TLS Certificate auth method, and policy templates referring to OID extensions

So I’m trying to use the cert auth method and assign a policy to clients that authenticate with it. All of the valid certs I want to work should have a specific required_extension, and I would like to have access to those extensions to insert into a policy.

I know there are metadata attributes available in identity.entity.aliases.<mount accessor>.metadata.<metadata key>, but there doesn’t appear to be any other data populated into the entities created from my TLS cert auth.

Is there a general approach for this that I am missing?

Those extensions are not currently populated into metadata. But you also can’t put metadata into a policy. What are you trying to do?

Using certs that are generated and signed by a puppet server’s CA with the PP_ENVIRONMENT (oid: 1.3.6.1.4.1.34380.1.1.12) extension embedded.

After authenticating with a valid cert I want to only allow it to read from a specific kv backend path. Something like this (Replace {{environment}} with the PP_ENVIRONMENT value embedded in the cert):

#Access to certname specific data
path "secret/puppet/{{environment}}/certname/{{identity.entity.aliases.<mount accessor>.name}}/*" {
    capabilities = [ "read", "list" ]
}
#Access to environment specific data
path "secret/puppet/{{environment}}/environment/*" {
    capabilities = [ "read" ]
}
#Access to general data
path "secret/puppet/common/*" {
    capabilities = [ "read" ]
}

According to Policies | Vault | HashiCorp Developer, metadata should be available in policy templates:

identity.entity.aliases.<mount accessor>.metadata.<metadata key>: Metadata associated with the alias for the given mount and metadata key

What’s available there is what the auth method actually writes into metadata; I do not believe the contents of OID extensions are one of those values. It potentially could be – you could propose a PR on the issue tracker and see if that change would be accepted.

@absltkaos did you find a solution to your problem? I would like to do a similar thing…

And looking at the code, this is the place it should go:

As the OID extensions aren’t generic, there is some converting needed, e.g. the OID into a string representation. Also, how to decide which ones to add to the metadata. Or just all of them?

Yeah, never got it fixed :frowning:

I don’t even know that I would need the string representation of the oid. Just having the oid accessible would be good with me.

As for which OID, if there doesn’t need to be any kind of conversion, I’d just say include all of the OIDs present in the cert.

Thanks for finding that code reference, maybe I’ll take a peek at this some more in the future.
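What the conversion discussed in the last two posts could look like, as an added Go example that is not Vault’s code or anything posted in this thread: it walks the parsed certificate’s extensions, skips the standard id-ce ones Go already parses into struct fields, keys every remaining extension by its dotted OID (with dots swapped for underscores, since dots are the separator inside identity templates), and decodes the value as an ASN.1 string, falling back to hex for anything else. The PP_ENVIRONMENT OID is the one from the thread; that Puppet encodes its value as a UTF8String is an assumption, and the self-signed cert and the "production" value are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"math/big"
	"strings"
	"time"
)
var oidPPEnvironment = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 34380, 1, 1, 12} // Puppet PP_ENVIRONMENT, from the thread

// extensionMetadata maps each non-standard extension to "oid_<OID, dots as underscores>"
// (dots are the separator inside {{identity...metadata.<key>}}). Value: the decoded
// ASN.1 string if the DER is one (Puppet writes UTF8String; assumed), else hex of raw DER.
func extensionMetadata(cert *x509.Certificate) map[string]string {
	md := make(map[string]string)
	for _, ext := range cert.Extensions {
		if len(ext.Id) >= 3 && ext.Id[0] == 2 && ext.Id[1] == 5 && ext.Id[2] == 29 {
			continue // id-ce arc: standard extensions Go already parsed into struct fields
		}
		key := "oid_" + strings.ReplaceAll(ext.Id.String(), ".", "_")
		md[key] = "hex:" + hex.EncodeToString(ext.Value) // fallback for non-string values
		var s string
		if rest, err := asn1.Unmarshal(ext.Value, &s); err == nil && len(rest) == 0 {
			md[key] = s
		}
	}
	return md
}

// newTestCert self-signs a constructed client cert carrying PP_ENVIRONMENT=production.
func newTestCert() (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(nil)              // nil = crypto/rand, does not fail in practice
	env, _ := asn1.MarshalWithParams("production", "utf8") // constant input, cannot fail
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, // yields a 2.5.29.15 extension the filter must drop
		ExtraExtensions: []pkix.Extension{{Id: oidPPEnvironment, Value: env}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

With that map attached to the alias, the policy above would reference `{{identity.entity.aliases.<mount accessor>.metadata.oid_1_3_6_1_4_1_34380_1_1_12}}` in place of `{{environment}}`.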