The client should send the full certificate chain to the server (best practice) and not only the (single) client certificate. This use case is currently not handled. The defect is here:
func GetClientCertificate(clientCertPath string, clientKeyPath string) (*tls.Certificate, error) {
fmt.Printf("Server requested certificate\n")
if clientCertPath == "" || clientKeyPath == "" {
return nil, errors.New("client certificate and key are required")
}
clientBytes, err := os.ReadFile(clientCertPath)
if err != nil {
return nil, fmt.Errorf("error reading client certificate: %w", err)
}
var cert *x509.Certificate
for block, rest := pem.Decode(clientBytes); block != nil; block, rest = pem.Decode(rest) {
if block.Type == "CERTIFICATE" {
cert, err = x509.ParseCertificate(block.Bytes)
if err != nil {
return nil, fmt.Errorf("error parsing client certificate: %v", err)
}
}
}
certificate := tls.Certificate{
Certificate: [][]byte{cert.Raw},
PrivateKey: &CustomSigner{
x509Cert: cert,
clientCertPath: clientCertPath,
clientKeyPath: clientKeyPath,
},
}
return &certificate, nil
}
In case of a chain: cert contains the last certificate in the chain.
The client should send the full certificate chain to the server (best practice) and not only the (single) client certificate. This use case is currently not handled. The defect is here:
In case of a chain: cert contains the last certificate in the chain.