diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 53832d0..11c5961 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -563,10 +563,17 @@ hostnossl database user
In addition to the method-specific options listed below, there is one
method-independent authentication option clientcert, which
- can be specified in any hostssl record. When set
- to 1, this option requires the client to present a valid
- (trusted) SSL certificate, in addition to the other requirements of the
- authentication method.
+ can be specified in any hostssl record.
+ This option can be set to verify-ca or
+ verify-full. Both options require the client
+ to present a valid (trusted) SSL certificate, while
+ verify-full additionally enforces that the
+ CN (Common Name) in the certificate matches
+ the username or an applicable mapping.
+ This behaviour is similar to the cert autentication method
+ ( See ) but enables pairing
+ the verification of client certificates with any authentication
+ method that supports hostssl entries.
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 587b430..a3eb180 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -2263,13 +2263,24 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
(CAs) you trust in a file in the data
directory, set the parameter in
postgresql.conf to the new file name, and add the
- authentication option clientcert=1 to the appropriate
+ authentication option clientcert=verify-ca or
+ clientcert=verify-full to the appropriate
hostssl line(s) in pg_hba.conf.
A certificate will then be requested from the client during SSL
connection startup. (See for a description
- of how to set up certificates on the client.) The server will
- verify that the client's certificate is signed by one of the trusted
- certificate authorities.
+ of how to set up certificates on the client.)
+
+
+
+ For a hostssl entry with
+ clientcert=verify-ca, the server will verify
+ that the client's certificate is signed by one of the trusted
+ certificate authorities. If clientcert=verify-full
+ is specified, the server will not only verify the certificate
+ chain, but it will also check whether the username or it's
+ mapping match the common name (CN) of the provided certificate.
+ Note that this is always ensured when cert
+ authentication method is used (See ).
@@ -2293,14 +2304,33 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
client certificates against its CA file, if one is configured — but
it will not insist that a client certificate be presented.
+
+
+ Enforcing Client Certificates
- If you are setting up client certificates, you may wish to use
- the cert authentication method, so that the certificates
- control user authentication as well as providing connection security.
- See for details. (It is not necessary to
- specify clientcert=1 explicitly when using
- the cert authentication method.)
+ There are two approaches to enforce that users provide a certificate during login.
+
+
+
+ The first approach makes use of the cert authentication
+ method for hostssl entries in pg_hba.conf,
+ such that the certificate itself is used for authentication while also
+ providing ssl connection security. See for details.
+ (It is not necessary to specify any clientcert
+ options explicitly when using the cert authentication method.)
+ In this case, the CN (Common Name) provided in
+ the certificate is checked against the user name or an applicable mapping.
+
+
+
+ The second approach combines any authentication method for hostssl
+ entries with the verification of client certificates by setting the
+ clientcert authentication option to verify-ca
+ or verify-full. The former option only enforces that
+ the certificate is valid, while the latter also ensures that the
+ CN (Common Name) in the certificate matches
+ the user name or an applicable mapping.
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 3014b17..86da258 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -347,6 +347,7 @@ void
ClientAuthentication(Port *port)
{
int status = STATUS_ERROR;
+ int status_verify_cert_full = STATUS_ERROR;
char *logdetail = NULL;
/*
@@ -600,10 +601,23 @@ ClientAuthentication(Port *port)
break;
}
+ if(port->hba->clientcert_verify_full && port->hba->auth_method!=uaCert)
+ {
+#ifdef USE_SSL
+ status_verify_cert_full = CheckCertAuth(port);
+#else
+ Assert(false);
+#endif
+ }
+ else
+ {
+ status_verify_cert_full = STATUS_OK;
+ }
+
if (ClientAuthentication_hook)
(*ClientAuthentication_hook) (port, status);
- if (status == STATUS_OK)
+ if (status == STATUS_OK && status_verify_cert_full == STATUS_OK)
sendAuthRequest(port, AUTH_REQ_OK, NULL, 0);
else
auth_failed(port, status, logdetail);
@@ -2756,6 +2770,7 @@ errdetail_for_ldap(LDAP *ldap)
static int
CheckCertAuth(Port *port)
{
+ int status_check_usermap = STATUS_ERROR;
Assert(port->ssl);
/* Make sure we have received a username in the certificate */
@@ -2769,7 +2784,19 @@ CheckCertAuth(Port *port)
}
/* Just pass the certificate CN to the usermap check */
- return check_usermap(port->hba->usermap, port->user_name, port->peer_cn, false);
+ status_check_usermap = check_usermap(port->hba->usermap, port->user_name, port->peer_cn, false);
+ if (status_check_usermap != STATUS_OK)
+ {
+ /* If clientcert=verify-full was specified and the authentication method
+ * is other than uaCert, give a hint about clientcert=verify-full. */
+ if (port->hba->clientcert_verify_full && port->hba->auth_method!=uaCert)
+ {
+ ereport(LOG,
+ (errmsg("certificate validation failed for user \"%s\": common name in client certificate does not match user name or mapping, but clientcert=verify-full is enabled.",
+ port->user_name)));
+ }
+ }
+ return status_check_usermap;
}
#endif
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index acf625e..a5b0683 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -1675,10 +1675,17 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline,
*err_msg = "clientcert can only be configured for \"hostssl\" rows";
return false;
}
- if (strcmp(val, "1") == 0)
+ if (strcmp(val, "1") == 0
+ || strcmp(val, "verify-ca") == 0)
{
hbaline->clientcert = true;
}
+ else if(strcmp(val, "2") == 0
+ || strcmp(val, "verify-full") == 0)
+ {
+ hbaline->clientcert = true;
+ hbaline->clientcert_verify_full = true;
+ }
else
{
if (hbaline->auth_method == uaCert)
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 5f68f4c..309db47 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -87,6 +87,7 @@ typedef struct HbaLine
char *ldapprefix;
char *ldapsuffix;
bool clientcert;
+ bool clientcert_verify_full;
char *krb_realm;
bool include_realm;
bool compat_realm;