3.2.0: certificate properties - X509v3 Certificate Policies

Arnaud LAURIOU arnaud.lauriou at renater.fr
Fri Jun 3 09:40:04 UTC 2022


Hello,

On 6/3/22 10:53, Stefan Winter wrote:
> Hello,
>
>
> I also noticed that while the server logs many properties of the X.509 
> certificate (both incoming and outgoing), it does not store the fields 
> X509v3 Certificate Policies, i.e.:
>
> X509v3 Extended Key Usage:
>                TLS Web Client Authentication, TLS Web Server Authentication
>            X509v3 Subject Key Identifier:
>                48:5B:A9:3C:94:AF:72:C7:0D:B8:9A:8B:4E:0D:25:0A:13:7B:DE:36
>            X509v3 Authority Key Identifier:
>                keyid:D2:F2:23:BD:4A:A1:7F:CF:A0:58:84:EB:FC:E6:5B:08:B3:CD:B4:E4
>            X509v3 Subject Alternative Name:
>                DNS:tld1.eduroam.lu, DNS:tld2.eduroam.lu
>            X509v3 Certificate Policies:
>                Policy: 1.3.6.1.4.1.27262.1.13.1.1
>                Policy: 1.3.6.1.4.1.27262.1.13.1.1.1.4
>                Policy: 1.3.6.1.4.1.25178.3.1.1
>                Policy: 1.3.6.1.4.1.25178.3.1.2
>                Policy: 1.3.6.1.4.1.27262.1.13.2.1.1.8
>
>
> But:
>
>
> (0) (TLS) Creating attributes from client certificate
> (0)   TLS-Client-Cert-Serial := "244f65593e791e5064b98342"
> (0)   TLS-Client-Cert-Expiration := "260218163105Z"
> (0)   TLS-Client-Cert-Valid-Since := "210219163105Z"
> (0)   TLS-Client-Cert-Subject := "/DC=net/DC=geant/DC=edsuroam/C=LU/O=Fondation Restena/CN=tld1.eduroam.lu"
> (0)   TLS-Client-Cert-Issuer := "/DC=org/DC=edupki/CN=eduPKI CA G 01"
> (0)   TLS-Client-Cert-Common-Name := "tld1.eduroam.lu"
> (0)   TLS-Client-Cert-Subject-Alt-Name-Dns := "tld1.eduroam.lu"
> (0)   TLS-Client-Cert-Subject-Alt-Name-Dns := "tld2.eduroam.lu"
> (0)   TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
> (0)   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, TLS Web Server Authentication"
> (0)   TLS-Client-Cert-X509v3-Subject-Key-Identifier += "48:5B:A9:3C:94:AF:72:C7:0D:B8:9A:8B:4E:0D:25:0A:13:7B:DE:36"
> (0)   TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:D2:F2:23:BD:4A:A1:7F:CF:A0:58:84:EB:FC:E6:5B:08:B3:CD:B4:E4\n"
> (0)   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
> (0)   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.1"
>
>
> ... but no "TLS-Client-Cert-X509v3-Certificate-Policy"
Not all TLS attributes are directly available; you must add this attribute
to the dictionary to see it in debug mode and use it in unlang:

ATTRIBUTE       TLS-Client-Cert-X509v3-Certificate-Policies 3000    string

But yes, it's probably a good idea to have it by default.

Regards,

Arnaud
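To make the mechanism behind the answer above concrete, here is an added Python example (written for this page; it is not FreeRADIUS code and not something posted in the thread) that mimics how FreeRADIUS 3.x turns certificate extensions into TLS-Client-Cert-* attributes: for each extension the server takes the long name OpenSSL prints, replaces spaces with hyphens, prefixes "TLS-Client-Cert-", and creates the pair with "+=" only if the dictionary defines an attribute of exactly that name. That is why the entry has to be "Certificate-Policies" (plural, as in the reply) and not "Certificate-Policy". The sample extension block, the set of stock dictionary names and the OID helper are all constructed for the example; the Subject-Alt-Name-Dns and Extended-Key-Usage-OID attributes in the debug output come from dedicated code paths that the example does not model.

```python
import re

# Constructed sample input (not a verbatim copy of the poster's certificate): the
# extension block of the certificate quoted in the thread, laid out the way
# `openssl x509 -noout -text` prints it, four spaces before an extension name
# and eight before its value.
SAMPLE_EXTENSIONS = """\
    X509v3 Basic Constraints:
        CA:FALSE
    X509v3 Extended Key Usage:
        TLS Web Client Authentication, TLS Web Server Authentication
    X509v3 Subject Key Identifier:
        48:5B:A9:3C:94:AF:72:C7:0D:B8:9A:8B:4E:0D:25:0A:13:7B:DE:36
    X509v3 Authority Key Identifier:
        keyid:D2:F2:23:BD:4A:A1:7F:CF:A0:58:84:EB:FC:E6:5B:08:B3:CD:B4:E4
    X509v3 Subject Alternative Name:
        DNS:tld1.eduroam.lu, DNS:tld2.eduroam.lu
    X509v3 Certificate Policies:
        Policy: 1.3.6.1.4.1.27262.1.13.1.1
        Policy: 1.3.6.1.4.1.27262.1.13.1.1.1.4
        Policy: 1.3.6.1.4.1.25178.3.1.1
        Policy: 1.3.6.1.4.1.25178.3.1.2
        Policy: 1.3.6.1.4.1.27262.1.13.2.1.1.8
"""

# Attribute names the stock dictionary already defines for these extensions.
# Assumption: inferred from the debug output in the thread, not copied from
# dictionary.freeradius.internal.
STOCK_DICTIONARY = {
    "TLS-Client-Cert-X509v3-Basic-Constraints",
    "TLS-Client-Cert-X509v3-Extended-Key-Usage",
    "TLS-Client-Cert-X509v3-Subject-Key-Identifier",
    "TLS-Client-Cert-X509v3-Authority-Key-Identifier",
}

# The one-line addition to raddb/dictionary suggested in the reply.
LOCAL_DICTIONARY = """\
ATTRIBUTE       TLS-Client-Cert-X509v3-Certificate-Policies 3000    string
"""

ATTRIBUTE_LINE = re.compile(r"^\s*ATTRIBUTE\s+(\S+)\s+(\d+)\s+(\S+)")


def load_local_dictionary(text):
    """Return the attribute names defined by ATTRIBUTE lines of a dictionary file."""
    names = set()
    for line in text.splitlines():
        m = ATTRIBUTE_LINE.match(line)
        if m:
            names.add(m.group(1))
    return names


def parse_extensions(text):
    """Split an `openssl x509 -text` extension block into (name, value) pairs.

    A header is a line indented by four spaces ending in ':' (optionally
    ': critical'); the deeper-indented lines under it are the value, joined
    with newlines the way a multi-line X509V3_EXT_print() output looks.
    """
    exts = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 4:
            name = re.sub(r":( critical)?$", "", stripped)
            exts.append((name, []))
        elif exts:
            exts[-1][1].append(stripped)
    return [(name, "\n".join(lines)) for name, lines in exts]


def make_cert_attributes(ext_text, dictionary):
    """Mimic the generic extension loop of FreeRADIUS 3.x.

    For every extension the server builds 'TLS-Client-Cert-' + the OpenSSL
    long name with spaces turned into hyphens and adds the pair with '+=';
    a name the dictionary does not define is skipped.  Returns the created
    (attribute, value) pairs and the list of skipped attribute names.
    """
    created, skipped = [], []
    for name, value in parse_extensions(ext_text):
        attr = "TLS-Client-Cert-" + name.replace(" ", "-")
        if attr in dictionary:
            created.append((attr, value))
        else:
            skipped.append(attr)
    return created, skipped


# One 'Policy: <oid>' per line; tolerates the trailing newline that OpenSSL's
# printer leaves on multi-line values (compare the "\n" on the AKI value above).
POLICY_LINE = re.compile(r"^\s*Policy:\s*(\S+)\s*$", re.M)


def policy_oids(value):
    """OIDs listed in a Certificate Policies attribute value."""
    return POLICY_LINE.findall(value)


def has_policy(value, oid):
    """Exact-OID test. An unanchored substring or regex check for
    1.3.6.1.4.1.25178.3.1 would also accept 1.3.6.1.4.1.25178.3.1.1 and
    .3.1.2 (any OID below that arc), so compare whole OIDs."""
    return oid in policy_oids(value)


if __name__ == "__main__":
    created, skipped = make_cert_attributes(SAMPLE_EXTENSIONS, STOCK_DICTIONARY)
    print("skipped without the dictionary entry:", skipped)
    full = STOCK_DICTIONARY | load_local_dictionary(LOCAL_DICTIONARY)
    created, skipped = make_cert_attributes(SAMPLE_EXTENSIONS, full)
    for attr, value in created:
        print(f"{attr} += {value!r}")
    policies = dict(created)["TLS-Client-Cert-X509v3-Certificate-Policies"]
    print("has 1.3.6.1.4.1.25178.3.1.1:", has_policy(policies, "1.3.6.1.4.1.25178.3.1.1"))
```

Run stand-alone, the script first shows the Certificate Policies (and Subject Alternative Name) extension being dropped with the stock names, then the full attribute list once the local ATTRIBUTE line is loaded. The has_policy() helper is the shape an unlang check should take: the attribute value is free-form text from OpenSSL's printer, so anchor the match on a whole "Policy: <oid>" line rather than on an OID prefix.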
