Merge pull request #1389 from wallyqs/tls-spiffe-auth

Support for SPIFFE x.509 SVIDs for client auth
2026-04-14 02:07:59 -07:00 · 2020-05-27 14:07:30 -07:00
parent a34fb0836b 625dd18974
commit d72dff4e0f
10 changed files with 310 additions and 1 deletions
--- a/server/auth.go
+++ b/server/auth.go
@@ -573,7 +573,8 @@ func checkClientTLSCertSubject(c *client, fn func(string) bool) bool {
 	hasSANs := len(cert.DNSNames) > 0
 	hasEmailAddresses := len(cert.EmailAddresses) > 0
 	hasSubject := len(cert.Subject.String()) > 0
-	if !hasEmailAddresses && !hasSubject {
+	hasURIs := len(cert.URIs) > 0
+	if !hasEmailAddresses && !hasSubject && !hasURIs {
 		c.Debugf("User required in cert, none found")
 		return false
 	}
@@ -594,6 +595,13 @@ func checkClientTLSCertSubject(c *client, fn func(string) bool) bool {
 				return true
 			}
 		}
+	case hasURIs:
+		for _, u := range cert.URIs {
+			if fn(u.String()) {
+				c.Debugf("Using URI found in cert for auth [%q]", u)
+				return true
+			}
+		}
 	}

 	// Try to get the full RDN Sequence that includes the domain components.
--- a/test/configs/certs/svid/ca.key
+++ b/test/configs/certs/svid/ca.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpgIBAAKCAQEAwIYeRgshZUbWnsnVFYqJvMlRwmYKpHGq1cxG2HIKJZMMJO4c
+Tipguyt0bPJMQiGzsPUpzUIi3m1tNlQnQhmpBo4C1NSSRhx8My4z1796OkzerCMV
+MKEP8weC9Vhz2mUMBQbrRvAcNJhoPksWJ2kSGxdUdKIqoFGDMu40ir5zxHyCA410
+vG7IIJlaDKpwuXl1IFjEaI5DWnDUAvSxciG86yZVaekRYEJNSPSPL1Er5ee40ukP
+C66JCYas9a+4Lk5rQhlYSoUsimPebagKP99T+oNVyQSSQ0rqaNNV+7i0uEx9KH+7
+OC8B8+fUlE891hjnAJ20P0wJnMC/pFzzsvI8rQIDAQABAoIBAQCrKJFRhCO0fj3f
+/V/LPtclV3WwdjeP6t4OJQX296u9q/Vn/6h6dYJ55DAli2PwhzXRZKQ9L0cAqBgn
+7LjaMyXqBebOgA1q93gTqEe+zyRDIIP2VVpJWWdskIkExhZ5WsxMy9HvxxfMSpKi
+ju6rKuZF33/eES4ESXNynANqNdeGHf5ZWI2BI8ekPLbS6EE+PcJPq2vK8gkhFFyb
+ie9qqgU9DthSwJhqT7dilTllLz6gOj3dtYODaji4yLNkalRWe6JGO1v/ZxqWgpnk
+ZHTATxgiyjWJ0AJGH1tqxHBU1MmKHEEsc3lXdxC+FWbAnfbMgQq+BZSBjcyAOip6
+0FHdrvKhAoGBAPWI7b1Yo2Ov2iJtH4VJh2vqX5q+EQchO9XCKW82lOfoXXCGrG7g
+n5uuQuCAfEHzkeHDMVzDvoLJAHUz74eLuYm1voKLW+CjT+L9LYZMvLs3ygJvq5g9
+5pYPZbP2bax2sV2coXs/tv2gyMIYyrsPtln6ngW9y/SrC13j7ibffaJ/AoGBAMi6
+xzH8n2Fz2y76Vw3/JwFQNJY3qZy7jjcFd3KCTSzbDAHzMOpwRjSrecacF//G/bn+
+BaeOWowFZSh6ps7g3jyLWIpWS1Azk9t9+8sbt4bcX5XV92GeCu91X5gjSfwiXfJ7
