How to check the Extended Key Usage in freeradius?

Alan DeKok aland at deployingradius.com
Mon Feb 27 18:34:02 UTC 2023


On Feb 27, 2023, at 4:18 AM, Dentzer, Daniel <Dentzer at cpa.de> wrote:
> It seems that this doesn't work for me. 

   Read the debug log.  If there's an extended key usage OID, it will show up as TLS-Client-Cert-X509v3-Extended-Key-Usage-OID.

  If there's no extended key usage OID, then it won't show up.

> In the session-state is only TLS-Session-Information, TLS-Session-Cipher-Suite, TLS-Session-Version.
> But it seems I can work directly with TLS-Client-Cert-Issuer and TLS-Client-Cert-Subject-Alt-Name-Dns, but not with TLS-Client-Cert-X509v3-Extended-Key-Usage-OID.

  Does it exist?

  Does it show up in the debug log?

  The debug log shows every TLS related attribute it creates.

> Is there a way to get TLS-Client-Cert-X509v3-Extended-Key-Usage-OID 
> - in the session-state

  Does it exist?

>  (see below ' (11)     policy debug_session_state {')
> Or
> - like TLS-Client-Cert-Issuer to use it directly

  Does TLS-Client-Cert-Issuer exist?

> ...
> freeradius | (10) eap_tls: (TLS) Creating attributes from server certificate
> freeradius | (10) eap_tls:   TLS-Cert-Serial := "1400000002219c173715ec84d9000000000002"
> freeradius | (10) eap_tls:   TLS-Cert-Expiration := "20511007092213Z"
> freeradius | (10) eap_tls:   TLS-Cert-Valid-Since := "211007115340Z"
> freeradius | (10) eap_tls:   TLS-Cert-Subject := "/DC=org/DC=example/CN=XY Sub CA"
> freeradius | (10) eap_tls:   TLS-Cert-Issuer := "/C=xxx/ST=xxx/L=xxx/O=xxx/CN=XY Root CA"
> freeradius | (10) eap_tls:   TLS-Cert-Common-Name := "XY Sub CA"
> freeradius | (10) eap_tls: (TLS) Creating attributes from client certificate
> freeradius | (10) eap_tls:   TLS-Client-Cert-Serial := "16000028666eef874492e150cd000000002866"
> freeradius | (10) eap_tls:   TLS-Client-Cert-Expiration := "240209105026Z"
> freeradius | (10) eap_tls:   TLS-Client-Cert-Valid-Since := "230209105026Z"
> freeradius | (10) eap_tls:   TLS-Client-Cert-Issuer := "/DC=org/DC=example/CN=XY Sub CA"
> freeradius | (10) eap_tls:   TLS-Client-Cert-Subject-Alt-Name-Dns := "host1.XY.example.org"
> freeradius | (10) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, 1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7"
> freeradius | (10) eap_tls:   TLS-Client-Cert-X509v3-Subject-Key-Identifier += "29:AC:A7:3F:AD:4D:C1:29:E6:1D:0B:42:B5:69:2B:0C:B2:1E:EB:16"
> freeradius | (10) eap_tls:   TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:C0:24:69:05:3E:2C:E0:26:AD:85:D9:9E:9D:16:B2:E8:4C:62:81:EC\n"
> freeradius | (10) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
> freeradius | (10) eap_tls:   TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7878633"

  OK, that's good.  For the initial creation, those attributes are in the request.  For subsequent packets, they should be in the session-state list.

> ...
> freeradius | (11) Restoring &session-state
> freeradius | (11)   &session-state:Framed-MTU = 1014
> freeradius | (11)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
> freeradius | (11)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
> freeradius | (11)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
> freeradius | (11)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
> freeradius | (11)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
> freeradius | (11)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
> freeradius | (11)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate"
> freeradius | (11)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange"
> freeradius | (11)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify"
> freeradius | (11)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
> freeradius | (11)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
> freeradius | (11)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
> freeradius | (11)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
> freeradius | (11)   &session-state:TLS-Session-Version = "TLS 1.2"

  Hmm... you can always copy the attributes to the session-state list, where they will automatically be stored and restored.

  I'll have to check what's going on behind the scenes.  It's been a while since I used v3 like this.

  Alan DeKok.
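As an added example (not Alan's code or the project's own configuration), here is one way to do the EKU check in v3 unlang. It assumes FreeRADIUS 3.0.x, the "check-eap-tls" virtual server from sites-available (enabled with "virtual_server = check-eap-tls" in the "tls" subsection of mods-available/eap), the 3.0.x meaning of "[*]" in a condition (compare every instance, true if any one matches), and policy names of my own choosing.

```unlang
#  policy.d/client_cert_eku  (policy names chosen for this example)
policy require_client_auth_eku {
	#  Each EKU OID in the client certificate becomes one instance of
	#  TLS-Client-Cert-X509v3-Extended-Key-Usage-OID.  A certificate
	#  with no EKU extension produces no instances at all.
	if (!&TLS-Client-Cert-X509v3-Extended-Key-Usage-OID) {
		update request {
			&Module-Failure-Message := "client certificate has no Extended Key Usage"
		}
		reject
	}

	#  id-kp-clientAuth is 1.3.6.1.5.5.7.3.2 (RFC 5280).  Assumed 3.0.x
	#  semantics: "[*]" in a condition compares every instance and is
	#  true if any one of them matches.
	if (!(&TLS-Client-Cert-X509v3-Extended-Key-Usage-OID[*] == "1.3.6.1.5.5.7.3.2")) {
		update request {
			&Module-Failure-Message := "client certificate lacks id-kp-clientAuth EKU"
		}
		reject
	}
}

#  Run this wherever the debug log shows the OIDs in the request (request
#  (10) in the log above).  session-state is then saved and restored for
#  the remaining packets of the same EAP conversation.
policy copy_client_cert_eku {
	if (&request:TLS-Client-Cert-X509v3-Extended-Key-Usage-OID) {
		update session-state {
			&TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += &request:TLS-Client-Cert-X509v3-Extended-Key-Usage-OID[*]
		}
	}
}

#  sites-enabled/check-eap-tls: the eap module runs this "authorize"
#  section with the TLS-Cert-* and TLS-Client-Cert-* attributes in the
#  request.  "reject" here fails the TLS handshake, so a certificate
#  without the right EKU never reaches the rest of the authentication.
server check-eap-tls {
	authorize {
		require_client_auth_eku
		update config {
			&Auth-Type := Accept
		}
	}
}
```

The Module-Failure-Message lines only make the reason visible in the debug log; the decision itself is the "reject" return from the policy.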
