check all SAN types against regex

Signed-off-by: chodges15 <[email protected]>

web/testdata/web_config_auth_client_san_dns.bad.yaml → web/testdata/web_config_auth_client_san.bad.yaml

@@ -3,4 +3,4 @@ tls_server_config:
   key_file: "server.key"
   client_auth_type: "RequireAndVerifyClientCert"
   client_ca_file: "client2_selfsigned.pem"
-  client_cert_allowed_san_dns: "bad"
+  client_allowed_san_regex: "bad"

web/testdata/web_config_auth_client_san_dns.good.yaml → web/testdata/web_config_auth_client_san.good.yaml

@@ -3,4 +3,4 @@ tls_server_config:
   key_file: "server.key"
   client_auth_type: "RequireAndVerifyClientCert"
   client_ca_file: "client2_selfsigned.pem"
-  client_cert_allowed_san_dns: "test3"
+  client_allowed_san_regex: "test3"

web/testdata/web_config_auth_client_san_dns_regex.bad.yaml → web/testdata/web_config_auth_client_san_regex.bad.yaml

@@ -3,4 +3,4 @@ tls_server_config:
   key_file: "server.key"
   client_auth_type: "RequireAndVerifyClientCert"
   client_ca_file: "client2_selfsigned.pem"
-  client_cert_allowed_san_dns: ".+test.+"
+  client_allowed_san_regex: ".+test.+"

web/testdata/web_config_auth_client_san_dns_regex.good.yaml → web/testdata/web_config_auth_client_san_regex.good.yaml

@@ -3,4 +3,4 @@ tls_server_config:
   key_file: "server.key"
   client_auth_type: "RequireAndVerifyClientCert"
   client_ca_file: "client2_selfsigned.pem"
-  client_cert_allowed_san_dns: (test\d|dns)
+  client_allowed_san_regex: (test\d|dns)

web/tls_config.go

@@ -52,8 +52,7 @@ type TLSConfig struct {
 	MinVersion               TLSVersion `yaml:"min_version"`
 	MaxVersion               TLSVersion `yaml:"max_version"`
 	PreferServerCipherSuites bool       `yaml:"prefer_server_cipher_suites"`
-	// regular expression to match the SAN DNS entries of the client cert
-	ClientCertAllowedSanDNSRegex string `yaml:"client_cert_allowed_san_dns"`
+	ClientAllowedSanRegex    string     `yaml:"client_allowed_san_regex"`
 }
 
 type FlagConfig struct {
@@ -69,21 +68,34 @@ func (t *TLSConfig) SetDirectory(dir string) {
 	t.ClientCAs = config_util.JoinDir(dir, t.ClientCAs)
 }
 
-// VerifyPeerCertificate will check the DNS SAN entries of the client cert if there is configuration for it
+// VerifyPeerCertificate will check the SAN entries of the client cert if there is configuration for it
 func (t *TLSConfig) VerifyPeerCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
 	// sender cert comes first, see https://www.rfc-editor.org/rfc/rfc5246#section-7.4.2
 	cert, err := x509.ParseCertificate(rawCerts[0])
 	if err != nil {
 		return fmt.Errorf("error parsing client certificate: %s", err)
 	}
 
-	for _, san := range cert.DNSNames {
-		if matched, _ := regexp.MatchString(t.ClientCertAllowedSanDNSRegex, san); matched {
+	// Build up a slice of strings with all Subject Alternate Name values
+	sanValues := append(cert.DNSNames, cert.EmailAddresses...)
+
+	for _, ip := range cert.IPAddresses {
+		sanValues = append(sanValues, ip.String())
+	}
+
+	for _, uri := range cert.URIs {
+		sanValues = append(sanValues, uri.String())
+	}
+
+	for _, sanValue := range sanValues {
+		if matched, _ := regexp.MatchString(t.ClientAllowedSanRegex, sanValue); matched {
 			return nil
 		}
 	}
 
-	return fmt.Errorf("could not find configured SAN DNS in client cert: %s", t.ClientCertAllowedSanDNSRegex)
+	//todo: check other fields of the cert
+
+	return fmt.Errorf("could not find configured SAN in client cert: %s", t.ClientAllowedSanRegex)
 }
 
 type HTTPConfig struct {
@@ -183,7 +195,7 @@ func ConfigToTLSConfig(c *TLSConfig) (*tls.Config, error) {
 		cfg.ClientCAs = clientCAPool
 	}
 
-	if c.ClientCertAllowedSanDNSRegex != "" {
+	if c.ClientAllowedSanRegex != "" {
 		// verify that the client cert contains the allowed domain name
 		cfg.VerifyPeerCertificate = c.VerifyPeerCertificate
 	}

web/tls_config_test.go

@@ -350,28 +350,28 @@ func TestServerBehaviour(t *testing.T) {
 		},
 		{
 			Name:              `valid tls config yml and tls client with VerifyPeerCertificate (present good SAN DNS entry)`,
-			YAMLConfigPath:    "testdata/web_config_auth_client_san_dns.good.yaml",
+			YAMLConfigPath:    "testdata/web_config_auth_client_san.good.yaml",
 			UseTLSClient:      true,
 			ClientCertificate: "client2_selfsigned",
 			ExpectedError:     nil,
 		},
 		{
 			Name:              `valid tls config yml and tls client with VerifyPeerCertificate (present invalid SAN DNS entries)`,
-			YAMLConfigPath:    "testdata/web_config_auth_client_san_dns.bad.yaml",
+			YAMLConfigPath:    "testdata/web_config_auth_client_san.bad.yaml",
 			UseTLSClient:      true,
 			ClientCertificate: "client2_selfsigned",
 			ExpectedError:     ErrorMap["Invalid client cert"],
 		},
 		{
 			Name:              `valid tls config yml and tls client with VerifyPeerCertificate (present SAN DNS entry that matches configured regex)`,
-			YAMLConfigPath:    "testdata/web_config_auth_client_san_dns_regex.good.yaml",
+			YAMLConfigPath:    "testdata/web_config_auth_client_san_regex.good.yaml",
 			UseTLSClient:      true,
 			ClientCertificate: "client2_selfsigned",
 			ExpectedError:     nil,
 		},
 		{
 			Name:              `valid tls config yml and tls client with VerifyPeerCertificate (present SAN DNS entry that does not match configured regex)`,
-			YAMLConfigPath:    "testdata/web_config_auth_client_san_dns_regex.bad.yaml",
+			YAMLConfigPath:    "testdata/web_config_auth_client_san_regex.bad.yaml",
 			UseTLSClient:      true,
 			ClientCertificate: "client2_selfsigned",
 			ExpectedError:     ErrorMap["Invalid client cert"],