
Notary requires an X509 cert's common name to match the GUN exactly, but the length of a common name is restricted to 64 chars #914

Closed
dnwake opened this issue Aug 12, 2016 · 3 comments

Comments

@dnwake

dnwake commented Aug 12, 2016

In order to be valid, Notary requires that any cert must have a common name that matches the GUN. See https://github.com/docker/notary/blob/master/trustpinning/certs.go#L178

However, RFC3280 imposes a maximum length of 64 characters on the common name of an X509 certificate. See https://www.ietf.org/rfc/rfc3280.txt (search for ub-common-name).

When using Notary with Docker, it is easy to end up with a GUN that is longer than 64 characters (e.g. "my_docker_registry.somedomain.com/my_docker_repo_part_1/my_docker_repo_part_2").

While Notary's own internal certificate-generating code may not enforce this limit, it is enforced by third-party tools such as openssl. This is a big problem for anyone planning to generate their own certificates and then import them into Notary (see #821).
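To make the length mismatch concrete, here is an added example (written for this page, not Notary's own code) in Go, the language Notary is implemented in. `CheckGUNFitsCN` applies the RFC 3280 `ub-common-name` bound of 64 to a GUN, and `SelfSignedCertCN` shows that Go's `crypto/x509`, like Notary's internal generator, will happily encode a CN longer than that bound, so a certificate produced this way parses back with the full GUN as CN while a strict tool such as openssl would reject the same subject. The sample GUN is the one from the comment above; the function names and the self-signed certificate parameters are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ubCommonName is the upper bound on the commonName attribute from
// RFC 3280 (and RFC 5280): ub-common-name INTEGER ::= 64.
const ubCommonName = 64

// CheckGUNFitsCN reports whether a GUN can be carried verbatim in a CN that
// an RFC 3280-conformant tool (e.g. openssl) will accept, plus its length.
// GUNs are ASCII, so the byte length equals the character count.
func CheckGUNFitsCN(gun string) (bool, int) {
	n := len(gun)
	return n <= ubCommonName, n
}

// CNMatchesGUN mirrors the exact-match rule Notary applies between a
// certificate's CN and the GUN (no prefix or wildcard handling here).
func CNMatchesGUN(cn, gun string) bool {
	return cn == gun
}

// SelfSignedCertCN creates a throwaway self-signed certificate whose subject
// CN is cn, using Go's crypto/x509 (which does not enforce ub-common-name),
// then parses the DER back and returns the CN exactly as it was encoded.
func SelfSignedCertCN(cn string) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // assumed value for the example
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	// Constructed sample: the GUN quoted in the issue text above.
	gun := "my_docker_registry.somedomain.com/my_docker_repo_part_1/my_docker_repo_part_2"

	ok, n := CheckGUNFitsCN(gun)
	fmt.Printf("GUN length %d, fits RFC 3280 ub-common-name (%d): %v\n", n, ubCommonName, ok)

	cn, err := SelfSignedCertCN(gun)
	if err != nil {
		fmt.Println("certificate generation failed:", err)
		return
	}
	fmt.Printf("Go encoded CN of length %d; exact match with GUN: %v\n", len(cn), CNMatchesGUN(cn, gun))
}
```

Run as-is, the program reports that the 77-character GUN exceeds the 64-character bound, yet Go still emits and re-parses a certificate carrying it unchanged; that is exactly the gap the issue describes between Notary's own generator and strict external tooling. A pre-import check like `CheckGUNFitsCN` is a cheap way to tell users up front that an externally generated certificate for such a GUN cannot be RFC-conformant and Notary-matching at the same time.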

@dnwake changed the title from "A X509 cert's common name is required to be equal to the GUN, but the length of a common name is restricted to 64 chars" to "Notary requires an X509 cert's common name is required to match the GUN exactly, but the length of a common name is restricted to 64 chars" on Aug 12, 2016
@dnwake changed the title from "Notary requires an X509 cert's common name is required to match the GUN exactly, but the length of a common name is restricted to 64 chars" to "Notary requires an X509 cert's common name to match the GUN exactly, but the length of a common name is restricted to 64 chars" on Aug 12, 2016
@riyazdf
Contributor

riyazdf commented Aug 13, 2016

Thank you @dnwake for pointing this out! I'm going to link this issue to #883 since it's similar in nature, but different.

@dnwake
Author

dnwake commented Sep 27, 2016

For the benefit of future people running into this problem, I've found that the certtool command (supplied as part of the gnutls-utils package) ignores the 64-character limitation, so it can be used as a workaround.

@endophage
Contributor

Having merged wildcard CNs and there being workarounds, I'm going to close this. We don't have any specific action items to address GUN name length. Please re-open or file an issue with specific action items if more is needed.
