pgsql: Allow matching the DN of a client certificate for authentication
Allow matching the DN of a client certificate for authentication
Currently we only recognize the Common Name (CN) of a certificate's
subject to be matched against the user name. Thus certificates with
subjects '/OU=eng/CN=fred' and '/OU=sales/CN=fred' will have the same
connection rights. This patch provides an option to match the whole
Distinguished Name (DN) instead of just the CN. On any hba line using
client certificate identity, there is an option 'clientname' which can
have values of 'DN' or 'CN'. The default is 'CN', the current procedure.
The DN is matched against the RFC2253 formatted DN, which looks like
'CN=fred,OU=eng'.
This facility of probably best used in conjunction with an ident map.
Discussion: /messages/by-id/92e70110-9273-d93c-5913-0bccb6562740@dunslane.net
Reviewed-By: Michael Paquier, Daniel Gustafsson, Jacob Champion
Branch
------
master
Details
-------
https://git.postgresql.org/pg/commitdiff/6d7a6feac48b1970c4cd127ee65d4c487acbb5e9
Modified Files
--------------
doc/src/sgml/client-auth.sgml | 24 +++++++++++++-
src/backend/libpq/auth.c | 34 +++++++++++++++----
src/backend/libpq/be-secure-openssl.c | 61 ++++++++++++++++++++++++++++++++---
src/backend/libpq/be-secure.c | 5 +--
src/backend/libpq/hba.c | 31 ++++++++++++++++++
src/include/libpq/hba.h | 7 ++++
src/include/libpq/libpq-be.h | 1 +
src/test/ssl/Makefile | 9 +++++-
src/test/ssl/client-dn.config | 16 +++++++++
src/test/ssl/ssl/client-dn.crt | 19 +++++++++++
src/test/ssl/ssl/client-dn.key | 27 ++++++++++++++++
src/test/ssl/t/001_ssltests.pl | 34 +++++++++++++++++--
src/test/ssl/t/SSLServer.pm | 16 +++++++++
13 files changed, 266 insertions(+), 18 deletions(-)
On 3/29/21 3:50 PM, Andrew Dunstan wrote:
Allow matching the DN of a client certificate for authentication
Currently we only recognize the Common Name (CN) of a certificate's
subject to be matched against the user name. Thus certificates with
subjects '/OU=eng/CN=fred' and '/OU=sales/CN=fred' will have the same
connection rights. This patch provides an option to match the whole
Distinguished Name (DN) instead of just the CN. On any hba line using
client certificate identity, there is an option 'clientname' which can
have values of 'DN' or 'CN'. The default is 'CN', the current procedure.The DN is matched against the RFC2253 formatted DN, which looks like
'CN=fred,OU=eng'.This facility of probably best used in conjunction with an ident map.
Discussion: /messages/by-id/92e70110-9273-d93c-5913-0bccb6562740@dunslane.net
Reviewed-By: Michael Paquier, Daniel Gustafsson, Jacob Champion
Belated credit where it's due: this work was originally based on a patch
from Kosmas Valianos of AppGate.
cheers
andrew
On 29 Mar 2021, at 21:50, Andrew Dunstan <andrew@dunslane.net> wrote:
Allow matching the DN of a client certificate for authentication
A small typo snuck in with this commit:
diff --git a/src/test/ssl/Makefile b/src/test/ssl/Makefile
index 0d6d237e7c..ecc3fe1f2e 100644
--- a/src/test/ssl/Makefile
+++ b/src/test/ssl/Makefile
@@ -235,7 +235,7 @@ ssl/client.crt: ssl/client.key ssl/client_ca.crt
rm ssl/client.csr ssl/temp.crt-# Client certificate with multi-parth DN, signed by the client CA:
+# Client certificate with multi-part DN, signed by the client CA:
ssl/client-dn.crt: ssl/client-dn.key ssl/client_ca.crt
openssl req -new -key ssl/client-dn.key -out ssl/client-dn.csr -config client-dn.config
openssl ca -name client_ca -batch -out ssl/temp.crt -config cas.config -infiles ssl/client-dn.csr--
Daniel Gustafsson https://vmware.com/