*Buddhima Udaranga*|Software Engineer| WSO2 Inc. <http://wso2.com/>
(M)+94 714742094 | (E) buddhi...@wso2.com
<https://wso2.com/signature>


---------- Forwarded message ---------
From: Buddhima Udaranga <buddhi...@wso2.com>
Date: Wed, May 15, 2019 at 9:39 PM
Subject: X509 authenticator configuration to support 'X509v3 Subject
Alternative Name' and extract specific string value of certificate's
'Subject' attribute RDN
To: <architecture-requ...@wso2.org>


Hi All,

I'm working on developing a new feature for WSO2 Identity Server to
provide support for using a regex to get a specific string value of the
certificate's 'Subject' attribute RDN and to get the certificate's 'X509v3
Subject Alternative Name' attribute value. You can find the details in the
following GitHub issue [1].

With this feature, two new configurations will be added to the
application-authentication.xml:

   -  <Parameter name="UsernameRegex">[a-zA-Z]{3}</Parameter>
   -  <Parameter name="AlternativeNamesRegex">^[a-zA-Z]{3}$</Parameter>

These will be added under Authenticator Config name
x509CertificateAuthenticator.

With respect to [2] and [3], alternative names will have priority in
the authentication process. After this feature, if there is a pattern
configured for alternative names, then the user will be authenticated using
the matching alternative name for that pattern. There cannot be more than
one match or no matches for a given regex. If an alternative names regex
pattern is not configured, then the system will check for the username regex.
If the regex is configured and there is only one match, authentication will
happen using that match.

For any given regex for both configurations, if no matches are found or
more than one match is found, the system will throw an error.

If both of these configurations are not present in the
application-authentication.xml, the system will use the configured username
attribute of the certificate to authenticate, which is the CN value of the
certificate in the default application-authentication.xml configuration.

Please find the attached flow diagram relevant to the above description.

I would really appreciate any feedback. Thank you.

[image: X509FlowDiagram (1).jpg]

[1] - https://github.com/wso2/product-is/issues/5057
[2] - https://tools.ietf.org/html/rfc5280#section-4.1.2.6
[3] - https://tools.ietf.org/html/rfc6125#section-6.4.4

Best Regards,
Buddhima

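The identifier-selection logic described in the message above (alternative names first, then the Subject RDN regex, then the plain username attribute, with exactly one match required), as an added example in Python that is not part of the original message or of the WSO2 authenticator's code. The match semantics (search for the alternative-names pattern, every non-overlapping occurrence for the username pattern) and the sample certificate values are assumptions.

```python
import re
from typing import Optional, Sequence


class X509AuthenticationError(Exception):
    """Raised when a configured regex yields zero or several matches."""


def _single_match(candidates: Sequence[str], setting: str) -> str:
    # The design requires exactly one match; zero or several is an error.
    if len(candidates) != 1:
        raise X509AuthenticationError(
            f"{setting}: expected exactly one match, got {len(candidates)}: {list(candidates)}"
        )
    return candidates[0]


def resolve_username(subject_attr_value: str,
                     alternative_names: Sequence[str],
                     alt_names_regex: Optional[str] = None,
                     username_regex: Optional[str] = None) -> str:
    """Return the identifier the authenticator would authenticate the user as."""
    # 1. AlternativeNamesRegex has priority: keep the SAN entries the pattern matches.
    #    Assumption: search semantics, so the admin anchors the pattern (as in ^...$).
    if alt_names_regex:
        pattern = re.compile(alt_names_regex)
        hits = [name for name in alternative_names if pattern.search(name)]
        return _single_match(hits, "AlternativeNamesRegex")
    # 2. Otherwise UsernameRegex extracts a substring of the Subject RDN value.
    #    Assumption: every non-overlapping occurrence counts as a separate match,
    #    so an unanchored pattern on a long value can fail with "more than one match".
    if username_regex:
        hits = [m.group(0) for m in re.finditer(username_regex, subject_attr_value)]
        return _single_match(hits, "UsernameRegex")
    # 3. Neither configured: fall back to the configured username attribute (CN by default).
    return subject_attr_value


# Constructed sample values, not taken from a real certificate.
SAMPLE_CN = "abc"
SAMPLE_SANS = ["abc", "someone@example.com"]

if __name__ == "__main__":
    print(resolve_username(SAMPLE_CN, SAMPLE_SANS, alt_names_regex=r"^[a-zA-Z]{3}$"))
```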
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture