Bug #106374 Support X.509 certificate attribute SAN in addition to the usual authentication
Submitted: 4 Feb 2022 4:42
Modified: 3 Mar 2022 5:51
Reporter: Karthik Appigatla (OCA)
Status: Verified
Category: MySQL Server: Security: Privileges
Severity: S4 (Feature request)
Version: 8.0
OS: Any
Assigned to:
CPU Architecture: Any

[4 Feb 2022 4:42] Karthik Appigatla
Description:
As of now, MySQL supports the following attributes of X509 for authentication:
NONE, SSL, X509, SUBJECT, ISSUER, CIPHER
https://dev.mysql.com/doc/refman/8.0/en/create-user.html#create-user-tls

This request is to support the SAN attribute as well.

CREATE USER 'jeffrey'@'localhost' REQUIRE SAN 'URI:urn:app:servicePrincipal(app_name;)'

Each application can have the application ID or name in the SAN field of the certificate, which can be used in authentication.

The workaround is to store the application service principal in the subject field. But the problem is that certificates are usually issued by 3rd-party providers and we do not have control over the structure.

How to repeat:
Feature Request
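
What an exact, type-qualified SAN match of the kind requested above involves, as an added example that is not part of the original report and not MySQL code: it parses the DER value of a certificate's subjectAltName extension and compares it with a 'TYPE:value' string. The matching semantics, the function names and the sample principal "billing" are assumptions made for illustration.

```python
# Added illustration, not MySQL code: parse the DER value of an X.509
# subjectAltName extension (RFC 5280 GeneralNames) and match one entry exactly.

# GeneralName context tags (RFC 5280, section 4.2.1.6) handled here.
TAG_NAMES = {0x81: "email", 0x82: "DNS", 0x86: "URI"}

def _read_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise ValueError("truncated DER")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def parse_san(der):
    """Return [(type, value), ...] for the entries of a GeneralNames blob."""
    if not der or der[0] != 0x30:
        raise ValueError("GeneralNames must be a DER SEQUENCE")
    total, pos = _read_len(der, 1)
    end = pos + total
    if end != len(der):
        raise ValueError("SEQUENCE length does not match the data")
    entries = []
    while pos < end:
        tag = der[pos]
        length, pos = _read_len(der, pos + 1)
        if pos + length > end:
            raise ValueError("entry overruns the SEQUENCE")
        value, pos = der[pos:pos + length], pos + length
        if tag in TAG_NAMES:
            entries.append((TAG_NAMES[tag], value.decode("ascii")))
        # Other kinds (otherName, directoryName, iPAddress, ...) are skipped.
    return entries

def satisfies(der, required):
    """True only if required ('TYPE:value') equals one SAN entry exactly."""
    want_type, _, want_value = required.partition(":")
    return (want_type, want_value) in parse_san(der)

def _entry(tag, text):  # short-form length only, so text must be < 128 bytes
    return bytes([tag, len(text)]) + text

# Constructed sample (hypothetical principal "billing"): one URI, one DNS entry.
_body = _entry(0x86, b"urn:app:servicePrincipal(billing)") + _entry(0x82, b"db-client.example.test")
SAMPLE_SAN = bytes([0x30, len(_body)]) + _body
```

The comparison is on the (type, value) pair, so a DNS entry carrying the same string does not satisfy a URI requirement, and a prefix of the principal does not match.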
[4 Feb 2022 5:07] MySQL Verification Team
Hello Karthik,

Thank you for the reasonable feature request!

regards,
Umesh
[3 Mar 2022 5:51] Karthik Appigatla
Any update on this?