External SASL Authentication with X.509 Certificates

MDC · November 21, 2022, 7:03pm

Hello,

i’m using x509 certificates to authenticate. I was using some old version of Openfire. After upgrade is problem that Openfire is using CN but before was using SAN (subject alternative name).

Certificate before (older version):

 Subject: C = XX, ST = XX, L = XX, O = XX, OU = XX, CN = XX, UID = 66070202-05ff-7196-7924-070308197241
            X509v3 Subject Alternative Name: 
                othername: XmppAddr::66070202-05ff-7196-7924-070308197241@ZZ

Certificate now:

 Subject: C = XX, ST = XX, L = XX, O = XX, OU = XX, CN = 66070202-05ff-7196-7924-070308197241, UID = 66070202-05ff-7196-7924-070308197241
            X509v3 Subject Alternative Name: 
                othername: XmppAddr::66070202-05ff-7196-7924-070308197241@ZZ

Is there some option or other way to use SAN or UID in my case ?

Thank you for your help.

guus · November 22, 2022, 10:43am

I believe that even after the upgrade, the SAN should still be used, if it is detected in the certificate that you are using.

Exactly what behavior are you seeing, in what functionality?

MDC · November 22, 2022, 11:16am

Users are unable to log, they doesn’t exist in DB because main identificator is SAN.

2022.11.22 08:36:17 org.apache.mina.core.filterchain.IoFilterEvent - Firing a MESSAGE_RECEIVED event for session 747
2022.11.22 08:36:17 org.apache.mina.filter.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 747
2022.11.22 08:36:17 org.jivesoftware.util.CertificateManager - CertificateManager: Common Name Mapping returned [FName SName]
2022.11.22 08:36:17 org.jivesoftware.openfire.auth.AuthorizationManager - AuthorizationManager: Trying Default Mapping.map(FName SName)
2022.11.22 08:36:17 org.jivesoftware.openfire.auth.DefaultAuthorizationMapping - DefaultAuthorizationMapping: No realm found
2022.11.22 08:36:17 org.jivesoftware.openfire.sasl.ExternalClientSaslServer - No username requested, using: FName SName
2022.11.22 08:36:17 org.jivesoftware.openfire.auth.AuthorizationManager - AuthorizationManager: Trying Default Policy.authorize(FName SName , FName SName)
2022.11.22 08:36:17 org.jivesoftware.openfire.auth.DefaultAuthorizationPolicy - DefaultAuthorizationPolicy: Checking authenID realm
2022.11.22 08:36:17 org.jivesoftware.openfire.auth.AuthorizationManager - AuthorizationManager: User FName SName not found org.jivesoftware.openfire.user.UserNotFoundException

org.jivesoftware.util.CertificateManager - CertificateManager: Common Name Mapping returned [FName SName] - value FName SName is from certificate CN - first name and surname of user

guus · November 22, 2022, 9:19pm

I think that the last time that this was modified was in 2015. How old was the server that you were using before?!

I believe that you can modify the behavior by setting the system property provider.clientCertIdentityMap.classList

Try using this value:
org.jivesoftware.util.cert.SANCertificateIdentityMapping

You will need to restart Openfire for the change to take effect.

MDC · November 23, 2022, 7:00am

We started about 2010, then there was crash server about 2013. So it’s very old instalation. But it was working…

Logs before:

2022.11.23 07:43:09 .[36mDEBUG.[m [main]: org.jivesoftware.util.CertificateManager - CertificateManager: No server CertificateIdentityMapping's found. Loading default mappings
2022.11.23 07:43:09 .[36mDEBUG.[m [main]: org.jivesoftware.util.CertificateManager - CertificateManager: No client CertificateIdentityMapping's found. Loading default mappings
2022.11.23 07:43:09 .[36mDEBUG.[m [pool-4-thread-1]: org.jivesoftware.util.CertificateManager - CertificateManager: Subject Alternative Name Mapping returned [www.example.org]
2022.11.23 07:43:11 .[36mDEBUG.[m [socket_c2s-thread-3]: org.jivesoftware.util.CertificateManager - CertificateManager: Common Name Mapping returned [FName Sname]

Logs after config change:

2022.11.23 07:49:40 .[36mDEBUG.[m [main]: org.jivesoftware.util.CertificateManager - CertificateManager: No server CertificateIdentityMapping's found. Loading default mappings
2022.11.23 07:49:40 .[36mDEBUG.[m [main]: org.jivesoftware.util.CertificateManager - CertificateManager: Loaded client identity mapping org.jivesoftware.util.cert.SANCertificateIdentityMapping
2022.11.23 07:49:40 .[36mDEBUG.[m [pool-4-thread-1]: org.jivesoftware.util.CertificateManager - CertificateManager: Subject Alternative Name Mapping returned [www.example.org]
2022.11.23 07:49:46 .[36mDEBUG.[m [socket_c2s-thread-2]: org.jivesoftware.util.CertificateManager - CertificateManager: Subject Alternative Name Mapping returned [f7c7ed99-36d1-4e7f-a987-1feead8e2b06@www.example.org]

and users are online.

So there perhpas was some change in behavior ?

But thank you very much for help.