Jaime Hablutzel Egoavil
2018-Jan-26 17:15 UTC
Send full X.509 client certificate to custom authentication policy server
I'm working with Dovecot 2.3 and I'm wondering if I could send the full X.509 client certificate to my custom authentication policy server.

I'm actually aware that I can send the client certificate validity status with something like:

    auth_policy_request_attributes = ... cert=%{cert}

But I want the full X.509 certificate to be able to decide on the basis of certificate extensions, e.g. the Certificate Policies extension.

Is it currently possible? What about Lua-based authentication? Does Lua currently receive the full client certificate?

--
Jaime Hablutzel - RPC 994690880
Aki Tuomi
2018-Jan-26 17:45 UTC
Send full X.509 client certificate to custom authentication policy server
> On January 26, 2018 at 7:15 PM Jaime Hablutzel Egoavil <hablutzel1 at gmail.com> wrote:
>
> I'm working with Dovecot 2.3 and I'm wondering if I could send the full
> X.509 client certificate to my custom authentication policy server.
>
> I'm actually aware that I can send the client certificate validity status
> with something like:
>
> auth_policy_request_attributes = ... cert=%{cert}
>
> But I want the full X.509 certificate to be able to decide over the basis
> of certificate extensions, e.g. Certificate Policies extension.
>
> Is it currently possible?, what about Lua based authentication?, does Lua
> currently receive the full client certificate?.
> --
> Jaime Hablutzel - RPC 994690880

The cert is only received by the login process, validated and some details picked up, and then discarded.

Unfortunately what you want is not really possible currently. Auth process gets only the details that are picked up by login process.

Aki