Added TLS-Client-Cert-Subject-Alt-Name-Upn and TLS-Client-Cert-Subjec…

…t-Alt-Name-Dns attributes (intended for use with EAP-TLS and checking certificates)
FreeRADIUS · May 8, 2014 · b484c05 · b484c05
1 parent ed5c71b
commit b484c05
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 6 deletions.
diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal
@@ -490,7 +490,9 @@ ATTRIBUTE	TLS-Cert-Issuer				1912	string
 ATTRIBUTE	TLS-Cert-Subject			1913	string
 ATTRIBUTE	TLS-Cert-Common-Name			1914	string
 ATTRIBUTE	TLS-Cert-Subject-Alt-Name-Email		1915	string
-# 1916 - 1919: reserved for future cert attributes
+ATTRIBUTE	TLS-Cert-Subject-Alt-Name-Dns		1916	string
+ATTRIBUTE	TLS-Cert-Subject-Alt-Name-Upn   	1917	string
+# 1918 - 1919: reserved for future cert attributes
 ATTRIBUTE	TLS-Client-Cert-Serial			1920	string
 ATTRIBUTE	TLS-Client-Cert-Expiration		1921	string
 ATTRIBUTE	TLS-Client-Cert-Issuer			1922	string
@@ -502,8 +504,10 @@ ATTRIBUTE	TLS-Client-Cert-X509v3-Extended-Key-Usage 1927	string
 ATTRIBUTE	TLS-Client-Cert-X509v3-Subject-Key-Identifier 1928	string
 ATTRIBUTE	TLS-Client-Cert-X509v3-Authority-Key-Identifier 1929	string
 ATTRIBUTE	TLS-Client-Cert-X509v3-Basic-Constraints 1930	string
+ATTRIBUTE	TLS-Client-Cert-Subject-Alt-Name-Dns	1931	string
+ATTRIBUTE	TLS-Client-Cert-Subject-Alt-Name-Upn	1932	string
 
-# 1931 - 1939: reserved for future cert attributes
+# 1933 - 1939: reserved for future cert attributes
 
 #
 #	Range:	1940-2099

diff --git a/src/main/tls.c b/src/main/tls.c
@@ -1451,13 +1451,15 @@ static int ocsp_check(X509_STORE *store, X509 *issuer_cert, X509 *client_cert,
 /*
  *	For creating certificate attributes.
  */
-static char const *cert_attr_names[6][2] = {
+static char const *cert_attr_names[8][2] = {
   { "TLS-Client-Cert-Serial",		"TLS-Cert-Serial" },
   { "TLS-Client-Cert-Expiration",	"TLS-Cert-Expiration" },
   { "TLS-Client-Cert-Subject",		"TLS-Cert-Subject" },
   { "TLS-Client-Cert-Issuer",		"TLS-Cert-Issuer" },
   { "TLS-Client-Cert-Common-Name",	"TLS-Cert-Common-Name" },
-  { "TLS-Client-Cert-Subject-Alt-Name-Email",	"TLS-Cert-Subject-Alt-Name-Email" }
+  { "TLS-Client-Cert-Subject-Alt-Name-Email",	"TLS-Cert-Subject-Alt-Name-Email" },
+  { "TLS-Client-Cert-Subject-Alt-Name-Dns",	"TLS-Cert-Subject-Alt-Name-Dns" },
+  { "TLS-Client-Cert-Subject-Alt-Name-Upn",	"TLS-Cert-Subject-Alt-Name-Upn" }
 };
 
 #define FR_TLS_SERIAL		(0)
@@ -1466,6 +1468,8 @@ static char const *cert_attr_names[6][2] = {
 #define FR_TLS_ISSUER		(3)
 #define FR_TLS_CN		(4)
 #define FR_TLS_SAN_EMAIL       	(5)
+#define FR_TLS_SAN_DNS          (6)
+#define FR_TLS_SAN_UPN          (7)
 
 /*
  *	Before trusting a certificate, you must make sure that the
@@ -1615,7 +1619,6 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 		pairmake(NULL, certs, cert_attr_names[FR_TLS_CN][lookup], common_name, T_OP_SET);
 	}
 
-#ifdef GEN_EMAIL
 	/*
 	 *	Get the RFC822 Subject Alternative Name
 	 */
@@ -1631,10 +1634,34 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 				GENERAL_NAME *name = sk_GENERAL_NAME_value(names, i);
 
 				switch (name->type) {
+#ifdef GEN_EMAIL
 				case GEN_EMAIL:
 					pairmake(NULL, certs, cert_attr_names[FR_TLS_SAN_EMAIL][lookup],
 						 (char *) ASN1_STRING_data(name->d.rfc822Name), T_OP_SET);
 					break;
+#endif	/* GEN_EMAIL */
+#ifdef GEN_DNS
+				case GEN_DNS:
+					pairmake(NULL, certs, cert_attr_names[FR_TLS_SAN_DNS][lookup],
+						 (char *) ASN1_STRING_data(name->d.dNSName), T_OP_SET);
+					break;
+#endif	/* GEN_DNS */
+#ifdef GEN_OTHERNAME
+				case GEN_OTHERNAME:
+                                        /* look for a MS UPN */
+                                        if (NID_ms_upn == OBJ_obj2nid(name->d.otherName->type_id)) {
+                                            /* we've got a UPN - Must be ASN1-encoded UTF8 string */
+                                            if (name->d.otherName->value->type == V_ASN1_UTF8STRING) {
+                                                pairmake(NULL, certs, cert_attr_names[FR_TLS_SAN_UPN][lookup],
+                                                         (char *) ASN1_STRING_data(name->d.otherName->value->value.utf8string), T_OP_SET);
+                                                break;
+                                            } else {
+                                                RWARN("Invalid UPN in Subject Alt Name (should be UTF-8)\n");
+                                                break;
+                                            }
+                                        }
+					break;
+#endif	/* GEN_OTHERNAME */
 				default:
 					/* XXX TODO handle other SAN types */
 					break;
@@ -1644,7 +1671,6 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
 		if (names != NULL)
 			sk_GENERAL_NAME_free(names);
 	}
-#endif	/* GEN_EMAIL */
 
 	/*
 	 *	If the CRL has expired, that might still be OK.