Extracting username from X.509 certificate

rottenberg
Level 1

Dear all,

We are using the following subject in our X.509 certificate:

cn=Jack Sparrow,cn=CSN123875,cn=Users,dc=dacomp,dc=cz

I would like to use the second cn as the value for the LDAP search. I thought that the username-from-certificate command in the tunnel-group could do the trick, but if I use "username-from-certificate CN" only the last cn from the certificate is returned (in the case of the above example it is the "Users" string). I also tried to use a Lua script, but to no avail. Is there any Lua variable like "return cert.subject.dn" that contains the whole distinguished name from the subject, or any other possibility that could help me to use any CN from the certificate subject as a user name? We are using the asa822-k8.bin (ASDM 6.3(1)) software version. Any answer would be very much appreciated. Thank you very much.

Yours sincerely,

Zdenek Rottenberg

9 Replies

Herbert Baerten
Cisco Employee

Hi Zdenek,

have you tried using a LUA regular expression, i.e. something like

cn=%a+,cn=(%a+),cn=%a+

hth

Herbert

Hi Herbert,

first of all thank you very much for your answer.

Yes, it is true that I can use regular expressions, but a regular expression must be applied to a variable. The following table lists the supported variables (this is for ASA software 8.2(2) and ASDM 6.3(1)):

cert.subject.c             Country
cert.subject.cn            Common Name
cert.subject.dnq           DN qualifier
cert.subject.ea            Email Address
cert.subject.genq          Generational qualifier
cert.subject.gn            Given Name
cert.subject.i             Initials
cert.subject.l             Locality
cert.subject.n             Name
cert.subject.o             Organization
cert.subject.ou            Organization Unit
cert.subject.ser           Subject Serial Number
cert.subject.sn            Surname
cert.subject.sp            State/Province
cert.subject.t             Title
cert.subject.uid           User ID
cert.issuer.c              Country
cert.issuer.cn             Common Name
cert.issuer.dnq            DN qualifier
cert.issuer.ea             Email Address
cert.issuer.genq           Generational qualifier
cert.issuer.gn             Given Name
cert.issuer.i              Initials
cert.issuer.l              Locality
cert.issuer.n              Name
cert.issuer.o              Organization
cert.issuer.ou             Organization Unit
cert.issuer.ser            Issuer Serial Number
cert.issuer.sn             Surname
cert.issuer.sp             State/Province
cert.issuer.t              Title
cert.issuer.uid            User ID
cert.serialnumber          Certificate Serial Number
cert.subjectaltname.upn    User Principal Name

As you can see, there is no variable that represents the complete subject.

The variable cert.subject.cn returns the last CN in the subject, so a regular expression would be applied to the string "Users" if the certificate subject is CN=rotten,CN=Users,DC=test,DC=cz. I have not found a way to apply the regular expression to the whole distinguished name yet. I tried to use some Lua functions like "return findpattern(cert.subject.cn,"%a+")" and it does not work.

Take care,

Zdenek

Can't try this out in the lab right now, but maybe you can try using just "cert.subject" ?

I have already tried to use the cert.subject variable and it did not work. I think it would not be a serious problem because most certificate subjects have one CN. In the case of more than one CN, choosing the last CN is not good behaviour of course (in my opinion). I am going to try to upgrade from 8.2.2 to the latest version (within one or two weeks) and give it one more try to find the solution. Then I will let you know the result.

Take care

Zdenek Rottenberg

Hi Zdenek,

I think I found the solution, there is a variable cert.subject.fulldn that you can use, e.g.

local a,b,c;
-- string.find returns the start index, the end index and the first capture,
-- so c holds whatever matched between ',cn=' and ',cn=Users'
a,b,c = string.find( cert.subject.fulldn, ',cn=(.+),cn=Users' );
return c;

hth

Herbert
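A worked example of the DN handling behind the script above, added here as editorial illustration; it is not part of the thread and not Cisco's code. It is written in Python rather than the ASA's Lua so the logic can be run stand-alone: the sample subjects are constructed, and the sAMAccountName attribute in the filter is an assumption. It shows three things a one-line pattern on cert.subject.fulldn leaves out: splitting the DN into RDNs with RFC 4514 escapes honoured instead of on bare commas, selecting the CN by position so that a greedy `.+` cannot swallow an extra CN sitting between the first one and cn=Users, and RFC 4515-escaping the extracted value before it is placed in the LDAP search filter the ASA sends.

```python
import re

# Constructed sample subjects (not from any real certificate). The first
# mirrors the DN in the thread; the second has an RFC 4514 escaped comma
# inside the first CN, which a naive split on ',' would break apart.
SAMPLE_DN = "cn=Jack Sparrow,cn=CSN123875,cn=Users,dc=dacomp,dc=cz"
ESCAPED_DN = r"cn=Sparrow\, Jack,cn=CSN123875,cn=Users,dc=dacomp,dc=cz"

_HEX = re.compile(r"[0-9a-fA-F]{2}")


def split_rdns(dn):
    """Split an RFC 4514 string DN into (attribute, value) pairs, leftmost
    first, honouring backslash escapes ('\\,' and '\\2c' both mean a comma).
    Multi-valued RDNs joined with '+' are not handled here."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            if _HEX.fullmatch(dn[i + 1:i + 3]):
                buf.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    pairs = []
    for rdn in parts:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip().lower(), value))
    return pairs


def cn_values(dn):
    """All CN values in the DN, in the order they appear."""
    return [v for a, v in split_rdns(dn) if a == "cn"]


def username_from_dn(dn, index=1):
    """Return the CN at 0-based position `index`; the thread wants the
    second CN, hence the default of 1. Fail loudly rather than fall back
    to another CN if the subject does not have enough of them."""
    cns = cn_values(dn)
    if index >= len(cns):
        raise ValueError("subject has only %d CN component(s)" % len(cns))
    return cns[index]


# The greedy pattern from the thread, kept for comparison: with more than
# one CN between the first one and 'cn=Users' the '.+' swallows them all.
GREEDY = re.compile(r",cn=(.+),cn=Users")


def username_greedy(dn):
    m = GREEDY.search(dn)
    return m.group(1) if m else None


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter,
    so characters taken from the certificate cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def ldap_filter_for(dn, attr="sAMAccountName", index=1):
    """Build the search filter that would be sent; 'sAMAccountName' is an
    assumed attribute name, substitute whatever the directory keys users by."""
    return "(%s=%s)" % (attr, ldap_filter_escape(username_from_dn(dn, index)))


if __name__ == "__main__":
    print(username_from_dn(SAMPLE_DN))
    print(username_from_dn(ESCAPED_DN))
    print(ldap_filter_for(SAMPLE_DN))
```

The thread's pattern and the positional selection agree on the DN from the question; they diverge as soon as a subject carries an additional CN between the display name and cn=Users, where the greedy capture returns "A,cn=B" instead of "A". Whichever way the CN is chosen, the value that ends up in the LDAP query comes straight from a certificate the CA issued, so escaping it for the filter is the cheap defence against a subject that the enrolment process did not constrain as tightly as expected.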

Hi Herbert,

The variable cert.subject.fulldn is a valid variable, and if you write the script:

return cert.subject.fulldn

you will see (in Wireshark) a valid LDAP query with a search string containing the whole DN. This is an incredible result. By the way, where did you find this variable? The script itself did not work, but I think I have enough information to complete the script by myself.

I am, of course, going to inform you about the results of my ongoing tests.

Thank you very much for your help.

Take care,

Zdenek Rottenberg

Hi Zdenek,

strange, the script worked ok for me. My test certificate has:

  cn=John Doe,cn=jdoe,cn=users,ou=employees

and with the script I posted (except with 'users' instead of 'Users' in the pattern; I just changed that to match your example) I get 'jdoe' as the result.

Anyway have fun debugging the script and let me know if I can still help

And to answer your question: I used internal Cisco resources ;-)

cheers

Herbert

Hi Herbert,

Finally I managed to find out where the problem was. The problem was in the asa822-k8.bin or asdm-631.bin software (or in both of them). After migrating to asa832-4-k8.bin and asdm-634-53.bin everything started to work correctly. Thank you very much for your help.

take care,

Zdenek

Accepted Solution

Hi Zdenek

great, thanks for letting us know!

BTW please mark the thread as resolved, thanks!

cheers

Herbert