+Ar7itX5zFMl74jBoJcd7ikS1BUZozcOon6x2F7LTAoGBAOqXYU4/mhxsr+WkjTE0
+B4c77wxR/MLrJdgeIqh3Zd4NTPluMuHdC6Ia5RrKp+37Ya5qaIdRHnymvyE79edz
+wFmqo9Lmg2olnvYpH43pU4kszH13ZGOZAO7u1yUSlcbpwJzIQiEXxyacsDOCrG/9
+myRtJv4lUPD7W2jhlXDep5LRAoGBAKuEJXcJ9CnyNCRVFpPIJM0Teous7koVXPSY
+wDLhMg6U8RKteWupGeQhbYGOmVcd8mm9q5k7oxUn+wL2opf9PwgezT4PdHUITVvs
+r30iptQec7J1TNdlktR/x3oZFTvTJdFu2K7AyvJMZUOwjlpsc3OblU8WGnbKUJ/R
+8vYLRj6vAoGBANoD3vrUz4Zq0tAfn31X4iNBe8TF6c0lx+NOcQ4IJHKHulxx+rHS
+h8UjublG5rx8qL62D4SiVp+m12ibSrLaJpC5IqSy6cFjHNUzXcok4Oou7dpMsMkn
+2uHsmL4iJJkUBIowADJ2mAyPnnOj0yQilna9o+pDqoW+bG0+7NoyHcV0
+-----END RSA PRIVATE KEY-----
--- a/test/configs/certs/svid/ca.pem
+++ b/test/configs/certs/svid/ca.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtTCCAp2gAwIBAgIUd2k/q8WQFq6AZFyTtYu651Ds+cgwDQYJKoZIhvcNAQEL
+BQAwajELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcM
+C0xvcyBBbmdlbGVzMQ0wCwYDVQQKDAROQVRTMQ0wCwYDVQQLDAROQVRTMRIwEAYD
+VQQDDAlsb2NhbGhvc3QwHhcNMjAwNTA5MjEwNTExWhcNMjUwNTA5MjEwNTExWjBq
+MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9z
+IEFuZ2VsZXMxDTALBgNVBAoMBE5BVFMxDTALBgNVBAsMBE5BVFMxEjAQBgNVBAMM
+CWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMCGHkYL
+IWVG1p7J1RWKibzJUcJmCqRxqtXMRthyCiWTDCTuHE4qYLsrdGzyTEIhs7D1Kc1C
+It5tbTZUJ0IZqQaOAtTUkkYcfDMuM9e/ejpM3qwjFTChD/MHgvVYc9plDAUG60bw
+HDSYaD5LFidpEhsXVHSiKqBRgzLuNIq+c8R8ggONdLxuyCCZWgyqcLl5dSBYxGiO
+Q1pw1AL0sXIhvOsmVWnpEWBCTUj0jy9RK+XnuNLpDwuuiQmGrPWvuC5Oa0IZWEqF
+LIpj3m2oCj/fU/qDVckEkkNK6mjTVfu4tLhMfSh/uzgvAfPn1JRPPdYY5wCdtD9M
+CZzAv6Rc87LyPK0CAwEAAaNTMFEwHQYDVR0OBBYEFJQ0pEcUeNZleMh6GxA51NW4
+7MsIMB8GA1UdIwQYMBaAFJQ0pEcUeNZleMh6GxA51NW47MsIMA8GA1UdEwEB/wQF
+MAMBAf8wDQYJKoZIhvcNAQELBQADggEBABluyDWCpMpIZxCO223YsqVLCFAA+3Ns
+ZAFLRyurMfZrBp7lJdrcZzkPcp6Hea0WJ9Rif/7gBGSYdVqlyPNj4W8nfJfys9Vr
+X9xfO4PyWE89Sa8aH1JQUifDeK0SMsj9HBRAiFqNuLdC6a2plQvQHhIyN/mnfQZs
+a0EVC09zEBrlZaXlZpf/cUok6VLEPmBqL4Y4IJFAFHPSMZRigXL/We7x+Dsumzkh
+5szEvBbktZNteZZcxnikBcS1ezmbGnz3l5OI65KM5JSkyxlvX5LnCNUl84z4dk/i
+1CTi8YUaJtSfe1lfUlDZY/QKPCLKgwz/DQqhnwsWC8uplJtiN9lIOtU=
+-----END CERTIFICATE-----
--- a/test/configs/certs/svid/server.key
+++ b/test/configs/certs/svid/server.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAxFbauT5Ge2uniUGkZwu3/3pH03DbIjZe7FfukBnD7DbEcOJT
