cloudfoundry · plowin · May 7, 2024 · Apr 30, 2024 · May 3, 2024 · May 6, 2024
@@ -111,6 +111,7 @@ var _ = Describe("forwarded_client_cert", func() {
 		"X-SSL-Client-Subject-Cn": "app.mycert.com",
 		"X-SSL-Client-Issuer-Dn":  "ACME inc, USA",
 		"X-SSL-Client-Issuer-Cn":  "mycert.com",
+		"X-SSL-Client-Root-CA-DN": "/C=X/ST=Y/L=xyz/O=ABC/CN=*.example.com"
 		"X-SSL-Client-Notbefore":  "Wednesday",
 		"X-SSL-Client-Notafter":   "Thursday",
 		"X-SSL-Client-Cert":       "ABC",
@@ -304,6 +305,7 @@ func checkXFCCHeadersMatchCert(expectedCert *x509.Certificate, headers http.Head
 	Expect(base64Decode(headers.Get("X-SSL-Client-Subject-Dn"))).To(Equal("/C=Vatican City/O=Víkî's Vergnügungspark/CN=haproxy.client"))
 	Expect(base64Decode(headers.Get("X-SSL-Client-Subject-CN"))).To(Equal("haproxy.client"))
 	Expect(base64Decode(headers.Get("X-SSL-Client-Issuer-Dn"))).To(Equal("/C=Palau/O=Pete's Café"))
+	Expect(base64Decode(headers.Get("X-SSL-Client-Root-CA-DN"))).To(Equal("/C=X/ST=Y/L=xyz/O=ABC/CN=*.example.com"))
 	Expect(headers.Get("X-SSL-Client-Notbefore")).To(Equal(expectedCert.NotBefore.UTC().Format("060102150405Z"))) //YYMMDDhhmmss[Z]
 	Expect(headers.Get("X-SSL-Client-Notafter")).To(Equal(expectedCert.NotAfter.UTC().Format("060102150405Z")))   //YYMMDDhhmmss[Z]
 

@@ -410,6 +410,8 @@ properties:
 
             - X-SSL-Client-Issuer-DN: Contains the base64-encoded issuer distinguished name of the client certificate
 
+            - X-SSL-Client-Root-CA-DN: X-SSL-Client-Root-CA-DN: Contains base64-encoded subject DN of the root CA which signed the client certificate
+
             - X-SSL-Client-NotBefore: Contains the start date of the client certificate in YYMMDDhhmmss[Z] format.
 
             - X-SSL-Client-NotAfter: Contains the expiration date of the client certificate in YYMMDDhhmmss[Z] format.

@@ -561,10 +561,12 @@ frontend https-in
     http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn]            if { ssl_c_used }
     http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn)]        if { ssl_c_used }
     http-request set-header X-SSL-Client-Issuer-DN  %{+Q}[ssl_c_i_dn]            if { ssl_c_used }
+    http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn]            if { ssl_c_used }
     <%- else %>
-    http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn,base64]     if { ssl_c_used }
-    http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn),base64] if { ssl_c_used }
-    http-request set-header X-SSL-Client-Issuer-DN  %{+Q}[ssl_c_i_dn,base64]     if { ssl_c_used }
+    http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn,base64]            if { ssl_c_used }
+    http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn),base64]        if { ssl_c_used }
+    http-request set-header X-SSL-Client-Issuer-DN  %{+Q}[ssl_c_i_dn,base64]            if { ssl_c_used }
+    http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn,base64]            if { ssl_c_used }
     <%- end %>
   <%- end -%>
 
@@ -714,10 +716,12 @@ frontend wss-in
     http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn]            if { ssl_c_used }
     http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn)]        if { ssl_c_used }
     http-request set-header X-SSL-Client-Issuer-DN  %{+Q}[ssl_c_i_dn]            if { ssl_c_used }
+    http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn]            if { ssl_c_used }
     <%- else %>
-    http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn,base64]     if { ssl_c_used }
-    http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn),base64] if { ssl_c_used }
-    http-request set-header X-SSL-Client-Issuer-DN  %{+Q}[ssl_c_i_dn,base64]     if { ssl_c_used }
+    http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn,base64]            if { ssl_c_used }
+    http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn),base64]        if { ssl_c_used }
+    http-request set-header X-SSL-Client-Issuer-DN  %{+Q}[ssl_c_i_dn,base64]            if { ssl_c_used }
+    http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn,base64]            if { ssl_c_used }
     <%- end %>
   <%- end -%>
 

