Add support for required LDAP (rfc4514) RDNs in LiteralSubject

* Add OID translation for mandatory DC component * Used extensively in LDAP certificates, also required by rfc5280 * Add support for UID, mentioned in LDAP RFC * solves https://github.com/cert-manager/cert-manager/issues/5582 Signed-off-by: SpectralHiss <houssem.elfekih@jetstack.io>
2022-11-18 10:22:39 +00:00 · 2022-11-18 10:22:39 +00:00 · f41cf33efe
commit f41cf33efe
parent 2884bee3f8
2 changed files with 19 additions and 0 deletions
--- a/internal/apis/certmanager/validation/certificate_test.go
+++ b/internal/apis/certmanager/validation/certificate_test.go
@ -944,6 +944,18 @@ func Test_validateLiteralSubject(t *testing.T) {
 			},
 			a: someAdmissionRequest,
 		},
+		"valid with a `literalSubject` containing CN with special characters, multiple DC and well-known rfc4514 and rfc5280 RDN OIDs": {
+			featureEnabled: true,
+			cfg: &internalcmapi.Certificate{
+				Spec: internalcmapi.CertificateSpec{
+					Subject:        &internalcmapi.X509Subject{SerialNumber: "1"},
+					LiteralSubject: "CN=James \\\"Jim\\\" Smith\\, III,DC=dc,DC=net,UID=jamessmith,STREET=La Rambla,L=Barcelona,C=Spain,O=Acme,OU=IT,OU=Admins",
+					SecretName:     "abc",
+					IssuerRef:      validIssuerRef,
+				},
+			},
+			a: someAdmissionRequest,
+		},
 		"invalid with a `literalSubject` without CN and no dnsNames, ipAddresses, or emailAddress": {
 			featureEnabled: true,
 			cfg: &internalcmapi.Certificate{
--- a/pkg/util/pki/parse.go
+++ b/pkg/util/pki/parse.go
@ -373,6 +373,8 @@ var OIDConstants = struct {
 	Locality           []int
 	Province           []int
 	StreetAddress      []int
+	DomainComponent []int
+	UniqueIdentifier []int
 }{
 	Country:            []int{2, 5, 4, 6},
 	Organization:       []int{2, 5, 4, 10},
@ -382,10 +384,13 @@ var OIDConstants = struct {
 	Locality:           []int{2, 5, 4, 7},
 	Province:           []int{2, 5, 4, 8},
 	StreetAddress:      []int{2, 5, 4, 9},
+	DomainComponent:    []int{0,9,2342,19200300,100,1,25},
+	UniqueIdentifier: []int{0,9,2342,19200300,100,1,1},
 }

 // Copied from pkix.attributeTypeNames and inverted. (Sadly it is private.)
 // Source: https://cs.opensource.google/go/go/+/refs/tags/go1.18.2:src/crypto/x509/pkix/pkix.go;l=26
+// Added RDNs identifier to support rfc4514 LDAP certificates, cf https://github.com/cert-manager/cert-manager/issues/5582
 var attributeTypeNames = map[string][]int{
 	"C":            OIDConstants.Country,
 	"O":            OIDConstants.Organization,
@ -395,6 +400,8 @@ var attributeTypeNames = map[string][]int{
 	"L":            OIDConstants.Locality,
 	"ST":           OIDConstants.Province,
 	"STREET":       OIDConstants.StreetAddress,
+	"DC": OIDConstants.DomainComponent,
+	"UID": OIDConstants.UniqueIdentifier,
 }

 func ParseSubjectStringToRdnSequence(subject string) (pkix.RDNSequence, error) {