+M1w9uTzh6bOIpX7VLVifWk64w62bELCX+g7Bp1zKy0htsdmnDh6OH4m0lOwcpT77
+ZxCbnRNrwzLoia+hSIyyyMIPUPPJMm3BblGasU1K5P4c957wLbPal+83ipTa4anM
+IQWcqPpoPGlcxJcB5Xw6rb8cLlju5hZLlaKkmxZrmuEu4KX3waKeNsY0eoDJwpSn
+nbfuyOxVreHE/GclxPzODnx0UZh8zGKcxL/Yq+YaF+OsL/oPfh0igPARMmOua25V
+n0Ra+f9CsvM4lt3giZ3mKLHJ2TsObohIw6qUzQIDAQABAoIBAGppqKI93nWGI4eA
+zFoNP+x3mfY/dIVWcpwmDGaNkGK2TEHiaLWtiMac+NRxOd54n5G0Nqn7gKiNrz2c
+eMJOvSa4ZDFJUCrUjHZamSz+taEBV4U4XYm+tpirrfxd2yrExeVMXJnyk9qMRr/O
+PMhN8kmmWrFCCPEsc4BRumgefzvb/W+4CqmY1CYCEV+Lmwwr+ur6ADDfz2dAfHtr
+UGkixUrzFO684qSTGTyn5oUdc4qN1XR63V/o411zbVfXIWMmiiVKv5ctq/RfshHD
+h9700/RAo0j08iwqDtLXyx1eolnIO6AfLzYcLrPzHFv460HPa3AIoQVfBs0IM2TJ
+8aAyFQECgYEA+L+5FvywmVKUJBc9XHJ/sTkGVL4i4I6TWbGTSN0urlAe1IEgq8Cq
+VYLZiOZkuh47uJ76HjFJMo7SQrLot92ofhz3506ZSa4d3LVLEAbaxKgOHDHfM9XP
+U4ZHEZdzj2s1IdW3v73NnIv2gnKVbL7gpIpeX0rhxHeFgAFwzykSolcCgYEAyhAG
+43yjcZZay/mavjBeTFtbwaYKAtaMIP8uDaS2DJCsLMRKTda3YgQydWSlzC02E22/
+xTHOp2ytI4Eq6pEUlZT08+Gxyf1XStyWNjzD9jK+c+mIbQsWeZGef7FfcxKFksBq
+0/9dG/MYUPqQBYoTDH24QR13XwKUzcGFjg6S83sCgYEAp+dZ+08zsTqRbk8Vhypu
+UOTqBheVmTgD9D4t6bgKw3Snas+CiwxwrWm2hnbltM+lhjghInIoM20+NfFnrnx7
+OC07lLF0PMy/sXPaKAZIcwfxBk0PmYCQApQXsqMlSMCXy6/j6RQoDqxXB7Rqck3h
+eo8/plj4TdJTlZTjXaIext8CgYEAxqcRDq+nxHFMXMLNlnPZEXqz7+M8bmPdqkcW
+UMWBUUMecnickIArFEsKDI3hzqUYR+ubINSB1eorIf/IYIo30YN7exWFhA70th29
+9B6zjaV/xldvD71Z4DUAvYt1Sp2IAqn3nOqu8F6DpoFf/IItjhc/gYzlodvYzZyX
+n/zGDmcCgYAumnP2HqQr0fFrHc/p+KWP3+YXi9b/gUiMK/i7k2r/vf4SbStogKJf
+SlFD2S+H+FJxVRxUhssz4SH3PYZJwAMX0DP9ZNpwa5rwSbx0a7H72u0O3r42nFXi
+LNt+4To/VB7frJsNKl4Oh46gUHMsMyoqsF5FNQpPQ4zTEio3U0FASQ==
+-----END RSA PRIVATE KEY-----
--- a/test/configs/certs/svid/server.pem
+++ b/test/configs/certs/svid/server.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDSDCCAjACAQEwDQYJKoZIhvcNAQELBQAwajELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xvcyBBbmdlbGVzMQ0wCwYDVQQKDARO
+QVRTMQ0wCwYDVQQLDAROQVRTMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjAwNTA5
+MjEwNTI0WhcNMzAwNTA3MjEwNTI0WjBqMQswCQYDVQQGEwJVUzETMBEGA1UECAwK
+Q2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9zIEFuZ2VsZXMxDTALBgNVBAoMBE5BVFMx
+DTALBgNVBAsMBE5BVFMxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAMRW2rk+Rntrp4lBpGcLt/96R9Nw2yI2XuxX7pAZ
+w+w2xHDiUzNcPbk84emziKV+1S1Yn1pOuMOtmxCwl/oOwadcystIbbHZpw4ejh+J