@@ -259,15 +259,16 @@
         end
 
         it 'writes mTLS headers when mTLS is used' do
-          expect(frontend_https).to include('http-request set-header X-Forwarded-Client-Cert %[ssl_c_der,base64]          if { ssl_c_used }')
-          expect(frontend_https).to include('http-request set-header X-SSL-Client            %[ssl_c_used]                if { ssl_c_used }')
-          expect(frontend_https).to include('http-request set-header X-SSL-Client-Session-ID %[ssl_fc_session_id,hex]     if { ssl_c_used }')
-          expect(frontend_https).to include('http-request set-header X-SSL-Client-Verify     %[ssl_c_verify]              if { ssl_c_used }')
-          expect(frontend_https).to include('http-request set-header X-SSL-Client-NotBefore  %{+Q}[ssl_c_notbefore]       if { ssl_c_used }')
-          expect(frontend_https).to include('http-request set-header X-SSL-Client-NotAfter   %{+Q}[ssl_c_notafter]        if { ssl_c_used }')
-          expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn,base64]     if { ssl_c_used }')
-          expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn),base64] if { ssl_c_used }')
-          expect(frontend_https).to include('http-request set-header X-SSL-Client-Issuer-DN  %{+Q}[ssl_c_i_dn,base64]     if { ssl_c_used }')
+          expect(frontend_https).to include('http-request set-header X-Forwarded-Client-Cert %[ssl_c_der,base64]                 if { ssl_c_used }')
+          expect(frontend_https).to include('http-request set-header X-SSL-Client            %[ssl_c_used]                       if { ssl_c_used }')
+          expect(frontend_https).to include('http-request set-header X-SSL-Client-Session-ID %[ssl_fc_session_id,hex]            if { ssl_c_used }')
+          expect(frontend_https).to include('http-request set-header X-SSL-Client-Verify     %[ssl_c_verify]                     if { ssl_c_used }')
+          expect(frontend_https).to include('http-request set-header X-SSL-Client-NotBefore  %{+Q}[ssl_c_notbefore]              if { ssl_c_used }')
+          expect(frontend_https).to include('http-request set-header X-SSL-Client-NotAfter   %{+Q}[ssl_c_notafter]               if { ssl_c_used }')
+          expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn,base64]            if { ssl_c_used }')
+          expect(frontend_https).to include('http-request set-header X-SSL-Client-Issuer-DN %{+Q}[ssl_c_i_dn,base64]             if { ssl_c_used }')
+          expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn),base64]        if { ssl_c_used }')
+          expect(frontend_https).to include('http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn,base64]           if { ssl_c_used }')
         end
 
         context 'when ha_proxy.legacy_xfcc_header_mapping is true' do
@@ -279,6 +280,7 @@
             expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn]            if { ssl_c_used }')
             expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn)]        if { ssl_c_used }')
             expect(frontend_https).to include('http-request set-header X-SSL-Client-Issuer-DN  %{+Q}[ssl_c_i_dn]            if { ssl_c_used }')
+            expect(frontend_https).to include('http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn]            if { ssl_c_used }')
           end
         end
       end
@@ -329,15 +331,16 @@
         end
 
         it 'overwrites mTLS headers when mTLS is used' do
-          expect(frontend_https).to include('http-request set-header X-Forwarded-Client-Cert %[ssl_c_der,base64]          if { ssl_c_used }')
-          expect(frontend_https).to include('http-request set-header X-SSL-Client            %[ssl_c_used]                if { ssl_c_used }')
-          expect(frontend_https).to include('http-request set-header X-SSL-Client-Session-ID %[ssl_fc_session_id,hex]     if { ssl_c_used }')
-          expect(frontend_https).to include('http-request set-header X-SSL-Client-Verify     %[ssl_c_verify]              if { ssl_c_used }')
-          expect(frontend_https).to include('http-request set-header X-SSL-Client-NotBefore  %{+Q}[ssl_c_notbefore]       if { ssl_c_used }')
-          expect(frontend_https).to include('http-request set-header X-SSL-Client-NotAfter   %{+Q}[ssl_c_notafter]        if { ssl_c_used }')
-          expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn,base64]     if { ssl_c_used }')
-          expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn),base64] if { ssl_c_used }')
-          expect(frontend_https).to include('http-request set-header X-SSL-Client-Issuer-DN  %{+Q}[ssl_c_i_dn,base64]     if { ssl_c_used }')
+          expect(frontend_https).to include('http-request set-header X-Forwarded-Client-Cert %[ssl_c_der,base64]                 if { ssl_c_used }')
+          expect(frontend_https).to include('http-request set-header X-SSL-Client            %[ssl_c_used]                       if { ssl_c_used }')
+          expect(frontend_https).to include('http-request set-header X-SSL-Client-Session-ID %[ssl_fc_session_id,hex]            if { ssl_c_used }')
+          expect(frontend_https).to include('http-request set-header X-SSL-Client-Verify     %[ssl_c_verify]                     if { ssl_c_used }')
+          expect(frontend_https).to include('http-request set-header X-SSL-Client-NotBefore  %{+Q}[ssl_c_notbefore]              if { ssl_c_used }')
+          expect(frontend_https).to include('http-request set-header X-SSL-Client-NotAfter   %{+Q}[ssl_c_notafter]               if { ssl_c_used }')
+          expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn,base64]            if { ssl_c_used }')
+          expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn),base64]        if { ssl_c_used }')
+          expect(frontend_https).to include('http-request set-header X-SSL-Client-Issuer-DN  %{+Q}[ssl_c_i_dn,base64]            if { ssl_c_used }')
+          expect(frontend_https).to include('http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn,base64]            if { ssl_c_used }')
         end
 
         context 'when ha_proxy.legacy_xfcc_header_mapping is true' do
@@ -353,6 +356,7 @@
             expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-DN %{+Q}[ssl_c_s_dn]            if { ssl_c_used }')
             expect(frontend_https).to include('http-request set-header X-SSL-Client-Subject-CN %{+Q}[ssl_c_s_dn(cn)]        if { ssl_c_used }')
             expect(frontend_https).to include('http-request set-header X-SSL-Client-Issuer-DN  %{+Q}[ssl_c_i_dn]            if { ssl_c_used }')
+            expect(frontend_https).to include('http-request set-header X-SSL-Client-Root-CA-DN %{+Q}[ssl_c_r_dn]            if { ssl_c_used }')
           end
         end
       end