Enhanced mapping of an X509Certificate to the underlying identity
Overview
Elytron provides support for X509PeerCertificateChainEvidence, i.e., evidence that is composed of a
verified X509 certificate chain. Currently, the principal that is associated with this type of evidence
is hard-coded to be the subject from the first certificate in the certificate chain, as an X500Principal.
This principal then gets mapped/rewritten using the configured principal decoders and principal transformers
to obtain the name that should be used when locating and loading the identity from the underlying identity store.
The X509 v3 Subject Alternative Name extension provides the ability
to specify one or more alternative non-X500 names that can be used in addition to or instead of the
certificate’s subject name. It should be possible to specify that one of these alternative names should be
used as the principal associated with X509PeerCertificateChainEvidence. This principal will then get
mapped/rewritten using the configured principal decoders and principal transformers to obtain the name that
should be used when locating and loading the identity from the underlying identity store.
Issue Metadata
Issue
Related Issues
Dev Contacts
QE Contacts
Testing By
[ ] Engineering
[x] QE
Affected Projects or Components
-
WildFly, Security
Other Interested Projects
Requirements
Hard Requirements
-
A new
org.wildfly.security.evidence-decodercapability will be added. -
It should be possible to configure an
x509-subject-alt-name-evidence-decoderin themappersconfiguration in the Elytron subsystem. This evidence decoder will be used to decode the principal that should be associated with the givenX509PeerCertificateChainEvidence. In particular, this new resource will have the following two attributes:-
alt-name-type- The subject alternative name type to decode from the givenX509PeerCertificateChainEvidenceevidence. This attribute is required. Must be one of the subject alternative name types that can be represented as aString:-
rfc822Name -
dNSName -
uniformResourceIdentifier -
iPAddress -
registeredID -
directoryName
-
-
segment- The 0-based occurrence of the subject alternative name to map. This attribute is optional and only used when there is more than one subject alternative name of the givenalt-name-type. The default value is0.
-
For example, consider the following X509 v3 Subject Alternative Name extension from the first certificate in an
X509PeerCertificateChainEvidence:
X509v3 Subject Alternative Name:
DNS:one.example.org, IP Address:127.0.0.1To associate the evidence with the principal "one.example.org", the following x509-subject-alt-name-evidence-decoder
could be configured:
<mappers>
...
<x509-subject-alt-name-evidence-decoder name="dnsDecoder" alt-name-type="dNSName"/>
...
</mappers>Next, consider following X509 v3 Subject Alternative Name extension from the first certificate in an X509PeerCertificateChainEvidence:
X509v3 Subject Alternative Name:
DNS:one.example.org, DNS:two.example.org, IP Address:127.0.0.1To associate the evidence with the principal "two.example.org", the following x509-subject-alt-name-evidence-decoder
could be configured:
<mappers>
...
<x509-subject-alt-name-evidence-decoder name="dnsDecoder" alt-name-type="dNSName" segement="1"/>
...
</mappers>-
It should be possible to configure an
x500-subject-evidence-decoderin themappersconfiguration in the Elytron subsystem. This evidence decoder will be used to decode the principal that should be associated with the givenX509PeerCertificateChainEvidence.This evidence decoder will extract the subject from the first certificate in the certificate chain, as anX500Principal. Example configuration:
<mappers>
...
<x500-subject-evidence-decoder name="subjectDecoder"/>
...
</mappers>-
It should be possible to configure a
custom-evidence-decoderin themappersconfiguration in the Elytron subsystem in order to make use of a customEvidenceDecoderimplementation. This will have the same attributes as any other Elytron custom component. -
It should be possible to configure an
aggregate-evidence-decoderin themappersconfiguration in the Elytron subsystem. This will consist of two or moreevidence-decoderelements where each element will contain a reference to a configured evidence decoder. Given evidence, these evidence decoders will be attempted in order until one returns a non-null principal or until there are no more evidence decoders left to try.
Example configuration:
<mappers>
...
<x509-subject-alt-name-evidence-decoder name="emailDecoder" alt-name-type="rfc822Name"/>
<x509-subject-alt-name-evidence-decoder name="dnsDecoder" alt-name-type="dNSName"/>
<x500-subject-evidence-decoder name="subjectDecoder" />
<aggregate-evidence-decoder name="aggregateDecoder">
<evidence-decoder name="emailDecoder"/>
<evidence-decoder name="subjectDecoder"/>
<evidence-decoder name="dnsDecoder"/>
</aggregate-evidence-decoder>
...
</mappers>-
It should be possible to configure an
evidence-decoderfor asecurity-domainin the Elytron subsystem. This optional attribute will be a reference to an evidence decoder that has been configured in themappersconfiguration in the Elytron subsystem.-
If no
evidence-decoderis specified for asecurity-domain, then the principal associated with the evidence will just be the default principal for the evidence type, i.e., forX509PeerCertificateChainEvidence, this would continue to default to the subject from the first certificate in the certificate chain, as anX500Principal.
-
Nice-to-Have Requirements
Non-Requirements
Test Plan
Elytron subsystem parsing and transformer tests will be added. Tests will be added to both the Elytron testsuite and the
Elytron subsystem tests to ensure that the correct principal is extracted from X509PeerCertificateChainEvidence based
on the configured evidence decoders.
Community Documentation
Documentation on evidence decoders will be added to the "Elytron Subsystem" section in the WildFly documentation.