
config: support client certificate SAN match #4453

Merged
merged 2 commits into main from kenjenkins/mtls-san-match Aug 11, 2023

Conversation

kenjenkins
Contributor

Summary

Add a new match_subject_alt_names option to the downstream_mtls settings group. This setting can be used to further constrain the allowed client certificates by requiring that certificates contain a Subject Alternative Name of a particular type, matching a particular regex.

When set, populate the corresponding match_typed_subject_alt_names setting within Envoy, and also implement a corresponding check in the authorize service (owing to #4396).

Related issues

#4353

User Explanation

Add a new match_subject_alt_names option to the downstream mTLS settings, which accepts a list of Subject Alternative Name (SAN) match conditions. This can be used to further constrain the set of trusted client certificates. Each SAN match condition consists of a SAN type (one of dns, email, ip_address, or uri) and a regular expression match pattern (using RE2 syntax). When this option is set, Pomerium will additionally require that client certificates contain at least one SAN entry that satisfies any one of the match conditions.

Checklist

  • reference any related issues
  • updated docs
  • updated unit tests
  • updated UPGRADING.md
  • add appropriate tag (improvement / bug / etc)
  • ready for review

Add a new match_subject_alt_names option to the downstream_mtls settings
group. This setting can be used to further constrain the allowed client
certificates by requiring that certificates contain a Subject
Alternative Name of a particular type, matching a particular regex.

When set, populate the corresponding match_typed_subject_alt_names
setting within Envoy, and also implement a corresponding check in the
authorize service.
@kenjenkins kenjenkins requested a review from a team as a code owner August 10, 2023 20:32
@coveralls

coveralls commented Aug 10, 2023


coverage: 63.997% (+0.05%) from 63.951% when pulling 94efdc1 on kenjenkins/mtls-san-match into ed9a93f on main.

@kenjenkins kenjenkins merged commit 5568606 into main Aug 11, 2023
9 checks passed
@kenjenkins kenjenkins deleted the kenjenkins/mtls-san-match branch August 11, 2023 20:27