Certificate information

Arran Cudbard-Bell a.cudbardb at freeradius.org
Mon Mar 30 18:05:16 CEST 2015

> On 30 Mar 2015, at 11:28, Franks Andy (IT Technical Architecture Manager) <Andy.Franks at sath.nhs.uk> wrote:
> Hi all,
>  I need to be clearer on this obviously. We have a situation where one or two senior engineers are changing infrastructure and not being open about it, they do not want to do the "teamwork" thing and I politically cannot force them to do so since they operate at the same level as me, hence me trying to check the certificate presented to see if it fell into the "acceptable" template created at the project start. It's not ideal, but the technology route will be the quicker route to resolution. Politics!
> End users cannot create certificates.
> I'll re-read the docs, but the sites-enabled/default seems to be the main place where the TLS-* attributes are mentioned.

The relevant code is here:

	/*
	 *	Grab the X509 extensions, and create attributes out of them.
	 *	For laziness, we re-use the OpenSSL names
	 */
	if (sk_X509_EXTENSION_num(ext_list) > 0) {
		int i, len;
		char *p;
		BIO *out;

		out = BIO_new(BIO_s_mem());
		strlcpy(attribute, "TLS-Client-Cert-", sizeof(attribute));

		for (i = 0; i < sk_X509_EXTENSION_num(ext_list); i++) {
			ASN1_OBJECT *obj;
			X509_EXTENSION *ext;

			ext = sk_X509_EXTENSION_value(ext_list, i);

			/*
			 *	Extension OID -> OpenSSL long name, written after the
			 *	16 byte "TLS-Client-Cert-" prefix.
			 */
			obj = X509_EXTENSION_get_object(ext);
			i2a_ASN1_OBJECT(out, obj);
			len = BIO_read(out, attribute + 16, sizeof(attribute) - 16 - 1);
			if (len <= 0) continue;

			attribute[16 + len] = '\0';

			/*
			 *	Extension value, as OpenSSL prints it in "-text" output.
			 */
			X509V3_EXT_print(out, ext, 0, 0);
			len = BIO_read(out, value, sizeof(value) - 1);
			if (len <= 0) continue;

			value[len] = '\0';

			/*
			 *	Mash the OpenSSL name to our name, and
			 *	create the attribute.  p walks the attribute name
			 *	(not value): that is where OpenSSL's spaces are.
			 */
			for (p = attribute + 16; *p != '\0'; p++) {
				if (*p == ' ') *p = '-';
			}

			vp = pairmake(talloc_ctx, certs, attribute, value, T_OP_ADD);
			rdebug_pair_list(L_DBG_LVL_2, request, vp, NULL);
		}

		BIO_free_all(out);
	}


So in theory if it appears as an X509 extension, and as Alan B said, you've created the appropriate
RADIUS attribute, it'll automatically be decoded and placed in that attribute.

I'll modify it so it prints a bit more info, like attributes that would have been defined had
the appropriate RADIUS attribute been present. That should help you a bit.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
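The mapping the snippet above applies, reconstructed as an added Python example (not FreeRADIUS code): extension names as OpenSSL prints them become TLS-Client-Cert-* attributes, pairs whose name has no dictionary entry are dropped, and the surviving pairs are compared against an agreed template. The dictionary subset, the buffer size and the sample extensions are constructed assumptions; check them against your own dictionary.freeradius.internal.

```python
# Added example, not FreeRADIUS code: mirrors how the tls.c loop names
# certificate-extension attributes and which ones pairmake() can create.
ATTR_PREFIX = "TLS-Client-Cert-"   # 16 characters, hence the "+ 16" offsets
ATTR_MAX = 256                      # assumed size of the attribute buffer

# Constructed subset of the names defined in dictionary.freeradius.internal.
# Anything not listed here is silently dropped, which is what Arran's extra
# debug output is meant to surface.
DICTIONARY = {
    "TLS-Client-Cert-X509v3-Basic-Constraints",
    "TLS-Client-Cert-X509v3-Extended-Key-Usage",
    "TLS-Client-Cert-X509v3-Subject-Key-Identifier",
    "TLS-Client-Cert-X509v3-Authority-Key-Identifier",
}

# Constructed sample of what i2a_ASN1_OBJECT()/X509V3_EXT_print() emit for a
# typical client certificate: OpenSSL long names, spaces included.
SAMPLE_EXTENSIONS = [
    ("X509v3 Basic Constraints", "CA:FALSE"),
    ("X509v3 Extended Key Usage", "TLS Web Client Authentication"),
    ("X509v3 Subject Alternative Name", "email:andy@example.org"),
    ("X509v3 Certificate Policies", "Policy: 1.3.6.1.4.1.99999.1.2"),
]


def mangle_name(openssl_name: str) -> str:
    """Build the attribute name the way the C loop does: prefix the OpenSSL
    name, truncate to the buffer, then turn spaces into dashes."""
    name = (ATTR_PREFIX + openssl_name)[:ATTR_MAX - 1]
    return name.replace(" ", "-")


def extensions_to_pairs(extensions):
    """Return (created, dropped): created mirrors what pairmake() adds to the
    certs list, dropped lists names that have no dictionary entry."""
    created, dropped = [], []
    for openssl_name, value in extensions:
        attr = mangle_name(openssl_name)
        (created.append((attr, value)) if attr in DICTIONARY
         else dropped.append(attr))
    return created, dropped


def matches_template(pairs, required):
    """Template check: every (attribute, value) the project agreed on must be
    present verbatim among the decoded pairs (last value wins on duplicates)."""
    present = dict(pairs)
    return all(present.get(attr) == val for attr, val in required.items())
```

A template requirement on an extension that was dropped for lack of a dictionary entry can never match, so define the attribute first and confirm it appears in the debug output.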
