Add use_oid option for transport subject DN #9
Merged
Conversation
Introduce a new use_oid boolean (use_oid) to control whether Subject DN attributes are rendered as numeric OIDs or friendly names when derived from the transport certificate. The flag is threaded through CLI/config, AuthoriserBuilder, NewAuthoriser, NewJwtSigner and DCR32 config; config samples and testdata were updated. Implement subjectDN(...) to parse the certificate RawSubject ASN.1 RDNSequence and format the DN in wire order, with an oidNames map for friendly name lookup and numeric fallbacks. Tests were updated to include the new parameter and a test certificate (testcert.pem) was added. The option defaults to false and is ignored when transport_cert_subject_dn is explicitly provided.
Pull request overview
Adds a use_oid boolean configuration option to control how the TLS transport certificate Subject DN is rendered into tls_client_auth_subject_dn (numeric OID labels vs friendly names), and threads that option through CLI/config → DCR32Config → AuthoriserBuilder → Authoriser → JwtSigner.
Changes:
- Introduces `use_oid` in config/docs and passes it through the builder/authoriser/signer construction path.
- Implements custom Subject DN formatting by parsing the certificate `RawSubject` ASN.1 `RDNSequence` and emitting a comma-delimited DN string.
- Updates/extends tests and sample config/testdata to include the new parameter; adds a new PEM certificate file.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 6 comments.
Summary per file:

| File | Description |
|---|---|
| testcert.pem | Adds a certificate intended for test coverage of Subject DN formatting. |
| QUICK-START.md | Documents the new use_oid option and updates the sample config snippet. |
| pkg/compliant/dcr32_config.go | Threads useOID through DCR32 config creation into the authoriser builder. |
| pkg/compliant/dcr32_config_test.go | Updates constructor call site to include the new useOID parameter. |
| pkg/compliant/auth/signer.go | Adds useOID to jwtSigner and implements subjectDN(...) based on RawSubject. |
| pkg/compliant/auth/signer_test.go | Updates NewJwtSigner call sites to include the new useOID parameter. |
| pkg/compliant/auth/client_secret_jwt_test.go | Updates signer construction calls for the new parameter. |
| pkg/compliant/auth/client_secret_basic_test.go | Updates signer construction calls for the new parameter. |
| pkg/compliant/auth/authoriser.go | Threads useOID through NewAuthoriser into NewJwtSigner for all auth methods. |
| pkg/compliant/auth/authoriser_test.go | Updates NewAuthoriser call sites to include the new parameter. |
| pkg/compliant/auth/authoriser_builder.go | Adds useOID field + WithUseOID(...) builder method and passes it to NewAuthoriser. |
| pkg/compliant/auth/authoriser_builder_test.go | Updates expected NewAuthoriser(...) call to include the new parameter. |
| config.json.sample | Adds use_oid to the root sample config. |
| cmd/cli/testdata/config.json.sample | Adds use_oid to CLI testdata config sample. |
| cmd/cli/main.go | Passes cfg.UseOID into NewDCR32Config(...). |
| cmd/cli/config.go | Adds UseOID field to config JSON struct. |
When ASN.1 parsing fails, the returned error drops the underlying asn1.Unmarshal error (and whether there was trailing data). Wrapping the original error (and optionally including len(rest)) would make transport cert issues much easier to diagnose.

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Add escapeRFC2253 and update subjectDN to produce RFC 2253-compliant DN strings: escape special chars, join multi-valued RDNs with '+', join RDNs with ',', and respect wire/display order. subjectDN now supports forcing numeric OIDs via useOID and uses friendly names when available. Add fallback to use Subject.ToRDNSequence().String() when RawSubject is empty. Include tests: newCertWithOrgIdentifier helper and TestNewJwtSigner_TlsClientAuthDerivedSubjectDN_UseOID to verify OID vs friendly-name output. Also adjust test imports for ASN.1/crypto utilities.
Replace the oidNames map with an oidName helper and extract escape logic into needsEscape. Simplify escapeRFC2253 to use the new predicate and improve subjectDN comments to clarify RFC 2253 / RFC 8705 ordering and label selection. Behavior preserved (useOID still emits numeric OIDs; known OIDs map to friendly names), but the code is clearer and better documented.
Replace the long switch in oidName with a map lookup for clearer and more maintainable OID->name mapping. Also simplify addTlsClientAuthClaims conditional logic by using a switch to explicitly handle the transportSubjectDn case, the fallback for manually constructed certs with empty RawSubject, and the default path that parses RawSubject via subjectDN. These changes improve readability and make the DN selection logic easier to follow.
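The DN rendering the commits above describe, written out as an added example (not the project's own signer.go code): parse RawSubject DER into an RDNSequence, keep the parser's error and any trailing-data count, escape values per RFC 2253, join multi-valued RDNs with '+' and RDNs with ',', and pick numeric or friendly labels from `useOID`. The `oidNames` table and the `constructedSubject` sample bytes are assumptions made for this example; RDN ordering follows the RFC 2253 string form (last RDN first).

```go
package main
import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"strings"
)
// Assumed friendly-name table; OIDs absent from it are rendered numerically.
var oidNames = map[string]string{"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.97": "organizationIdentifier"}

// escapeRFC2253 backslash-escapes the characters RFC 2253 section 2.4 requires.
func escapeRFC2253(v string) string {
	var b strings.Builder
	for i, r := range v {
		if strings.ContainsRune(`,+"\<>;`, r) || (r == '#' && i == 0) || (r == ' ' && (i == 0 || i == len(v)-1)) {
			b.WriteByte('\\')
		}
		b.WriteRune(r)
	}
	return b.String()
}

// subjectDN parses RawSubject DER into an RFC 2253 string: last RDN first, '+' within multi-valued RDNs, numeric labels if useOID.
func subjectDN(raw []byte, useOID bool) (string, error) {
	var seq pkix.RDNSequence
	rest, err := asn1.Unmarshal(raw, &seq)
	if err != nil || len(rest) != 0 { // surface the parser's error and any trailing-data count
		return "", fmt.Errorf("subject RDNSequence: err=%v, trailing bytes=%d", err, len(rest))
	}
	var rdns []string
	for i := len(seq) - 1; i >= 0; i-- {
		var parts []string
		for _, atv := range seq[i] {
			label := atv.Type.String()
			if name, ok := oidNames[label]; ok && !useOID {
				label = name
			}
			parts = append(parts, label+"="+escapeRFC2253(fmt.Sprint(atv.Value)))
		}
		rdns = append(rdns, strings.Join(parts, "+"))
	}
	return strings.Join(rdns, ","), nil
}

// Sample subject DER (constructed, not a real certificate): C, then a multi-valued O+organizationIdentifier RDN (comma in O), then CN.
var constructedSubject, _ = asn1.Marshal(pkix.RDNSequence{
	{{Type: asn1.ObjectIdentifier{2, 5, 4, 6}, Value: "GB"}},
	{{Type: asn1.ObjectIdentifier{2, 5, 4, 10}, Value: "Example, Ltd"}, {Type: asn1.ObjectIdentifier{2, 5, 4, 97}, Value: "PSDGB-FCA-123456"}},
	{{Type: asn1.ObjectIdentifier{2, 5, 4, 3}, Value: "client-1"}},
})
```

With `useOID` false the sample renders as `CN=client-1,O=Example\, Ltd+organizationIdentifier=PSDGB-FCA-123456,C=GB`; with it true every label is numeric.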