Support to get CRL distribution points from client certificate
Some of the CAs start adding new CRL distribution points in the client certificate (Since it is a trusted CA by configuration and client cert is signed by this trusted CA, this attribute is also a trusted source for distribution points). Added support for the same. Is it possible to merge with any of the applicable releases? diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal index 347e3e59f3..da79a9209a 100644 --- a/share/dictionary.freeradius.internal +++ b/share/dictionary.freeradius.internal @@ -571,6 +571,7 @@ ATTRIBUTE TLS-PSK-Identity 1933 string ATTRIBUTE TLS-Client-Cert-X509v3-Extended-Key-Usage-OID 1936 string ATTRIBUTE TLS-Client-Cert-Valid-Since 1937 string ATTRIBUTE TLS-Cache-Method 1938 integer +ATTRIBUTE TLS-Cert-CRL-Distribution-Points 1939 string VALUE TLS-Cache-Method save 1 VALUE TLS-Cache-Method load 2 VALUE TLS-Cache-Method clear 3 diff --git a/src/main/tls.c b/src/main/tls.c index 4149a473a9..f858d381fe 100644 --- a/src/main/tls.c +++ b/src/main/tls.c @@ -2779,7 +2779,7 @@ ocsp_end: /* * For creating certificate attributes. */ -static char const *cert_attr_names[9][2] = { +static char const *cert_attr_names[10][2] = { { "TLS-Client-Cert-Serial", "TLS-Cert-Serial" }, { "TLS-Client-Cert-Expiration", "TLS-Cert-Expiration" }, { "TLS-Client-Cert-Subject", "TLS-Cert-Subject" }, @@ -2788,7 +2788,8 @@ static char const *cert_attr_names[9][2] = { { "TLS-Client-Cert-Subject-Alt-Name-Email", "TLS-Cert-Subject-Alt-Name-Email" }, { "TLS-Client-Cert-Subject-Alt-Name-Dns", "TLS-Cert-Subject-Alt-Name-Dns" }, { "TLS-Client-Cert-Subject-Alt-Name-Upn", "TLS-Cert-Subject-Alt-Name-Upn" }, - { "TLS-Client-Cert-Valid-Since", "TLS-Cert-Valid-Since" } + { "TLS-Client-Cert-Valid-Since", "TLS-Cert-Valid-Since" }, + { "TLS-Client-Cert-CRL-Distribution-Points", "TLS-Cert-CRL-Distribution-Points"} }; #define FR_TLS_SERIAL (0) @@ -2800,11 +2801,37 @@ static char const *cert_attr_names[9][2] = { #define FR_TLS_SAN_DNS (6) #define FR_TLS_SAN_UPN (7) #define FR_TLS_VALID_SINCE (8) +#define FR_TLS_CDP (9) static const char *cert_names[2] = { "client", "server", }; +/* + * Extract Certification Distribution point URL from the certificate + */ +const char *get_dp_url(DIST_POINT *dp) +{ + GENERAL_NAMES *gens; + GENERAL_NAME *gen; + int i, gtype; + ASN1_STRING *uri; + + if (dp == NULL || !dp->distpoint || dp->distpoint->type != 0) { + return NULL; + } + gens = dp->distpoint->name.fullname; + for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) { + gen = sk_GENERAL_NAME_value(gens, i); + uri = GENERAL_NAME_get0_value(gen, >ype); + if (gtype == GEN_URI && ASN1_STRING_length(uri) > 6) { + const char *url_ptr = (const char*) ASN1_STRING_get0_data(uri); + return url_ptr; + } + } + return NULL; +} + /* * Before trusting a certificate, you must make sure that the * certificate is 'valid'. There are several steps that your @@ -2839,6 +2866,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) char common_name[1024]; char cn_str[1024]; char buf[64]; + char cdp[1024]; X509 *client_cert; #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) const STACK_OF(X509_EXTENSION) *ext_list; @@ -2978,6 +3006,28 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) rdebug_pair(L_DBG_LVL_2, request, vp, NULL); } + /* + * Get the Certificate Distribution points + */ + STACK_OF(DIST_POINT) *crl_dp = X509_get_ext_d2i(client_cert, NID_crl_distribution_points, NULL, NULL); + DIST_POINT *dp; + const char *url_ptr = NULL; + if (crl_dp != NULL) { + for (int i = 0; i < sk_DIST_POINT_num(crl_dp); i++) { + dp = sk_DIST_POINT_value(crl_dp, i); + if (dp != NULL) { + cdp[0] = '\0'; + url_ptr = get_dp_url(dp); + if (url_ptr != NULL) { + strncpy(cdp, (char*) url_ptr, (int) strlen(url_ptr)); + cdp[strlen(url_ptr)] = '\0'; + vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_CDP][lookup], cdp, T_OP_ADD); + rdebug_pair(L_DBG_LVL_2, request, vp, NULL); + } + } + } + } + /* * Get the RFC822 Subject Alternative Name */ Thanks Natarajan
Created PR https://github.com/FreeRADIUS/freeradius-server/pull/4992 for the same for review. Thanks Natarajan On Thu, May 4, 2023 at 9:46 AM Natarajan M <natarajan.m@gmail.com> wrote:
Some of the CAs start adding new CRL distribution points in the client certificate (Since it is a trusted CA by configuration and client cert is signed by this trusted CA, this attribute is also a trusted source for distribution points). Added support for the same. Is it possible to merge with any of the applicable releases?
diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal
index 347e3e59f3..da79a9209a 100644
--- a/share/dictionary.freeradius.internal
+++ b/share/dictionary.freeradius.internal
@@ -571,6 +571,7 @@ ATTRIBUTE TLS-PSK-Identity 1933 string
ATTRIBUTE TLS-Client-Cert-X509v3-Extended-Key-Usage-OID 1936 string
ATTRIBUTE TLS-Client-Cert-Valid-Since 1937 string
ATTRIBUTE TLS-Cache-Method 1938 integer
+ATTRIBUTE TLS-Cert-CRL-Distribution-Points 1939 string
VALUE TLS-Cache-Method save 1
VALUE TLS-Cache-Method load 2
VALUE TLS-Cache-Method clear 3
diff --git a/src/main/tls.c b/src/main/tls.c
index 4149a473a9..f858d381fe 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -2779,7 +2779,7 @@ ocsp_end:
/*
* For creating certificate attributes.
*/
-static char const *cert_attr_names[9][2] = {
+static char const *cert_attr_names[10][2] = {
{ "TLS-Client-Cert-Serial", "TLS-Cert-Serial" },
{ "TLS-Client-Cert-Expiration", "TLS-Cert-Expiration" },
{ "TLS-Client-Cert-Subject", "TLS-Cert-Subject" },
@@ -2788,7 +2788,8 @@ static char const *cert_attr_names[9][2] = {
{ "TLS-Client-Cert-Subject-Alt-Name-Email", "TLS-Cert-Subject-Alt-Name-Email" },
{ "TLS-Client-Cert-Subject-Alt-Name-Dns", "TLS-Cert-Subject-Alt-Name-Dns" },
{ "TLS-Client-Cert-Subject-Alt-Name-Upn", "TLS-Cert-Subject-Alt-Name-Upn" },
- { "TLS-Client-Cert-Valid-Since", "TLS-Cert-Valid-Since" }
+ { "TLS-Client-Cert-Valid-Since", "TLS-Cert-Valid-Since" },
+ { "TLS-Client-Cert-CRL-Distribution-Points", "TLS-Cert-CRL-Distribution-Points"}
};
#define FR_TLS_SERIAL (0)
@@ -2800,11 +2801,37 @@ static char const *cert_attr_names[9][2] = {
#define FR_TLS_SAN_DNS (6)
#define FR_TLS_SAN_UPN (7)
#define FR_TLS_VALID_SINCE (8)
+#define FR_TLS_CDP (9)
static const char *cert_names[2] = {
"client", "server",
};
+/*
+ * Extract Certification Distribution point URL from the certificate
+ */
+const char *get_dp_url(DIST_POINT *dp)
+{
+ GENERAL_NAMES *gens;
+ GENERAL_NAME *gen;
+ int i, gtype;
+ ASN1_STRING *uri;
+
+ if (dp == NULL || !dp->distpoint || dp->distpoint->type != 0) {
+ return NULL;
+ }
+ gens = dp->distpoint->name.fullname;
+ for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
+ gen = sk_GENERAL_NAME_value(gens, i);
+ uri = GENERAL_NAME_get0_value(gen, >ype);
+ if (gtype == GEN_URI && ASN1_STRING_length(uri) > 6) {
+ const char *url_ptr = (const char*) ASN1_STRING_get0_data(uri);
+ return url_ptr;
+ }
+ }
+ return NULL;
+}
+
/*
* Before trusting a certificate, you must make sure that the
* certificate is 'valid'. There are several steps that your
@@ -2839,6 +2866,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
char common_name[1024];
char cn_str[1024];
char buf[64];
+ char cdp[1024];
X509 *client_cert;
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
const STACK_OF(X509_EXTENSION) *ext_list;
@@ -2978,6 +3006,28 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
}
+ /*
+ * Get the Certificate Distribution points
+ */
+ STACK_OF(DIST_POINT) *crl_dp = X509_get_ext_d2i(client_cert, NID_crl_distribution_points, NULL, NULL);
+ DIST_POINT *dp;
+ const char *url_ptr = NULL;
+ if (crl_dp != NULL) {
+ for (int i = 0; i < sk_DIST_POINT_num(crl_dp); i++) {
+ dp = sk_DIST_POINT_value(crl_dp, i);
+ if (dp != NULL) {
+ cdp[0] = '\0';
+ url_ptr = get_dp_url(dp);
+ if (url_ptr != NULL) {
+ strncpy(cdp, (char*) url_ptr, (int) strlen(url_ptr));
+ cdp[strlen(url_ptr)] = '\0';
+ vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_CDP][lookup], cdp, T_OP_ADD);
+ rdebug_pair(L_DBG_LVL_2, request, vp, NULL);
+ }
+ }
+ }
+ }
+
/*
* Get the RFC822 Subject Alternative Name
*/
Thanks
Natarajan
participants (1)
-
Natarajan M