Fix TLS Client Certificate Verify Not Applied

2022-05-03 15:23:33 +01:00 · 2022-05-03 15:23:33 +01:00 · 52ea2b0146
parent c93ad2fc1c
commit 52ea2b0146
3 changed files with 16 additions and 5 deletions
--- a/transport/internet/tls/config.go
+++ b/transport/internet/tls/config.go
@ -30,11 +30,13 @@ func ParseCertificate(c *cert.Certificate) *Certificate {
 	return nil
 }

-func (c *Config) loadSelfCertPool() (*x509.CertPool, error) {
+func (c *Config) loadSelfCertPool(usage Certificate_Usage) (*x509.CertPool, error) {
 	root := x509.NewCertPool()
 	for _, cert := range c.Certificate {
-		if !root.AppendCertsFromPEM(cert.Certificate) {
-			return nil, newError("failed to append cert").AtWarning()
+		if cert.Usage == usage {
+			if !root.AppendCertsFromPEM(cert.Certificate) {
+				return nil, newError("failed to append cert").AtWarning()
+			}
 		}
 	}
 	return root, nil
@ -209,6 +211,11 @@ func (c *Config) GetTLSConfig(opts ...Option) *tls.Config {
 		}
 	}

+	clientRoot, err := c.loadSelfCertPool(Certificate_AUTHORITY_VERIFY_CLIENT)
+	if err != nil {
+		newError("failed to load client root certificate").AtError().Base(err).WriteToLog()
+	}
+
 	config := &tls.Config{
 		ClientSessionCache:     globalSessionCache,
 		RootCAs:                root,
@ -216,6 +223,7 @@ func (c *Config) GetTLSConfig(opts ...Option) *tls.Config {
 		NextProtos:             c.NextProtocol,
 		SessionTicketsDisabled: !c.EnableSessionResumption,
 		VerifyPeerCertificate:  c.verifyPeerCert,
+		ClientCAs:              clientRoot,
 	}

 	for _, opt := range opts {
@ -238,6 +246,9 @@ func (c *Config) GetTLSConfig(opts ...Option) *tls.Config {
 		config.NextProtos = []string{"h2", "http/1.1"}
 	}

+	if c.VerifyClientCertificate {
+		config.ClientAuth = tls.RequireAndVerifyClientCert
+	}
 	return config
 }

--- a/transport/internet/tls/config_other.go
+++ b/transport/internet/tls/config_other.go
@ -33,7 +33,7 @@ var rootCerts rootCertsCache

 func (c *Config) getCertPool() (*x509.CertPool, error) {
 	if c.DisableSystemRoot {
-		return c.loadSelfCertPool()
+		return c.loadSelfCertPool(Certificate_AUTHORITY_VERIFY)
 	}

 	if len(c.Certificate) == 0 {
--- a/transport/internet/tls/config_windows.go
+++ b/transport/internet/tls/config_windows.go
@ -7,7 +7,7 @@ import "crypto/x509"

 func (c *Config) getCertPool() (*x509.CertPool, error) {
 	if c.DisableSystemRoot {
-		return c.loadSelfCertPool()
+		return c.loadSelfCertPool(Certificate_AUTHORITY_VERIFY)
 	}

 	return nil, nil