From f41cf33efe24f99a7fe9a1cf890460ad76849fdc Mon Sep 17 00:00:00 2001
From: Houssem El Fekih
Date: Fri, 18 Nov 2022 10:22:39 +0000
Subject: [PATCH] Add support for required LDAP (rfc4514) RDNs in LiteralSubject

* Add OID translation for mandatory DC component
* Used extensively in LDAP certificates, also required by rfc5280
* Add support for UID, mentioned in LDAP RFC
* solves https://github.com/cert-manager/cert-manager/issues/5582

Signed-off-by: SpectralHiss
---
 .../apis/certmanager/validation/certificate_test.go | 12 ++++++++++++
 pkg/util/pki/parse.go | 7 +++++++
 2 files changed, 19 insertions(+)

diff --git a/internal/apis/certmanager/validation/certificate_test.go b/internal/apis/certmanager/validation/certificate_test.go
index 4d3280cef..4a8285b51 100644
--- a/internal/apis/certmanager/validation/certificate_test.go
+++ b/internal/apis/certmanager/validation/certificate_test.go
@@ -944,6 +944,18 @@ func Test_validateLiteralSubject(t *testing.T) {
 },
 a: someAdmissionRequest,
 },
+ "valid with a `literalSubject` containing CN with special characters, multiple DC and well-known rfc4514 and rfc5280 RDN OIDs": {
+ featureEnabled: true,
+ cfg: &internalcmapi.Certificate{
+ Spec: internalcmapi.CertificateSpec{
+ Subject: &internalcmapi.X509Subject{SerialNumber: "1"},
+ LiteralSubject: "CN=James \\\"Jim\\\" Smith\\, III,DC=dc,DC=net,UID=jamessmith,STREET=La Rambla,L=Barcelona,C=Spain,O=Acme,OU=IT,OU=Admins",
+ SecretName: "abc",
+ IssuerRef: validIssuerRef,
+ },
+ },
+ a: someAdmissionRequest,
+ },
 "invalid with a `literalSubject` without CN and no dnsNames, ipAddresses, or emailAddress": {
 featureEnabled: true,
 cfg: &internalcmapi.Certificate{
diff --git a/pkg/util/pki/parse.go b/pkg/util/pki/parse.go
index e6376e5dd..c8e21c216 100644
--- a/pkg/util/pki/parse.go
+++ b/pkg/util/pki/parse.go
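Review bot: The new case only establishes that validation accepts the literal subject; nothing in this hunk asserts that `DC` and `UID` are translated to their OIDs when the string is parsed, so a wrong arc in the OID table would still pass here. Unless a parse-level test covers it elsewhere, a companion case in the `ParseSubjectStringToRdnSequence` tests that compares the resulting RDN attribute types against `OIDConstants.DomainComponent` and the `UID` entry would pin the mapping this commit is really about. It is also worth a one-line comment on the case, such as `// DC and UID were previously rejected as unknown attribute types; see issue 5582.`, so the purpose of the long subject string survives future edits. The enclosing map literal in `Test_validateLiteralSubject` begins and ends outside the hunk.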
@@ -373,6 +373,8 @@ var OIDConstants = struct {
 Locality []int
 Province []int
 StreetAddress []int
+ DomainComponent []int
+ UniqueIdentifier []int
 }{
 Country: []int{2, 5, 4, 6},
 Organization: []int{2, 5, 4, 10},
@@ -382,10 +384,13 @@ var OIDConstants = struct {
 Locality: []int{2, 5, 4, 7},
 Province: []int{2, 5, 4, 8},
 StreetAddress: []int{2, 5, 4, 9},
+ DomainComponent: []int{0,9,2342,19200300,100,1,25},
+ UniqueIdentifier: []int{0,9,2342,19200300,100,1,1},
 }

 // Copied from pkix.attributeTypeNames and inverted. (Sadly it is private.)
 // Source: https://cs.opensource.google/go/go/+/refs/tags/go1.18.2:src/crypto/x509/pkix/pkix.go;l=26
+// Added RDNs identifier to support rfc4514 LDAP certificates, cf https://github.com/cert-manager/cert-manager/issues/5582
 var attributeTypeNames = map[string][]int{
 "C": OIDConstants.Country,
 "O": OIDConstants.Organization,
@@ -395,6 +400,8 @@ var attributeTypeNames = map[string][]int{
 "L": OIDConstants.Locality,
 "ST": OIDConstants.Province,
 "STREET": OIDConstants.StreetAddress,
+ "DC": OIDConstants.DomainComponent,
+ "UID": OIDConstants.UniqueIdentifier,
 }

 func ParseSubjectStringToRdnSequence(subject string) (pkix.RDNSequence, error) {
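Review bot: `UniqueIdentifier` is a misleading name for OID 0.9.2342.19200300.100.1.1 in all three hunks: that arc is the RFC 4519 `uid` (userId) attribute that the `"UID"` key refers to, whereas X.520's `uniqueIdentifier` (x500UniqueIdentifier) is a different attribute under 2.5.4.45, so a later maintainer could easily wire the wrong OID to the wrong short name. Renaming the field keeps the table honest: `UserID []int`, `UserID: []int{0, 9, 2342, 19200300, 100, 1, 1},` and `"UID": OIDConstants.UserID,`. The two new OID literals also omit the spaces after commas that the sibling entries use, and gofmt will realign the field and value columns of the struct, so the file should be gofmt-clean before merge. The added comment above `attributeTypeNames` reads better as `// DC and UID are added beyond pkix's set so rfc4514 LDAP subjects parse; see cert-manager issue 5582.` The `ParseSubjectStringToRdnSequence` signature at the end of the last hunk is context only; its body, which is what consumes this table, lies outside the hunk.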