Forum Discussion
Parse machine Cert for subjectaltname
Jason_41583
Nimbostratus
Jul 16, 2013
Hello all,
We are trying to use machine cert authentication with the APM. So far we only have the APM checking for the machine cert, but would like to be able to pull the computer name...
Kevin_Stewart
Employee
Jul 29, 2013
Having not used this feature much, I was a little surprised to see that the machine cert auth doesn't expose the x509 extensions field where the subjectAltName (SAN) lives. To get to the SAN then, you need an iRule.
1. Directly after the Machine Cert Auth "Successful" branch, create an iRule event agent. Give it an arbitrary ID value (ex. "MACHINECERTPROC")
2. Create the following LTM iRule and apply it to the VIP:
```tcl
when ACCESS_POLICY_AGENT_EVENT {
    switch [ACCESS::policy agent_id] {
        "MACHINECERTPROC" {
            # strip the PEM armor; 27 is the length of "-----BEGIN CERTIFICATE-----"
            set strippedcert [findstr [ACCESS::session data get session.windows_check_machinecert.last.cert.cert] "-----BEGIN CERTIFICATE-----" 27 "-----END CERTIFICATE-----"]
            if { [catch { b64decode $strippedcert } string_b64decoded] == 0 and $string_b64decoded ne "" } {
                if { [catch {
                    # UPN OID=1.3.6.1.4.1.311.20.2.3 - HEX=\x06\x0A\x2B\x06\x01\x04\x01\x82\x37\x14\x02\x03 - LENGTH=15 (add 3 to hex count)
                    set offset [string first \x06\x0A\x2B\x06\x01\x04\x01\x82\x37\x14\x02\x03 $string_b64decoded]
                    set newoffset [expr $offset + 15]
                    # the byte at the new offset (converted to an integer) is the length of the UPN value
                    binary scan [string index $string_b64decoded $newoffset] c upnlengthinteger
                    set upn [string range $string_b64decoded [expr $newoffset + 1] [expr $upnlengthinteger + $newoffset]]
                    ACCESS::session data set session.custom.machcertupn $upn
                } error] } {
                    ACCESS::session data set session.custom.machcertupn "FAIL"
                }
            }
        }
    }
}
```
This iRule decodes the base64-encoded session.windows_check_machinecert.last.cert.cert session variable and digs into it with a binary scan command to get the SAN value from the certificate. If it succeeds it will have created a new session variable: session.custom.machcertupn with the SAN UPN. You can then use that value in a subsequent LDAP query.
As for CRLDP, it expects the certificate in the session.ssl.cert.whole session variable, so you can do a quick variable assign from the existing session.windows_check_machinecert.last.cert.cert value right before going into the CRLDP Auth agent.
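As an added illustration (not part of Kevin's post or any F5 code), the same search-then-offset extraction in Python over a constructed SAN fragment, set beside a TLV walk that also decodes DER long-form lengths, which the fixed +15 offset assumes away; the UPN and DNS values are made up sample data.

```python
# Added example (not from the post or F5): find a UPN otherName in DER bytes.
# OID 1.3.6.1.4.1.311.20.2.3 as its DER TLV: tag 06, length 0A, 10 value bytes.
UPN_OID_TLV = bytes.fromhex("060A2B060104018237140203")

def der_len(data, pos):
    """Decode a DER length at pos (short or long form); return (length, content_pos)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def tlv(tag, content):
    """Encode a DER TLV, using long-form length when content exceeds 127 bytes."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def build_san(upn, dns=None):
    """Constructed SAN GeneralNames SEQUENCE (sample data, not a real certificate)."""
    other_name = tlv(0xA0, UPN_OID_TLV + tlv(0xA0, tlv(0x0C, upn.encode("utf-8"))))
    names = other_name if dns is None else tlv(0x82, dns.encode("ascii")) + other_name
    return tlv(0x30, names)

def upn_fixed_offset(der):
    """The iRule's method: OID TLV (12 bytes) + 'A0 len 0C' (3 bytes) puts a 1-byte length at +15."""
    off = der.find(UPN_OID_TLV)
    if off < 0:
        return None
    n = der[off + 15]
    return der[off + 16:off + 16 + n].decode("utf-8", errors="replace")

def upn_walk(der):
    """Same search, but decode the [0] EXPLICIT wrapper and UTF8String lengths properly."""
    off = der.find(UPN_OID_TLV)
    if off < 0 or der[off + 12] != 0xA0:
        return None
    _, pos = der_len(der, off + 13)          # step inside the [0] EXPLICIT wrapper
    if der[pos] != 0x0C:                     # expect a UTF8String
        return None
    n, pos = der_len(der, pos + 1)
    return der[pos:pos + n].decode("utf-8")
```

For a machine UPN such as `hostname$@domain` the fixed offset works because the string is well under 128 bytes; the walk shows the check to add if that assumption cannot be guaranteed.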