Open rakichinni opened 3 months ago
Hello,
our understanding of the cert-to-name
process is that the client's username is always determined from the client's (peer's) certificate. The YANG description is not very clear in this regard. Furthermore, with your expectations different clients would be able to share the same username and we did not think this was an actual use case. Also you are using quite an old version and if I recall correctly there have been some improvements to the cert-to-name
mechanism, yet this logic of obtaining the username solely from the peer's certificate remains.
We may have interpreted the YANG description incorrectly and you may be right. My question is why would you need to obtain the username from a CA certificate instead of the peer's? Are there any resources that would further support your expectations?
Thank you for response.
Security administrators are encouraged to make use of
certificates with subjectAltName fields that can be mapped to
names so that a single root CA certificate can allow all
child certificates' subjectAltName fields to map directly to
a name via a 1:1 transformation.";
RFC 6353 (section 7) and cert-to-name
yang pointing to use CA to have all child certificates to have common username/privileges.
Use case is to have a common privileges if child certificates signed by CA1 for example.
@Roytak Pls let us know if you have any comments or suggestions.
Making changes in nc_tls_cert_to_name
and nc_tlsclb_verify
to derive name as per the RFC 6353 (section 7) and cert-to-name yang description. I will update once validated.
Hi, seems like you are right and it should work like you expected. I started working on the changes and they should be in the devel
branch soon.
@Roytak
Hello. Excuse me, I check this changes and can't understand. How I can get username from client certificate if it's fingerprint is absent on server?
libnetconf2 tried to get SAN from CA certificate, because I use it's fingerprint in cert-to-name
. And this CA certificate don't contains SAN in my case.
But I want to have possibility to connect from different clients with different usernames.
Then you should use a different cert-to-name mapping. If nothing else, you can always use specified
and just set a specific username for each client certificate.
Thanks, but all of this cases of cert-to-name
mapping expect information about client certificates. If I have only CA certificate on server before client will be connected, in this case I can't get different username for different clients, right?
No, it seems with the current YANG modules you cannot.
Thank you
Hi,
Below snippet taken from ietf-x509-cert-to-name@2014-12-10.yang. It says, Once a matching cert-to-name list entry has been found, the map-type is used to determine how the name associated with the certificate should be determined
We generated certificates for ca, client and server. certs.zip CA and client certificates are generated with subjectAltName's rfc822Name and outputs as below.
tls-keystore.xml, tls-truststore.xml and tls-listen.xml are zipped and attached here. certs-conf.zip
ietf-netconf-server
is configured with ca certificate's fingerprint.Logs from netopeer2-server
From logs (and ietf-netconf-monitoring data dumps) it is clear that, 'username' is derived from client certificate as client@abc.com
Expectation: 'username' must be derived from ca certificate which is
ca@abc.com
which is as per yang statements mentioned above.Please clarify if our understanding of cert-to-name is not correct.
Versions used libnetconf2: 2.1.25 netopeer2-server: 2.1.41 sysrepo: 2.27 libyang: 2.0.263