+tJTsHKU++2cQm50Ta8My6ImvoUiMssjCD1DzyTJtwW5RmrFNSuT+HPee8C2z2pfv
+N4qU2uGpzCEFnKj6aDxpXMSXAeV8Oq2/HC5Y7uYWS5WipJsWa5rhLuCl98GinjbG
+NHqAycKUp5237sjsVa3hxPxnJcT8zg58dFGYfMxinMS/2KvmGhfjrC/6D34dIoDw
+ETJjrmtuVZ9EWvn/QrLzOJbd4Imd5iixydk7Dm6ISMOqlM0CAwEAATANBgkqhkiG
+9w0BAQsFAAOCAQEArl6zUvvu+RF6tqAiHqN5d/mmuhiczsaRReNXe1yJ7llXuDzl
+jS/GAYu4nkDX/ejyWAwEnNOhjqNI5LMKNVJo+ZfOVH4jgiGZHaHzL6tY8tI6RYdO
+ZUL5aLLDIGNYgR4BWFP2b6dk767iBOsmzB/gjGNi/ROAPQOw72vdXuxFL0xVwIG7
+Dk2u5f3B9nVdJz5gWFMHTE/cSSbyYJ1zZhwauzDaeploSTFlDsjPWUpCWCiE1jKh
+jsgeF+HtlHcWlLhAAX/181SUoUilb9FBFCRLpPOuGYiKZ3KSQYzISkzvfE0u6/bs
+uGL3UWDsGNQe6AhKMp9V2LxDq+fRIa9pTklb7g==
+-----END CERTIFICATE-----
--- a/test/configs/certs/svid/svid-user-a.key
+++ b/test/configs/certs/svid/svid-user-a.key
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgST6YP9hyfw/Vmoxo
+MFp6MJFZu4xaYK3OweYcANEFTkmhRANCAAQCY7xD5sWZDVSRmBu2l4sjJYzpGVqg
+d7M8I6LnFjkhkJFc0h9n8jPud8POip9BfXJyLBzmtW+CfZC84zlFSknN
+-----END PRIVATE KEY-----
--- a/test/configs/certs/svid/svid-user-a.pem
+++ b/test/configs/certs/svid/svid-user-a.pem
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIICAzCCAamgAwIBAgIRAJXUSiQv6UVx+RHn17gl6xswCgYIKoZIzj0EAwIwMDEL
+MAkGA1UEBhMCVVMxDTALBgNVBAoTBE5BVFMxEjAQBgNVBAMTCWxvY2FsaG9zdDAe
+Fw0yMDA1MjcxODI3MTRaFw0yNTA1MDkyMTA1MTFaMB0xCzAJBgNVBAYTAlVTMQ4w
+DAYDVQQKEwVTUElSRTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAJjvEPmxZkN
+VJGYG7aXiyMljOkZWqB3szwjoucWOSGQkVzSH2fyM+53w86Kn0F9cnIsHOa1b4J9
+kLzjOUVKSc2jgbYwgbMwDgYDVR0PAQH/BAQDAgOoMB0GA1UdJQQWMBQGCCsGAQUF
+BwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBS9gO5XK6fzpkTH
+DuhPV7lB2AAbNjAfBgNVHSMEGDAWgBSeUg2uZMN8Eio3bHcxv7zJIzclhzA0BgNV
+HREELTArhilzcGlmZmU6Ly9sb2NhbGhvc3QvbXktbmF0cy1zZXJ2aWNlL3VzZXIt
+YTAKBggqhkjOPQQDAgNIADBFAiA2TvD3xhOCvn9E2QF42o7gTjqGicTeNInKTEKe
+A6AMzgIhAKdpmH5367YqHijKhtfklnM7g8WhdPhn38xWL7jG+5+a
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIC3jCCAcagAwIBAgIRAP6sMTwSA5gCsJWO5fSCokUwDQYJKoZIhvcNAQELBQAw
+ajELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xv
+cyBBbmdlbGVzMQ0wCwYDVQQKDAROQVRTMQ0wCwYDVQQLDAROQVRTMRIwEAYDVQQD
+DAlsb2NhbGhvc3QwHhcNMjAwNTI3MTgxNzAyWhcNMjUwNTA5MjEwNTExWjAwMQsw
+CQYDVQQGEwJVUzENMAsGA1UEChMETkFUUzESMBAGA1UEAxMJbG9jYWxob3N0MFkw
+EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJhF2UV33hUpg53uGmy/GkXEI2ZR8EQmp
+EHxG1GWbjHR7FBdVP/HmPyVKu5vfegXZp/hD3H7UYHjiNeKMYyGT4qOBgzCBgDAO
+BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUnlINrmTD
+fBIqN2x3Mb+8ySM3JYcwHwYDVR0jBBgwFoAUlDSkRxR41mV4yHobEDnU1bjsywgw
+HQYDVR0RBBYwFIYSc3BpZmZlOi8vbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IB
+AQA7nxOrNqGZ4U72qkB9YYXSi89HNgYoz1R0sLdRuh0BDpSPLASNymZrzbw1CuZm
+pOJ6b6blxDlLKBx+tDBgYejRmVCZq+hD8mIVBT0Vg3uZhmPOo2URQmUcfsas9UXK
+dXGh/9FIqq4u3dBA1bCHlKk/bDIu/VkGMkTaHaDXNEcLBSWLdVkMOuuF6YHgKJh5
+UQEsbWt+kfL3MzeMuAQYVuskKWE19+oLfY41jTQUzPY83r9nJkEZaUyVBShj8CAw
+K8QHfKrQ1BE6ALrM1zvMS9zMopoalMtNJ1ILL1nYLD2teVv4iSRGyD7JgHUYYax6
+rnloUNEr2o9DlZp8EvK2I4dU
+-----END CERTIFICATE-----
--- a/test/configs/certs/svid/svid-user-b.key
+++ b/test/configs/certs/svid/svid-user-b.key
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgEiQo4GXKbViodiF2
+LltOkXLauMoyKJu01c/FUoGpnXahRANCAASiSiVhimnedxcnXY1ffLWV6Ez9XIkq
+3pXxtk6q6jvDfn3OPPjIB47OH4KCqNaMoIsKxwK/mtOEETb0/gFqeQWa
+-----END PRIVATE KEY-----
--- a/test/configs/certs/svid/svid-user-b.pem
+++ b/test/configs/certs/svid/svid-user-b.pem
@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIICAjCCAaigAwIBAgIQUGwbDXAjCmdvfiGGjS/+PzAKBggqhkjOPQQDAjAwMQsw
+CQYDVQQGEwJVUzENMAsGA1UEChMETkFUUzESMBAGA1UEAxMJbG9jYWxob3N0MB4X
+DTIwMDUyNzE4MjkxMFoXDTI1MDUwOTIxMDUxMVowHTELMAkGA1UEBhMCVVMxDjAM
+BgNVBAoTBVNQSVJFMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEokolYYpp3ncX
+J12NX3y1lehM/VyJKt6V8bZOquo7w359zjz4yAeOzh+CgqjWjKCLCscCv5rThBE2
+9P4BankFmqOBtjCBszAOBgNVHQ8BAf8EBAMCA6gwHQYDVR0lBBYwFAYIKwYBBQUH
+AwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFOZVW2w2T+3afeJU
+JMuZg6Q8FXc/MB8GA1UdIwQYMBaAFJ5SDa5kw3wSKjdsdzG/vMkjNyWHMDQGA1Ud
+EQQtMCuGKXNwaWZmZTovL2xvY2FsaG9zdC9teS1uYXRzLXNlcnZpY2UvdXNlci1i
+MAoGCCqGSM49BAMCA0gAMEUCIQD81ueLXy2MerMclzKoMnP9VDjOLuHVHf7RkLYb
+OdqBigIgH0XT2q5pVmDQgCBP2bKaWZndvXlb5kkPw17XcSD2cKs=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIC3jCCAcagAwIBAgIRAP6sMTwSA5gCsJWO5fSCokUwDQYJKoZIhvcNAQELBQAw
+ajELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFDASBgNVBAcMC0xv
+cyBBbmdlbGVzMQ0wCwYDVQQKDAROQVRTMQ0wCwYDVQQLDAROQVRTMRIwEAYDVQQD
+DAlsb2NhbGhvc3QwHhcNMjAwNTI3MTgxNzAyWhcNMjUwNTA5MjEwNTExWjAwMQsw
+CQYDVQQGEwJVUzENMAsGA1UEChMETkFUUzESMBAGA1UEAxMJbG9jYWxob3N0MFkw
+EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJhF2UV33hUpg53uGmy/GkXEI2ZR8EQmp
+EHxG1GWbjHR7FBdVP/HmPyVKu5vfegXZp/hD3H7UYHjiNeKMYyGT4qOBgzCBgDAO
+BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUnlINrmTD
+fBIqN2x3Mb+8ySM3JYcwHwYDVR0jBBgwFoAUlDSkRxR41mV4yHobEDnU1bjsywgw
+HQYDVR0RBBYwFIYSc3BpZmZlOi8vbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IB
+AQA7nxOrNqGZ4U72qkB9YYXSi89HNgYoz1R0sLdRuh0BDpSPLASNymZrzbw1CuZm
+pOJ6b6blxDlLKBx+tDBgYejRmVCZq+hD8mIVBT0Vg3uZhmPOo2URQmUcfsas9UXK
+dXGh/9FIqq4u3dBA1bCHlKk/bDIu/VkGMkTaHaDXNEcLBSWLdVkMOuuF6YHgKJh5
+UQEsbWt+kfL3MzeMuAQYVuskKWE19+oLfY41jTQUzPY83r9nJkEZaUyVBShj8CAw
+K8QHfKrQ1BE6ALrM1zvMS9zMopoalMtNJ1ILL1nYLD2teVv4iSRGyD7JgHUYYax6
+rnloUNEr2o9DlZp8EvK2I4dU
+-----END CERTIFICATE-----
--- a/test/tls_test.go
+++ b/test/tls_test.go
@@ -1263,3 +1263,136 @@ func TestTLSClientAuthWithRDNSequence(t *testing.T) {
 		})
 	}
 }
+
+func TestTLSClientSVIDAuth(t *testing.T) {
+	for _, test := range []struct {
+		name   string
+		config string
+		certs  nats.Option
+		err    error
+		rerr   error
+	}{
+		{
+			"connect with tls using certificate with URIs",
+			`
+				port: -1
+				%s
+
+				authorization {
+				  users = [
+				    { 
+                                      user = "spiffe://localhost/my-nats-service/user-a"
+                                    }
+				  ]
+				}
+			`,
+			nats.ClientCert("./configs/certs/svid/svid-user-a.pem", "./configs/certs/svid/svid-user-a.key"),
+			nil,
+			nil,
+		},
+		{
+			"connect with tls using certificate with limited different permissions",
+			`
+				port: -1
+				%s
+
+				authorization {
+				  users = [
+				    { 
+                                      user = "spiffe://localhost/my-nats-service/user-a"
+                                    },
+				    { 
+                                      user = "spiffe://localhost/my-nats-service/user-b"
+                                      permissions = { subscribe = { deny = ">" }} 
+                                    }
+				  ]
+				}
+			`,
+			nats.ClientCert("./configs/certs/svid/svid-user-b.pem", "./configs/certs/svid/svid-user-b.key"),
+			nil,
+			errors.New("nats: timeout"),
+		},
+		{
+			"connect with tls without URIs in permissions will still match SAN",
+			`
+				port: -1
+				%s
+
+				authorization {
+				  users = [
+				    { 
+                                      user = "O=SPIRE,C=US" 
+                                    }
+				  ]
+				}
+			`,
+			nats.ClientCert("./configs/certs/svid/svid-user-a.pem", "./configs/certs/svid/svid-user-a.key"),
+			nil,
+			nil,
+		},
+		{
+			"connect with tls but no permissions",
+			`
+				port: -1
+				%s
+
+				authorization {
+				  users = [
+				    { 
+                                      user = "spiffe://localhost/my-nats-service/user-c"
+                                    }
+				  ]
+				}
+			`,
+			nats.ClientCert("./configs/certs/svid/svid-user-a.pem", "./configs/certs/svid/svid-user-a.key"),
+			errors.New("nats: Authorization Violation"),
+			nil,
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			content := fmt.Sprintf(test.config, `
+				tls {
+					cert_file: "configs/certs/svid/server.pem"
+					key_file: "configs/certs/svid/server.key"
+					ca_file: "configs/certs/svid/ca.pem"
+					timeout: 5
+                                        insecure: true
+					verify_and_map: true
+				}
+			`)
+			conf := createConfFile(t, []byte(content))
+			defer os.Remove(conf)
+			s, opts := RunServerWithConfig(conf)
+			defer s.Shutdown()
+
+			nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port),
+				test.certs,
+				nats.RootCAs("./configs/certs/svid/ca.pem"),
+			)
+			if test.err == nil && err != nil {
+				t.Errorf("Expected to connect, got %v", err)
+			} else if test.err != nil && err == nil {
+				t.Errorf("Expected error on connect")
+			} else if test.err != nil && err != nil {
+				// Error on connect was expected
+				if test.err.Error() != err.Error() {
+					t.Errorf("Expected error %s, got: %s", test.err, err)
+				}
+				return
+			}
+			defer nc.Close()
+
+			nc.Subscribe("ping", func(m *nats.Msg) {
+				m.Respond([]byte("pong"))
+			})
+			nc.Flush()
+
+			_, err = nc.Request("ping", []byte("ping"), 250*time.Millisecond)
+			if test.rerr != nil && err == nil {
+				t.Errorf("Expected error getting response")
+			} else if test.rerr == nil && err != nil {
+				t.Errorf("Expected response")
+			}
+		})
+	}
+}