surface RFC822 subject alt name
authorLuke Howard <lukeh@padl.com>
Sat, 19 Nov 2011 03:32:07 +0000 (14:32 +1100)
committerAlan T. DeKok <aland@freeradius.org>
Sun, 20 Nov 2011 12:33:36 +0000 (13:33 +0100)
raddb/sites-available/default
share/dictionary.freeradius.internal
src/main/tls.c

index 281f04a5a801a7715749b3973e7612b84a33983e..552586b7d546f893a8b70ed696d7861370f0df56 100644 (file)
@@ -532,12 +532,14 @@ post-auth {
 #             Reply-Message += "%{TLS-Cert-Subject}"
 #             Reply-Message += "%{TLS-Cert-Issuer}"
 #             Reply-Message += "%{TLS-Cert-Common-Name}"
+#             Reply-Message += "%{TLS-Cert-Subject-Alt-Name-Email}"
 #
 #             Reply-Message += "%{TLS-Client-Cert-Serial}"
 #             Reply-Message += "%{TLS-Client-Cert-Expiration}"
 #             Reply-Message += "%{TLS-Client-Cert-Subject}"
 #             Reply-Message += "%{TLS-Client-Cert-Issuer}"
 #             Reply-Message += "%{TLS-Client-Cert-Common-Name}"
+#             Reply-Message += "%{TLS-Client-Cert-Subject-Alt-Name-Email}"
 #      }
 
 
index dc8ffd215b21e022c58a11e290ff3224375212c9..42754340d09ca33562821ad4007b2e646ed55e26 100644 (file)
@@ -354,13 +354,15 @@ ATTRIBUTE TLS-Cert-Expiration                     1911    string
 ATTRIBUTE      TLS-Cert-Issuer                         1912    string
 ATTRIBUTE      TLS-Cert-Subject                        1913    string
 ATTRIBUTE      TLS-Cert-Common-Name                    1914    string
-# 1915 - 1919: reserved for future cert attributes
+ATTRIBUTE      TLS-Cert-Subject-Alt-Name-Email         1915    string
+# 1916 - 1919: reserved for future cert attributes
 ATTRIBUTE      TLS-Client-Cert-Serial                  1920    string
 ATTRIBUTE      TLS-Client-Cert-Expiration              1921    string
 ATTRIBUTE      TLS-Client-Cert-Issuer                  1922    string
 ATTRIBUTE      TLS-Client-Cert-Subject                 1923    string
 ATTRIBUTE      TLS-Client-Cert-Common-Name             1924    string
 ATTRIBUTE      TLS-Client-Cert-Filename                1925    string
+ATTRIBUTE      TLS-Client-Cert-Subject-Alt-Name-Email  1926    string
 
 #
 #      Range:  1910-2099
index 37d3618c1437b910ea7f83c8c4782ac4c90e53df..10caec4a1957287d82ba76e56c566cbd5f337470 100644 (file)
@@ -1132,12 +1132,13 @@ ocsp_end:
 /*
  *     For creating certificate attributes.
  */
-static const char *cert_attr_names[5][2] = {
+static const char *cert_attr_names[6][2] = {
   { "TLS-Client-Cert-Serial",          "TLS-Cert-Serial" },
   { "TLS-Client-Cert-Expiration",      "TLS-Cert-Expiration" },
   { "TLS-Client-Cert-Subject",         "TLS-Cert-Subject" },
   { "TLS-Client-Cert-Issuer",          "TLS-Cert-Issuer" },
-  { "TLS-Client-Cert-Common-Name",     "TLS-Cert-Common-Name" }
+  { "TLS-Client-Cert-Common-Name",     "TLS-Cert-Common-Name" },
+  { "TLS-Client-Cert-Subject-Alt-Name-Email",  "TLS-Cert-Subject-Alt-Name-Email" }
 };
 
 #define FR_TLS_SERIAL          (0)
@@ -1145,6 +1146,7 @@ static const char *cert_attr_names[5][2] = {
 #define FR_TLS_SUBJECT         (2)
 #define FR_TLS_ISSUER          (3)
 #define FR_TLS_CN              (4)
+#define FR_TLS_SAN_EMAIL               (5)
 
 /*
  *     Before trusting a certificate, you must make sure that the
@@ -1180,7 +1182,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
        char buf[64];
        X509 *client_cert;
        SSL *ssl;
-       int err, depth, lookup;
+       int err, depth, lookup, loc;
        fr_tls_server_conf_t *conf;
        int my_ok = ok;
        REQUEST *request;
@@ -1299,6 +1301,41 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
                        pairmake(cert_attr_names[FR_TLS_CN][lookup], common_name, T_OP_SET));
        }
 
+#ifdef GEN_EMAIL
+       /*
+        *      Get the RFC822 Subject Alternative Name
+        */
+       loc = X509_get_ext_by_NID(client_cert, NID_subject_alt_name, 0);
+       if (lookup <= 1 && loc >= 0) {
+               X509_EXTENSION *ext = NULL;
+               GENERAL_NAMES *names = NULL;
+               int i;
+
+               if ((ext = X509_get_ext(client_cert, loc)) &&
+                   (names = X509V3_EXT_d2i(ext))) {
+                       for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
+                               GENERAL_NAME *name = sk_GENERAL_NAME_value(names, i);
+
+                               switch (name->type) {
+                               case GEN_EMAIL:
+                                       if (ASN1_STRING_length(name->d.rfc822Name) >= MAX_STRING_LEN)
+                                               break;
+
+                                       pairadd(certs,
+                                               pairmake(cert_attr_names[FR_TLS_SAN_EMAIL][lookup],
+                                                        ASN1_STRING_data(name->d.rfc822Name), T_OP_SET));
+                                       break;
+                               default:
+                                       /* XXX TODO handle other SAN types */
+                                       break;
+                               }
+                       }
+               }
+               if (names != NULL)
+                       sk_GENERAL_NAME_free(names);
+       }
+#endif /* GEN_EMAIL */
+
        /*
         *      If the CRL has expired, that might still be OK.
         */
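Review bot: In the GEN_EMAIL case the rfc822Name is handed to pairmake() as a C string after only its length has been checked, so a name containing an embedded NUL byte would be silently truncated at that byte and the attribute would carry a shorter name than the one the CA actually signed; reject such names next to the existing length check, e.g. `if (ASN1_STRING_length(name->d.rfc822Name) >= MAX_STRING_LEN || memchr(ASN1_STRING_data(name->d.rfc822Name), '\0', ASN1_STRING_length(name->d.rfc822Name)) != NULL) break;`. The cleanup at the end of the block also leaks: `sk_GENERAL_NAME_free(names)` releases only the stack, not the GENERAL_NAME elements that X509V3_EXT_d2i() allocated, so it should read `GENERAL_NAMES_free(names);`. ASN1_STRING_data() returns `unsigned char *`, so the pairmake() argument wants a `(const char *)` cast, and the `X509_get_ext_by_NID()` call could move inside the `lookup <= 1` test since its result is otherwise unused. cbtls_verify() begins and ends outside this hunk.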