On Thu, Feb 16, 2023 at 09:17:51PM +0000, Jeremy Harris via Exim-users wrote:

> On 16/02/2023 21:09, Viktor Dukhovni via Exim-users wrote:
> > Some applications (want to) only accept client certificates issued by a
> > dedicated non-public CA, which amounts to an authorisation server
> 
> In exim usage that's a test on a certextract of the issuer of
> $tls_in_peercert, either just in ACL or as part of the
> server_condition for an authenticator using the tls driver.
> 
> For either, the TLS session has to have been accepted first.

The problem is that any root CA can issue a subCA with any subject DN it
wants.  So just checking issuer names, and expecting these to uniquely
identify a private dedicated CA is not "safe".

There is no global X.500 namespace that ensures uniqueness of CA
"distinguished names", they're just made up.

So, if I can't bypass the system trust store, I would be more inclined
to check the issuer public key, not the issuer DN.  That said, an
OpenSSL application can just set the environment and get a non-default
trust store location:

    
https://www.openssl.org/docs/manmaster/man3/X509_get_default_cert_dir_env.html

        const char *X509_get_default_cert_dir_env(void);
        const char *X509_get_default_cert_file_env(void);

Just set those environment variables (just between us friends, those
are "SSL_CERT_DIR" and "SSL_CERT_FILE") to a directory and file that
hold only the application-specific trust anchors, and the system
trust store would no longer be loaded by default.  This works
for OpenSSL, can't speak to GnuTLS...

-- 
    Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
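Added example, not code from Viktor's message, from Exim or from OpenSSL, written in Go because its standard library carries a complete X.509 chain verifier and the whole thing runs offline. Two unrelated roots each issue a sub-CA with the identical subject DN "CN=Exim Private CA" (every CA and user name below is constructed for the demo), and a client certificate from each is put through three checks: the issuer-DN comparison from the quoted reply, a pin on the issuer's public key (SHA-256 over the DER SubjectPublicKeyInfo), and verification against a trust pool that holds nothing but our own root, which is what pointing SSL_CERT_FILE at a single-root file gets you in an OpenSSL program.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// ca is an in-memory certificate plus its private key (constructed for the demo).
type ca struct {
	cert *x509.Certificate
	key  ed25519.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs a certificate for cn with parent's key (self-signed when parent is nil).
func issue(cn string, isCA bool, parent *ca, serial int64) *ca {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, pub, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &ca{cert: cert, key: key}
}

// SPKIFingerprint is hex SHA-256 over the DER SubjectPublicKeyInfo: the issuer's key, not its made-up DN.
func SPKIFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// IssuerKeyMatches accepts leaf only if the CA certificate that really signed it carries the pinned key.
func IssuerKeyMatches(leaf, issuer *x509.Certificate, pinnedSPKI string) bool {
	if err := leaf.CheckSignatureFrom(issuer); err != nil {
		return false
	}
	return SPKIFingerprint(issuer) == pinnedSPKI
}

// VerifyWithPrivateRoot trusts only root: the in-process analogue of an SSL_CERT_FILE holding nothing else.
func VerifyWithPrivateRoot(leaf, intermediate, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

// RunDemo builds two unrelated roots that each issue a sub-CA with the identical DN
// "CN=Exim Private CA" (constructed names) and runs all three checks on a client cert from each.
func RunDemo() (dnGenuine, dnCollision, keyGenuine, keyCollision bool, errGenuine, errCollision error) {
	ourRoot := issue("Example Corp Root", true, nil, 1)
	ourSub := issue("Exim Private CA", true, ourRoot, 2)
	otherRoot := issue("Some Other Root", true, nil, 3)
	otherSub := issue("Exim Private CA", true, otherRoot, 4) // same DN, different key
	genuine := issue("alice", false, ourSub, 5).cert
	collision := issue("alice", false, otherSub, 6).cert
	pin := SPKIFingerprint(ourSub.cert)
	dnGenuine = genuine.Issuer.CommonName == "Exim Private CA" // the DN test passes for both
	dnCollision = collision.Issuer.CommonName == "Exim Private CA"
	keyGenuine = IssuerKeyMatches(genuine, ourSub.cert, pin)
	keyCollision = IssuerKeyMatches(collision, otherSub.cert, pin)
	errGenuine = VerifyWithPrivateRoot(genuine, ourSub.cert, ourRoot.cert)
	errCollision = VerifyWithPrivateRoot(collision, otherSub.cert, ourRoot.cert)
	return dnGenuine, dnCollision, keyGenuine, keyCollision, errGenuine, errCollision
}

func main() {
	fmt.Println(RunDemo())
}
```

`go run` prints the six results in order: the DN test is true for both chains, the key pin is true only for the genuine one, and the private-root pool returns nil for the genuine chain and an unknown-authority error for the colliding one. The pin is taken from the sub-CA that actually signed the client certificate (CheckSignatureFrom first, then the SPKI comparison), so a CA certificate merely presented alongside the chain cannot satisfy it. Go's own crypto/x509 reads SSL_CERT_FILE and SSL_CERT_DIR when it loads the Unix system pool, the same variables named above for OpenSSL; the example sidesteps the system pool altogether by supplying Roots explicitly.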
