Re: URI name constraint fails when URI contains a userinfo component

On Fri, Aug 23, 2024 at 02:11:42PM +0200, 'Jacob Persson' via openssl-users wrote:

> > that assigns any meaning to the username part of a URI in X.509
> > certificates.  Best I can tell, if present, it should be ignored!
> >
> >     https://datatracker.ietf.org/doc/html/rfc9525#section-7.2
> 
> The username identifies a wire user within a domain but the meaning
> and validation of that is happening inside our client application.

A more appropriate application-specific SAN might have been an
"otherName" variant under some suitable OID arc, where you control
the semantics of the SAN (but would also then need (and be free) to
implement both the validation and any name constraint checks).

> > and no associated reference to a specification of how "wireapp" clients
> > are expected to employ URI-IDs in certificates. :-(
> 
> True, we haven't registered the scheme yet.

If this is at all likely to be relevant to a broader community, or just
to avoid conflicts, it might make sense to register the scheme.

> I understand that 1.1.1 (EOL) is unlikely to change but we have also observed
> the same behaviour in the more recent versions like 3.3.1.

As expected.

> But if I understood correctly the fact that the userinfo component is
> not ignored could be considered a bug in openssl, should I open a
> Github Issue for that?

By all means.  This will not guarantee prompt remediation, the issue is
rather a corner case, but if you're also able to contribute a robust fix
(parse the URI authority to strip the username and port), then it might get
adopted.

Note that not all schemes encode an authority (e.g.
mailto:user@domain), so your code would apply only
to URIs of the form:

    scheme://user@host[:port][/path...]

You should also check whether other aspects of matching URI "reference"
identifiers with "presented" URI SANs in the certificate match RFCs
5280 and 6125.

-- 
    Viktor.
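The host extraction Viktor describes, as an added illustration that is not part of the thread and not OpenSSL's own code: it parses the RFC 3986 authority of a URI SAN, ignores the userinfo and port, refuses URIs that carry no authority (mailto:) or an IP literal, and then applies the RFC 5280 section 4.2.1.10 rule that a constraint beginning with a period matches any host with at least one additional label while any other constraint must match the host exactly. The function names and the sample SANs (built on the reserved example.com/example.org domains) are constructed for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not OpenSSL code.  Locate the host part of a URI of the
 * form scheme://[userinfo@]host[:port][/path...] (RFC 3986 authority).
 * On success stores the host start in *host and returns its length.
 * Returns 0 when the URI has no authority (e.g. "mailto:user@domain"), is
 * malformed, or carries an IP literal such as "[2001:db8::1]", none of which
 * can satisfy a DNS-style URI name constraint (RFC 5280 section 4.2.1.10).
 */
static size_t uri_host(const char *uri, const char **host)
{
    const char *sep = strstr(uri, "://");
    if (sep == NULL)
        return 0;                       /* no authority component */

    const char *auth = sep + 3;
    size_t alen = strcspn(auth, "/?#"); /* authority ends at path/query/fragment */

    /* userinfo, if any, is everything before the first '@' in the authority */
    const char *h = auth;
    size_t hlen = alen;
    const char *at = memchr(auth, '@', alen);
    if (at != NULL) {
        h = at + 1;
        hlen = alen - (size_t)(h - auth);
        if (memchr(h, '@', hlen) != NULL)
            return 0;                   /* a second '@' is not valid RFC 3986 */
    }

    if (hlen > 0 && h[0] == '[')
        return 0;                       /* IP literal: not a DNS name */

    /* drop an optional :port */
    const char *colon = memchr(h, ':', hlen);
    if (colon != NULL)
        hlen = (size_t)(colon - h);

    if (hlen == 0)
        return 0;
    *host = h;
    return hlen;
}

/* case-insensitive comparison of n bytes (hostnames are case-insensitive) */
static bool eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/*
 * Does the URI's host fall within the name constraint?  Per RFC 5280
 * section 4.2.1.10 a constraint beginning with '.' (".example.com") is
 * satisfied by any host with at least one more label (host.example.com,
 * a.b.example.com) but not by "example.com" itself; any other constraint
 * must match the host exactly.  Userinfo and port are ignored, which is
 * the behaviour the thread asks for.
 */
static bool uri_in_constraint(const char *uri, const char *constraint)
{
    const char *host = NULL;
    size_t hlen = uri_host(uri, &host);
    size_t clen = strlen(constraint);

    if (hlen == 0 || clen == 0)
        return false;
    if (constraint[0] == '.')
        return hlen > clen && eq_nocase(host + (hlen - clen), constraint, clen);
    return hlen == clen && eq_nocase(host, constraint, clen);
}

int main(void)
{
    /* constructed sample URI SANs checked against the constraint ".example.com" */
    const char *sans[] = {
        "wireapp://alice@wire.example.com",          /* userinfo present */
        "https://alice@wire.example.com:8443/im",    /* userinfo + port */
        "https://wire.example.com",
        "https://example.com",                       /* not within ".example.com" */
        "mailto:alice@example.com",                  /* no authority */
        "https://[2001:db8::1]/",                    /* IP literal */
        "https://evil.example.org/",
    };
    for (size_t i = 0; i < sizeof sans / sizeof sans[0]; i++)
        printf("%-45s %s\n", sans[i],
               uri_in_constraint(sans[i], ".example.com") ? "permitted" : "rejected");
    return 0;
}
```

The split on the first '@' rather than the last is deliberate: RFC 3986 forbids an unescaped '@' inside userinfo, so a second one marks a malformed name that a constraint checker should reject rather than guess at. A real fix in OpenSSL would also need to cover the excluded-subtrees case and the `scheme:` forms without an authority that Viktor mentions, which this helper simply reports as non-matching.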

-- 
You received this message because you are subscribed to the Google Groups "openssl-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openssl-users+unsubscribe@xxxxxxxxxxx.
To view this discussion on the web visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/ZsiFFrj-3-Sr06oT%40chardros.imrryr.org.
