + xc.getSubjectX500Principal().getName(X500Principal.RFC1779)); } } }</pre> </div> <div id="c8" class="bz_comment"> <div class="bz_comment_head"> <span class="bz_comment_number"> <a href="show_bug.cgi?id=66009#c8">Comment 8</a> </span> <span class="bz_comment_user"> <span class="vcard"><span class="fn">Remy Maucherat</span> </span> </span> <span class="bz_comment_user_images"> </span> <span class="bz_comment_time"> 2022-04-14 08:17:20 UTC </span> </div> <pre class="bz_comment_text">Using your test, I can see that getName(RFC1779) formatting matches getSubjectDN, and RFC2253 does not. 
Now, with a certificate with more stuff inside, I get something where getSubjectDN returns EMAILADDRESS= and all the getName ones replace that with OID.1.2.840.113549.1.9.1=, which reproduces the bug. Replacing getSubjectDN with getSubjectX500Principal is simply not equivalent, so resolving the deprecation will require more effort (see <a href="show_bug.cgi?id=66009#c2">comment 2</a> ;) ).</pre> </div> <div id="c9" class="bz_comment"> <div class="bz_comment_head"> <span class="bz_comment_number"> <a href="show_bug.cgi?id=66009#c9">Comment 9</a> </span> <span class="bz_comment_user"> <span class="vcard"><span class="fn">Remy Maucherat</span> </span> </span> <span class="bz_comment_user_images"> </span> <span class="bz_comment_time"> 2022-04-14 08:25:03 UTC </span> </div> <pre class="bz_comment_text">However, getSubjectX500Principal().toString() returns the same result as getSubjectDN().getName() (I did look at the JVM code to find options ;) ), so I will revert to using that, since the idea was not to change things.</pre> </div> <div id="c10" class="bz_comment"> <div class="bz_comment_head"> <span class="bz_comment_number"> <a href="show_bug.cgi?id=66009#c10">Comment 10</a> </span> <span class="bz_comment_user"> <span class="vcard"><span class="fn">Remy Maucherat</span> </span> </span> <span class="bz_comment_user_images"> </span> <span class="bz_comment_time"> 2022-04-14 08:48:33 UTC </span> </div> <pre class="bz_comment_text">The fix will be in Tomcat 10.1.0-M15, 10.0.21, 9.0.63, 8.5.79.</pre> </div> <div id="c11" class="bz_comment"> <div class="bz_comment_head"> <span class="bz_comment_number"> <a href="show_bug.cgi?id=66009#c11">Comment 11</a> </span> <span class="bz_comment_user"> <span class="vcard"><span class="fn">Maikel</span> </span> </span> <span class="bz_comment_user_images"> </span> <span class="bz_comment_time"> 2022-04-14 10:55:45 UTC </span> </div> <pre class="bz_comment_text">Thanks for the quick reply and fixing the issue.</pre> </div> </td> <td> 
</td> </tr></table> </div> </form> </body>
</html>