Missing support for emailAddress as subject for CSR #460

Open
hesstobi opened this issue Oct 25, 2021 · 3 comments · May be fixed by #461

@hesstobi

  • YubiKey Manager (ykman) version: 4.0.3
  • How was it installed?: choco
  • Operating system and version: Windows 10
  • YubiKey model and version: YubiKey 5 NFC
  • Bug description summary: Unsupported attribute: 'emailAddress'

Steps to reproduce

Create a new CSR with ykman for S/MIME

ykman piv keys generate --algorithm ECCP384 --format PEM 9c public.pem
ykman piv certificates request --subject "CN=James Smith,OU=Sales,L=Redwood Shores,O=OpenLDAP,ST=California,C=US,emailAddress=james.smith@openldap.org" 9c public.pem csr.csr

This will error with Unsupported attribute: 'emailAddress'

Expected result

A CSR with an emailAddress attribute in the subject

Actual results and logs

Error: Unsupported attribute: 'emailAddress'

Other info

I like to use the YubiKey Manager to let users create a CSR for X.509-based certificates to use with S/MIME.
Of course this needs the emailAddress attribute in the subject. This is currently not supported by ykman.

@hesstobi hesstobi linked a pull request Oct 25, 2021 that will close this issue
@dainnilsson (Member)

RFC 4514 unfortunately does not define emailAddress, and I'm hesitant to add support for non-standard names to the RFC4514 parser. Email can still be added by manually specifying the OID: 1.2.840.113549.1.9.1=user@example.com which is compliant with the standard. The current version of ykman does not support this, but the next one (out soon!) will.

I know it's not as clear as emailAddress=... but at least it works.

@im-richard

Just to confirm, because I stumbled across the same exact issue today. And an hour's worth of Googling 4514 never came up with a clear answer.

Does the current version of ykman support specifying the OID for email?

If so, what is the syntax for specifying OIDs; I've looked at Yubikey's docs for PIV and I can't seem to find any info on this.

@dainnilsson (Member)

Yes, the current version (5.0.0) supports this, using the syntax I provided in the last comment. The RFC itself can be found here: https://www.ietf.org/rfc/rfc4514.txt

Here's a full example of the syntax, showing the result using openssl:

ykman piv certificates generate 9a pub_key.pem -s "CN=Test,1.2.840.113549.1.9.1=user@example.com"

ykman piv certificates export 9a cert.pem
openssl x509 -in cert.pem -text

<snip>

Subject: emailAddress = user@example.com, CN = Test
...
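The two maintainer comments above make one point: RFC 4514 section 3 defines only a short list of attribute names (CN, L, ST, O, OU, C, STREET, DC, UID), so a parser that sticks to the RFC rejects `emailAddress`, while a dotted OID such as `1.2.840.113549.1.9.1` is always a valid attribute type. The example below is added here to show that behaviour end to end; it is not ykman's own parser and makes no claim about how ykman is implemented. It parses an RFC 4514 string into RDNs, raises an `UnsupportedAttribute` error for the `emailAddress=` form from the issue, accepts the OID form, and prints the result in the DER order that `openssl x509 -text` uses (RFC 4514 section 2.1 lists RDNs in reverse order, which is why the openssl output above shows `emailAddress` before `CN`). The `to_openssl_subject` helper and the `OID_DISPLAY_NAMES` table are assumptions made for this illustration; the email OID value is the one quoted in the thread.

```python
"""RFC 4514 distinguished-name string parser with dotted-OID support.

Added example, not ykman's own code. It demonstrates why an RFC 4514
parser rejects `emailAddress=` and why the dotted OID 1.2.840.113549.1.9.1
(PKCS#9 emailAddress) is accepted instead.
"""
import re

# The only short names RFC 4514 section 3 requires a parser to recognise.
RFC4514_SHORT_NAMES = {
    "CN": "2.5.4.3",
    "L": "2.5.4.7",
    "ST": "2.5.4.8",
    "O": "2.5.4.10",
    "OU": "2.5.4.11",
    "C": "2.5.4.6",
    "STREET": "2.5.4.9",
    "DC": "0.9.2342.19200300.100.1.25",
    "UID": "0.9.2342.19200300.100.1.1",
}

# PKCS#9 emailAddress, as given in the thread. Listed here only for display,
# deliberately NOT added to RFC4514_SHORT_NAMES, so parsing stays RFC-conformant.
EMAIL_ADDRESS_OID = "1.2.840.113549.1.9.1"
OID_DISPLAY_NAMES = {v: k for k, v in RFC4514_SHORT_NAMES.items()}
OID_DISPLAY_NAMES[EMAIL_ADDRESS_OID] = "emailAddress"  # assumed display label

_DOTTED_OID = re.compile(r"^[0-9]+(\.[0-9]+)+$")
_HEXPAIR = re.compile(r"[0-9A-Fa-f]{2}")


class UnsupportedAttribute(ValueError):
    """Raised for attribute names that are neither RFC 4514 short names nor OIDs."""


def _split_unescaped(text, sep):
    """Split on `sep`, but not where `sep` is preceded by a backslash escape."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair intact for _unescape
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value):
    """Resolve RFC 4514 escapes: \\<special char> and \\HH hex-encoded UTF-8 bytes."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and _HEXPAIR.fullmatch(pair):
                out.append(int(pair, 16))
                i += 3
                continue
            out.extend(value[i + 1].encode("utf-8"))
            i += 2
            continue
        out.extend(value[i].encode("utf-8"))
        i += 1
    return out.decode("utf-8")


def parse_rfc4514(dn):
    """Return RDNs in string order; each RDN is a list of (oid, value) pairs."""
    rdns = []
    for rdn_text in _split_unescaped(dn, ","):
        attrs = []
        for ava in _split_unescaped(rdn_text, "+"):  # '+' joins a multi-valued RDN
            if "=" not in ava:
                raise ValueError(f"Missing '=' in {ava!r}")
            key, value = ava.split("=", 1)
            key = key.strip()
            if key.upper() in RFC4514_SHORT_NAMES:  # short names are case-insensitive
                oid = RFC4514_SHORT_NAMES[key.upper()]
            elif _DOTTED_OID.match(key):
                oid = key
            else:
                raise UnsupportedAttribute(f"Unsupported attribute: {key!r}")
            attrs.append((oid, _unescape(value)))
        rdns.append(attrs)
    return rdns


def to_openssl_subject(dn):
    """Approximate the one-line form `openssl x509 -text` prints: DER order,
    i.e. the reverse of the RFC 4514 string order, with known OIDs labelled."""
    parts = []
    for rdn in reversed(parse_rfc4514(dn)):
        parts.append(" + ".join(f"{OID_DISPLAY_NAMES.get(o, o)} = {v}" for o, v in rdn))
    return ", ".join(parts)


if __name__ == "__main__":
    # Constructed inputs taken from the issue text.
    try:
        parse_rfc4514("CN=James Smith,OU=Sales,emailAddress=james.smith@openldap.org")
    except UnsupportedAttribute as exc:
        print("Error:", exc)
    print(to_openssl_subject("CN=Test,1.2.840.113549.1.9.1=user@example.com"))
```

Running the block reproduces both sides of the thread: the `emailAddress=` subject fails with `Unsupported attribute: 'emailAddress'`, and the OID form renders as `emailAddress = user@example.com, CN = Test`, matching the openssl output the maintainer posted. The escape handling matters in practice because an S/MIME subject often contains a comma in the CN (`CN=Smith\, James`), which must not be treated as an RDN separator.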
