-
Notifications
You must be signed in to change notification settings - Fork 137
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Connection refused if T field exists in X509 credentials #3487
Comments
Did you use the same certificate that the client device uses also for registering the device? |
During device registration the certificate was not provided. The credentials API was called passing auth-id as |
You mean the Device Registry Management API's update Credentials operation had been used to add X.509 credentials passing a public key and the auth-id explicitly instead of specifying a certificate? |
Yes, Device Registry Management API's update Credentials operation had been used. |
Can you check if the the same problem occurs when you provide the device's client cert when registering the X.509 credentials? |
I have tested that.
|
That's what I thought. FMPOV there is no bug here. However, it would be good to better understand under what circumstances the value of title attribute is being interpreted as a PrintableString vs UTF8String ... |
This issue was reported by a client. If the PrintableString or UTF8String interpretation is clear and eventually documented, the advice to them could be to register providing the proper OIDs mapped value. |
@n-deliyski is this still an issue? |
If an MQTT device is registered manually with X.509-cert credentials, where the certificate subject-DN has T field (e.g T=Test), the device connection is refused with "Bad username or password". This is not expected as
title
is valid attribute type - rfc4519The device certificate is created via command:
openssl req -key <device-key.pem> -new -out <device.csr> -subj "/title=Test/CN=..."
The analysis shows following:
X500Principal(<auth-id-string>).getName(X500Principal.RFC2253)
. This call forT=Test
gives OIDs mapping2.5.4.12=#130454657374
, where 0x13 is for PrintableStringCertificate#getSubjectX500Principal().getName(X500Principal.RFC2253)
See https://github.com/eclipse-hono/hono/blob/master/adapter-base/src/main/java/org/eclipse/hono/adapter/auth/device/x509/TenantServiceBasedX509Authentication.java#L170. This call gives
2.5.4.12=#0c0454657374
, where 0x0c is for UTF8String2.5.4.12=#0c0454657374
could not be found, thus the connection is refused.This behavior seems a rear case only if the subject-DN has non standard rfc2253 fields.
The text was updated successfully, but these errors were encountered: