Some of the CAs start adding new CRL distribution points in the client certificate (Since it is a trusted CA by configuration and client cert is signed by this trusted CA, this attribute is also a trusted source for distribution points). Added support for the same. Is it possible to merge with any of the applicable releases? diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal index 347e3e59f3..da79a9209a 100644 --- a/share/dictionary.freeradius.internal +++ b/share/dictionary.freeradius.internal @@ -571,6 +571,7 @@ ATTRIBUTE TLS-PSK-Identity 1933 string ATTRIBUTE TLS-Client-Cert-X509v3-Extended-Key-Usage-OID 1936 string ATTRIBUTE TLS-Client-Cert-Valid-Since 1937 string ATTRIBUTE TLS-Cache-Method 1938 integer +ATTRIBUTE TLS-Cert-CRL-Distribution-Points 1939 string VALUE TLS-Cache-Method save 1 VALUE TLS-Cache-Method load 2 VALUE TLS-Cache-Method clear 3 diff --git a/src/main/tls.c b/src/main/tls.c index 4149a473a9..f858d381fe 100644 --- a/src/main/tls.c +++ b/src/main/tls.c @@ -2779,7 +2779,7 @@ ocsp_end: /* * For creating certificate attributes. */ -static char const *cert_attr_names[9][2] = { +static char const *cert_attr_names[10][2] = { { "TLS-Client-Cert-Serial", "TLS-Cert-Serial" }, { "TLS-Client-Cert-Expiration", "TLS-Cert-Expiration" }, { "TLS-Client-Cert-Subject", "TLS-Cert-Subject" }, @@ -2788,7 +2788,8 @@ static char const *cert_attr_names[9][2] = { { "TLS-Client-Cert-Subject-Alt-Name-Email", "TLS-Cert-Subject-Alt-Name-Email" }, { "TLS-Client-Cert-Subject-Alt-Name-Dns", "TLS-Cert-Subject-Alt-Name-Dns" }, { "TLS-Client-Cert-Subject-Alt-Name-Upn", "TLS-Cert-Subject-Alt-Name-Upn" }, - { "TLS-Client-Cert-Valid-Since", "TLS-Cert-Valid-Since" } + { "TLS-Client-Cert-Valid-Since", "TLS-Cert-Valid-Since" }, + { "TLS-Client-Cert-CRL-Distribution-Points", "TLS-Cert-CRL-Distribution-Points"} }; #define FR_TLS_SERIAL (0) @@ -2800,11 +2801,37 @@ static char const *cert_attr_names[9][2] = { #define FR_TLS_SAN_DNS (6) #define FR_TLS_SAN_UPN (7) #define FR_TLS_VALID_SINCE (8) +#define FR_TLS_CDP (9) static const char *cert_names[2] = { "client", "server", }; +/* + * Extract Certification Distribution point URL from the certificate + */ +const char *get_dp_url(DIST_POINT *dp) +{ + GENERAL_NAMES *gens; + GENERAL_NAME *gen; + int i, gtype; + ASN1_STRING *uri; + + if (dp == NULL || !dp->distpoint || dp->distpoint->type != 0) { + return NULL; + } + gens = dp->distpoint->name.fullname; + for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) { + gen = sk_GENERAL_NAME_value(gens, i); + uri = GENERAL_NAME_get0_value(gen, >ype); + if (gtype == GEN_URI && ASN1_STRING_length(uri) > 6) { + const char *url_ptr = (const char*) ASN1_STRING_get0_data(uri); + return url_ptr; + } + } + return NULL; +} + /* * Before trusting a certificate, you must make sure that the * certificate is 'valid'. There are several steps that your @@ -2839,6 +2866,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) char common_name[1024]; char cn_str[1024]; char buf[64]; + char cdp[1024]; X509 *client_cert; #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) const STACK_OF(X509_EXTENSION) *ext_list; @@ -2978,6 +3006,28 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) rdebug_pair(L_DBG_LVL_2, request, vp, NULL); } + /* + * Get the Certificate Distribution points + */ + STACK_OF(DIST_POINT) *crl_dp = X509_get_ext_d2i(client_cert, NID_crl_distribution_points, NULL, NULL); + DIST_POINT *dp; + const char *url_ptr = NULL; + if (crl_dp != NULL) { + for (int i = 0; i < sk_DIST_POINT_num(crl_dp); i++) { + dp = sk_DIST_POINT_value(crl_dp, i); + if (dp != NULL) { + cdp[0] = '\0'; + url_ptr = get_dp_url(dp); + if (url_ptr != NULL) { + strncpy(cdp, (char*) url_ptr, (int) strlen(url_ptr)); + cdp[strlen(url_ptr)] = '\0'; + vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_CDP][lookup], cdp, T_OP_ADD); + rdebug_pair(L_DBG_LVL_2, request, vp, NULL); + } + } + } + } + /* * Get the RFC822 Subject Alternative Name */ Thanks Natarajan