CSR subject attributes such as emailAddress are lost

[syncsynchalt]

What I did:

• CSR with subject /C=US/O=scep-client/OU=MDM/CN=scepclient/[email protected] is passed to the server

What happens:

• Certificate with subject /C=US/O=scep-client/OU=MDM/CN=scepclient is returned

What should happen:

• Certificate with subject /C=US/O=scep-client/OU=MDM/CN=scepclient/[email protected] is returned

Explanation:

In PKIMessage.SignCSR() we pass in the variable template that was generated from the CSR. I see that all the expected subject attributes (in my case C, O, OU, CN, emailAddress) are present in template.Subject.Names (the input). I inspect the output of x509.CreateCertificate and the emailAddress attribute is missing from crt.Subject.Names (only C, O, OU, CN are present, emailAddress is missing).

I tracked this down to the following code in the golang stdlib pkix.Name.ToRDNSequence():
https://golang.org/src/crypto/x509/pkix/pkix.go?s=5216:5263#L193
In this code we see that the library checks for the 9 oids it knows about, then it runs through the list of ExtraNames (there are none in our case, everything is in Names, as returned by x509.ParseCertificateRequest()). However if there were any other oids in Names than the 9 known oids (such as emailAddress), then they are lost.

To me this seems like a bug or a wart in the golang x509 library. I don't have any control over that library, so I've come up with an ugly workaround in scep instead. I haven't put a lot of effort into making it more elegant since I'm not sure it's the direction to go.

Expect a PR soon that shows my workaround. To test this issue, it may be useful to add the -email-address flag to your scepclient, see this patch: syncsynchalt@247ee76