英文:
How can I make Go accept a self-signed certificate for TLS client authentication?
问题
我正在使用AWS API Gateway和Go后端进行工作。为了确保所有连接都通过API Gateway进行,我需要使用TLS客户端身份验证(也称为双向身份验证、互相认证)。
原则上,可以使用以下代码实现:
func enableClientAuth(server *http.Server, clientCertFile string) error {
clientCert, err := ioutil.ReadFile(clientCertFile)
if err != nil {
return err
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(clientCert)
tlsConfig := &tls.Config{
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: caCertPool,
}
tlsConfig.BuildNameToCertificate()
server.TLSConfig = tlsConfig
return nil
}
我遇到的问题是这个错误:
tls: failed to verify client's certificate: x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "ApiGateway")
这似乎是因为客户端证书是自签名的,但不是CA证书,Go不会接受这个签名。(这不是自签名证书的目的吗?我见过的大多数自签名证书都不是CA证书。)不幸的是,我无法控制客户端证书的生成或发送;这一切都是由AWS完成的。有没有办法将一个证书添加到ClientCAs证书池中,以使Go接受API Gateway的客户端证书?
以下是示例客户端证书:
-----BEGIN CERTIFICATE-----
MIIC6DCCAdCgAwIBAgIISIIYdm+rIgMwDQYJKoZIhvcNAQELBQAwNDELMAkGA1UE
BhMCVVMxEDAOBgNVBAcTB1NlYXR0bGUxEzARBgNVBAMTCkFwaUdhdGV3YXkwHhcN
MTYwMzMwMTgxNTE4WhcNMTcwMzMwMTgxNTE4WjA0MQswCQYDVQQGEwJVUzEQMA4G
A1UEBxMHU2VhdHRsZTETMBEGA1UEAxMKQXBpR2F0ZXdheTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBALVVG0Ng8IbDy0tdw2yp2GHXYV8jDPJxsRXAstZ+
5N4ngG/ySPyv1i2OOvzKqUNzyKptsUbgtG/0XDWRI0qDATrsxXH6xy8lBeRZHNi4
ko6EP9BevyxB5YtoKqEoXbKAn4/hNWmac8tnENkLww0qFpPOhtxb0B2DHv+lkqZo
qBBBBZQ5Dal95h0cpUwoLRr5w3HsYzPcX1OUtQ/5cH0M0p/XvkB4jrZxsh1aQGsf
B9+temIJJtKvmmZ0C/dZ+neJhA+I526eUENeqmm5R1irM7sj4FDaU4bLR+L/+R6s
KtDLT4jPqf5vFYfMuEmyk4b5TBATJxAA47Y+gRFRe6Aon0ECAwEAATANBgkqhkiG
9w0BAQsFAAOCAQEAmFdXuy5Y6zdrIZHd7XCt/Q6jsU3hFGaEGRbDEFBwh6ixz58e
1egiUnIeUWZTFSzjQSY3IhYE7dvW+BVkjdLybhB3rim29Fb67AkBtRmQOLnHz426
bflOG46BSwNTvIEytOr0O6ds49bD34UrHELUCGmHJqIhBSrVCFOCwlf/Mksw9jxD
xo/YmJe2R4xNklvxWiFHOXrnGwrJ9yaWeQnCkRZBzfFLSZ26/fBnbkYUGn0lmtoB
e/rg/rgpwufbkhXA6CFX7adnLUKWqZgbmL5dpvLu9vB34ebfo4vE+o7AsgdloHBV
obcSyrLbZp25k/SlbOhSAqjjW1NaF+YypTxHFA==
-----END CERTIFICATE-----
英文:
I'm working with AWS API Gateway and a Go back end. In order to ensure all connections are going through API Gateway, I need to use TLS client authentication (aka two-way authentication, mutual authentication).
In principle, this works with something like:
func enableClientAuth(server *http.Server, clientCertFile string) error {
clientCert, err := ioutil.ReadFile(clientCertFile)
if err != nil {
return err
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(clientCert)
tlsConfig := &tls.Config{
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: caCertPool,
}
tlsConfig.BuildNameToCertificate()
server.TLSConfig = tlsConfig
return nil
}
The problem I'm having is this error:
> tls: failed to verify client's certificate: x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "ApiGateway")
This seems to be because the client certificate is self-signed, but is not a CA certificate, Go will not accept the signature. (Doesn't this defeat the purpose of a self-signed certificate? Most self-signed certs I have seen are not CA certs.) Unfortunately, I have no control over how the client certificate is generated or sent; it is all done by AWS. Is there something I can do to get a certificate in the ClientCAs cert pool that will cause Go to accept the API Gateway client certificate?
