[BUG] Using a long project name causes provisioning failure

[taleinat]

Setting a project name of over 64 characters causes provisioning failure.

Traceback:

Exception raised during provision.  Incomplete prod_n folder removed.
Traceback (most recent call last):
  File "nvflare/lighter/provision.py", line 189, in <module>
    main()
  File "nvflare/lighter/provision.py", line 185, in main
    handle_provision(args)
  File "nvflare/lighter/provision.py", line 101, in handle_provision
    provision(project_full_path, workspace_full_path, add_user_full_path, add_client_full_path)
  File "nvflare/lighter/provision.py", line 119, in provision
    provisioner.provision(project)
  File "nvflare/lighter/spec.py", line 174, in provision
    b.build(project, ctx)
  File "nvflare/lighter/impl/cert.py", line 123, in build
    self._build_root(project.name, subject_org=None)
  File "nvflare/lighter/impl/cert.py", line 74, in _build_root
    self.root_cert = self._generate_cert(subject, subject_org, self.issuer, pri_key, pub_key, ca=True)
  File "nvflare/lighter/impl/cert.py", line 162, in _generate_cert
    x509_subject = self._x509_name(subject, subject_org, role)
  File "nvflare/lighter/impl/cert.py", line 194, in _x509_name
    name = [x509.NameAttribute(NameOID.COMMON_NAME, cn_name)]
  File "cryptography/x509/name.py", line 152, in __init__
    raise ValueError(msg)
ValueError: Attribute's length must be >= 1 and <= 64, but it was 74

To Reproduce

1. Create a project config use a name of over 64 characters.
2. Run provisioning.

Expected behavior
Successful provisioning, or at least an informative error message.

Desktop (please complete the following information):

• OS: Ubuntu 22.04
• Python Version: 3.10
• NVFlare Version: 2.5.1

[yanchengnv]

First of all, to be precise, the problem is not about the name of the "project" - it is rather about the name of the "server" in the "participants" section.

Secondly, this is a known limitation since the server name is the Common Name (CN) in the server cert, and CN cannot exceed 63 chars. Today, you can only use server name to specify the server's host name. So if your host name exceeds 63 chars, you are stuck.

Version 2.6 will fix this problem by allowing multiple host names and IP addresses for the server, and you no longer have to use the server name as the host name: the server name can be a simple unique string.

[IsaacYangSLA]

One more note on the issue. We also found cryptography fixed an issue a few months ago. That fix changed how cryptography handled long CN field. Previously, it allowed CN longer than 64. After the fix, it enforced the limitation on CN length so it's compliant with the standard.

With different versions of cryptography packages, users may see either the reported errors or no errors during provisioning with long project names.