Add serial number certificate to forward headers

docs/content/middlewares/passtlsclientcert.md

@@ -70,6 +70,7 @@ http:
       - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
       - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
       - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
+      - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.serialnumber=true"
       - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
       - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
       - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"

docs/content/reference/dynamic-configuration/file.toml

@@ -196,6 +196,7 @@
           notAfter = true
           notBefore = true
           sans = true
+          serialNumber = true
           [http.middlewares.Middleware12.passTLSClientCert.info.subject]
             country = true
             province = true

docs/content/reference/dynamic-configuration/file.yaml

@@ -239,6 +239,7 @@ http:
             commonName: true
             serialNumber: true
             domainComponent: true
+          serialNumber: true
     Middleware13:
       rateLimit:
         average: 42

docs/content/reference/dynamic-configuration/kv-ref.md

@@ -92,6 +92,7 @@
 | `traefik/http/middlewares/Middleware12/passTLSClientCert/info/notAfter` | `true` |
 | `traefik/http/middlewares/Middleware12/passTLSClientCert/info/notBefore` | `true` |
 | `traefik/http/middlewares/Middleware12/passTLSClientCert/info/sans` | `true` |
+| `traefik/http/middlewares/Middleware12/passTLSClientCert/info/serialNumber` | `true` |
 | `traefik/http/middlewares/Middleware12/passTLSClientCert/info/subject/commonName` | `true` |
 | `traefik/http/middlewares/Middleware12/passTLSClientCert/info/subject/country` | `true` |
 | `traefik/http/middlewares/Middleware12/passTLSClientCert/info/subject/domainComponent` | `true` |

pkg/config/dynamic/middlewares.go

@@ -382,6 +382,7 @@ type TLSClientCertificateInfo struct {
 	Sans         bool                        `json:"sans,omitempty" toml:"sans,omitempty" yaml:"sans,omitempty"`
 	Subject      *TLSCLientCertificateDNInfo `json:"subject,omitempty" toml:"subject,omitempty" yaml:"subject,omitempty"`
 	Issuer       *TLSCLientCertificateDNInfo `json:"issuer,omitempty" toml:"issuer,omitempty" yaml:"issuer,omitempty"`
+	SerialNumber bool                        `json:"serialNumber,omitempty" toml:"serialNumber,omitempty" yaml:"serialNumber,omitempty"`
 }
 
 // +k8s:deepcopy-gen=true

pkg/config/label/label_test.go

@@ -84,6 +84,7 @@ func TestDecodeConfiguration(t *testing.T) {
 		"traefik.http.middlewares.Middleware11.passtlsclientcert.info.notafter":                    "true",
 		"traefik.http.middlewares.Middleware11.passtlsclientcert.info.notbefore":                   "true",
 		"traefik.http.middlewares.Middleware11.passtlsclientcert.info.sans":                        "true",
+		"traefik.http.middlewares.Middleware11.passTLSClientCert.info.serialNumber":                "true",
 		"traefik.http.middlewares.Middleware11.passtlsclientcert.info.subject.commonname":          "true",
 		"traefik.http.middlewares.Middleware11.passtlsclientcert.info.subject.country":             "true",
 		"traefik.http.middlewares.Middleware11.passtlsclientcert.info.subject.domaincomponent":     "true",
@@ -296,6 +297,7 @@ func TestDecodeConfiguration(t *testing.T) {
 						Info: &dynamic.TLSClientCertificateInfo{
 							NotAfter:     true,
 							NotBefore:    true,
+							SerialNumber: true,
 							Subject: &dynamic.TLSCLientCertificateDNInfo{
 								Country:         true,
 								Province:        true,
@@ -701,6 +703,7 @@ func TestEncodeConfiguration(t *testing.T) {
 						Info: &dynamic.TLSClientCertificateInfo{
 							NotAfter:     true,
 							NotBefore:    true,
+							SerialNumber: true,
 							Subject: &dynamic.TLSCLientCertificateDNInfo{
 								Country:         true,
 								Province:        true,
@@ -1061,6 +1064,7 @@ func TestEncodeConfiguration(t *testing.T) {
 		"traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.NotAfter":                    "true",
 		"traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.NotBefore":                   "true",
 		"traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Sans":                        "true",
+		"traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.SerialNumber":                "true",
 		"traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.Country":             "true",
 		"traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.Province":            "true",
 		"traefik.HTTP.Middlewares.Middleware11.PassTLSClientCert.Info.Subject.Locality":            "true",

