From 9a2d09588580ab2d4147f9a21542b810d2850083 Mon Sep 17 00:00:00 2001
From: Waldemar Quevedo
Date: Sat, 9 May 2020 15:23:03 -0700
Subject: [PATCH] Add support to match domainComponent (DC) in RDNSequence with TLS Auth

Currently when using TLS based authentication, any domain components that could be present in the cert will be omitted since Go's ToRDNSequence is not including them:

https://github.com/golang/go/blob/202c43b2ad3fca2cdcaff0d0720de5c99030b638/src/crypto/x509/pkix/pkix.go#L226-L245

This commit adds support to include the domain components in case present, also roughly following the order suggested at:

https://tools.ietf.org/html/rfc2253

Signed-off-by: Waldemar Quevedo
---
 server/auth.go | 38 ++++++++
 test/configs/certs/rdns/ca.key | 27 ++++++
 test/configs/certs/rdns/ca.pem | 22 +++++
 test/configs/certs/rdns/client-a.key | 27 ++++++
 test/configs/certs/rdns/client-a.pem | 21 +++++
 test/configs/certs/rdns/client-b.key | 27 ++++++
 test/configs/certs/rdns/client-b.pem | 20 ++++
 test/configs/certs/rdns/client-c.key | 27 ++++++
 test/configs/certs/rdns/client-c.pem | 21 +++++
 test/configs/certs/rdns/server.key | 27 ++++++
 test/configs/certs/rdns/server.pem | 20 ++++
 test/tls_test.go | 135 +++++++++++++++++++++++++++
 12 files changed, 412 insertions(+)
 create mode 100644 test/configs/certs/rdns/ca.key
 create mode 100644 test/configs/certs/rdns/ca.pem
 create mode 100644 test/configs/certs/rdns/client-a.key
 create mode 100644 test/configs/certs/rdns/client-a.pem
 create mode 100644 test/configs/certs/rdns/client-b.key
 create mode 100644 test/configs/certs/rdns/client-b.pem
 create mode 100644 test/configs/certs/rdns/client-c.key
 create mode 100644 test/configs/certs/rdns/client-c.pem
 create mode 100644 test/configs/certs/rdns/server.key
 create mode 100644 test/configs/certs/rdns/server.pem

diff --git a/server/auth.go b/server/auth.go
index 9bc96ac94f..a585725011 100644
--- a/server/auth.go
+++ b/server/auth.go
@@ -15,6 +15,8 @@ package server
 
 import (
 "crypto/tls"
+ "crypto/x509/pkix"
+ "encoding/asn1"
 "encoding/base64"
 "fmt"
 "net"
@@ -527,6 +529,26 @@ func (s *Server) processClientOrLeafAuthentication(c *client) bool {
 return false
 }
 
+func getTLSAuthDCs(rdns *pkix.RDNSequence) string {
+ dcOID := asn1.ObjectIdentifier{0, 9, 2342, 19200300, 100, 1, 25}
+ dcs := []string{}
+ for _, rdn := range *rdns {
+ if len(rdn) == 0 {
+ continue
+ }
+ for _, atv := range rdn {
+ value, ok := atv.Value.(string)
+ if !ok {
+ continue
+ }
+ if atv.Type.Equal(dcOID) {
+ dcs = append(dcs, "DC="+value)
+ }
+ }
+ }
+ return strings.Join(dcs, ",")
+}
+
 func checkClientTLSCertSubject(c *client, fn func(string) bool) bool {
 tlsState := c.GetTLSConnectionState()
 if tlsState == nil {
@@ -568,6 +590,22 @@ func checkClientTLSCertSubject(c *client, fn func(string) bool) bool {
 }
 }
 
+ // Try to get the full RDN Sequence that includes the domain components.
+ var rdns pkix.RDNSequence
+ if _, err := asn1.Unmarshal(cert.RawSubject, &rdns); err == nil {
+ // If found domain components then include roughly following
+ // the order from https://tools.ietf.org/html/rfc2253
+ rdn := cert.Subject.ToRDNSequence().String()
+ dcs := getTLSAuthDCs(&rdns)
+ if len(dcs) > 0 {
+ u := strings.Join([]string{rdn, dcs}, ",")
+ if fn(u) {
+ c.Debugf("Using RDNSequence for auth [%q]", u)
+ return true
+ }
+ }
+ }
+
 // Use the subject of the certificate.
 u := cert.Subject.String()
 c.Debugf("Using certificate subject for auth [%q]", u)
diff --git a/test/configs/certs/rdns/ca.key b/test/configs/certs/rdns/ca.key
new file mode 100644
index 0000000000..887e9972bf
--- /dev/null
+++ b/test/configs/certs/rdns/ca.key
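Review bot: The DC values collected in getTLSAuthDCs are appended raw (`dcs = append(dcs, "DC="+value)`) and then comma-joined onto the escaped output of pkix.RDNSequence.String, so a certificate carrying a single DC attribute whose value is `foo1,DC=foo2` yields exactly the same user string as a certificate with two DC attributes `foo1` and `foo2`; because that string is the identity handed to `fn`, two distinct subjects collapse onto one user entry whenever the trusted CA will issue such a value. The DC part should receive the same RFC 2253 escaping Go already applies to CN/O/OU (`,`, `+`, `"`, `\`, `<`, `>`, `;`, a leading `#` or space, a trailing space), as in the helper below. Two smaller points in the same hunk: `if len(rdn) == 0 { continue }` is dead since ranging over an empty RDN does nothing, and discarding the first result of `asn1.Unmarshal(cert.RawSubject, &rdns)` silently accepts trailing bytes after the subject SEQUENCE — `if rest, err := asn1.Unmarshal(cert.RawSubject, &rdns); err == nil && len(rest) == 0 {` rejects them. checkClientTLSCertSubject begins and ends outside the hunk.

```go
// … unchanged: dcOID declaration and the RDN/ATV loops …
			if atv.Type.Equal(dcOID) {
				dcs = append(dcs, "DC="+escapeRDNValue(value))
			}
// … unchanged: return strings.Join(dcs, ",") …

// escapeRDNValue applies the RFC 2253 value escaping that
// pkix.RDNSequence.String uses for its known attribute types, so a
// single DC value cannot masquerade as additional ",DC=..." components
// in the user string used for authentication.
func escapeRDNValue(v string) string {
	var b strings.Builder
	for i, c := range v {
		switch c {
		case ',', '+', '"', '\\', '<', '>', ';':
			b.WriteRune('\\')
		case ' ':
			if i == 0 || i == len(v)-1 {
				b.WriteRune('\\')
			}
		case '#':
			if i == 0 {
				b.WriteRune('\\')
			}
		}
		b.WriteRune(c)
	}
	return b.String()
}
```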
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpgIBAAKCAQEAwIYeRgshZUbWnsnVFYqJvMlRwmYKpHGq1cxG2HIKJZMMJO4c +Tipguyt0bPJMQiGzsPUpzUIi3m1tNlQnQhmpBo4C1NSSRhx8My4z1796OkzerCMV +MKEP8weC9Vhz2mUMBQbrRvAcNJhoPksWJ2kSGxdUdKIqoFGDMu40ir5zxHyCA410 +vG7IIJlaDKpwuXl1IFjEaI5DWnDUAvSxciG86yZVaekRYEJNSPSPL1Er5ee40ukP +C66JCYas9a+4Lk5rQhlYSoUsimPebagKP99T+oNVyQSSQ0rqaNNV+7i0uEx9KH+7 +OC8B8+fUlE891hjnAJ20P0wJnMC/pFzzsvI8rQIDAQABAoIBAQCrKJFRhCO0fj3f +/V/LPtclV3WwdjeP6t4OJQX296u9q/Vn/6h6dYJ55DAli2PwhzXRZKQ9L0cAqBgn +7LjaMyXqBebOgA1q93gTqEe+zyRDIIP2VVpJWWdskIkExhZ5WsxMy9HvxxfMSpKi +ju6rKuZF33/eES4ESXNynANqNdeGHf5ZWI2BI8ekPLbS6EE+PcJPq2vK8gkhFFyb +ie9qqgU9DthSwJhqT7dilTllLz6gOj3dtYODaji4yLNkalRWe6JGO1v/ZxqWgpnk +ZHTATxgiyjWJ0AJGH1tqxHBU1MmKHEEsc3lXdxC+FWbAnfbMgQq+BZSBjcyAOip6 +0FHdrvKhAoGBAPWI7b1Yo2Ov2iJtH4VJh2vqX5q+EQchO9XCKW82lOfoXXCGrG7g +n5uuQuCAfEHzkeHDMVzDvoLJAHUz74eLuYm1voKLW+CjT+L9LYZMvLs3ygJvq5g9 +5pYPZbP2bax2sV2coXs/tv2gyMIYyrsPtln6ngW9y/SrC13j7ibffaJ/AoGBAMi6 +xzH8n2Fz2y76Vw3/JwFQNJY3qZy7jjcFd3KCTSzbDAHzMOpwRjSrecacF//G/bn+ +BaeOWowFZSh6ps7g3jyLWIpWS1Azk9t9+8sbt4bcX5XV92GeCu91X5gjSfwiXfJ7 +Ar7itX5zFMl74jBoJcd7ikS1BUZozcOon6x2F7LTAoGBAOqXYU4/mhxsr+WkjTE0 +B4c77wxR/MLrJdgeIqh3Zd4NTPluMuHdC6Ia5RrKp+37Ya5qaIdRHnymvyE79edz +wFmqo9Lmg2olnvYpH43pU4kszH13ZGOZAO7u1yUSlcbpwJzIQiEXxyacsDOCrG/9 +myRtJv4lUPD7W2jhlXDep5LRAoGBAKuEJXcJ9CnyNCRVFpPIJM0Teous7koVXPSY +wDLhMg6U8RKteWupGeQhbYGOmVcd8mm9q5k7oxUn+wL2opf9PwgezT4PdHUITVvs +r30iptQec7J1TNdlktR/x3oZFTvTJdFu2K7AyvJMZUOwjlpsc3OblU8WGnbKUJ/R +8vYLRj6vAoGBANoD3vrUz4Zq0tAfn31X4iNBe8TF6c0lx+NOcQ4IJHKHulxx+rHS +h8UjublG5rx8qL62D4SiVp+m12ibSrLaJpC5IqSy6cFjHNUzXcok4Oou7dpMsMkn +2uHsmL4iJJkUBIowADJ2mAyPnnOj0yQilna9o+pDqoW+bG0+7NoyHcV0 +-----END RSA PRIVATE KEY----- diff --git a/test/configs/certs/rdns/ca.pem b/test/configs/certs/rdns/ca.pem new file mode 100644 index 0000000000..97526cf802 --- /dev/null +++ b/test/configs/certs/rdns/ca.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIUd2k/q8WQFq6AZFyTtYu651Ds+cgwDQYJKoZIhvcNAQEL +BQAwajELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcM +C0xvcyBBbmdlbGVzMQ0wCwYDVQQKDAROQVRTMQ0wCwYDVQQLDAROQVRTMRIwEAYD +VQQDDAlsb2NhbGhvc3QwHhcNMjAwNTA5MjEwNTExWhcNMjUwNTA5MjEwNTExWjBq +MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9z +IEFuZ2VsZXMxDTALBgNVBAoMBE5BVFMxDTALBgNVBAsMBE5BVFMxEjAQBgNVBAMM +CWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMCGHkYL +IWVG1p7J1RWKibzJUcJmCqRxqtXMRthyCiWTDCTuHE4qYLsrdGzyTEIhs7D1Kc1C +It5tbTZUJ0IZqQaOAtTUkkYcfDMuM9e/ejpM3qwjFTChD/MHgvVYc9plDAUG60bw +HDSYaD5LFidpEhsXVHSiKqBRgzLuNIq+c8R8ggONdLxuyCCZWgyqcLl5dSBYxGiO +Q1pw1AL0sXIhvOsmVWnpEWBCTUj0jy9RK+XnuNLpDwuuiQmGrPWvuC5Oa0IZWEqF +LIpj3m2oCj/fU/qDVckEkkNK6mjTVfu4tLhMfSh/uzgvAfPn1JRPPdYY5wCdtD9M +CZzAv6Rc87LyPK0CAwEAAaNTMFEwHQYDVR0OBBYEFJQ0pEcUeNZleMh6GxA51NW4 +7MsIMB8GA1UdIwQYMBaAFJQ0pEcUeNZleMh6GxA51NW47MsIMA8GA1UdEwEB/wQF +MAMBAf8wDQYJKoZIhvcNAQELBQADggEBABluyDWCpMpIZxCO223YsqVLCFAA+3Ns +ZAFLRyurMfZrBp7lJdrcZzkPcp6Hea0WJ9Rif/7gBGSYdVqlyPNj4W8nfJfys9Vr +X9xfO4PyWE89Sa8aH1JQUifDeK0SMsj9HBRAiFqNuLdC6a2plQvQHhIyN/mnfQZs +a0EVC09zEBrlZaXlZpf/cUok6VLEPmBqL4Y4IJFAFHPSMZRigXL/We7x+Dsumzkh +5szEvBbktZNteZZcxnikBcS1ezmbGnz3l5OI65KM5JSkyxlvX5LnCNUl84z4dk/i +1CTi8YUaJtSfe1lfUlDZY/QKPCLKgwz/DQqhnwsWC8uplJtiN9lIOtU= +-----END CERTIFICATE----- diff --git a/test/configs/certs/rdns/client-a.key b/test/configs/certs/rdns/client-a.key new file mode 100644 index 0000000000..b40632e633 --- /dev/null +++ b/test/configs/certs/rdns/client-a.key 
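Review bot: Decoding the validity field of this CA certificate gives notBefore 2020-05-09 21:05:11Z and notAfter 2025-05-09 21:05:11Z, while client-a, client-b, client-c and server.pem in this same patch decode to notAfter 2030-05-07; once the CA expires in May 2025 every case in TestTLSClientAuthWithRDNSequence will fail chain verification even though the leaf certificates are still valid. Reissue the CA with a validity that covers its leaves, or at least add a short README under test/configs/certs/rdns recording how these fixtures are regenerated (subject, the DC attributes on client-a/client-c, CA lifetime) so the rotation does not require reverse-engineering the test. That note should also state that the accompanying .key files are throwaway test material and must never be reused outside this test directory.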
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA05xm/LJ7bvzFltT1sHSfSSmqAqhgKLwLB4f49bYn7vvfz2tR +BY9N8ecPGh9s3ZYjEAFiLIGGhLDtShdHQxvXoM3V1N9VpFXFe5FzOrSe5ZVx71BS +GZbWKJijtjDHq+OH7RF62d9+p6jvJT/DEGzpHGS33GAoiBBnSBYfp8uio4F/v1o8 +4qaK1iTjaWa1E2SbUor3Zl88IK9olXrsX8P8wYflaxIlSD5KBXJoXIyY6SFNwklj +qPq1Cq0gS0axcVU+osCt/iClunF6kV9r4www88w4XRPCFJM+QyYtPFy+CUR0BOua +XbWs1hCyNeTrk1efQjY1qJOahZG+qdbiFt8lAwIDAQABAoIBAEjQfaOgatbTBc6T +8wLH7nOHcae+dnAt3IG36RPrnSwf4XCHFfcay5BcmJa9j4FkAyajwztbSoVoOA6R +mgTelMERcu3v95E3rl+JuiPOOQr49J6LfeSuQXzwoQy1Fk/wWDpcFHDZ9cQNXlTr +7tw9Da2mfpnHQMspEdD9Q+FCMfGeoq8A4aSm0KDXqChB+HhPZlPNt9TA8/It8imN +NzniziQ797QicD7i7Yy9OeJEzQ+mUY3Sew1yxI4wmF+vsv2NAqgQgTMKyQ0Vv5js +aqR0URD182qDLbJ5PvmYyLc+TJyaixU0Qf5PgIbrBirBuV7UBOfraFkOXuV6Iyd6 +i/nt8CECgYEA74Tr5YyAciH0xpBza8PLoxnxP1UQDsp+sDL4STR8Y/lOUX/yYiqq +om2NNM4FauEB63GqoYFqnEwTXwy4yU4vaOhjg86098mp2BdPo6ANLO+maK7+YvvW +uAQwy25wG1IjqBH3yltOiOx/zCwoIfr1+xbbx68JiPCzLrUFn0YC3DMCgYEA4ivh +9FRLESLMjiRQq+CnzKweTcAWfQbLmovFTJMSMkufpQ8TCyblE/PQvOkwZql3BP/f +ZfzzB5p6B+Vzhz6nXue/YTPQZM0AHV3OZj/lw0ifgDuuohD45p2ASDpY+y7VbDKI +Bcn3W8hJcqWf/0umBIa2AOYnOhlEllz8uQrBw/ECgYB7T2dTCn6mQ60M/RkvBeI0 +2gpFnLljpASNGfCRX6AaqCMV+lUDDQxECzqDUP2hBK5EVISQGVyVkuT2LkqD+OiX +jeyN00F/wCbcxUOO7btawxZdFpqIwzbMDfxA/15f8m3A/V8gotlPzNIOfz06IUW6 +Ow5zQz4ZbjIRfcijMxwN2QKBgCcIB7CQs3u7k62cGsfut0adFYW5dqgQ+iYrpNr4 +LpW7c0ua9GBiT/pHg2h2ncG50S5tsfH52z8eq5ydPnjCmUPJnr95n6clsbVfsPT4 +ZgBzkgMhSZvybeHuoGrWlvCSPoazmcHV/vg58mL0rk3yki4JyXMSRQbDwZBpb7vH +XXUhAoGBAOkqak1DcPZVSinpb/irgvBPd2GzeWyaNh9MKBcGMeG7h3w6Dy/0Gkv3 +DyyEf4BLxPKZ3QNx0Ni2lJ810Al2Kd7j4esDzTZDNmv8buC2jXV+aIL3XvfYjyix +SDyE50LcqLiPJwmADpoHMDYvO6sOm8RmhbzbkdJgwZOvh/so3CZX +-----END RSA PRIVATE KEY----- diff --git a/test/configs/certs/rdns/client-a.pem b/test/configs/certs/rdns/client-a.pem new file mode 100644 index 0000000000..620337dac9 --- /dev/null +++ b/test/configs/certs/rdns/client-a.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDdTCCAl0CAQEwDQYJKoZIhvcNAQELBQAwajELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcyBBbmdlbGVzMQ0wCwYDVQQKDARO +QVRTMQ0wCwYDVQQLDAROQVRTMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjAwNTA5 +MjEwNTE2WhcNMzAwNTA3MjEwNTE2WjCBljELMAkGA1UEBhMCVVMxEzARBgNVBAgM +CkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcyBBbmdlbGVzMQ0wCwYDVQQKDAROQVRT +MQ0wCwYDVQQLDAROQVRTMRIwEAYDVQQDDAlsb2NhbGhvc3QxFDASBgoJkiaJk/Is +ZAEZFgRmb28xMRQwEgYKCZImiZPyLGQBGRYEZm9vMjCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBANOcZvyye278xZbU9bB0n0kpqgKoYCi8CweH+PW2J+77 +389rUQWPTfHnDxofbN2WIxABYiyBhoSw7UoXR0Mb16DN1dTfVaRVxXuRczq0nuWV +ce9QUhmW1iiYo7Ywx6vjh+0Retnffqeo7yU/wxBs6Rxkt9xgKIgQZ0gWH6fLoqOB +f79aPOKmitYk42lmtRNkm1KK92ZfPCCvaJV67F/D/MGH5WsSJUg+SgVyaFyMmOkh +TcJJY6j6tQqtIEtGsXFVPqLArf4gpbpxepFfa+MMMPPMOF0TwhSTPkMmLTxcvglE +dATrml21rNYQsjXk65NXn0I2NaiTmoWRvqnW4hbfJQMCAwEAATANBgkqhkiG9w0B +AQsFAAOCAQEArO7c3bIBfy/U0HOiqiWkFrfly/tbOSQecdV8PW3SaY2P/VLINi67 +NLfe4dhWw6nRE8zdLCOoXc5F60cfx1jYZd7vF44q6Mwn52atcoX49m17+1EmDeOS +TJFkm3FU993O8jTSTRO6ysoiuIHImHWrWCnEY8lhhQoHQVDWiCtdxTkahqXvS+VD +5xcxGWG2uY9sJx0ISXpyYkcoh24H92xEaswGlYFQEUEmf1tLRRbRqkq93qqlfHrn +VPRQ4y/sINmBMwk+ftMhZtKiDu5xb1yP+ePoczgkKfsbJy8rh7rZJPvor4avX+7F +9dn3Vm8IGdmqrNp2K9Du/zIWyXtkVJ7Wyw== +-----END CERTIFICATE----- diff --git a/test/configs/certs/rdns/client-b.key b/test/configs/certs/rdns/client-b.key new file mode 100644 index 0000000000..02d15b80d5 --- /dev/null +++ b/test/configs/certs/rdns/client-b.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAtnCJemodpMZaQ0HecKito1c2uVz/FNg4k2PlRHy5QVqVtQ10 +/KosU5UR/IdKQim+DXwpE1rs199aZG/JR6uo8wZlOdLFEzAI4OHRT9Gh0VNaldbV +BeEB/HL7icXMJuBjoO4+XandE6XYRxWIxODfjSfLfFe7Hf1XUNQoemJNU8QYPBuS +al8YaqnxLHp/7ZW6u+EnKJUdjF4t6Q4UF9tXELeXG5BgHkCUjFlfJtepEebdktUJ +0Gfmopa/apLAHjH2nOSs9/02UPZEWOXNeQ0S/C+KhMdagBfrKQi17x7CtFptP2zp +icvZNmt8Lup+JBbr1w8Im6tgr5tFz+Bodm7KywIDAQABAoIBAGHfIYGQZ/K7jjTC +o2hgtTYJVYw/fYBbNo6rapVBK8kJpYKJg5cAW+NC93E3yviPmCt3zjlZ7/EnG0EC +T0KprmshpTBOB/dxL3Ik8rsVRPAc/V2g8IrE2OHrdVHF0O2SNyBgbwikVbtynwIT +ZVnpIUSCcsFz9yfxfuQXzNdK4RzsDxG1uMBQh4BdD67s0wO4bp8XIMbCezIKPsU+ +fDco7g8jJgei4YAujAEWYRT3Cw6sTHyCmyTbGcdh1QMoFYdY5HKf842ihkRXRLgq +jDfy6bvUH2Vu1fXvgykaIdgnHEl9TzoAtOPffnCsbrym9wRP8kRhNTBNcHnHa9Xp +NmuQgQECgYEA7ObxBZ9AiIOBev2YaaW9uV0B3BA/UrynDxkwTLW++W2mGhXNABin +pKttfIGcR7lqCVAP6UMZ84mudG7cO3Jfru5PoZ0tNPmVN2KybyoH8B9BfWJuaI4M +r490Su/MhyMvWHbKsBnAdO9QttbtkIpHUKELx/c94w0/TXv5fHlGH4sCgYEAxSWg +m4QlN/sL+fZYt17mmEYs7cM/+jljJSpDYzy79ywjsq5KzRb4dAn4pCHJdH9yp+WE +KjYHFQ3mlg/f3yd4qW5i5zo0rcYELP1QCjCtbTNrae6H/MoHcEEwQzHvRml5ExIA +cHsfv45tTX+OsJ3wlj4gxkY+y/G6OTXDj5UDacECgYBl1fCNxiNri3xBbnnyEDk6 +UWzXOHTAEDCQIPfOQeJSPnxEglKZU//cnYR3HRAdFOssDaqJTzr8oZbInk81jrjq +7a51fqdMOm2WXWrutlarNgRk7ccgUs/JOBV5kROOk+VqVcZTZP6CRc2gi0ub8pUt +Z800rGeCDtPDbyOUCl3GeQKBgCSm0i0XbDP0IE3gVq4Anq5Anam2WvaSJLSMHusc +J3XUZu6ZKJ7oXlh0Yh1hiqp150L/kIqocLihVPUhDmXWWMBnHUwPriuAXNZgYbkD +Q7rBjH6tMer1RFzCQc68Qde9VB0Pg7VlrolWWUvHIygCtO+5rS4vcQ1Ja22naSwQ +cAoBAoGARzbjMI91d647stZN7zynPg9081XZmr0oqLaXStl0GudZXMxu4B6V+dlp +g9EBCUDi8XuM/5hv8kgc+QjTqe5Vtea+h8u3jHs4+u9pYdInBDY7dY4SoFbpBeb7 +zPpzGxgxgANDUceTlYdXZFURrefVcqxzz/ar94dkv1RAjilVoN8= +-----END RSA PRIVATE KEY----- diff --git a/test/configs/certs/rdns/client-b.pem b/test/configs/certs/rdns/client-b.pem new file mode 100644 index 0000000000..53a3117722 --- /dev/null +++ b/test/configs/certs/rdns/client-b.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSDCCAjACAQEwDQYJKoZIhvcNAQELBQAwajELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcyBBbmdlbGVzMQ0wCwYDVQQKDARO +QVRTMQ0wCwYDVQQLDAROQVRTMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjAwNTA5 +MjEwNTE5WhcNMzAwNTA3MjEwNTE5WjBqMQswCQYDVQQGEwJVUzETMBEGA1UECAwK +Q2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9zIEFuZ2VsZXMxDTALBgNVBAoMBE5BVFMx +DTALBgNVBAsMBE5BVFMxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALZwiXpqHaTGWkNB3nCoraNXNrlc/xTYOJNj5UR8 +uUFalbUNdPyqLFOVEfyHSkIpvg18KRNa7NffWmRvyUerqPMGZTnSxRMwCODh0U/R +odFTWpXW1QXhAfxy+4nFzCbgY6DuPl2p3ROl2EcViMTg340ny3xXux39V1DUKHpi +TVPEGDwbkmpfGGqp8Sx6f+2VurvhJyiVHYxeLekOFBfbVxC3lxuQYB5AlIxZXybX +qRHm3ZLVCdBn5qKWv2qSwB4x9pzkrPf9NlD2RFjlzXkNEvwvioTHWoAX6ykIte8e +wrRabT9s6YnL2TZrfC7qfiQW69cPCJurYK+bRc/gaHZuyssCAwEAATANBgkqhkiG +9w0BAQsFAAOCAQEAXqrZXT2sWalVn8n7pBsK7KMLtECyhYNMtfLRwkJvjA691DDZ +6/w402H3tl2+dfU8CYkB/kx2rVATiQCl7aYcJnIHthNYN2YBU99w8+7r9xYIHye4 +3ErtsgSuAtxmxKGHk/FeR4mqzuRfsv7NGuKqZRspEMH3c2sTgA0mnkBjfjuZo4wf +K8u77kFAMrwVl4Jr5sgXgjS4xCJVEGhvjrrLWfOrP4Cj6apd8ZFT7LQ2iDuSH73v +596HEPVO2nb5ONbWsbTtqbxldyTA/v7TGKBIncEzDnkHC0DLEscqkNBV+/yzCDk4 +3gt8QB1W0IrfVnC2y9odAPuZige8nqUIBMsdog== +-----END CERTIFICATE----- diff --git a/test/configs/certs/rdns/client-c.key b/test/configs/certs/rdns/client-c.key new file mode 100644 index 0000000000..ae54782495 --- /dev/null +++ b/test/configs/certs/rdns/client-c.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAsF8xq2j6IKnpLC038+BTOUNJsP5shUWY0c/nAXHHHlksGJNa +rmmnf8AuScWqRlu8VtG4SYosxLDR+wC6+rdrk1sUiGDNBOk8BppdhHHh362UKuqn +TtKttuI9Bz+qoP9zA9qXdRCuVURYHgu9Xo9mrTDvg5w7Af2dVZeMbzk2jf8eZbpk +cz7DmqVsChj3t/F2dxGmzqaYrophO1ubP27CfCyeMSyNagzU3UJwR/PQ+3rJnPxx +dBZxqVjRJdjIHXeagldxYAO9RL0HDfVPI3sahAGnNatPWFUlr9tvRtWU9n2QmnVT +86O3jT/cHb7bmtajg01a3DUrYmSd2XR733PjGQIDAQABAoIBADKcPm6Hgy8YUrbA +iwvKVVdbPawydgWQQRgD5q/9bDwDLqomrqDZ5Jy+EwpMVF44OMVZDN7dbZdLfhXe +0cjcFVyFiFDSJkLAgt8KMMeuvjgnYRsnlrcBsaOHLCgGVvo4E1MJyOhozv3czMRi +bgbSc45DOpeznyMlGZ7UDBJmgocgMhCJhQlP7GXWlblAjlHdKLFDPeETrD2jU389 +7VLllVHyfdsbWDrnyYdNVOsNsVKheHHHwhbk4ycuQHtezwvmfhXsseqHsBkrGRV0 +sSBZklDS5bX8gKISl6GbIWEDsYp+3LwJ0+apHBvgnC4/Be5uzdSgKpt2FxLBv5N9 +EgNzk/kCgYEA3jFK0l8RBtfyuEW0KKWF/NI6+lmI3M2UKL7fsUzncbJN+Ei1OB7D +wG00JipY3yppbnYWsX1z8i9+ngCgidBg60GNZZMtxhgYMN1xhh+wA9TStHcsGWZG +ZDaMv3QG/kQJ7kNblPqwxpN2YBYtSgmHLcMEBGN/o+xHJhfNLAMrDD8CgYEAyzUf +QvpUKAEjv3L1fX/DkZ+qqXVXDXSObBIRZovuXE+vVUWkZnFRrVkC7vy1bgOrPxDJ +p7JeFHq7Tbj0QYgCs4yL+XX3ECDdwu8Dfc3gq1RQ3R17t6qg/LaptwlFM7P/gFLR +i5B4t1p7UdiIt8ym0pHy71jRl1l2fXvyprq/mqcCgYAkfzpIFf+I/T3MUP7H0nCQ +18OCTeSySD529utthzFZNq2iA+dogX0sBYQUZM5WUfQhhdoya2X5OR32PCoimQzi +d9EPBz70lA6dMDKuklPqPTIjHJQs0+TqHx+9bwSbDXgIIB5R+V/CLoS6QcpMqAYB +WVA2nFViCrShKDW2bgrLJwKBgGO4WPQEZoIPNRzBbGk+5pky8owgUiz/Mtkj8LgT +GVDhpdhBydCf8YYQ9ViUWPB5CnNzaJJL/NEt/XbBudPiy/iSkypDUo/uoQUFSABX +pNZPFTO9QTY7nK8HcLeq6/PYdBzkB4Lmzeakl3ntugIAgyk4iDAetRQByh0AU26w +nFBnAoGAJk48iCBKwffii65B6HehKGD8thmum9CkJz/qnNNqMTDpXJshpTlStfGl +23KPuzs9GYD4QQGePHvCexcIlrZ7ah3HDXc1viRgxABOr1In3KuthxyA/QcCEZjB +SUZwe0qjrgsuWzr3zqIFjNtUU2znqpuMrDGRZp/PMe8qAEZlH5g= +-----END RSA PRIVATE KEY----- diff --git a/test/configs/certs/rdns/client-c.pem b/test/configs/certs/rdns/client-c.pem new file mode 100644 index 0000000000..e03a847865 --- /dev/null +++ b/test/configs/certs/rdns/client-c.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDdTCCAl0CAQEwDQYJKoZIhvcNAQELBQAwajELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcyBBbmdlbGVzMQ0wCwYDVQQKDARO +QVRTMQ0wCwYDVQQLDAROQVRTMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjAwNTA5 +MjEwNjUxWhcNMzAwNTA3MjEwNjUxWjCBljELMAkGA1UEBhMCVVMxEzARBgNVBAgM +CkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcyBBbmdlbGVzMQ0wCwYDVQQKDAROQVRT +MQ0wCwYDVQQLDAROQVRTMRIwEAYDVQQDDAlsb2NhbGhvc3QxFDASBgoJkiaJk/Is +ZAEZFgRmb28zMRQwEgYKCZImiZPyLGQBGRYEZm9vNDCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBALBfMato+iCp6SwtN/PgUzlDSbD+bIVFmNHP5wFxxx5Z +LBiTWq5pp3/ALknFqkZbvFbRuEmKLMSw0fsAuvq3a5NbFIhgzQTpPAaaXYRx4d+t +lCrqp07SrbbiPQc/qqD/cwPal3UQrlVEWB4LvV6PZq0w74OcOwH9nVWXjG85No3/ +HmW6ZHM+w5qlbAoY97fxdncRps6mmK6KYTtbmz9uwnwsnjEsjWoM1N1CcEfz0Pt6 +yZz8cXQWcalY0SXYyB13moJXcWADvUS9Bw31TyN7GoQBpzWrT1hVJa/bb0bVlPZ9 +kJp1U/Ojt40/3B2+25rWo4NNWtw1K2Jkndl0e99z4xkCAwEAATANBgkqhkiG9w0B +AQsFAAOCAQEACO/mR49RwjJ9pDbo2ioffxe+1R7DBFhx8NGkb+ISZGArOPlC+Uee +2oEs5ejDhTu4SuU1ODJ/asMCQxHfHZ2US1EwajFNw0ZYUTrQiiI1aamMZ/XIwUrA ++i+Z5s4Ne8AsZQMAGZLfNXpNUMRKSfOK37SlCa0eqAoJhzoqzYxQ9JgSLJhEo5id +8dAfICsShye1irzKXZ/QwLNHG/gS9SGfzf54B9sQRT3OOYr4eyEqcS2pmdQDyV4T +6OtWcaXGzxSPmJNcaI25RW2F+DWyF+mS8y8XhQZd2nG8ET0FWAFCDX3eT4W5MRmn +pglI/8UnHuseZos7GwHo80eTiUyBzvspYw== +-----END CERTIFICATE----- diff --git a/test/configs/certs/rdns/server.key b/test/configs/certs/rdns/server.key new file mode 100644 index 0000000000..a782f3fdd7 --- /dev/null +++ b/test/configs/certs/rdns/server.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAxFbauT5Ge2uniUGkZwu3/3pH03DbIjZe7FfukBnD7DbEcOJT +M1w9uTzh6bOIpX7VLVifWk64w62bELCX+g7Bp1zKy0htsdmnDh6OH4m0lOwcpT77 +ZxCbnRNrwzLoia+hSIyyyMIPUPPJMm3BblGasU1K5P4c957wLbPal+83ipTa4anM +IQWcqPpoPGlcxJcB5Xw6rb8cLlju5hZLlaKkmxZrmuEu4KX3waKeNsY0eoDJwpSn +nbfuyOxVreHE/GclxPzODnx0UZh8zGKcxL/Yq+YaF+OsL/oPfh0igPARMmOua25V +n0Ra+f9CsvM4lt3giZ3mKLHJ2TsObohIw6qUzQIDAQABAoIBAGppqKI93nWGI4eA +zFoNP+x3mfY/dIVWcpwmDGaNkGK2TEHiaLWtiMac+NRxOd54n5G0Nqn7gKiNrz2c +eMJOvSa4ZDFJUCrUjHZamSz+taEBV4U4XYm+tpirrfxd2yrExeVMXJnyk9qMRr/O +PMhN8kmmWrFCCPEsc4BRumgefzvb/W+4CqmY1CYCEV+Lmwwr+ur6ADDfz2dAfHtr +UGkixUrzFO684qSTGTyn5oUdc4qN1XR63V/o411zbVfXIWMmiiVKv5ctq/RfshHD +h9700/RAo0j08iwqDtLXyx1eolnIO6AfLzYcLrPzHFv460HPa3AIoQVfBs0IM2TJ +8aAyFQECgYEA+L+5FvywmVKUJBc9XHJ/sTkGVL4i4I6TWbGTSN0urlAe1IEgq8Cq +VYLZiOZkuh47uJ76HjFJMo7SQrLot92ofhz3506ZSa4d3LVLEAbaxKgOHDHfM9XP +U4ZHEZdzj2s1IdW3v73NnIv2gnKVbL7gpIpeX0rhxHeFgAFwzykSolcCgYEAyhAG +43yjcZZay/mavjBeTFtbwaYKAtaMIP8uDaS2DJCsLMRKTda3YgQydWSlzC02E22/ +xTHOp2ytI4Eq6pEUlZT08+Gxyf1XStyWNjzD9jK+c+mIbQsWeZGef7FfcxKFksBq +0/9dG/MYUPqQBYoTDH24QR13XwKUzcGFjg6S83sCgYEAp+dZ+08zsTqRbk8Vhypu +UOTqBheVmTgD9D4t6bgKw3Snas+CiwxwrWm2hnbltM+lhjghInIoM20+NfFnrnx7 +OC07lLF0PMy/sXPaKAZIcwfxBk0PmYCQApQXsqMlSMCXy6/j6RQoDqxXB7Rqck3h +eo8/plj4TdJTlZTjXaIext8CgYEAxqcRDq+nxHFMXMLNlnPZEXqz7+M8bmPdqkcW +UMWBUUMecnickIArFEsKDI3hzqUYR+ubINSB1eorIf/IYIo30YN7exWFhA70th29 +9B6zjaV/xldvD71Z4DUAvYt1Sp2IAqn3nOqu8F6DpoFf/IItjhc/gYzlodvYzZyX +n/zGDmcCgYAumnP2HqQr0fFrHc/p+KWP3+YXi9b/gUiMK/i7k2r/vf4SbStogKJf +SlFD2S+H+FJxVRxUhssz4SH3PYZJwAMX0DP9ZNpwa5rwSbx0a7H72u0O3r42nFXi +LNt+4To/VB7frJsNKl4Oh46gUHMsMyoqsF5FNQpPQ4zTEio3U0FASQ== +-----END RSA PRIVATE KEY----- diff --git a/test/configs/certs/rdns/server.pem b/test/configs/certs/rdns/server.pem new file mode 100644 index 0000000000..823f34fe20 --- /dev/null +++ b/test/configs/certs/rdns/server.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDSDCCAjACAQEwDQYJKoZIhvcNAQELBQAwajELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcyBBbmdlbGVzMQ0wCwYDVQQKDARO +QVRTMQ0wCwYDVQQLDAROQVRTMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjAwNTA5 +MjEwNTI0WhcNMzAwNTA3MjEwNTI0WjBqMQswCQYDVQQGEwJVUzETMBEGA1UECAwK +Q2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9zIEFuZ2VsZXMxDTALBgNVBAoMBE5BVFMx +DTALBgNVBAsMBE5BVFMxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAMRW2rk+Rntrp4lBpGcLt/96R9Nw2yI2XuxX7pAZ +w+w2xHDiUzNcPbk84emziKV+1S1Yn1pOuMOtmxCwl/oOwadcystIbbHZpw4ejh+J +tJTsHKU++2cQm50Ta8My6ImvoUiMssjCD1DzyTJtwW5RmrFNSuT+HPee8C2z2pfv +N4qU2uGpzCEFnKj6aDxpXMSXAeV8Oq2/HC5Y7uYWS5WipJsWa5rhLuCl98GinjbG +NHqAycKUp5237sjsVa3hxPxnJcT8zg58dFGYfMxinMS/2KvmGhfjrC/6D34dIoDw +ETJjrmtuVZ9EWvn/QrLzOJbd4Imd5iixydk7Dm6ISMOqlM0CAwEAATANBgkqhkiG +9w0BAQsFAAOCAQEArl6zUvvu+RF6tqAiHqN5d/mmuhiczsaRReNXe1yJ7llXuDzl +jS/GAYu4nkDX/ejyWAwEnNOhjqNI5LMKNVJo+ZfOVH4jgiGZHaHzL6tY8tI6RYdO +ZUL5aLLDIGNYgR4BWFP2b6dk767iBOsmzB/gjGNi/ROAPQOw72vdXuxFL0xVwIG7 +Dk2u5f3B9nVdJz5gWFMHTE/cSSbyYJ1zZhwauzDaeploSTFlDsjPWUpCWCiE1jKh +jsgeF+HtlHcWlLhAAX/181SUoUilb9FBFCRLpPOuGYiKZ3KSQYzISkzvfE0u6/bs +uGL3UWDsGNQe6AhKMp9V2LxDq+fRIa9pTklb7g== +-----END CERTIFICATE----- diff --git a/test/tls_test.go b/test/tls_test.go index a28f6ce11c..7a0ed1bc8a 100644 --- a/test/tls_test.go +++ b/test/tls_test.go @@ -17,6 +17,7 @@ import ( "bufio" "crypto/tls" "crypto/x509" + "errors" "fmt" "io/ioutil" "net" 
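Review bot: The DER prefix of server.pem (`30 82 03 48 30 82 02 30 02 01 01 ...`) decodes as a version 1 certificate — no explicit version tag, hence no extensions and no subjectAltName — so the host is identified only by `CN=localhost`. Go disabled the Common Name fallback by default in 1.15 and removed the `x509ignoreCN=0` escape hatch in 1.17, so the `nats.Connect("tls://localhost:...")` calls in tls_test.go will stop verifying this server as soon as the toolchain moves past 1.14; reissue it as a v3 certificate with `subjectAltName = DNS:localhost, IP:127.0.0.1`. The same prefix shows that client-a, client-b, client-c and server.pem all carry serial number 1 under the same issuer, which violates the per-CA uniqueness RFC 5280 requires and can confuse tooling or revocation checks that key on issuer+serial; giving each leaf a distinct serial when regenerating costs nothing.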
@@ -1128,3 +1129,137 @@ func TestTLSHandshakeFailureMemUsage(t *testing.T) {
 })
 }
 }
+
+func TestTLSClientAuthWithRDNSequence(t *testing.T) {
+ for _, test := range []struct {
+ name string
+ config string
+ certs nats.Option
+ err error
+ rerr error
+ }{
+ {
+ "connect with tls using full RDN sequence",
+ `
+ port: -1
+ %s
+
+ authorization {
+ users = [
+ { user = "CN=localhost,OU=NATS,O=NATS,L=Los Angeles,ST=California,C=US,DC=foo1,DC=foo2" }
+ ]
+ }
+ `,
+ // C=US/ST=California/L=Los Angeles/O=NATS/OU=NATS/CN=localhost/DC=foo1/DC=foo2
+ nats.ClientCert("./configs/certs/rdns/client-a.pem", "./configs/certs/rdns/client-a.key"),
+ nil,
+ nil,
+ },
+ {
+ "connect with tls using partial RDN sequence has different permissions",
+ `
+ port: -1
+ %s
+
+ authorization {
+ users = [
+ { user = "CN=localhost,OU=NATS,O=NATS,L=Los Angeles,ST=California,C=US,DC=foo1,DC=foo2" },
+ { user = "CN=localhost,OU=NATS,O=NATS,L=Los Angeles,ST=California,C=US",
+ permissions = { subscribe = { deny = ">" }} }
+ ]
+ }
+ `,
+ // C=US/ST=California/L=Los Angeles/O=NATS/OU=NATS/CN=localhost
+ nats.ClientCert("./configs/certs/rdns/client-b.pem", "./configs/certs/rdns/client-b.key"),
+ nil,
+ errors.New("nats: timeout"),
+ },
+ {
+ "connect with tls and RDN sequence partially matches",
+ `
+ port: -1
+ %s
+
+ authorization {
+ users = [
+ { user = "CN=localhost,OU=NATS,O=NATS,L=Los Angeles,ST=California,C=US,DC=foo1,DC=foo2" }
+ { user = "CN=localhost,OU=NATS,O=NATS,L=Los Angeles,ST=California,C=US"},
+ ]
+ }
+ `,
+ //
+ // C=US/ST=California/L=Los Angeles/O=NATS/OU=NATS/CN=localhost/DC=foo3/DC=foo4
+ //
+ // but it will actually match the 2nd user so will not get an error (backwards compatible behavior)
+ //
+ // CN=localhost,OU=NATS,O=NATS,L=Los Angeles,ST=California,C=US
+ //
+ nats.ClientCert("./configs/certs/rdns/client-c.pem", "./configs/certs/rdns/client-c.key"),
+ nil,
+ nil,
+ },
+ {
+ "connect with tls and RDN sequence does not match",
+ `
+ port: -1
+ %s
+
+ authorization {
+ users = [
+ { user = "CN=localhost,OU=NATS,O=NATS,L=Los Angeles,ST=California,C=US,DC=foo1,DC=foo2" }
+ ]
+ }
+ `,
+ // C=US/ST=California/L=Los Angeles/O=NATS/OU=NATS/CN=localhost/DC=foo3/DC=foo4
+ //
+ nats.ClientCert("./configs/certs/rdns/client-c.pem", "./configs/certs/rdns/client-c.key"),
+ errors.New("nats: Authorization Violation"),
+ nil,
+ },
+ } {
+ t.Run(test.name, func(t *testing.T) {
+ content := fmt.Sprintf(test.config, `
+ tls {
+ cert_file: "configs/certs/rdns/server.pem"
+ key_file: "configs/certs/rdns/server.key"
+ ca_file: "configs/certs/rdns/ca.pem"
+ timeout: 5
+ verify_and_map: true
+ }
+ `)
+ conf := createConfFile(t, []byte(content))
+ defer os.Remove(conf)
+ s, opts := RunServerWithConfig(conf)
+ defer s.Shutdown()
+
+ nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port),
+ test.certs,
+ nats.RootCAs("./configs/certs/rdns/ca.pem"),
+ )
+ if test.err == nil && err != nil {
+ t.Errorf("Expected to connect, got %v", err)
+ } else if test.err != nil && err == nil {
+ t.Errorf("Expected error on connect")
+ } else if test.err != nil && err != nil {
+ // Error on connect was expected
+ if test.err.Error() != err.Error() {
+ t.Errorf("Expected error %s, got: %s", test.err, err)
+ }
+ return
+ }
+ defer nc.Close()
+
+ nc.Subscribe("ping", func(m *nats.Msg) {
+ m.Respond([]byte("pong"))
+ })
+ nc.Flush()
+
+ _, err = nc.Request("ping", []byte("ping"), 250*time.Millisecond)
+ if test.rerr != nil && err == nil {
+ t.Errorf("Expected error getting response")
+ } else if test.rerr == nil && err != nil {
+ t.Errorf("Expected response")
+ }
+ })
+ }
+}
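Review bot: In the `test.err == nil && err != nil` branch, `t.Errorf("Expected to connect, got %v", err)` does not stop the subtest, so control falls through to `defer nc.Close()` and `nc.Subscribe(...)` with a nil `nc` and the whole test binary dies with a nil-pointer panic instead of reporting one clean failure; make it `t.Fatalf("Expected to connect, got %v", err)`, and add a `return` after `t.Errorf("Expected error on connect")` since the request assertions are meaningless once connect behaved unexpectedly. The results of `nc.Subscribe` and `nc.Flush` are dropped, so a failed subscription would surface only as the later request timeout, which is indistinguishable from the permission-denied outcome the second case relies on (`rerr` is never compared against the actual error either). Given that the matched identity is built by string concatenation, a case with a certificate whose single DC value contains an escaped `,` asserting it is *not* accepted as the `DC=foo1,DC=foo2` user would pin the canonical form the server expects.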