diff options
| author | Jonathan Reams <jbreams@mongodb.com> | 2019-01-29 13:09:04 -0500 |
|---|---|---|
| committer | Jonathan Reams <jbreams@mongodb.com> | 2019-01-30 14:56:25 -0500 |
| commit | ac3f2f46c776d844e44d2cd31629ebc1eacf1638 (patch) | |
| tree | ba2e9bcf6431f44e7da2313061b762b2820a7e7a | |
| parent | 3a9efc840255c252732429b97c8b36ded52ed417 (diff) | |
| download | mongo-ac3f2f46c776d844e44d2cd31629ebc1eacf1638.tar.gz | |
SERVER-39107 Allow empty components in certificate DNs
| -rw-r--r-- | src/mongo/util/net/ssl_manager.cpp | 9 | ||||
| -rw-r--r-- | src/mongo/util/net/ssl_manager_test.cpp | 5 |
2 files changed, 14 insertions, 0 deletions
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp index 9fbfe088c71..b93ebe84a4a 100644 --- a/src/mongo/util/net/ssl_manager.cpp +++ b/src/mongo/util/net/ssl_manager.cpp @@ -586,6 +586,15 @@ Status SSLX509Name::normalizeStrings() { case kASN1UniversalString: case kASN1BMPString: case kASN1OctetString: { + // Technically https://tools.ietf.org/html/rfc5280#section-4.1.2.4 requires + // that DN component values must be at least 1 code point long, but we've + // supported empty components before (see SERVER-39107) so we special-case + // normalizing empty values to an empty UTF-8 string + if (entry.value.empty()) { + entry.type = kASN1UTF8String; + break; + } + auto res = icuX509DNPrep(entry.value); if (!res.isOK()) { return res.getStatus(); diff --git a/src/mongo/util/net/ssl_manager_test.cpp b/src/mongo/util/net/ssl_manager_test.cpp index 1c7d866815a..8869cbede6f 100644 --- a/src/mongo/util/net/ssl_manager_test.cpp +++ b/src/mongo/util/net/ssl_manager_test.cpp @@ -326,6 +326,11 @@ TEST(SSLManager, DNParsingAndNormalization) { {"2.5.4.3", "J. Smith"}, {"0.9.2342.19200300.100.1.25", "example"}, {"0.9.2342.19200300.100.1.25", "net"}}}, + {"CN=server, O=, DC=example, DC=net", + {{"2.5.4.3", "server"}, + {"2.5.4.10", ""}, + {"0.9.2342.19200300.100.1.25", "example"}, + {"0.9.2342.19200300.100.1.25", "net"}}}, {R"(CN=James \"Jim\" Smith\, III,DC=example,DC=net)", {{"2.5.4.3", R"(James "Jim" Smith, III)"}, {"0.9.2342.19200300.100.1.25", "example"}, |