pkg/middlewares/passtlsclientcert/pass_tls_client_cert.go

@@ -69,6 +69,7 @@ type tlsClientCertificateInfo struct {
 	sans         bool
 	subject      *DistinguishedNameOptions
 	issuer       *DistinguishedNameOptions
+	serialNumber bool
 }
 
 func newTLSClientCertificateInfo(info *dynamic.TLSClientCertificateInfo) *tlsClientCertificateInfo {
@@ -81,6 +82,7 @@ func newTLSClientCertificateInfo(info *dynamic.TLSClientCertificateInfo) *tlsCli
 		notAfter:     info.NotAfter,
 		notBefore:    info.NotBefore,
 		subject:      newDistinguishedNameOptions(info.Subject),
+		serialNumber: info.SerialNumber,
 		sans:         info.Sans,
 	}
 }
@@ -155,6 +157,13 @@ func (p *passTLSClientCert) getCertInfo(ctx context.Context, certs []*x509.Certi
 				values = append(values, fmt.Sprintf(`Issuer="%s"`, strings.TrimSuffix(issuer, subFieldSeparator)))
 			}
 
+			if p.info.serialNumber && peerCert.SerialNumber != nil {
+				sn := peerCert.SerialNumber.String()
+				if sn != "" {
+					values = append(values, fmt.Sprintf(`SerialNumber="%s"`, strings.TrimSuffix(sn, subFieldSeparator)))
+				}
+			}
+
 			if p.info.notBefore {
 				values = append(values, fmt.Sprintf(`NB="%d"`, uint64(peerCert.NotBefore.Unix())))
 			}

pkg/middlewares/passtlsclientcert/pass_tls_client_cert_test.go

@@ -345,6 +345,7 @@ func TestPassTLSClientCert_certInfo(t *testing.T) {
 	minimalCheeseCertAllInfo := strings.Join([]string{
 		`Subject="C=FR,ST=Some-State,O=Cheese"`,
 		`Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2"`,
+		`SerialNumber="481535886039632329873080491016862977516759989652"`,
 		`NB="1544094636"`,
 		`NA="1632568236"`,
 	}, fieldSeparator)
@@ -352,6 +353,7 @@ func TestPassTLSClientCert_certInfo(t *testing.T) {
 	completeCertAllInfo := strings.Join([]string{
 		`Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.cheese.com"`,
 		`Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2"`,
+		`SerialNumber="1"`,
 		`NB="1544094616"`,
 		`NA="1607166616"`,
 		`SAN="*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2"`,
@@ -402,6 +404,7 @@ func TestPassTLSClientCert_certInfo(t *testing.T) {
 					NotAfter:     true,
 					NotBefore:    true,
 					Sans:         true,
+					SerialNumber: true,
 					Subject: &dynamic.TLSCLientCertificateDNInfo{
 						CommonName:      true,
 						Country:         true,
@@ -449,6 +452,7 @@ func TestPassTLSClientCert_certInfo(t *testing.T) {
 					NotAfter:     true,
 					NotBefore:    true,
 					Sans:         true,
+					SerialNumber: true,
 					Subject: &dynamic.TLSCLientCertificateDNInfo{
 						Country:         true,
 						Province:        true,
@@ -479,6 +483,7 @@ func TestPassTLSClientCert_certInfo(t *testing.T) {
 					NotAfter:     true,
 					NotBefore:    true,
 					Sans:         true,
+					SerialNumber: true,
 					Subject: &dynamic.TLSCLientCertificateDNInfo{
 						Country:         true,
 						Province:        true,