Example client certificate:
-----BEGIN CERTIFICATE-----
MIIC6DCCAdCgAwIBAgIISIIYdm+rIgMwDQYJKoZIhvcNAQELBQAwNDELMAkGA1UE
BhMCVVMxEDAOBgNVBAcTB1NlYXR0bGUxEzARBgNVBAMTCkFwaUdhdGV3YXkwHhcN
MTYwMzMwMTgxNTE4WhcNMTcwMzMwMTgxNTE4WjA0MQswCQYDVQQGEwJVUzEQMA4G
A1UEBxMHU2VhdHRsZTETMBEGA1UEAxMKQXBpR2F0ZXdheTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBALVVG0Ng8IbDy0tdw2yp2GHXYV8jDPJxsRXAstZ+
5N4ngG/ySPyv1i2OOvzKqUNzyKptsUbgtG/0XDWRI0qDATrsxXH6xy8lBeRZHNi4
ko6EP9BevyxB5YtoKqEoXbKAn4/hNWmac8tnENkLww0qFpPOhtxb0B2DHv+lkqZo
qBBBBZQ5Dal95h0cpUwoLRr5w3HsYzPcX1OUtQ/5cH0M0p/XvkB4jrZxsh1aQGsf
B9+temIJJtKvmmZ0C/dZ+neJhA+I526eUENeqmm5R1irM7sj4FDaU4bLR+L/+R6s
KtDLT4jPqf5vFYfMuEmyk4b5TBATJxAA47Y+gRFRe6Aon0ECAwEAATANBgkqhkiG
9w0BAQsFAAOCAQEAmFdXuy5Y6zdrIZHd7XCt/Q6jsU3hFGaEGRbDEFBwh6ixz58e
1egiUnIeUWZTFSzjQSY3IhYE7dvW+BVkjdLybhB3rim29Fb67AkBtRmQOLnHz426
bflOG46BSwNTvIEytOr0O6ds49bD34UrHELUCGmHJqIhBSrVCFOCwlf/Mksw9jxD
xo/YmJe2R4xNklvxWiFHOXrnGwrJ9yaWeQnCkRZBzfFLSZ26/fBnbkYUGn0lmtoB
e/rg/rgpwufbkhXA6CFX7adnLUKWqZgbmL5dpvLu9vB34ebfo4vE+o7AsgdloHBV
obcSyrLbZp25k/SlbOhSAqjjW1NaF+YypTxHFA==
-----END CERTIFICATE-----
答案1
得分: 6
@JohnWeldon的评论引导我找到了解决方案,即在加载客户端证书后需要修改客户端证书结构。这需要对PEM进行解码并解析出证书。对于API Gateway客户端证书,我需要将BasicConstraintsValid
和IsCA
设置为true,将KeyUsage
设置为KeyUsageCertSign
;对于我本地生成的证书,我只需要后两个。修改我问题中的enableClientAuth()
函数:
func enableClientAuth(server *http.Server, clientCertFile string) error {
pemBytes, err := ioutil.ReadFile(clientCertFile)
if err != nil {
return err
}
pemBlock, _ := pem.Decode(pemBytes)
clientCert, err := x509.ParseCertificate(pemBlock.Bytes)
if err != nil {
return err
}
clientCert.BasicConstraintsValid = true
clientCert.IsCA = true
clientCert.KeyUsage = x509.KeyUsageCertSign
caCertPool := x509.NewCertPool()
caCertPool.AddCert(clientCert)
tlsConfig := &tls.Config{
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: caCertPool,
}
tlsConfig.BuildNameToCertificate()
server.TLSConfig = tlsConfig
return nil
}
英文:
@JohnWeldon's comment led me to the solution, which is that I need to modify the client Certificate struct after I load it. This requires decoding the PEM and parsing out the certificate. For the API Gateway client certificate, I had to set BasicConstraintsValid
and IsCA
to true and KeyUsage
to KeyUsageCertSign
; for my locally generated cert I only needed the latter two. Modifying the enableClientAuth()
func in my question:
func enableClientAuth(server *http.Server, clientCertFile string) error {
pemBytes, err := ioutil.ReadFile(clientCertFile)
if err != nil {
return err
}
pemBlock, _ := pem.Decode(pemBytes)
clientCert, err := x509.ParseCertificate(pemBlock.Bytes)
if err != nil {
return err
}
clientCert.BasicConstraintsValid = true
clientCert.IsCA = true
clientCert.KeyUsage = x509.KeyUsageCertSign
caCertPool := x509.NewCertPool()
caCertPool.AddCert(clientCert)
tlsConfig := &tls.Config{
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: caCertPool,
}
tlsConfig.BuildNameToCertificate()
server.TLSConfig = tlsConfig
return nil
}
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论