diff --git a/server/auth.go b/server/auth.go index 9bc96ac94f..a585725011 100644 --- a/server/auth.go +++ b/server/auth.go @@ -15,6 +15,8 @@ package server import ( "crypto/tls" + "crypto/x509/pkix" + "encoding/asn1" "encoding/base64" "fmt" "net" @@ -527,6 +529,26 @@ func (s *Server) processClientOrLeafAuthentication(c *client) bool { return false } +func getTLSAuthDCs(rdns *pkix.RDNSequence) string { + dcOID := asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 25} + dcs := []string{} + for _, rdn := range *rdns { + if len(rdn) == 0 { + continue + } + for _, atv := range rdn { + value, ok := atv.Value.(string) + if !ok { + continue + } + if atv.Type.Equal(dcOID) { + dcs = append(dcs, "DC="+value) + } + } + } + return strings.Join(dcs, ",") +} + func checkClientTLSCertSubject(c *client, fn func(string) bool) bool { tlsState := c.GetTLSConnectionState() if tlsState == nil { @@ -568,6 +590,22 @@ func checkClientTLSCertSubject(c *client, fn func(string) bool) bool { } } + // Try to get the full RDN Sequence that includes the domain components. + var rdns pkix.RDNSequence + if _, err := asn1.Unmarshal(cert.RawSubject, &rdns); err == nil { + // If found domain components then include roughly following + // the order from https://tools.ietf.org/html/rfc2253 + rdn := cert.Subject.ToRDNSequence().String() + dcs := getTLSAuthDCs(&rdns) + if len(dcs) > 0 { + u := strings.Join([]string{rdn, dcs}, ",") + if fn(u) { + c.Debugf("Using RDNSequence for auth [%q]", u) + return true + } + } + } + // Use the subject of the certificate. u := cert.Subject.String() c.Debugf("Using certificate subject for auth [%q]", u) diff --git a/test/configs/certs/rdns/ca.key b/test/configs/certs/rdns/ca.key new file mode 100644 index 0000000000..887e9972bf --- /dev/null +++ b/test/configs/certs/rdns/ca.key 
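Review bot: getTLSAuthDCs appends every DC value unescaped (`"DC="+value`), while the subject string it is later joined with comes from `pkix.RDNSequence.String()`, which escapes `,`, `+`, `"`, `\`, `<`, `>`, `;`, leading/trailing spaces and a leading `#` per RFC 4514; one DC attribute whose value contains `,DC=` therefore yields the same user name as two separate DC attributes, and a DC value containing any of those characters can never be matched exactly from the `users` config. Escape the value the way the standard library does before concatenating (the `pkix` package has no name for the DC OID, which is presumably why this patch defines its own `DC=` form), and give the function a doc comment stating that format, e.g. `// getTLSAuthDCs returns the domainComponent attributes of rdns, in certificate order, as "DC=v1,DC=v2" (empty when there are none).` Minor style: `rdns` need not be a pointer (an RDNSequence is already a slice), `var dcs []string` is the idiomatic empty slice, the `len(rdn) == 0` guard is redundant with the inner range, and `dcOID` can be a package-level var instead of being rebuilt on every call.
```go
// escapeRDNValue escapes v the way pkix.RDNSequence.String does (RFC 4514 §2.4),
// so a DC value cannot be confused with the "," and "DC=" separators used below.
func escapeRDNValue(v string) string {
	var b strings.Builder
	for i, r := range v {
		switch {
		case r == ',' || r == '+' || r == '"' || r == '\\' || r == '<' || r == '>' || r == ';',
			r == ' ' && (i == 0 || i == len(v)-1),
			r == '#' && i == 0:
			b.WriteByte('\\')
		}
		b.WriteRune(r)
	}
	return b.String()
}

// … unchanged: getTLSAuthDCs signature and loops up to the DC check …
			if atv.Type.Equal(dcOID) {
				dcs = append(dcs, "DC="+escapeRDNValue(value))
			}
// … unchanged: remaining loop closers and strings.Join …
```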
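Review bot: The fallback after the DC-qualified lookup in checkClientTLSCertSubject is security-relevant and undocumented: when `fn` rejects `rdn + "," + dcs`, control falls through to the existing `cert.Subject.String()` check, so a user configured without DCs still matches certificates carrying any DC values (the new test case "RDN sequence partially matches" relies on exactly this). The comment "roughly following the order from https://tools.ietf.org/html/rfc2253" understates what is done — the DC components are pulled out of their position in the sequence and appended after the RFC 2253 string rather than leading it — so state the actual contract, e.g. `// Match first on the subject plus its domain components ("CN=...,C=US,DC=a,DC=b": DCs are appended in certificate order, not in RFC 2253 order); if no user matches, fall back to the bare subject so users configured without DCs keep matching.` Also `rdn` appears to be the same value as the `u` computed a few lines below from `cert.Subject.String()` (confirm for the Go version in use); computing it once would avoid the two names for one identity. checkClientTLSCertSubject starts before and ends after this hunk.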
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpgIBAAKCAQEAwIYeRgshZUbWnsnVFYqJvMlRwmYKpHGq1cxG2HIKJZMMJO4c +Tipguyt0bPJMQiGzsPUpzUIi3m1tNlQnQhmpBo4C1NSSRhx8My4z1796OkzerCMV +MKEP8weC9Vhz2mUMBQbrRvAcNJhoPksWJ2kSGxdUdKIqoFGDMu40ir5zxHyCA410 +vG7IIJlaDKpwuXl1IFjEaI5DWnDUAvSxciG86yZVaekRYEJNSPSPL1Er5ee40ukP +C66JCYas9a+4Lk5rQhlYSoUsimPebagKP99T+oNVyQSSQ0rqaNNV+7i0uEx9KH+7 +OC8B8+fUlE891hjnAJ20P0wJnMC/pFzzsvI8rQIDAQABAoIBAQCrKJFRhCO0fj3f +/V/LPtclV3WwdjeP6t4OJQX296u9q/Vn/6h6dYJ55DAli2PwhzXRZKQ9L0cAqBgn +7LjaMyXqBebOgA1q93gTqEe+zyRDIIP2VVpJWWdskIkExhZ5WsxMy9HvxxfMSpKi +ju6rKuZF33/eES4ESXNynANqNdeGHf5ZWI2BI8ekPLbS6EE+PcJPq2vK8gkhFFyb +ie9qqgU9DthSwJhqT7dilTllLz6gOj3dtYODaji4yLNkalRWe6JGO1v/ZxqWgpnk +ZHTATxgiyjWJ0AJGH1tqxHBU1MmKHEEsc3lXdxC+FWbAnfbMgQq+BZSBjcyAOip6 +0FHdrvKhAoGBAPWI7b1Yo2Ov2iJtH4VJh2vqX5q+EQchO9XCKW82lOfoXXCGrG7g +n5uuQuCAfEHzkeHDMVzDvoLJAHUz74eLuYm1voKLW+CjT+L9LYZMvLs3ygJvq5g9 +5pYPZbP2bax2sV2coXs/tv2gyMIYyrsPtln6ngW9y/SrC13j7ibffaJ/AoGBAMi6 +xzH8n2Fz2y76Vw3/JwFQNJY3qZy7jjcFd3KCTSzbDAHzMOpwRjSrecacF//G/bn+ +BaeOWowFZSh6ps7g3jyLWIpWS1Azk9t9+8sbt4bcX5XV92GeCu91X5gjSfwiXfJ7 +Ar7itX5zFMl74jBoJcd7ikS1BUZozcOon6x2F7LTAoGBAOqXYU4/mhxsr+WkjTE0 +B4c77wxR/MLrJdgeIqh3Zd4NTPluMuHdC6Ia5RrKp+37Ya5qaIdRHnymvyE79edz +wFmqo9Lmg2olnvYpH43pU4kszH13ZGOZAO7u1yUSlcbpwJzIQiEXxyacsDOCrG/9 +myRtJv4lUPD7W2jhlXDep5LRAoGBAKuEJXcJ9CnyNCRVFpPIJM0Teous7koVXPSY +wDLhMg6U8RKteWupGeQhbYGOmVcd8mm9q5k7oxUn+wL2opf9PwgezT4PdHUITVvs +r30iptQec7J1TNdlktR/x3oZFTvTJdFu2K7AyvJMZUOwjlpsc3OblU8WGnbKUJ/R +8vYLRj6vAoGBANoD3vrUz4Zq0tAfn31X4iNBe8TF6c0lx+NOcQ4IJHKHulxx+rHS +h8UjublG5rx8qL62D4SiVp+m12ibSrLaJpC5IqSy6cFjHNUzXcok4Oou7dpMsMkn +2uHsmL4iJJkUBIowADJ2mAyPnnOj0yQilna9o+pDqoW+bG0+7NoyHcV0 +-----END RSA PRIVATE KEY----- diff --git a/test/configs/certs/rdns/ca.pem b/test/configs/certs/rdns/ca.pem new file mode 100644 index 0000000000..97526cf802 --- /dev/null +++ b/test/configs/certs/rdns/ca.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIUd2k/q8WQFq6AZFyTtYu651Ds+cgwDQYJKoZIhvcNAQEL +BQAwajELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcM +C0xvcyBBbmdlbGVzMQ0wCwYDVQQKDAROQVRTMQ0wCwYDVQQLDAROQVRTMRIwEAYD +VQQDDAlsb2NhbGhvc3QwHhcNMjAwNTA5MjEwNTExWhcNMjUwNTA5MjEwNTExWjBq +MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9z +IEFuZ2VsZXMxDTALBgNVBAoMBE5BVFMxDTALBgNVBAsMBE5BVFMxEjAQBgNVBAMM +CWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMCGHkYL +IWVG1p7J1RWKibzJUcJmCqRxqtXMRthyCiWTDCTuHE4qYLsrdGzyTEIhs7D1Kc1C +It5tbTZUJ0IZqQaOAtTUkkYcfDMuM9e/ejpM3qwjFTChD/MHgvVYc9plDAUG60bw +HDSYaD5LFidpEhsXVHSiKqBRgzLuNIq+c8R8ggONdLxuyCCZWgyqcLl5dSBYxGiO +Q1pw1AL0sXIhvOsmVWnpEWBCTUj0jy9RK+XnuNLpDwuuiQmGrPWvuC5Oa0IZWEqF +LIpj3m2oCj/fU/qDVckEkkNK6mjTVfu4tLhMfSh/uzgvAfPn1JRPPdYY5wCdtD9M +CZzAv6Rc87LyPK0CAwEAAaNTMFEwHQYDVR0OBBYEFJQ0pEcUeNZleMh6GxA51NW4 +7MsIMB8GA1UdIwQYMBaAFJQ0pEcUeNZleMh6GxA51NW47MsIMA8GA1UdEwEB/wQF +MAMBAf8wDQYJKoZIhvcNAQELBQADggEBABluyDWCpMpIZxCO223YsqVLCFAA+3Ns +ZAFLRyurMfZrBp7lJdrcZzkPcp6Hea0WJ9Rif/7gBGSYdVqlyPNj4W8nfJfys9Vr +X9xfO4PyWE89Sa8aH1JQUifDeK0SMsj9HBRAiFqNuLdC6a2plQvQHhIyN/mnfQZs +a0EVC09zEBrlZaXlZpf/cUok6VLEPmBqL4Y4IJFAFHPSMZRigXL/We7x+Dsumzkh +5szEvBbktZNteZZcxnikBcS1ezmbGnz3l5OI65KM5JSkyxlvX5LnCNUl84z4dk/i +1CTi8YUaJtSfe1lfUlDZY/QKPCLKgwz/DQqhnwsWC8uplJtiN9lIOtU= +-----END CERTIFICATE----- diff --git a/test/configs/certs/rdns/client-a.key b/test/configs/certs/rdns/client-a.key new file mode 100644 index 0000000000..b40632e633 --- /dev/null +++ b/test/configs/certs/rdns/client-a.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA05xm/LJ7bvzFltT1sHSfSSmqAqhgKLwLB4f49bYn7vvfz2tR +BY9N8ecPGh9s3ZYjEAFiLIGGhLDtShdHQxvXoM3V1N9VpFXFe5FzOrSe5ZVx71BS +GZbWKJijtjDHq+OH7RF62d9+p6jvJT/DEGzpHGS33GAoiBBnSBYfp8uio4F/v1o8 +4qaK1iTjaWa1E2SbUor3Zl88IK9olXrsX8P8wYflaxIlSD5KBXJoXIyY6SFNwklj +qPq1Cq0gS0axcVU+osCt/iClunF6kV9r4www88w4XRPCFJM+QyYtPFy+CUR0BOua +XbWs1hCyNeTrk1efQjY1qJOahZG+qdbiFt8lAwIDAQABAoIBAEjQfaOgatbTBc6T +8wLH7nOHcae+dnAt3IG36RPrnSwf4XCHFfcay5BcmJa9j4FkAyajwztbSoVoOA6R +mgTelMERcu3v95E3rl+JuiPOOQr49J6LfeSuQXzwoQy1Fk/wWDpcFHDZ9cQNXlTr +7tw9Da2mfpnHQMspEdD9Q+FCMfGeoq8A4aSm0KDXqChB+HhPZlPNt9TA8/It8imN +NzniziQ797QicD7i7Yy9OeJEzQ+mUY3Sew1yxI4wmF+vsv2NAqgQgTMKyQ0Vv5js +aqR0URD182qDLbJ5PvmYyLc+TJyaixU0Qf5PgIbrBirBuV7UBOfraFkOXuV6Iyd6 +i/nt8CECgYEA74Tr5YyAciH0xpBza8PLoxnxP1UQDsp+sDL4STR8Y/lOUX/yYiqq +om2NNM4FauEB63GqoYFqnEwTXwy4yU4vaOhjg86098mp2BdPo6ANLO+maK7+YvvW +uAQwy25wG1IjqBH3yltOiOx/zCwoIfr1+xbbx68JiPCzLrUFn0YC3DMCgYEA4ivh +9FRLESLMjiRQq+CnzKweTcAWfQbLmovFTJMSMkufpQ8TCyblE/PQvOkwZql3BP/f +ZfzzB5p6B+Vzhz6nXue/YTPQZM0AHV3OZj/lw0ifgDuuohD45p2ASDpY+y7VbDKI +Bcn3W8hJcqWf/0umBIa2AOYnOhlEllz8uQrBw/ECgYB7T2dTCn6mQ60M/RkvBeI0 +2gpFnLljpASNGfCRX6AaqCMV+lUDDQxECzqDUP2hBK5EVISQGVyVkuT2LkqD+OiX +jeyN00F/wCbcxUOO7btawxZdFpqIwzbMDfxA/15f8m3A/V8gotlPzNIOfz06IUW6 +Ow5zQz4ZbjIRfcijMxwN2QKBgCcIB7CQs3u7k62cGsfut0adFYW5dqgQ+iYrpNr4 +LpW7c0ua9GBiT/pHg2h2ncG50S5tsfH52z8eq5ydPnjCmUPJnr95n6clsbVfsPT4 +ZgBzkgMhSZvybeHuoGrWlvCSPoazmcHV/vg58mL0rk3yki4JyXMSRQbDwZBpb7vH +XXUhAoGBAOkqak1DcPZVSinpb/irgvBPd2GzeWyaNh9MKBcGMeG7h3w6Dy/0Gkv3 +DyyEf4BLxPKZ3QNx0Ni2lJ810Al2Kd7j4esDzTZDNmv8buC2jXV+aIL3XvfYjyix +SDyE50LcqLiPJwmADpoHMDYvO6sOm8RmhbzbkdJgwZOvh/so3CZX +-----END RSA PRIVATE KEY----- diff --git a/test/configs/certs/rdns/client-a.pem b/test/configs/certs/rdns/client-a.pem new file mode 100644 index 0000000000..620337dac9 --- /dev/null +++ b/test/configs/certs/rdns/client-a.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDdTCCAl0CAQEwDQYJKoZIhvcNAQELBQAwajELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcyBBbmdlbGVzMQ0wCwYDVQQKDARO +QVRTMQ0wCwYDVQQLDAROQVRTMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjAwNTA5 +MjEwNTE2WhcNMzAwNTA3MjEwNTE2WjCBljELMAkGA1UEBhMCVVMxEzARBgNVBAgM +CkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcyBBbmdlbGVzMQ0wCwYDVQQKDAROQVRT +MQ0wCwYDVQQLDAROQVRTMRIwEAYDVQQDDAlsb2NhbGhvc3QxFDASBgoJkiaJk/Is +ZAEZFgRmb28xMRQwEgYKCZImiZPyLGQBGRYEZm9vMjCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBANOcZvyye278xZbU9bB0n0kpqgKoYCi8CweH+PW2J+77 +389rUQWPTfHnDxofbN2WIxABYiyBhoSw7UoXR0Mb16DN1dTfVaRVxXuRczq0nuWV +ce9QUhmW1iiYo7Ywx6vjh+0Retnffqeo7yU/wxBs6Rxkt9xgKIgQZ0gWH6fLoqOB +f79aPOKmitYk42lmtRNkm1KK92ZfPCCvaJV67F/D/MGH5WsSJUg+SgVyaFyMmOkh +TcJJY6j6tQqtIEtGsXFVPqLArf4gpbpxepFfa+MMMPPMOF0TwhSTPkMmLTxcvglE +dATrml21rNYQsjXk65NXn0I2NaiTmoWRvqnW4hbfJQMCAwEAATANBgkqhkiG9w0B +AQsFAAOCAQEArO7c3bIBfy/U0HOiqiWkFrfly/tbOSQecdV8PW3SaY2P/VLINi67 +NLfe4dhWw6nRE8zdLCOoXc5F60cfx1jYZd7vF44q6Mwn52atcoX49m17+1EmDeOS +TJFkm3FU993O8jTSTRO6ysoiuIHImHWrWCnEY8lhhQoHQVDWiCtdxTkahqXvS+VD +5xcxGWG2uY9sJx0ISXpyYkcoh24H92xEaswGlYFQEUEmf1tLRRbRqkq93qqlfHrn +VPRQ4y/sINmBMwk+ftMhZtKiDu5xb1yP+ePoczgkKfsbJy8rh7rZJPvor4avX+7F +9dn3Vm8IGdmqrNp2K9Du/zIWyXtkVJ7Wyw== +-----END CERTIFICATE----- diff --git a/test/configs/certs/rdns/client-b.key b/test/configs/certs/rdns/client-b.key new file mode 100644 index 0000000000..02d15b80d5 --- /dev/null +++ b/test/configs/certs/rdns/client-b.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAtnCJemodpMZaQ0HecKito1c2uVz/FNg4k2PlRHy5QVqVtQ10 +/KosU5UR/IdKQim+DXwpE1rs199aZG/JR6uo8wZlOdLFEzAI4OHRT9Gh0VNaldbV +BeEB/HL7icXMJuBjoO4+XandE6XYRxWIxODfjSfLfFe7Hf1XUNQoemJNU8QYPBuS +al8YaqnxLHp/7ZW6u+EnKJUdjF4t6Q4UF9tXELeXG5BgHkCUjFlfJtepEebdktUJ +0Gfmopa/apLAHjH2nOSs9/02UPZEWOXNeQ0S/C+KhMdagBfrKQi17x7CtFptP2zp +icvZNmt8Lup+JBbr1w8Im6tgr5tFz+Bodm7KywIDAQABAoIBAGHfIYGQZ/K7jjTC +o2hgtTYJVYw/fYBbNo6rapVBK8kJpYKJg5cAW+NC93E3yviPmCt3zjlZ7/EnG0EC +T0KprmshpTBOB/dxL3Ik8rsVRPAc/V2g8IrE2OHrdVHF0O2SNyBgbwikVbtynwIT +ZVnpIUSCcsFz9yfxfuQXzNdK4RzsDxG1uMBQh4BdD67s0wO4bp8XIMbCezIKPsU+ +fDco7g8jJgei4YAujAEWYRT3Cw6sTHyCmyTbGcdh1QMoFYdY5HKf842ihkRXRLgq +jDfy6bvUH2Vu1fXvgykaIdgnHEl9TzoAtOPffnCsbrym9wRP8kRhNTBNcHnHa9Xp +NmuQgQECgYEA7ObxBZ9AiIOBev2YaaW9uV0B3BA/UrynDxkwTLW++W2mGhXNABin +pKttfIGcR7lqCVAP6UMZ84mudG7cO3Jfru5PoZ0tNPmVN2KybyoH8B9BfWJuaI4M +r490Su/MhyMvWHbKsBnAdO9QttbtkIpHUKELx/c94w0/TXv5fHlGH4sCgYEAxSWg +m4QlN/sL+fZYt17mmEYs7cM/+jljJSpDYzy79ywjsq5KzRb4dAn4pCHJdH9yp+WE +KjYHFQ3mlg/f3yd4qW5i5zo0rcYELP1QCjCtbTNrae6H/MoHcEEwQzHvRml5ExIA +cHsfv45tTX+OsJ3wlj4gxkY+y/G6OTXDj5UDacECgYBl1fCNxiNri3xBbnnyEDk6 +UWzXOHTAEDCQIPfOQeJSPnxEglKZU//cnYR3HRAdFOssDaqJTzr8oZbInk81jrjq +7a51fqdMOm2WXWrutlarNgRk7ccgUs/JOBV5kROOk+VqVcZTZP6CRc2gi0ub8pUt +Z800rGeCDtPDbyOUCl3GeQKBgCSm0i0XbDP0IE3gVq4Anq5Anam2WvaSJLSMHusc +J3XUZu6ZKJ7oXlh0Yh1hiqp150L/kIqocLihVPUhDmXWWMBnHUwPriuAXNZgYbkD +Q7rBjH6tMer1RFzCQc68Qde9VB0Pg7VlrolWWUvHIygCtO+5rS4vcQ1Ja22naSwQ +cAoBAoGARzbjMI91d647stZN7zynPg9081XZmr0oqLaXStl0GudZXMxu4B6V+dlp +g9EBCUDi8XuM/5hv8kgc+QjTqe5Vtea+h8u3jHs4+u9pYdInBDY7dY4SoFbpBeb7 +zPpzGxgxgANDUceTlYdXZFURrefVcqxzz/ar94dkv1RAjilVoN8= +-----END RSA PRIVATE KEY----- diff --git a/test/configs/certs/rdns/client-b.pem b/test/configs/certs/rdns/client-b.pem new file mode 100644 index 0000000000..53a3117722 --- /dev/null +++ b/test/configs/certs/rdns/client-b.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSDCCAjACAQEwDQYJKoZIhvcNAQELBQAwajELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcyBBbmdlbGVzMQ0wCwYDVQQKDARO +QVRTMQ0wCwYDVQQLDAROQVRTMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjAwNTA5 +MjEwNTE5WhcNMzAwNTA3MjEwNTE5WjBqMQswCQYDVQQGEwJVUzETMBEGA1UECAwK +Q2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9zIEFuZ2VsZXMxDTALBgNVBAoMBE5BVFMx +DTALBgNVBAsMBE5BVFMxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALZwiXpqHaTGWkNB3nCoraNXNrlc/xTYOJNj5UR8 +uUFalbUNdPyqLFOVEfyHSkIpvg18KRNa7NffWmRvyUerqPMGZTnSxRMwCODh0U/R +odFTWpXW1QXhAfxy+4nFzCbgY6DuPl2p3ROl2EcViMTg340ny3xXux39V1DUKHpi +TVPEGDwbkmpfGGqp8Sx6f+2VurvhJyiVHYxeLekOFBfbVxC3lxuQYB5AlIxZXybX +qRHm3ZLVCdBn5qKWv2qSwB4x9pzkrPf9NlD2RFjlzXkNEvwvioTHWoAX6ykIte8e +wrRabT9s6YnL2TZrfC7qfiQW69cPCJurYK+bRc/gaHZuyssCAwEAATANBgkqhkiG +9w0BAQsFAAOCAQEAXqrZXT2sWalVn8n7pBsK7KMLtECyhYNMtfLRwkJvjA691DDZ +6/w402H3tl2+dfU8CYkB/kx2rVATiQCl7aYcJnIHthNYN2YBU99w8+7r9xYIHye4 +3ErtsgSuAtxmxKGHk/FeR4mqzuRfsv7NGuKqZRspEMH3c2sTgA0mnkBjfjuZo4wf +K8u77kFAMrwVl4Jr5sgXgjS4xCJVEGhvjrrLWfOrP4Cj6apd8ZFT7LQ2iDuSH73v +596HEPVO2nb5ONbWsbTtqbxldyTA/v7TGKBIncEzDnkHC0DLEscqkNBV+/yzCDk4 +3gt8QB1W0IrfVnC2y9odAPuZige8nqUIBMsdog== +-----END CERTIFICATE----- diff --git a/test/configs/certs/rdns/client-c.key b/test/configs/certs/rdns/client-c.key new file mode 100644 index 0000000000..ae54782495 --- /dev/null +++ b/test/configs/certs/rdns/client-c.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAsF8xq2j6IKnpLC038+BTOUNJsP5shUWY0c/nAXHHHlksGJNa +rmmnf8AuScWqRlu8VtG4SYosxLDR+wC6+rdrk1sUiGDNBOk8BppdhHHh362UKuqn +TtKttuI9Bz+qoP9zA9qXdRCuVURYHgu9Xo9mrTDvg5w7Af2dVZeMbzk2jf8eZbpk +cz7DmqVsChj3t/F2dxGmzqaYrophO1ubP27CfCyeMSyNagzU3UJwR/PQ+3rJnPxx +dBZxqVjRJdjIHXeagldxYAO9RL0HDfVPI3sahAGnNatPWFUlr9tvRtWU9n2QmnVT +86O3jT/cHb7bmtajg01a3DUrYmSd2XR733PjGQIDAQABAoIBADKcPm6Hgy8YUrbA +iwvKVVdbPawydgWQQRgD5q/9bDwDLqomrqDZ5Jy+EwpMVF44OMVZDN7dbZdLfhXe +0cjcFVyFiFDSJkLAgt8KMMeuvjgnYRsnlrcBsaOHLCgGVvo4E1MJyOhozv3czMRi +bgbSc45DOpeznyMlGZ7UDBJmgocgMhCJhQlP7GXWlblAjlHdKLFDPeETrD2jU389 +7VLllVHyfdsbWDrnyYdNVOsNsVKheHHHwhbk4ycuQHtezwvmfhXsseqHsBkrGRV0 +sSBZklDS5bX8gKISl6GbIWEDsYp+3LwJ0+apHBvgnC4/Be5uzdSgKpt2FxLBv5N9 +EgNzk/kCgYEA3jFK0l8RBtfyuEW0KKWF/NI6+lmI3M2UKL7fsUzncbJN+Ei1OB7D +wG00JipY3yppbnYWsX1z8i9+ngCgidBg60GNZZMtxhgYMN1xhh+wA9TStHcsGWZG +ZDaMv3QG/kQJ7kNblPqwxpN2YBYtSgmHLcMEBGN/o+xHJhfNLAMrDD8CgYEAyzUf +QvpUKAEjv3L1fX/DkZ+qqXVXDXSObBIRZovuXE+vVUWkZnFRrVkC7vy1bgOrPxDJ +p7JeFHq7Tbj0QYgCs4yL+XX3ECDdwu8Dfc3gq1RQ3R17t6qg/LaptwlFM7P/gFLR +i5B4t1p7UdiIt8ym0pHy71jRl1l2fXvyprq/mqcCgYAkfzpIFf+I/T3MUP7H0nCQ +18OCTeSySD529utthzFZNq2iA+dogX0sBYQUZM5WUfQhhdoya2X5OR32PCoimQzi +d9EPBz70lA6dMDKuklPqPTIjHJQs0+TqHx+9bwSbDXgIIB5R+V/CLoS6QcpMqAYB +WVA2nFViCrShKDW2bgrLJwKBgGO4WPQEZoIPNRzBbGk+5pky8owgUiz/Mtkj8LgT +GVDhpdhBydCf8YYQ9ViUWPB5CnNzaJJL/NEt/XbBudPiy/iSkypDUo/uoQUFSABX +pNZPFTO9QTY7nK8HcLeq6/PYdBzkB4Lmzeakl3ntugIAgyk4iDAetRQByh0AU26w +nFBnAoGAJk48iCBKwffii65B6HehKGD8thmum9CkJz/qnNNqMTDpXJshpTlStfGl +23KPuzs9GYD4QQGePHvCexcIlrZ7ah3HDXc1viRgxABOr1In3KuthxyA/QcCEZjB +SUZwe0qjrgsuWzr3zqIFjNtUU2znqpuMrDGRZp/PMe8qAEZlH5g= +-----END RSA PRIVATE KEY----- diff --git a/test/configs/certs/rdns/client-c.pem b/test/configs/certs/rdns/client-c.pem new file mode 100644 index 0000000000..e03a847865 --- /dev/null +++ b/test/configs/certs/rdns/client-c.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDdTCCAl0CAQEwDQYJKoZIhvcNAQELBQAwajELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcyBBbmdlbGVzMQ0wCwYDVQQKDARO +QVRTMQ0wCwYDVQQLDAROQVRTMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjAwNTA5 +MjEwNjUxWhcNMzAwNTA3MjEwNjUxWjCBljELMAkGA1UEBhMCVVMxEzARBgNVBAgM +CkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcyBBbmdlbGVzMQ0wCwYDVQQKDAROQVRT +MQ0wCwYDVQQLDAROQVRTMRIwEAYDVQQDDAlsb2NhbGhvc3QxFDASBgoJkiaJk/Is +ZAEZFgRmb28zMRQwEgYKCZImiZPyLGQBGRYEZm9vNDCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBALBfMato+iCp6SwtN/PgUzlDSbD+bIVFmNHP5wFxxx5Z +LBiTWq5pp3/ALknFqkZbvFbRuEmKLMSw0fsAuvq3a5NbFIhgzQTpPAaaXYRx4d+t +lCrqp07SrbbiPQc/qqD/cwPal3UQrlVEWB4LvV6PZq0w74OcOwH9nVWXjG85No3/ +HmW6ZHM+w5qlbAoY97fxdncRps6mmK6KYTtbmz9uwnwsnjEsjWoM1N1CcEfz0Pt6 +yZz8cXQWcalY0SXYyB13moJXcWADvUS9Bw31TyN7GoQBpzWrT1hVJa/bb0bVlPZ9 +kJp1U/Ojt40/3B2+25rWo4NNWtw1K2Jkndl0e99z4xkCAwEAATANBgkqhkiG9w0B +AQsFAAOCAQEACO/mR49RwjJ9pDbo2ioffxe+1R7DBFhx8NGkb+ISZGArOPlC+Uee +2oEs5ejDhTu4SuU1ODJ/asMCQxHfHZ2US1EwajFNw0ZYUTrQiiI1aamMZ/XIwUrA ++i+Z5s4Ne8AsZQMAGZLfNXpNUMRKSfOK37SlCa0eqAoJhzoqzYxQ9JgSLJhEo5id +8dAfICsShye1irzKXZ/QwLNHG/gS9SGfzf54B9sQRT3OOYr4eyEqcS2pmdQDyV4T +6OtWcaXGzxSPmJNcaI25RW2F+DWyF+mS8y8XhQZd2nG8ET0FWAFCDX3eT4W5MRmn +pglI/8UnHuseZos7GwHo80eTiUyBzvspYw== +-----END CERTIFICATE----- diff --git a/test/configs/certs/rdns/server.key b/test/configs/certs/rdns/server.key new file mode 100644 index 0000000000..a782f3fdd7 --- /dev/null +++ b/test/configs/certs/rdns/server.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAxFbauT5Ge2uniUGkZwu3/3pH03DbIjZe7FfukBnD7DbEcOJT +M1w9uTzh6bOIpX7VLVifWk64w62bELCX+g7Bp1zKy0htsdmnDh6OH4m0lOwcpT77 +ZxCbnRNrwzLoia+hSIyyyMIPUPPJMm3BblGasU1K5P4c957wLbPal+83ipTa4anM +IQWcqPpoPGlcxJcB5Xw6rb8cLlju5hZLlaKkmxZrmuEu4KX3waKeNsY0eoDJwpSn +nbfuyOxVreHE/GclxPzODnx0UZh8zGKcxL/Yq+YaF+OsL/oPfh0igPARMmOua25V +n0Ra+f9CsvM4lt3giZ3mKLHJ2TsObohIw6qUzQIDAQABAoIBAGppqKI93nWGI4eA +zFoNP+x3mfY/dIVWcpwmDGaNkGK2TEHiaLWtiMac+NRxOd54n5G0Nqn7gKiNrz2c +eMJOvSa4ZDFJUCrUjHZamSz+taEBV4U4XYm+tpirrfxd2yrExeVMXJnyk9qMRr/O +PMhN8kmmWrFCCPEsc4BRumgefzvb/W+4CqmY1CYCEV+Lmwwr+ur6ADDfz2dAfHtr +UGkixUrzFO684qSTGTyn5oUdc4qN1XR63V/o411zbVfXIWMmiiVKv5ctq/RfshHD +h9700/RAo0j08iwqDtLXyx1eolnIO6AfLzYcLrPzHFv460HPa3AIoQVfBs0IM2TJ +8aAyFQECgYEA+L+5FvywmVKUJBc9XHJ/sTkGVL4i4I6TWbGTSN0urlAe1IEgq8Cq +VYLZiOZkuh47uJ76HjFJMo7SQrLot92ofhz3506ZSa4d3LVLEAbaxKgOHDHfM9XP +U4ZHEZdzj2s1IdW3v73NnIv2gnKVbL7gpIpeX0rhxHeFgAFwzykSolcCgYEAyhAG +43yjcZZay/mavjBeTFtbwaYKAtaMIP8uDaS2DJCsLMRKTda3YgQydWSlzC02E22/ +xTHOp2ytI4Eq6pEUlZT08+Gxyf1XStyWNjzD9jK+c+mIbQsWeZGef7FfcxKFksBq +0/9dG/MYUPqQBYoTDH24QR13XwKUzcGFjg6S83sCgYEAp+dZ+08zsTqRbk8Vhypu +UOTqBheVmTgD9D4t6bgKw3Snas+CiwxwrWm2hnbltM+lhjghInIoM20+NfFnrnx7 +OC07lLF0PMy/sXPaKAZIcwfxBk0PmYCQApQXsqMlSMCXy6/j6RQoDqxXB7Rqck3h +eo8/plj4TdJTlZTjXaIext8CgYEAxqcRDq+nxHFMXMLNlnPZEXqz7+M8bmPdqkcW +UMWBUUMecnickIArFEsKDI3hzqUYR+ubINSB1eorIf/IYIo30YN7exWFhA70th29 +9B6zjaV/xldvD71Z4DUAvYt1Sp2IAqn3nOqu8F6DpoFf/IItjhc/gYzlodvYzZyX +n/zGDmcCgYAumnP2HqQr0fFrHc/p+KWP3+YXi9b/gUiMK/i7k2r/vf4SbStogKJf +SlFD2S+H+FJxVRxUhssz4SH3PYZJwAMX0DP9ZNpwa5rwSbx0a7H72u0O3r42nFXi +LNt+4To/VB7frJsNKl4Oh46gUHMsMyoqsF5FNQpPQ4zTEio3U0FASQ== +-----END RSA PRIVATE KEY----- diff --git a/test/configs/certs/rdns/server.pem b/test/configs/certs/rdns/server.pem new file mode 100644 index 0000000000..823f34fe20 --- /dev/null +++ b/test/configs/certs/rdns/server.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSDCCAjACAQEwDQYJKoZIhvcNAQELBQAwajELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcyBBbmdlbGVzMQ0wCwYDVQQKDARO +QVRTMQ0wCwYDVQQLDAROQVRTMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjAwNTA5 +MjEwNTI0WhcNMzAwNTA3MjEwNTI0WjBqMQswCQYDVQQGEwJVUzETMBEGA1UECAwK +Q2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9zIEFuZ2VsZXMxDTALBgNVBAoMBE5BVFMx +DTALBgNVBAsMBE5BVFMxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAMRW2rk+Rntrp4lBpGcLt/96R9Nw2yI2XuxX7pAZ +w+w2xHDiUzNcPbk84emziKV+1S1Yn1pOuMOtmxCwl/oOwadcystIbbHZpw4ejh+J +tJTsHKU++2cQm50Ta8My6ImvoUiMssjCD1DzyTJtwW5RmrFNSuT+HPee8C2z2pfv +N4qU2uGpzCEFnKj6aDxpXMSXAeV8Oq2/HC5Y7uYWS5WipJsWa5rhLuCl98GinjbG +NHqAycKUp5237sjsVa3hxPxnJcT8zg58dFGYfMxinMS/2KvmGhfjrC/6D34dIoDw +ETJjrmtuVZ9EWvn/QrLzOJbd4Imd5iixydk7Dm6ISMOqlM0CAwEAATANBgkqhkiG +9w0BAQsFAAOCAQEArl6zUvvu+RF6tqAiHqN5d/mmuhiczsaRReNXe1yJ7llXuDzl +jS/GAYu4nkDX/ejyWAwEnNOhjqNI5LMKNVJo+ZfOVH4jgiGZHaHzL6tY8tI6RYdO +ZUL5aLLDIGNYgR4BWFP2b6dk767iBOsmzB/gjGNi/ROAPQOw72vdXuxFL0xVwIG7 +Dk2u5f3B9nVdJz5gWFMHTE/cSSbyYJ1zZhwauzDaeploSTFlDsjPWUpCWCiE1jKh +jsgeF+HtlHcWlLhAAX/181SUoUilb9FBFCRLpPOuGYiKZ3KSQYzISkzvfE0u6/bs +uGL3UWDsGNQe6AhKMp9V2LxDq+fRIa9pTklb7g== +-----END CERTIFICATE----- diff --git a/test/tls_test.go b/test/tls_test.go index a28f6ce11c..7a0ed1bc8a 100644 --- a/test/tls_test.go +++ b/test/tls_test.go @@ -17,6 +17,7 @@ import ( "bufio" "crypto/tls" "crypto/x509" + "errors" "fmt" "io/ioutil" "net" 
@@ -1128,3 +1129,137 @@ func TestTLSHandshakeFailureMemUsage(t *testing.T) { }) } } + +func TestTLSClientAuthWithRDNSequence(t *testing.T) { + for _, test := range []struct { + name string + config string + certs nats.Option + err error + rerr error + }{ + { + "connect with tls using full RDN sequence", + ` + port: -1 + %s + + authorization { + users = [ + { user = "CN=localhost,OU=NATS,O=NATS,L=Los Angeles,ST=California,C=US,DC=foo1,DC=foo2" } + ] + } + `, + // C=US/ST=California/L=Los Angeles/O=NATS/OU=NATS/CN=localhost/DC=foo1/DC=foo2 + nats.ClientCert("./configs/certs/rdns/client-a.pem", "./configs/certs/rdns/client-a.key"), + nil, + nil, + }, + { + "connect with tls using partial RDN sequence has different permissions", + ` + port: -1 + %s + + authorization { + users = [ + { user = "CN=localhost,OU=NATS,O=NATS,L=Los Angeles,ST=California,C=US,DC=foo1,DC=foo2" }, + { user = "CN=localhost,OU=NATS,O=NATS,L=Los Angeles,ST=California,C=US", + permissions = { subscribe = { deny = ">" }} } + ] + } + `, + // C=US/ST=California/L=Los Angeles/O=NATS/OU=NATS/CN=localhost + nats.ClientCert("./configs/certs/rdns/client-b.pem", "./configs/certs/rdns/client-b.key"), + nil, + errors.New("nats: timeout"), + }, + { + "connect with tls and RDN sequence partially matches", + ` + port: -1 + %s + + authorization { + users = [ + { user = "CN=localhost,OU=NATS,O=NATS,L=Los Angeles,ST=California,C=US,DC=foo1,DC=foo2" } + { user = "CN=localhost,OU=NATS,O=NATS,L=Los Angeles,ST=California,C=US"}, + ] + } + `, + // + // C=US/ST=California/L=Los Angeles/O=NATS/OU=NATS/CN=localhost/DC=foo3/DC=foo4 + // + // but it will actually match the 2nd user so will not get an error (backwards compatible behavior) + // + // CN=localhost,OU=NATS,O=NATS,L=Los Angeles,ST=California,C=US + // + nats.ClientCert("./configs/certs/rdns/client-c.pem", "./configs/certs/rdns/client-c.key"), + nil, + nil, + }, + { + "connect with tls and RDN sequence does not match", + ` + port: -1 + %s + + authorization { + users 
= [ + { user = "CN=localhost,OU=NATS,O=NATS,L=Los Angeles,ST=California,C=US,DC=foo1,DC=foo2" } + ] + } + `, + // C=US/ST=California/L=Los Angeles/O=NATS/OU=NATS/CN=localhost/DC=foo3/DC=foo4 + // + nats.ClientCert("./configs/certs/rdns/client-c.pem", "./configs/certs/rdns/client-c.key"), + errors.New("nats: Authorization Violation"), + nil, + }, + } { + t.Run(test.name, func(t *testing.T) { + content := fmt.Sprintf(test.config, ` + tls { + cert_file: "configs/certs/rdns/server.pem" + key_file: "configs/certs/rdns/server.key" + ca_file: "configs/certs/rdns/ca.pem" + timeout: 5 + verify_and_map: true + } + `) + conf := createConfFile(t, []byte(content)) + defer os.Remove(conf) + s, opts := RunServerWithConfig(conf) + defer s.Shutdown() + + nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port), + test.certs, + nats.RootCAs("./configs/certs/rdns/ca.pem"), + ) + if test.err == nil && err != nil { + t.Errorf("Expected to connect, got %v", err) + } else if test.err != nil && err == nil { + t.Errorf("Expected error on connect") + } else if test.err != nil && err != nil { + // Error on connect was expected + if test.err.Error() != err.Error() { + t.Errorf("Expected error %s, got: %s", test.err, err) + } + return + } + defer nc.Close() + + nc.Subscribe("ping", func(m *nats.Msg) { + m.Respond([]byte("pong")) + }) + nc.Flush() + + _, err = nc.Request("ping", []byte("ping"), 250*time.Millisecond) + if test.rerr != nil && err == nil { + t.Errorf("Expected error getting response") + } else if test.rerr == nil && err != nil { + t.Errorf("Expected response") + } + }) + } +}
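Review bot: In TestTLSClientAuthWithRDNSequence the `test.err == nil && err != nil` branch only calls `t.Errorf`, so when a connect unexpectedly fails the subtest continues into `defer nc.Close()` and `nc.Subscribe` with a nil `nc` and panics instead of reporting the failure; use `t.Fatalf("Expected to connect, got %v", err)` there. The `test.err != nil && err == nil` branch has the mirror problem — it reports the missing error but then exercises the connection as if it were the expected case — and should also return after closing `nc`. The return values of `nc.Subscribe`, `nc.Flush` and `m.Respond` are discarded; at least `nc.Subscribe` and `nc.Flush` should be checked so a subscribe failure is attributed to the right line rather than surfacing as a request timeout.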