Skip to content

Handle client certificate chain #3

Description

@Klaus-Tockloth

The client should send the full certificate chain to the server (best practice) and not only the (single) client certificate. This use case is currently not handled. The defect is here:

func GetClientCertificate(clientCertPath string, clientKeyPath string) (*tls.Certificate, error) {
	fmt.Printf("Server requested certificate\n")
	if clientCertPath == "" || clientKeyPath == "" {
		return nil, errors.New("client certificate and key are required")
	}
	clientBytes, err := os.ReadFile(clientCertPath)
	if err != nil {
		return nil, fmt.Errorf("error reading client certificate: %w", err)
	}
	var cert *x509.Certificate
	for block, rest := pem.Decode(clientBytes); block != nil; block, rest = pem.Decode(rest) {
		if block.Type == "CERTIFICATE" {
			cert, err = x509.ParseCertificate(block.Bytes)
			if err != nil {
				return nil, fmt.Errorf("error parsing client certificate: %v", err)
			}
		}
	}

	certificate := tls.Certificate{
		Certificate: [][]byte{cert.Raw},
		PrivateKey: &CustomSigner{
			x509Cert:       cert,
			clientCertPath: clientCertPath,
			clientKeyPath:  clientKeyPath,
		},
	}
	return &certificate, nil
}

In case of a chain: cert contains the last certificate in the chain.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions