Bug #59378 Incorrect examples for GRANT ... REQUIRE ISSUER/SUBJECT with e-mail RDN
Submitted: 9 Jan 2011 13:01 Modified: 1 Jun 2011 14:15
Reporter: Dave Kelly
Status: Closed
Category: MySQL Server: Documentation    Severity: S3 (Non-critical)
Version: 5.5.8 GA    OS: Any
Assigned to: Paul DuBois    CPU Architecture: Any
Tags: email, emailAddress, grant, grant require, issuer, RDN, subject

[9 Jan 2011 13:01] Dave Kelly
In the MySQL 5.5 Reference Manual section GRANT Syntax, there are a couple of examples for REQUIRE ISSUER and REQUIRE SUBJECT that include an RDN (Relative Distinguished Name) for an e-mail address as follows:


However, while 'email' may be valid for a 'subjectAltName' (Subject Alternate Name) RDN attribute type (but note the difference in case), it is apparently not used as a 'subject' or 'issuer' RDN attribute type.  The use of 'Email' appears to be incorrect.

I was trying to use:  /E=mymail@mydom.dom, but I found that the RDN '/E=value' is more of a de facto usage, but hasn't really been codified (that I could find).

Instead, the MySQL Server is actually looking for an RDN like the following (as seen in the server error log):


If the e-mail address RDN does not use the 'emailAddress' attribute type, connection access is denied.  And, I found that 'emailAddress' is in fact the correct attribute type to use according to the X.50x specs.  (I think :o)

How to repeat:
Try to use GRANT ... REQUIRE ISSUER or GRANT ... REQUIRE SUBJECT with an e-mail address RDN similar to that shown in the example of the reference manual (e.g., /Email=email@dom.dom); if so, connection access is denied.

Suggested fix:
Correct the documentation by changing the e-mail address RDN for issuer and subject from '/Email=email@dom.dom' to '/emailAddress=email@dom.dom'.
[2 May 2011 16:57] Georgi Kodinov

You're correct that the documentation should be changed.
But it's not because it's incorrect. The examples used to work up until OpenSSL 0.9.6h when the short name for emailAddress changed from Email to emailAddress (and I presume they still do if you link MySQL with an OpenSSL version like this).

The X509 standard is very vague on what are the parts of a Distinguished Name. It just says that it must be formatted in a certain way and it must be unique. That uniqueness is left to the infrastructure to assure.
The server probably does nothing more than just a string comparison. Thus your only safe bet that you have a valid DN that you can compare to is to parse an X509 certificate, get its subject string and use that in the GRANT statement.

Now OpenSSL is a de-facto standard in how one formats such DNs. In its recent versions it formats the email OID as emailAddress. Thus the documentation should be updated.
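The plain string comparison and the 0.9.6h short-name change described in the two comments above, as an added example (not code from the bug report or from MySQL); treating the reporter's '/E=' form as an alias and passing the OpenSSL version as a tuple are assumptions of this example:

```python
# Added example, not from the bug report or MySQL's code: model the check the
# comments describe. The server compares the certificate's OpenSSL-formatted
# DN against the GRANT value as a plain string, and OpenSSL's short name for
# the e-mail attribute changed from 'Email' to 'emailAddress' in 0.9.6h.

# Short names seen for the PKCS#9 emailAddress attribute. 'E' is the de facto
# form the reporter tried; treating it as an alias here is an assumption.
EMAIL_ALIASES = {"Email", "emailAddress", "E"}

def short_name_for_email(openssl_version):
    """Short name OpenSSL uses for the e-mail RDN attribute.

    openssl_version is a tuple such as (0, 9, 6, "h") or (1, 0, 1); the
    0.9.6h cut-over is the one stated in the bug report."""
    return "emailAddress" if openssl_version >= (0, 9, 6, "h") else "Email"

def parse_oneline_dn(dn):
    """Parse OpenSSL's one-line DN ('/C=XX/O=Org/emailAddress=a@b') into an
    ordered list of (attribute, value) pairs. Values are assumed to contain
    no '/', which the legacy one-line format prints unescaped."""
    if not dn.startswith("/"):
        raise ValueError("expected a one-line DN starting with '/'")
    pairs = []
    for rdn in dn[1:].split("/"):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr:
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr, value))
    return pairs

def grant_subject_for(cert_subject, openssl_version):
    """Return the exact string to put in GRANT ... REQUIRE SUBJECT '<value>'
    for a server linked against the given OpenSSL version: every e-mail
    alias is rewritten to that version's short name, all else untouched."""
    email_attr = short_name_for_email(openssl_version)
    return "".join(
        "/%s=%s" % (email_attr if attr in EMAIL_ALIASES else attr, value)
        for attr, value in parse_oneline_dn(cert_subject)
    )

def grant_value_matches(grant_require, cert_subject):
    """The server-side check as the comment describes it: exact string equality."""
    return grant_require == cert_subject

# Constructed sample subject strings: the same DN as a modern OpenSSL prints it
# and as the stale manual example (pre-0.9.6h spelling) wrote it.
MODERN_SUBJECT = "/C=XX/O=Example Org/CN=client/emailAddress=client@example.com"
STALE_SUBJECT = "/C=XX/O=Example Org/CN=client/Email=client@example.com"
```

The stale spelling fails the equality check against a modern subject, which is the denied connection the reporter saw; rewriting it with grant_subject_for gives the value that matches.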
[1 Jun 2011 14:15] Paul DuBois
Thank you for your bug report. This issue has been addressed in the documentation. The updated documentation will appear on our website shortly, and will be included in the next release of the relevant products.

Added to REQUIRE ISSUER description:

If MySQL is linked against a version of OpenSSL older than 0.9.6h,
use Email rather than emailAddress in the 'issuer' value. 

And similar for REQUIRE SUBJECT.