Improve handling of encoding of X.520 attributes #109349

Merged
merged 5 commits into from
Nov 1, 2024

vcsjones

Our managed encoder for distinguished names took a loose approach to encoding names which could result in violating the encoding rules of certain X.520 attributes. For example, the "countryName" attribute (2.5.4.6) is a PrintableString, and only a PrintableString. However, the ForceUTF8Encoding flag would result in a UTF8String, which is not permitted.

This PR brings our managed encoder to align more similarly with Windows, but makes some deviations.

  1. We are now aware of X.520 attribute encoding rules. The ForceUTF8Encoding flag will only work on things that can be encoded as UTF-8. That means DirectoryString and attributes that are unknown.
  2. Previously, even without ForceUTF8String, we would encode something as a UTF8String if it could not be represented as a PrintableString. Now, if you attempt to encode a PrintableString (or NumericString) with characters that are outside of the encoding rules, an exception is thrown instead of promoting it to UTF-8. This behavior matches Windows and aligns more with the specification. It is a breaking change, however.

I expect few, if anyone, to be bothered by the stricter encoding requirements. Windows already had them, with the exception of two attributes (countryName3C and countryName3N). The breaking change doc will explain that developers can use X500DistinguishedNameBuilder, which offers an escape hatch and overriding of opinions on how to encode a particular component.

Fixes #109156
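
The encoding rule described in this PR can also be checked on names that have already been issued. The following is an added example, not code from this PR or from dotnet/runtime: it walks a DER-encoded Name and reports attributes whose string tag or characters break the X.520 rules. The rule table, function names and sample bytes are constructed for illustration.

```python
# Added example (not dotnet/runtime code); RULES and the sample bytes are constructed.
UTF8, PRINTABLE = 0x0C, 0x13
DIRECTORY_STRING = {0x0C, 0x13, 0x14, 0x1C, 0x1E}  # UTF8, Printable, Teletex, Universal, BMP
PRINTABLE_CHARS = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")
# OID content bytes -> (name, allowed value tags); a small subset chosen for this example.
RULES = {
    bytes.fromhex("550406"): ("countryName", {PRINTABLE}),      # 2.5.4.6
    bytes.fromhex("550403"): ("commonName", DIRECTORY_STRING),  # 2.5.4.3
}

def read_tlv(buf, pos):
    """Parse one definite-length DER element; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield the (tag, value) pairs nested inside a constructed element."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def audit_name(der):
    """Return findings for Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    tag, rdns, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    findings = []
    for _, rdn in children(rdns):
        for _, atv in children(rdn):
            (_, oid), (val_tag, val) = children(atv)
            name, allowed = RULES.get(oid, (oid.hex(), None))
            if allowed is not None and val_tag not in allowed:
                findings.append(f"{name}: string tag 0x{val_tag:02X} not permitted")
            elif val_tag == PRINTABLE and not set(val) <= PRINTABLE_CHARS:
                findings.append(f"{name}: characters outside PrintableString")
    return findings

def sample_name(country_tag, country=b"US"):
    """Constructed sample: C=<2-byte country>, CN=example, with a chosen string tag on C."""
    return (bytes.fromhex("301f310b30090603550406") + bytes([country_tag, 2]) + country
            + bytes.fromhex("3110300e06035504030c07") + b"example")
```

`audit_name(sample_name(UTF8))` reproduces the case from the linked issue, a countryName carried as a UTF8String, while `sample_name(PRINTABLE)` is the compliant encoding.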

vcsjones added the area-System.Security and breaking-change labels on Oct 29, 2024
dotnet-policy-service bot added the needs-breaking-change-doc-created label on Oct 29, 2024
vcsjones merged commit 6c83e0d into dotnet:main on Nov 1, 2024
83 checks passed
vcsjones deleted the x520-encoding-rules branch on November 1, 2024 00:48
vcsjones commented Nov 1, 2024

I'll make the breaking change doc in the next day or two.

vcsjones added this to the 10.0.0 milestone on Nov 1, 2024
vcsjones commented Nov 1, 2024

Breaking change doc: dotnet/docs#43284

vcsjones removed the needs-breaking-change-doc-created label on Nov 1, 2024
Successfully merging this pull request may close these issues.

X500DistinguishedName with ForceUTF8Encoding causes Country encoded as UTF8String on .NET 8 Linux