Hey All -- Not sure if you saw this or if it got blocked by the spam filter... TL;DR: how can I access extended PKI attributes for use in an HTTP header?

---------- Forwarded message ----------
From: Matt Park <matthew.james.p...@gmail.com>
Date: Fri, Jun 17, 2016 at 5:19 PM
Subject: Capture and forward extended PKI cert attributes (e.g. UPN) using HAProxy
To: haproxy@formilux.org
Hey All,

I'm guessing it's a terrible idea to submit to the mailing list on the Friday before Father's Day weekend (could just be US-centric thinking, though). At any rate -- to the dads out there, Happy Father's Day.

I've put about 20 hours into this and I'm pretty familiar with HAProxy, PKI and mutual auth in general. The only difference is that I need a v3 attribute off a smart card vs. a soft cert. I'm shamelessly ripping this from my Server Fault post <http://serverfault.com/questions/783906/capture-and-forward-extended-pki-cert-attributes-e-g-upn-using-haproxy>, so the synopsis is below:

I'm trying to pull an attribute from a client certificate in a mutual authentication scenario and set it as an HTTP header in the request to the backend. See fig 1 below.

fig1

    [user with correct certificate]
          |
          | 1. presents cert with normal v1 attributes
          |    has additional "extension" attributes
          |    incl. "Subject Alt Name" which contains
          |    "User Principal Name" (UPN looks like an email addr)
          |
    [example.com:443 haproxy]   -- app1 / app2 CNAMEd to example.com
          |
          | 2. read Subject Alternative Name
          | 3. regex or parse out UPN
          | 4. set REMOTE_USER header to be UPN
          | 5. pass to backend(s)
          |
          +------------------+
          |                  |
          V                  V
    [app1svr:80]        [app2svr:80]

Normally it's easy: you would just pull the attribute you want using the built-in functionality, like so:

    frontend https
        bind *:443 name https ssl crt ./server.pem ca-file ./ca.crt verify required
        http-request set-header X-SSL-Client-DN        %{+Q}[ssl_c_s_dn]
        http-request set-header X-SSL-Client-CN        %{+Q}[ssl_c_s_dn(cn)]
        http-request set-header X-SSL-Issuer           %{+Q}[ssl_c_i_dn]
        http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
        http-request set-header X-SSL-Client-NotAfter  %{+Q}[ssl_c_notafter]
        default_backend app1svr

    backend app1svr
        server app1 app1svr.example.com:80

    backend app2svr
        server app2 app2svr.example.com:80

List of attributes here: https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7.3.4

Unfortunately, missing from the list of attributes are any of the COMMON extension attributes such as:

- Subject alternative name
- RFC822 Name
- Other Name
- Principal Name
- CRL Distribution Points

I can't seem to figure out the right way to access these attributes. Looking at the code (below line 5815) https://github.com/haproxy/haproxy/blob/master/src/ssl_sock.c it doesn't seem to be *just* a documentation issue.

Any thoughts here?

(possibly related issue): http://stackoverflow.com/questions/22966461/reading-an-othername-value-from-a-subjectaltname-certificate-extension

Thanks for reading if you made it this far.

R,
Matt
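Added example, not part of Matt's post and not HAProxy code: step 3 of the figure ("regex or parse out UPN") is the part that HAProxy's sample fetches did not cover, so here is a stdlib-only Python walk over a SubjectAltName extension value that picks out the otherName carrying the Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3 and refuses values that are not safe to place in a header. The SAN bytes it runs on are constructed inline with a small encoder (the names jdoe@corp.example.com, jdoe@example.com and example.com are made up for the sample); in a deployment the input would be the extension value taken from the client certificate.

```python
"""Pull the Microsoft User Principal Name (UPN) out of an X.509 subjectAltName.

Standard library only.  The UPN is a GeneralName of type otherName:
    GeneralName ::= CHOICE { otherName [0] OtherName, rfc822Name [1] IA5String,
                             dNSName [2] IA5String, ... }
    OtherName   ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY }
with type-id 1.3.6.1.4.1.311.20.2.3 and value a UTF8String.
"""

UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # szOID_NT_PRINCIPAL_NAME

def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos] -> (tag, value, next_pos)."""
    tag = buf[pos]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-byte tags do not occur in a SAN")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: 0x8n then n length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or absurd length is not valid DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end

def _decode_oid(raw):
    """DER OID contents -> dotted string (first byte packs the first two arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _encode_oid(oid):
    """Dotted OID string -> DER contents (used only to build the sample)."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def _tlv(tag, value):
    """Wrap value in a DER TLV with a short- or long-form length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def parse_general_names(san_der):
    """Yield (kind, value) for every GeneralName in a SubjectAltName SEQUENCE."""
    tag, body, end = _read_tlv(san_der, 0)
    if tag != 0x30 or end != len(san_der):
        raise ValueError("SAN extension value must be exactly one SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0xA0:                   # [0] otherName; IMPLICIT, so it replaces SEQUENCE
            t, oid_raw, p = _read_tlv(val, 0)
            t2, explicit, _ = _read_tlv(val, p)
            if t != 0x06 or t2 != 0xA0:
                raise ValueError("malformed OtherName")
            inner_tag, inner, _ = _read_tlv(explicit, 0)
            yield "otherName", (_decode_oid(oid_raw), inner_tag, inner)
        elif tag == 0x81:                 # [1] rfc822Name, IA5String
            yield "rfc822Name", val.decode("ascii")
        elif tag == 0x82:                 # [2] dNSName, IA5String
            yield "dNSName", val.decode("ascii")
        else:                             # iPAddress, URI, directoryName, ... left raw
            yield "other", (tag, val)

def extract_upn(san_der):
    """Return the UPN string, or None if the SAN carries no UPN otherName.

    The value is destined for an HTTP header, so control characters
    (CR/LF would let a certificate inject extra headers) are rejected.
    """
    for kind, value in parse_general_names(san_der):
        if kind != "otherName" or value[0] != UPN_OID:
            continue
        _, inner_tag, inner = value
        if inner_tag != 0x0C:
            raise ValueError("UPN value must be a UTF8String")
        upn = inner.decode("utf-8")
        if not upn or any(ord(c) < 0x20 or ord(c) == 0x7F for c in upn):
            raise ValueError("UPN contains control characters; not header-safe")
        return upn
    return None

def build_san(upn=None, rfc822=None, dns=None):
    """Encode a SubjectAltName SEQUENCE; used here only to construct test input."""
    names = b""
    if upn is not None:
        other = _tlv(0x06, _encode_oid(UPN_OID)) + _tlv(0xA0, _tlv(0x0C, upn.encode("utf-8")))
        names += _tlv(0xA0, other)
    if rfc822 is not None:
        names += _tlv(0x81, rfc822.encode("ascii"))
    if dns is not None:
        names += _tlv(0x82, dns.encode("ascii"))
    return _tlv(0x30, names)

# Constructed sample, not taken from any real certificate.
SAMPLE_SAN = build_san(upn="jdoe@corp.example.com", rfc822="jdoe@example.com", dns="example.com")
```

The parser is deliberately strict: exactly one SEQUENCE, definite lengths only, UTF8String for the UPN, and no control characters in the result, so a certificate cannot smuggle a second header into the request. Whatever ends up setting REMOTE_USER from this value should also delete any REMOTE_USER the client sent (`http-request del-header REMOTE_USER` in HAProxy) so the backend never sees a copy the proxy did not set. HAProxy exposes the raw client certificate as ssl_c_der, so a helper like this could be handed the whole certificate; locating the SAN extension inside the TBSCertificate needs the same TLV walk and is not done in this block.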