What type of defect/bug is this?
Unexpected behaviour (obvious or verified by project member)
How can the issue be reproduced?
Using a certificate with a subjectAltName:dirName set, FreeRADIUS does not extract the value.
This can be seen by the comment here:
freeradius-server/src/lib/tls/pairs.c, line 98 in 6e67eea
#endif /* GEN_OTHERNAME */
For example, a certificate with:
Certificate:
    Data:
        Version: 3 (0x2)
        ....
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DirName:/CN=886b45ce-98b2-4d79-9069-c9ff25bc0232
The DirName is not extracted. I expected a field like TLS-Client-Cert-Subject-Alt-Name or TLS-Client-Cert-Subject-Alt-Name-Common-Name to be extracted.
Log output from the FreeRADIUS daemon
(65) TLS-Cert-Serial := "1001"
(65) TLS-Cert-Expiration := "311219083442Z"
(65) TLS-Cert-Valid-Since := "231221083442Z"
(65) TLS-Cert-Subject := "/C=AU/ST=Queensland/O=Blackhats/CN=Blackhats Intermediate CA VPN R1"
(65) TLS-Cert-Issuer := "/C=AU/ST=Queensland/O=Blackhats/CN=Blackhats Root CA R2"
(65) TLS-Cert-Common-Name := "..."
(65) TLS-Client-Cert-Serial := "..."
(65) TLS-Client-Cert-Expiration := "..."
(65) TLS-Client-Cert-Valid-Since := "..."
(65) TLS-Client-Cert-Subject := "/C=AU/..."
(65) TLS-Client-Cert-Issuer := "/C=AU/..."
(65) TLS-Client-Cert-Common-Name := "..."
(65) TLS-Client-Cert-X509v3-Basic-Constraints += "CA:FALSE"
(65) TLS-Client-Cert-X509v3-Subject-Key-Identifier += "..."
(65) TLS-Client-Cert-X509v3-Authority-Key-Identifier += "..."
(65) TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
(65) TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
Note the absence of a subjectAltName field.
Relevant log output from client utilities
No response
Backtrace from LLDB or GDB
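Added example, not FreeRADIUS code and not part of the original report: a standard-library Python walk of a DER-encoded SubjectAltName value, showing that a dirName entry is GeneralName choice [4] and how its CN can be read out. The sample bytes, the host name vpn.example.test and all function names are constructed for illustration.

```python
# Added illustration: stdlib-only walk of a DER-encoded SubjectAltName value.
# Tag numbers follow RFC 5280 GeneralName; the sample bytes are constructed.
CN_OID = bytes([0x55, 0x04, 0x03])  # 2.5.4.3 commonName

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def dirname_common_names(san_der):
    """Return the CN of every directoryName entry in a SAN extension value."""
    tag, names, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE of GeneralName")
    found = []
    for gn_tag, gn_val in children(names):
        if gn_tag != 0xA4:  # [4] directoryName; explicit, since Name is a CHOICE
            continue        # other GeneralName types (dNSName [2], ...) skipped
        _, rdn_seq, _ = read_tlv(gn_val, 0)   # Name ::= SEQUENCE OF RDN
        for _, rdn in children(rdn_seq):      # RDN ::= SET OF AttributeTypeAndValue
            for _, atv in children(rdn):
                (_, oid), (_, val) = list(children(atv))[:2]
                if oid == CN_OID:
                    found.append(val.decode("utf-8"))
    return found

def tlv(tag, value):  # sample builder: short-form length only (under 128 bytes)
    return bytes([tag, len(value)]) + value

# Constructed sample: a dNSName plus the dirName from the report above.
_cn = tlv(0x30, tlv(0x06, CN_OID) + tlv(0x0C, b"886b45ce-98b2-4d79-9069-c9ff25bc0232"))
SAMPLE_SAN = tlv(0x30, tlv(0x82, b"vpn.example.test") + tlv(0xA4, tlv(0x30, tlv(0x31, _cn))))
print(dirname_common_names(SAMPLE_SAN))
```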