dovecot - Jan 2018 - Send full X.509 client certificate to custom authentication policy server

I'm working with Dovecot 2.3 and I'm wondering if I could send the full
X.509 client certificate to my custom authentication policy server.

I'm actually aware that I can send the client certificate validity status
with something like:

auth_policy_request_attributes = ... cert=%{cert}

But I want the full X.509 certificate to be able to decide over the basis
of certificate extensions, e.g. Certificate Policies extension.

Is it currently possible?, what about Lua based authentication?, does Lua
currently receive the full client certificate?.
-- 
Jaime Hablutzel -  RPC 994690880
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20180126/a75f41be/attachment.html>

> On January 26, 2018 at 7:15 PM Jaime Hablutzel Egoavil <hablutzel1 at
gmail.com> wrote:
> 
> 
> I'm working with Dovecot 2.3 and I'm wondering if I could send the
full
> X.509 client certificate to my custom authentication policy server.
> 
> I'm actually aware that I can send the client certificate validity
status
> with something like:
> 
> auth_policy_request_attributes = ... cert=%{cert}
> 
> But I want the full X.509 certificate to be able to decide over the basis
> of certificate extensions, e.g. Certificate Policies extension.
> 
> Is it currently possible?, what about Lua based authentication?, does Lua
> currently receive the full client certificate?.
> -- 
> Jaime Hablutzel -  RPC 994690880
The cert is only received by the login process, validated and some details
picked up, and then discarded. Unfortunately what you want is not really
possible currently.

Auth process gets only the details that are picked up by login process.

Aki