Бранко Мај
2012-Apr-09 13:51 UTC
[Dovecot] Username from rfc822Name subject alternative name
Hello,

I'm looking into adding support for extracting the username from the client certificate's rfc822Name (from the subjectAltName extension).

The question I have is what would be the best approach to do this? The current implementation has a kind of clean code since it just goes through the subject name, extracting the values with X509_NAME_get_text_by_NID (while the NID is obtained with OBJ_txt2nid). If I were to add this, it's bound to make the code a little bit more complicated since SANs can't be retrieved in the same way.

So far in terms of options I have, I can see the following:

1. Create a distinct configuration option for the ssl_cert_username_field (i.e. specify something like "sanrfc822Name" to have Dovecot extract the username from the designated alternative name).

2. Make the current code fail-over to the rfc822Name SAN if emailAddress is provided for ssl_cert_username (less invasion in code, but less flexibility as well).

Any input/recommendation/direction is welcome. I wanted to actually first write a patch, and then submit it, but I think it might be better to check what would be preferable for the Dovecot maintainers/devs.

Best regards

--
Branko Majic
Jabber: branko at majic.rs
Please use only Free formats when sending attachments to me.
Timo Sirainen
2012-Apr-10 16:10 UTC
[Dovecot] Username from rfc822Name subject alternative name
On 9.4.2012, at 16.51, Branko Majic wrote:

> I'm looking into adding support for extracting the username from client certificate's rfc822Name (from the subjectAltName extension).
>
> The question I have is what would be the best approach to do this? Current implementation has a kind of clean code since it just goes through the subject name, extracting the values with X509_NAME_get_text_by_NID (while NID is obtained with OBJ_txt2nid). If I were to add this, it's bound to make the code a little bit more complicated since SANs can't be retrieved in the same way.
>
> So far in terms of options I have, I can see the following:
>
> 1. Create a distinct configuration option for the ssl_cert_username_field (i.e. specify something like "sanrfc822Name" to have Dovecot extract the username from the designated alternative name).

I'm not sure if this is a good idea, but what about:

ssl_cert_username_field = subjectAltName:rfc822Name

> 2. Make the current code fail-over to rfc822Name SAN if emailAddress is provided for ssl_cert_username (less invasion in code, but less flexibility as well).

Automatic failover seems dangerous.
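The two lookups discussed in this thread (a subject attribute via X509_NAME_get_text_by_NID, or an rfc822Name entry from subjectAltName) and the `subjectAltName:rfc822Name` field syntax suggested in the reply, shown as an added example that is not Dovecot's code and not part of the thread. It is written in Python against the dictionary layout that `ssl.SSLSocket.getpeercert()` returns for a verified peer certificate (subject as a tuple of RDNs, subjectAltName as a flat tuple of `(type, value)` pairs) rather than against the OpenSSL C API. `SAMPLE_CERT`, `SAN_TYPES`, `username_from_cert` and the config spelling of the field names are constructed for the example; the point it demonstrates is an explicit lookup with no automatic fallback from one location to the other.

```python
# Constructed sample certificate in the layout ssl.SSLSocket.getpeercert()
# returns: 'subject' is a tuple of RDNs, each a tuple of (type, value)
# pairs; 'subjectAltName' is a flat tuple of (type, value) pairs.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "RS"),),
        (("commonName", "Example User"),),
        (("emailAddress", "subject-user@example.test"),),
    ),
    "subjectAltName": (
        ("DNS", "client.example.test"),
        ("email", "san-user@example.test"),
        ("email", "second-san@example.test"),
    ),
}

# Hypothetical config spellings of SAN types (as in the proposed
# "subjectAltName:rfc822Name") mapped to the labels getpeercert() uses.
SAN_TYPES = {"rfc822Name": "email", "dNSName": "DNS"}


def _subject_value(cert, field):
    """First subject attribute of the given type (the same first-match
    behaviour as X509_NAME_get_text_by_NID), or None when absent."""
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == field:
                return value
    return None


def _san_value(cert, san_type):
    """First subjectAltName entry of the given type, or None when absent.
    An unknown type is a configuration error, not a silent miss."""
    label = SAN_TYPES.get(san_type)
    if label is None:
        raise ValueError("unsupported subjectAltName type: %s" % san_type)
    for san_label, value in cert.get("subjectAltName", ()):
        if san_label == label:
            return value
    return None


def username_from_cert(cert, username_field):
    """Resolve the login username from an already-verified client cert.

    username_field is the (hypothetical) ssl_cert_username_field value:
    either a subject attribute name such as "emailAddress", or
    "subjectAltName:<type>". The lookup is explicit: when the configured
    field is missing the result is None, and the caller rejects the login;
    the code never falls back to the other location on its own.
    """
    if username_field.startswith("subjectAltName:"):
        return _san_value(cert, username_field.split(":", 1)[1])
    return _subject_value(cert, username_field)


if __name__ == "__main__":
    for field in ("emailAddress", "commonName", "subjectAltName:rfc822Name"):
        print("%-28s -> %s" % (field, username_from_cert(SAMPLE_CERT, field)))
```

Only the first matching value is returned in both paths, which matches what X509_NAME_get_text_by_NID does for the subject; a certificate carrying several rfc822Name entries therefore maps to the first one, so a deployment that relies on this should issue certificates with a single rfc822Name. In C against OpenSSL the SAN path would instead call X509_get_ext_d2i() with NID_subject_alt_name and walk the resulting GENERAL_NAMES for entries of type GEN_EMAIL, which is the extra code the original message anticipates.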