3.2.0: certificate properties - X509v3 Certificate Policies
Hello, I also noticed that while the server logs many properties of the X.509 certificate (both incoming and outgoing), it does not store the fields X509v3 Certificate Policies, i.e.: X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication X509v3 Subject Key Identifier: 48:5B:A9:3C:94:AF:72:C7:0D:B8:9A:8B:4E:0D:25:0A:13:7B:DE:36 X509v3 Authority Key Identifier: keyid:D2:F2:23:BD:4A:A1:7F:CF:A0:58:84:EB:FC:E6:5B:08:B3:CD:B4:E4 X509v3 Subject Alternative Name: DNS:tld1.eduroam.lu, DNS:tld2.eduroam.lu X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.27262.1.13.1.1 Policy: 1.3.6.1.4.1.27262.1.13.1.1.1.4 Policy: 1.3.6.1.4.1.25178.3.1.1 Policy: 1.3.6.1.4.1.25178.3.1.2 Policy: 1.3.6.1.4.1.27262.1.13.2.1.1.8 But: (0) (TLS) Creating attributes from client certificate (0) TLS-Client-Cert-Serial := "244f65593e791e5064b98342" (0) TLS-Client-Cert-Expiration := "260218163105Z" (0) TLS-Client-Cert-Valid-Since := "210219163105Z" (0) TLS-Client-Cert-Subject := "/DC=net/DC=geant/DC=eduroam/C=LU/O=Fondation Restena/CN=tld1.eduroam.lu" (0) TLS-Client-Cert-Issuer := "/DC=org/DC=edupki/CN=eduPKI CA G 01" (0) TLS-Client-Cert-Common-Name := "tld1.eduroam.lu" (0) TLS-Client-Cert-Subject-Alt-Name-Dns := "tld1.eduroam.lu" (0) TLS-Client-Cert-Subject-Alt-Name-Dns := "tld2.eduroam.lu" (0) TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE" (0) TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, TLS Web Server Authentication" (0) TLS-Client-Cert-X509v3-Subject-Key-Identifier += "48:5B:A9:3C:94:AF:72:C7:0D:B8:9A:8B:4E:0D:25:0A:13:7B:DE:36" (0) TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:D2:F2:23:BD:4A:A1:7F:CF:A0:58:84:EB:FC:E6:5B:08:B3:CD:B4:E4\n" (0) TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" (0) TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.1" ... but no "TLS-Client-Cert-X509v3-Certificate-Policy" In eduroam, we use certificate policy entries to denote "This is an authorized eduroam server" (or ..."client", or both), so it is required as an authz check to act on the policy OIDs present in the cert (the ones with vendor ID 25178 above). Greetings, Stefan Winter -- This email may contain information for limited distribution only, please treat accordingly. Fondation Restena, Stefan WINTER Chief Technology Officer 2, avenue de l'Université L-4365 Esch-sur-Alzette
Hello, On 6/3/22 10:53, Stefan Winter wrote:
Hello,
I also noticed that while the server logs many properties of the X.509 certificate (both incoming and outgoing), it does not store the fields X509v3 Certificate Policies, i.e.:
X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication X509v3 Subject Key Identifier: 48:5B:A9:3C:94:AF:72:C7:0D:B8:9A:8B:4E:0D:25:0A:13:7B:DE:36
X509v3 Authority Key Identifier: keyid:D2:F2:23:BD:4A:A1:7F:CF:A0:58:84:EB:FC:E6:5B:08:B3:CD:B4:E4
X509v3 Subject Alternative Name: DNS:tld1.eduroam.lu, DNS:tld2.eduroam.lu X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.27262.1.13.1.1 Policy: 1.3.6.1.4.1.27262.1.13.1.1.1.4 Policy: 1.3.6.1.4.1.25178.3.1.1 Policy: 1.3.6.1.4.1.25178.3.1.2 Policy: 1.3.6.1.4.1.27262.1.13.2.1.1.8
But:
(0) (TLS) Creating attributes from client certificate (0) TLS-Client-Cert-Serial := "244f65593e791e5064b98342" (0) TLS-Client-Cert-Expiration := "260218163105Z" (0) TLS-Client-Cert-Valid-Since := "210219163105Z" (0) TLS-Client-Cert-Subject := "/DC=net/DC=geant/DC=edsuroam/C=LU/O=Fondation Restena/CN=tld1.eduroam.lu" (0) TLS-Client-Cert-Issuer := "/DC=org/DC=edupki/CN=eduPKI CA G 01" (0) TLS-Client-Cert-Common-Name := "tld1.eduroam.lu" (0) TLS-Client-Cert-Subject-Alt-Name-Dns := "tld1.eduroam.lu" (0) TLS-Client-Cert-Subject-Alt-Name-Dns := "tld2.eduroam.lu" (0) TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE" (0) TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, TLS Web Server Authentication" (0) TLS-Client-Cert-X509v3-Subject-Key-Identifier += "48:5B:A9:3C:94:AF:72:C7:0D:B8:9A:8B:4E:0D:25:0A:13:7B:DE:36" (0) TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:D2:F2:23:BD:4A:A1:7F:CF:A0:58:84:EB:FC:E6:5B:08:B3:CD:B4:E4\n" (0) TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" (0) TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.1"
... but no "TLS-Client-Cert-X509v3-Certificate-Policy" Not all TLS attributes are directly available, you must add this attribute in the dictionary to see it in debug mode and use it with unlang : ATTRIBUTE TLS-Client-Cert-X509v3-Certificate-Policies 3000 string
But yes, it's probably a good idea to have it by default. Regards, Arnaud
On Jun 3, 2022, at 4:53 AM, Stefan Winter <stefan.winter@restena.lu> wrote:
I also noticed that while the server logs many properties of the X.509 certificate (both incoming and outgoing), it does not store the fields X509v3 Certificate Policies, i.e.: ... ... but no "TLS-Client-Cert-X509v3-Certificate-Policy"
In eduroam, we use certificate policy entries to denote "This is an authorized eduroam server" (or ..."client", or both), so it is required as an authz check to act on the policy OIDs present in the cert (the ones with vendor ID 25178 above).
We can add this to dictionary.freeradius.internal: ATTRIBUTE TLS-Client-Cert-X509v3-Certificate-Policies 1939 string If that works, I'll commit a patch. Alan DeKok.
participants (3)
-
Alan DeKok -
Arnaud LAURIOU -
Stefan Winter