Extracting username from X.509 certificate

Answered Question
Nov 11th, 2010

Dear all,


We are using the following subject in our X.509 certificate:


cn=Jack Sparrow,cn=CSN123875,cn=Users,dc=dacomp,dc=cz


I would like to use the second cn as the value for the LDAP search. I had thought that the username-from-certificate command in the tunnel-group could do the trick, but if I use "username-from-certificate CN" only the last cn from the certificate is returned (in the case of the above-mentioned example it is the "Users" string). I also tried to use a Lua script, but to no avail. Is there any Lua variable like "return cert.subject.dn" that contains the whole distinguished name from the subject, or any other possibility that could help me to use any CN from the certificate subject as a user name? We are using asa822-k8.bin (ASDM 6.3(1)) software version. Any answer would be much appreciated. Thank you very much.


Yours sincerely,


Zdenek Rottenberg

Correct Answer by Herbert Baerten about 6 years 8 months ago

Hi Zdenek


great, thanks for letting us know!

BTW please mark the thread as resolved, thanks!


cheers

Herbert

Herbert Baerten Tue, 11/16/2010 - 02:42
User Badges:
  • Cisco Employee,

Hi Zdenek,


have you tried using a LUA regular expression, i.e. something like


cn=%a+,cn=(%a+),cn=%a+



hth

Herbert

rottenberg Tue, 11/16/2010 - 15:20

Hi Herbert,


first of all thank you very much for your answer.


Yes, it is true that I can use regular expressions, but regular expressions must be applied to a variable. The following table lists the supported variables (this is for ASA software 8.2(2) and ASDM 6.3(1)):



  Variable                   Meaning
  cert.subject.c             Country
  cert.subject.cn            Common Name
  cert.subject.dnq           DN qualifier
  cert.subject.ea            Email Address
  cert.subject.genq          Generational qualifier
  cert.subject.gn            Given Name
  cert.subject.i             Initials
  cert.subject.l             Locality
  cert.subject.n             Name
  cert.subject.o             Organization
  cert.subject.ou            Organization Unit
  cert.subject.ser           Subject Serial Number
  cert.subject.sn            Surname
  cert.subject.sp            State/Province
  cert.subject.t             Title
  cert.subject.uid           User ID
  cert.issuer.c              Country
  cert.issuer.cn             Common Name
  cert.issuer.dnq            DN qualifier
  cert.issuer.ea             Email Address
  cert.issuer.genq           Generational qualifier
  cert.issuer.gn             Given Name
  cert.issuer.i              Initials
  cert.issuer.l              Locality
  cert.issuer.n              Name
  cert.issuer.o              Organization
  cert.issuer.ou             Organization Unit
  cert.issuer.ser            Issuer Serial Number
  cert.issuer.sn             Surname
  cert.issuer.sp             State/Province
  cert.issuer.t              Title
  cert.issuer.uid            User ID
  cert.serialnumber          Certificate Serial Number
  cert.subjectaltname.upn    User Principal Name


As you can see, there is no variable which represents the complete subject.

The variable cert.subject.cn returns the last CN in the subject. So a regular expression would be applied to the string "Users" if the certificate subject is CN=rotten,CN=Users,DC=test,DC=cz. I have not found a way to apply the regular expression to the whole distinguished name yet. I tried to use some Lua functions like "return findpattern(cert.subject.cn,"%a+")" and it does not work.


Take care,


Zdenek

Herbert Baerten Sun, 11/21/2010 - 13:44
User Badges:
  • Cisco Employee,

Can't try this out in the lab right now, but maybe you can try using just "cert.subject" ?

rottenberg Sun, 11/21/2010 - 23:59

I have already tried to use the cert.subject variable and it did not work. I think it may not be a serious problem, because most certificate subjects have one CN. In the case of more than one CN, choosing the last CN is not good behaviour, of course (that is my opinion). I am going to try to upgrade from 8.2.2 to the latest version (within one or two weeks) and give it one more try to find the solution. Then I will let you know the result.


Take care


Zdenek Rottenberg

Herbert Baerten Wed, 11/24/2010 - 07:18
User Badges:
  • Cisco Employee,

Hi Zdenek,


I think I found the solution, there is a variable cert.subject.fulldn that you can use, e.g.


-- string.find returns the start and end positions of the match followed by
-- the captures, so the third value (c) is the text between ",cn=" and
-- ",cn=Users". Note that "(.+)" is greedy, so this assumes exactly one cn=
-- RDN sits between the first RDN and cn=Users, and Lua patterns are
-- case-sensitive: the DN must really contain "cn=", not "CN=".
local a,b,c;
a,b,c = string.find( cert.subject.fulldn, ',cn=(.+),cn=Users' );
return c;


hth

Herbert
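A more general version of the script above, added here as an example and not taken from the thread or from Cisco. It walks cert.subject.fulldn RDN by RDN and returns the n-th CN, so it does not depend on what the neighbouring RDNs are called, it matches "cn=" and "CN=" alike (the subject in the question is written lowercase, the one in the later reply uppercase, and Lua patterns are case-sensitive), and it copes with a comma escaped inside a value such as "Sparrow\, Jack". It assumes what the thread establishes: cert.subject.fulldn is available, the script runs under tunnel-group username-from-certificate use-script, and the chunk's top-level return value becomes the username. Only the Lua string library and core syntax are used, because that is all the scripts in this thread rely on; whether the ASA sandbox exposes more of the standard library is not assumed. When no `cert` global exists (a plain Lua interpreter), the script instead checks itself against constructed DNs.

```lua
-- Added example, not from the thread or from Cisco: select the n-th CN of
-- cert.subject.fulldn for use as the LDAP search username.

-- Split a DN on separators that are not escaped with a backslash (RFC 4514
-- escaping, e.g. "cn=Sparrow\, Jack"). The backslash is dropped so each piece
-- holds the raw attribute value.
local function split_unescaped(dn, sep)
  local parts, buf, esc = {}, "", false
  for i = 1, #dn do
    local ch = string.sub(dn, i, i)
    if esc then
      buf = buf .. ch          -- escaped character is literal
      esc = false
    elseif ch == "\\" then
      esc = true
    elseif ch == sep then
      parts[#parts + 1] = buf  -- end of this RDN
      buf = ""
    else
      buf = buf .. ch
    end
  end
  parts[#parts + 1] = buf
  return parts
end

-- Every CN value in the DN, in order of appearance. The attribute type is
-- compared case-insensitively, so "cn=" and "CN=" both count.
local function cn_values(dn)
  local cns, rdns = {}, split_unescaped(dn, ",")
  for i = 1, #rdns do
    local attr, value = string.match(rdns[i], "^%s*([%w%.]+)%s*=%s*(.-)%s*$")
    if attr and string.lower(attr) == "cn" then
      cns[#cns + 1] = value
    end
  end
  return cns
end

-- The n-th CN, or nil when the DN has fewer than n CNs.
local function nth_cn(dn, n)
  return cn_values(dn)[n]
end

if cert == nil then
  -- Not on an ASA (plain `lua script.lua`): exercise the parser on
  -- constructed DNs. The first is the subject from the question.
  assert(nth_cn("cn=Jack Sparrow,cn=CSN123875,cn=Users,dc=dacomp,dc=cz", 2) == "CSN123875")
  assert(nth_cn("CN=rotten,CN=Users,DC=test,DC=cz", 1) == "rotten")
  assert(nth_cn("cn=Sparrow\\, Jack, cn=CSN123875 ,cn=Users", 2) == "CSN123875")
  assert(nth_cn("cn=only,dc=example", 2) == nil)
else
  -- On the ASA the chunk's return value becomes the username. Fall back to
  -- cert.subject.cn (the ASA's own last-CN behaviour) when there is no second
  -- CN, rather than returning nil.
  return nth_cn(cert.subject.fulldn, 2) or cert.subject.cn
end
```

Two things to check before relying on this in production. First, whichever CN you pick becomes the key for the LDAP lookup, so it has to be unique and stable per user (the second CN here looks like an employee number; a display name like "Jack Sparrow" would not be). Second, the username is only as trustworthy as the certificate it came from: the mapping adds nothing if the tunnel-group's trustpoint and revocation checking do not reject certificates the enterprise CA did not issue.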

rottenberg Wed, 11/24/2010 - 11:10

Hi Herbert,


The variable cert.subject.fulldn is valid variable and if you write script:


return cert.subject.fulldn


you will see (in Wireshark) a valid LDAP query with a search string containing the whole DN. This is an incredible result. By the way, where did you find this variable? The script itself did not work, but I think I have enough information to complete the script by myself.


I am, of course, going to inform you about the results of my ongoing tests.


Thank you very much for your help.


Take care,


Zdenek Rottenberg

Herbert Baerten Wed, 11/24/2010 - 13:33
User Badges:
  • Cisco Employee,

Hi Zdenek,


strange, the script worked ok for me. My test certificate has:


  cn=John Doe,cn=jdoe,cn=users,ou=employees


and with the script I posted (except with 'users' instead of 'Users' in the pattern, I just changed that to match your example) I get 'jdoe' as result.

Anyway, have fun debugging the script and let me know if I can still help.


And to answer your question: I used internal Cisco resources ;-)


cheers

Herbert

rottenberg Sun, 11/28/2010 - 15:03

Hi Herbert,


Finally I managed to find out where the problem was. The problem was in the asa822-k8.bin or asdm-631.bin software (or in both of them). After migrating to asa832-4-k8.bin and asdm-634-53.bin everything started to work correctly. Thank you very much for your help.


take care,


Zdenek

