x509, subject alternative name: RFC822 Name=first.name@mail.com


rupert.thurner

Sep 2, 2013, 10:04:33 AM
to git...@googlegroups.com
hi,

We have certificates which have the email of the user in the subject alternative name:
RFC822 Name=first.name@mail.com

I saw in the configuration file that one can specify which field to get out of a certificate, which I tried to set:
git.certificateUsernameOIDs = RFC822 Name

But the title "# List of OIDs to extract from a client certificate DN" says that it should not work. The relevant code is in https://github.com/gitblit/gitblit/blob/HEAD/src/main/java/com/gitblit/utils/HttpUtils.java#L146, isn't it? Would it make sense to look in the subject alternative name (http://en.wikipedia.org/wiki/SubjectAltName) as well?

rupert.

James Moger

Sep 5, 2013, 10:31:21 AM
to git...@googlegroups.com
Hi Rupert,

You need to quote the attribute name because of the space.

Try this:

git.certificateUsernameOIDs = "RFC822 Name"

Having said that, your account/login names will have to be email addresses too.

-J

rupert.thurner

Sep 9, 2013, 10:13:01 AM
to git...@googlegroups.com


On Thursday, September 5, 2013 4:31:21 PM UTC+2, James Moger wrote:
Hi Rupert,

You need to quote the attribute name because of the space.

Try this:

git.certificateUsernameOIDs = "RFC822 Name"


Hi James, I tried it and it does not work. https://forums.oracle.com/thread/1535284 says that one can retrieve it with
   x509Certs[i].getSubjectAlternativeNames();
which is not in Gitblit's code. The standard http://tools.ietf.org/html/rfc3280#section-4.2.1.7 to my understanding suggests that it should be supported, but I am unsure if this matches your wishes as well.

rupert.

James Moger

Sep 9, 2013, 10:24:46 AM
to git...@googlegroups.com
How about:

git.certificateUsernameOIDs = rfc822name

or

git.certificateUsernameOIDs = emailaddress

Have you inspected your client certs with Portecle or some other tool which accurately displays the subject?

-J



--
You received this message because you are subscribed to the Google Groups "gitblit" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gitblit+u...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

rupert.thurner

Sep 10, 2013, 7:45:24 AM
to git...@googlegroups.com
I need to check; until now I just wrote code to extract it. But I asked my colleague who is responsible for the X.509 infrastructure implementation, and he suggested the best way would be to configure Gitblit so it just takes the principal set by the web server or Tomcat. How could we configure Gitblit to do something like this:

@Override
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
  // some code
  // the container (e.g. Tomcat with CLIENT-CERT auth) has already mapped the certificate to a principal
  Principal principal = request.getUserPrincipal();
  String username = (principal == null) ? null : principal.getName();
  // some code
}

James Moger

Sep 10, 2013, 7:52:29 AM
to git...@googlegroups.com

rupert.thurner

Oct 12, 2013, 8:13:38 AM
to git...@googlegroups.com
Oh, excellent. How would I set the options so this code path is reached? In our config it already gets the user out of the cert's subject, which is the name and the person's ID, so not usable as a git login.

James Moger

Oct 15, 2013, 8:05:03 AM
to git...@googlegroups.com
No options, it's automatic after trying certificates.  So for your case, this doesn't help.  You could hack Gitblit and build from source if you need to reverse the order.

-J
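Added example, not Gitblit's code, covering the two questions in this thread: reading the rfc822Name out of the subjectAltName extension (which the DN-based OID list cannot see) and choosing between a certificate-derived name and the principal the servlet container already set. The method names, the ordering flag and the stand-in principal are assumptions for illustration; the cert-then-principal order is the one James describes, the reverse is what Rupert asked about. Nothing here validates the certificate chain; that must already have happened in the TLS layer against the CA you expect before any of these values is used as a login name.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Principal;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/**
 * Added example, not Gitblit code. Three places a login name can come from once a
 * client certificate has been presented:
 *   1. an attribute of the subject DN (what a DN-based OID list can see),
 *   2. an rfc822Name entry of the subjectAltName extension (what the thread asks for),
 *   3. the principal the servlet container already set (request.getUserPrincipal()).
 * Method names and the ordering flag are assumptions for illustration.
 */
public class CertUsername {

    /** GeneralName CHOICE tag for rfc822Name (RFC 5280, section 4.2.1.6). */
    private static final int RFC822_NAME = 1;

    /** Keyword for the emailAddress OID so getName() renders its value as text instead of hex. */
    private static final Map<String, String> OID_KEYWORDS = Map.of("1.2.840.113549.1.9.1", "EMAILADDRESS");

    /** Subject-DN lookup: value of the first RDN whose type matches one of attrTypes, in the order given. */
    static String fromSubjectDn(X509Certificate cert, String... attrTypes) throws Exception {
        String dn = cert.getSubjectX500Principal().getName(X500Principal.RFC2253, OID_KEYWORDS);
        LdapName name = new LdapName(dn);
        for (String wanted : attrTypes) {
            for (Rdn rdn : name.getRdns()) {
                if (rdn.getType().equalsIgnoreCase(wanted) && rdn.getValue() instanceof String) {
                    return (String) rdn.getValue();
                }
            }
        }
        return null;
    }

    /** SAN lookup: first rfc822Name in subjectAltName; null if the extension or the entry is absent. */
    static String fromSanRfc822(X509Certificate cert) throws CertificateParsingException {
        Collection<List<?>> names = cert.getSubjectAlternativeNames();
        if (names == null) {
            return null;
        }
        for (List<?> entry : names) {
            // each entry is [Integer generalNameTag, Object value]
            if ((Integer) entry.get(0) == RFC822_NAME) {
                return (String) entry.get(1);
            }
        }
        return null;
    }

    /**
     * Picks the login name. principalFirst=false follows the order described in the thread
     * (certificate fields first, container principal as fallback); principalFirst=true is the
     * reversed order asked about. Assumed behaviour for illustration, not Gitblit's logic.
     */
    static String resolveUsername(X509Certificate cert, Principal containerPrincipal, boolean principalFirst)
            throws Exception {
        String fromPrincipal = containerPrincipal == null ? null : containerPrincipal.getName();
        String fromCert = null;
        if (cert != null) {
            fromCert = fromSanRfc822(cert);                          // preferred: the SAN e-mail
            if (fromCert == null) {
                fromCert = fromSubjectDn(cert, "EMAILADDRESS", "CN"); // fallback: subject attributes
            }
        }
        String first = principalFirst ? fromPrincipal : fromCert;
        String second = principalFirst ? fromCert : fromPrincipal;
        return first != null ? first : second;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java CertUsername.java <client-cert.pem>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        // Stand-in for request.getUserPrincipal(); in Tomcat it is whatever the realm resolved the cert to.
        Principal container = () -> "container-user";
        System.out.println("subject DN      : " + cert.getSubjectX500Principal().getName(X500Principal.RFC2253, OID_KEYWORDS));
        System.out.println("DN attribute    : " + fromSubjectDn(cert, "EMAILADDRESS", "CN"));
        System.out.println("SAN rfc822Name  : " + fromSanRfc822(cert));
        System.out.println("cert first      : " + resolveUsername(cert, container, false));
        System.out.println("principal first : " + resolveUsername(cert, container, true));
    }
}
```

To try it without a real PKI, a throwaway certificate with both the DN attribute and the SAN entry can be made with the JDK's keytool: keytool -genkeypair -keyalg RSA -keysize 2048 -alias test -storetype PKCS12 -keystore test.p12 -storepass changeit -dname "CN=Test User, EMAILADDRESS=first.name@mail.com" -ext SAN=email:first.name@mail.com, then keytool -exportcert -rfc -alias test -keystore test.p12 -storepass changeit -file test.pem, then java CertUsername.java test.pem (JDK 11 or later). Two things to check before using the SAN value as a login name in production: a certificate may carry several rfc822Name entries, and this picks only the first; and the value is only as trustworthy as the issuing CA's own verification of that mailbox, so restrict the trust store to the CA that actually does that checking rather than to any CA the JVM happens to trust.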

