Support for standards compliant comparison of x.509 DNs from HTTP Headers containing an authenticated client DN or Certificate

README.md

@@ -109,12 +109,12 @@ trusted CA chain (see [Ingress Configuration](#4-ingress-configuration)).
 
 ### 3. Configuration Options
 
-| Variable | Description | Default |
-| -------------------------------- | ------------------------ | ------------------------------- |
-| `ALLOWED_CLIENT_SUBJECT_DN_PATH` | Path to the file listing allowed client certificate DNs.                                                                     | `/config/allowed_client_dn.txt` |
-| `SSL_CLIENT_SUBJECT_DN_HEADER` | HTTP header containing the client certificate DN. For **ingress-nginx**, this should not be changed. | `ssl-client-subject-dn`         |
-| `USE_WATCHDOG`                   | Enables file-change monitoring using [watchdog](https://pypi.org/project/watchdog/). Useful for non-Kubernetes environments. | `False`                         |
-| `LOG_LEVEL`                      | Logging verbosity. Options: `DEBUG`, `INFO`, `WARNING`, `ERROR`.                                                             | `INFO`                          |
+| Variable | Description                                                                                                                              | Default |
+| -------------------------------- |------------------------------------------------------------------------------------------------------------------------------------------| ------------------------------- |
+| `ALLOWED_CLIENT_SUBJECT_DN_PATH` | Path to the file listing allowed client certificate DNs. DNs should be as close to RFC4514 as possible, and stored as UTF-8 in the file. | `/config/allowed_client_dn.txt` |
+| `SSL_CLIENT_SUBJECT_DN_HEADER` | HTTP header containing the client certificate DN. For **ingress-nginx**, this should not be changed.                                     | `ssl-client-subject-dn`         |
+| `USE_WATCHDOG`                   | Enables file-change monitoring using [watchdog](https://pypi.org/project/watchdog/). Useful for non-Kubernetes environments.             | `False`                         |
+| `LOG_LEVEL`                      | Logging verbosity. Options: `DEBUG`, `INFO`, `WARNING`, `ERROR`.                                                                         | `INFO`                          |
 
 **File reload behavior:**
 

doc/oid2py.py

@@ -0,0 +1,81 @@
+import re
+import sys
+
+name2oid = {}
+
+skipflag = False
+
+# Working in binary domain
+f = open("oids.txt","rb")
+for line in f:
+    # remove comments
+    for i in range(0,len(line)):
+        if line[i:i+1] == b'#':
+            break
+    commentless = line[:i]
+    # remove trailing space
+    for i in range(len(commentless)-1,-1,-1):
+        if commentless[i:i+1] != b' ':
+            break
+    commentless = commentless[0:i+1]
+    prefix_bytes = commentless[0:3]
+
+    if prefix_bytes == b'OID':
+        skipflag = False
+        oid = commentless[4:] # excluding \n
+        # cryptography does not grok OIDs from the top of the hierarchy, so with few dots.
+        oidstr = str(oid)
+        if oidstr.count(".") < 2:
+            skipflag = True
+
+        matchlist = re.findall('[0-9\\.]+',oidstr)
+        if len(matchlist) == 1:
+            oidbytes = oid[:len(matchlist[0])]
+            oidobj = b'ObjectIdentifier("'+oidbytes+b'")'
+        else:
+            raise Exception("OID not digits:" + oidstr + " " + str(matchlist))
+    elif not skipflag and prefix_bytes == b'TAG':
+        unofficial_but_common_name = commentless[4:] # excluding \n
+        # add quotes
+        quoted_name = b'"'+unofficial_but_common_name+b'"'
+        name2oid[quoted_name] = oidobj
+    elif not skipflag and prefix_bytes == b'ATT':
+        attr = commentless[5:] # excluding \n
+        name2oid[attr] = oidobj
+
+f.close()
+
+#
+# Omissions in oids.txt
+#
+oidobj = name2oid[b'"givenName"']
+name2oid[b'"gn"'] = oidobj
+
+# Sigh...
+name2oid[b'"organizationIdentifier"'] = b'ObjectIdentifier("2.5.4.97")'
+
+# RFC4514 says: ST      stateOrProvinceName (2.5.4.8)
+# Mozilla uses "S"
+
+oidobj = name2oid[b'"id-at-stateOrProvinceName"']
+name2oid[b'"st"'] = oidobj
+
+
+f = open("name2oid.py","wb")
+
+
+f.write(b'# AUTOMATICALLY GENERATED BY OID2PY.PY, DO NOT EDIT\n')
+f.write(b'# Source: https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_12_3_1_RTM/src/nss-3.12.3.1.tar.gz\n')
+f.write(b'#\n')
+f.write(b'from cryptography.x509.oid import ObjectIdentifier\n')
+f.write(b'#\n')
+f.write(b'names2oid = {}\n')
+
+for n,v in name2oid.items():
+    f.write(b'names2oid[')
+    f.write(n)
+    f.write(b'] = ')
+    f.write(v)
+    f.write(b'\n')
+
+f.close()