From e91e9003dc87d5bcaa1a345e0e4fe3a442fa8fd7 Mon Sep 17 00:00:00 2001
From: Frank Schroeder
Date: Tue, 7 Jun 2016 16:55:51 +0200
Subject: [PATCH] Issue #108: Mark ApiGateway certificates as CA certs

AWS API Gateway certficates are self-signed but don't have the IsCA flag set to true and also don't mark the certificate as to be used for certificate signing. This prevents Go to accept the certificate for client-cert authentication. Since it isn't possible to use a custom certificate for client authentication in the AWS API Gateway we need to patch the certificate on the fly. This is a preliminary patch to verify that the approach works but has the the certificate detection hard-coded and permanent. This should be configurable and off by default.
---
 listen.go | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/listen.go b/listen.go
index 527e70f6b..9ffc35266 100644
--- a/listen.go
+++ b/listen.go
@@ -3,7 +3,7 @@ package main
 import (
 	"crypto/tls"
 	"crypto/x509"
-	"errors"
+	"encoding/pem"
 	"io/ioutil"
 	"log"
 	"net"
@@ -89,10 +89,23 @@ func newServer(l config.Listen, h http.Handler) (*http.Server, error) {
 	if err != nil {
 		return nil, err
 	}
+
+	// Issue #108: Temp patch to allow generated AWS API Gateway certs to be
+	// used for client cert authentication
 	pool := x509.NewCertPool()
-	if !pool.AppendCertsFromPEM(pemBlock) {
-		return nil, errors.New("failed to add client auth certs")
+	for p, rest := pem.Decode(pemBlock); p != nil; p, rest := pem.Decode(rest) {
+		cert, err := x509.ParseCertificate(p.Bytes)
+		if err != nil {
+			return nil, err
+		}
+		if cert.Issuer.CommonName == "ApiGateway" {
+			cert.BasicConstraintsValid = true
+			cert.IsCA = true
+			cert.KeyUsage = x509.KeyUsageCertSign
+		}
+		pool.AddCert(cert)
 	}
+
 	srv.TLSConfig.ClientCAs = pool
 	srv.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
 }
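Review bot: The loop header `for p, rest := pem.Decode(pemBlock); p != nil; p, rest := pem.Decode(rest) {` in the second hunk does not compile, because Go does not allow a short variable declaration in the post statement of a for loop; it should read `for p, rest := pem.Decode(pemBlock); p != nil; p, rest = pem.Decode(rest) {`. The loop also hands every PEM block to x509.ParseCertificate regardless of its type, so a file that carries a key or parameters block next to the certificates now fails with a parse error where AppendCertsFromPEM used to skip such blocks; add `if p.Type != "CERTIFICATE" { continue }` before the parse. Dropping the old `errors.New("failed to add client auth certs")` path means a file with no usable block yields an empty pool, and with RequireAndVerifyClientCert every client is then rejected with no hint as to why, so count the certificates added and return an error when the pool stays empty. In the ApiGateway branch, `cert.KeyUsage = x509.KeyUsageCertSign` overwrites whatever usages the certificate carries, while `cert.KeyUsage |= x509.KeyUsageCertSign` keeps them and still satisfies the CA check. The closing `}` at the end of the hunk belongs to an enclosing block, and newServer continues outside the hunk.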