如何让Go接受自签名证书进行TLS客户端身份验证?

huangapple go评论82阅读模式
英文:

How can I make Go accept a self-signed certificate for TLS client authentication?

问题

我正在使用AWS API Gateway和Go后端进行工作。为了确保所有连接都通过API Gateway进行,我需要使用TLS客户端身份验证(也称为双向身份验证、互相认证)。

原则上,可以使用以下代码实现:

func enableClientAuth(server *http.Server, clientCertFile string) error {
    clientCert, err := ioutil.ReadFile(clientCertFile)
    if err != nil {
        return err
    }
    caCertPool := x509.NewCertPool()
    caCertPool.AppendCertsFromPEM(clientCert)

    tlsConfig := &tls.Config{
        ClientAuth: tls.RequireAndVerifyClientCert,
        ClientCAs:  caCertPool,
    }
    tlsConfig.BuildNameToCertificate()
    server.TLSConfig = tlsConfig
    return nil
}

我遇到的问题是这个错误:

tls: failed to verify client's certificate: x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "ApiGateway")

这似乎是因为客户端证书是自签名的,但不是CA证书,Go不会接受这个签名。(这不是自签名证书的目的吗?我见过的大多数自签名证书都不是CA证书。)不幸的是,我无法控制客户端证书的生成或发送;这一切都是由AWS完成的。有没有办法将一个证书添加到ClientCAs证书池中,以使Go接受API Gateway的客户端证书?

以下是示例客户端证书:

-----BEGIN CERTIFICATE-----
MIIC6DCCAdCgAwIBAgIISIIYdm+rIgMwDQYJKoZIhvcNAQELBQAwNDELMAkGA1UE
BhMCVVMxEDAOBgNVBAcTB1NlYXR0bGUxEzARBgNVBAMTCkFwaUdhdGV3YXkwHhcN
MTYwMzMwMTgxNTE4WhcNMTcwMzMwMTgxNTE4WjA0MQswCQYDVQQGEwJVUzEQMA4G
A1UEBxMHU2VhdHRsZTETMBEGA1UEAxMKQXBpR2F0ZXdheTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBALVVG0Ng8IbDy0tdw2yp2GHXYV8jDPJxsRXAstZ+
5N4ngG/ySPyv1i2OOvzKqUNzyKptsUbgtG/0XDWRI0qDATrsxXH6xy8lBeRZHNi4
ko6EP9BevyxB5YtoKqEoXbKAn4/hNWmac8tnENkLww0qFpPOhtxb0B2DHv+lkqZo
qBBBBZQ5Dal95h0cpUwoLRr5w3HsYzPcX1OUtQ/5cH0M0p/XvkB4jrZxsh1aQGsf
B9+temIJJtKvmmZ0C/dZ+neJhA+I526eUENeqmm5R1irM7sj4FDaU4bLR+L/+R6s
KtDLT4jPqf5vFYfMuEmyk4b5TBATJxAA47Y+gRFRe6Aon0ECAwEAATANBgkqhkiG
9w0BAQsFAAOCAQEAmFdXuy5Y6zdrIZHd7XCt/Q6jsU3hFGaEGRbDEFBwh6ixz58e
1egiUnIeUWZTFSzjQSY3IhYE7dvW+BVkjdLybhB3rim29Fb67AkBtRmQOLnHz426
bflOG46BSwNTvIEytOr0O6ds49bD34UrHELUCGmHJqIhBSrVCFOCwlf/Mksw9jxD
xo/YmJe2R4xNklvxWiFHOXrnGwrJ9yaWeQnCkRZBzfFLSZ26/fBnbkYUGn0lmtoB
e/rg/rgpwufbkhXA6CFX7adnLUKWqZgbmL5dpvLu9vB34ebfo4vE+o7AsgdloHBV
obcSyrLbZp25k/SlbOhSAqjjW1NaF+YypTxHFA==
-----END CERTIFICATE-----
英文:

I'm working with AWS API Gateway and a Go back end. In order to ensure all connections are going through API Gateway, I need to use TLS client authentication (aka two-way authentication, mutual authentication).

In principle, this works with something like:

func enableClientAuth(server *http.Server, clientCertFile string) error {
	clientCert, err := ioutil.ReadFile(clientCertFile)
	if err != nil {
		return err
	}
	caCertPool := x509.NewCertPool()
	caCertPool.AppendCertsFromPEM(clientCert)

	tlsConfig := &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  caCertPool,
	}
	tlsConfig.BuildNameToCertificate()
	server.TLSConfig = tlsConfig
	return nil
}

The problem I'm having is this error:
> tls: failed to verify client's certificate: x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "ApiGateway")

This seems to be because the client certificate is self-signed, but is not a CA certificate, Go will not accept the signature. (Doesn't this defeat the purpose of a self-signed certificate? Most self-signed certs I have seen are not CA certs.) Unfortunately, I have no control over how the client certificate is generated or sent; it is all done by AWS. Is there something I can do to get a certificate in the ClientCAs cert pool that will cause Go to accept the API Gateway client certificate?

Example client certificate:

-----BEGIN CERTIFICATE-----
MIIC6DCCAdCgAwIBAgIISIIYdm+rIgMwDQYJKoZIhvcNAQELBQAwNDELMAkGA1UE
BhMCVVMxEDAOBgNVBAcTB1NlYXR0bGUxEzARBgNVBAMTCkFwaUdhdGV3YXkwHhcN
MTYwMzMwMTgxNTE4WhcNMTcwMzMwMTgxNTE4WjA0MQswCQYDVQQGEwJVUzEQMA4G
A1UEBxMHU2VhdHRsZTETMBEGA1UEAxMKQXBpR2F0ZXdheTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBALVVG0Ng8IbDy0tdw2yp2GHXYV8jDPJxsRXAstZ+
5N4ngG/ySPyv1i2OOvzKqUNzyKptsUbgtG/0XDWRI0qDATrsxXH6xy8lBeRZHNi4
ko6EP9BevyxB5YtoKqEoXbKAn4/hNWmac8tnENkLww0qFpPOhtxb0B2DHv+lkqZo
qBBBBZQ5Dal95h0cpUwoLRr5w3HsYzPcX1OUtQ/5cH0M0p/XvkB4jrZxsh1aQGsf
B9+temIJJtKvmmZ0C/dZ+neJhA+I526eUENeqmm5R1irM7sj4FDaU4bLR+L/+R6s
KtDLT4jPqf5vFYfMuEmyk4b5TBATJxAA47Y+gRFRe6Aon0ECAwEAATANBgkqhkiG
9w0BAQsFAAOCAQEAmFdXuy5Y6zdrIZHd7XCt/Q6jsU3hFGaEGRbDEFBwh6ixz58e
1egiUnIeUWZTFSzjQSY3IhYE7dvW+BVkjdLybhB3rim29Fb67AkBtRmQOLnHz426
bflOG46BSwNTvIEytOr0O6ds49bD34UrHELUCGmHJqIhBSrVCFOCwlf/Mksw9jxD
xo/YmJe2R4xNklvxWiFHOXrnGwrJ9yaWeQnCkRZBzfFLSZ26/fBnbkYUGn0lmtoB
e/rg/rgpwufbkhXA6CFX7adnLUKWqZgbmL5dpvLu9vB34ebfo4vE+o7AsgdloHBV
obcSyrLbZp25k/SlbOhSAqjjW1NaF+YypTxHFA==
-----END CERTIFICATE-----

答案1

得分: 6

@JohnWeldon的评论引导我找到了解决方案,即在加载客户端证书后需要修改客户端证书结构。这需要对PEM进行解码并解析出证书。对于API Gateway客户端证书,我需要将BasicConstraintsValidIsCA设置为true,将KeyUsage设置为KeyUsageCertSign;对于我本地生成的证书,我只需要后两个。修改我问题中的enableClientAuth()函数:

func enableClientAuth(server *http.Server, clientCertFile string) error {
    pemBytes, err := ioutil.ReadFile(clientCertFile)
    if err != nil {
        return err
    }

    pemBlock, _ := pem.Decode(pemBytes)
    clientCert, err := x509.ParseCertificate(pemBlock.Bytes)
    if err != nil {
        return err
    }

    clientCert.BasicConstraintsValid = true
    clientCert.IsCA = true
    clientCert.KeyUsage = x509.KeyUsageCertSign

    caCertPool := x509.NewCertPool()
    caCertPool.AddCert(clientCert)

    tlsConfig := &tls.Config{
        ClientAuth: tls.RequireAndVerifyClientCert,
        ClientCAs:  caCertPool,
    }
    tlsConfig.BuildNameToCertificate()
    server.TLSConfig = tlsConfig
    return nil
}
英文:

@JohnWeldon's comment led me to the solution, which is that I need to modify the client Certificate struct after I load it. This requires decoding the PEM and parsing out the certificate. For the API Gateway client certificate, I had to set BasicConstraintsValid and IsCA to true and KeyUsage to KeyUsageCertSign; for my locally generated cert I only needed the latter two. Modifying the enableClientAuth() func in my question:

func enableClientAuth(server *http.Server, clientCertFile string) error {
	pemBytes, err := ioutil.ReadFile(clientCertFile)
	if err != nil {
		return err
	}

	pemBlock, _ := pem.Decode(pemBytes)
	clientCert, err := x509.ParseCertificate(pemBlock.Bytes)
	if err != nil {
		return err
	}

	clientCert.BasicConstraintsValid = true
	clientCert.IsCA = true
	clientCert.KeyUsage = x509.KeyUsageCertSign

	caCertPool := x509.NewCertPool()
	caCertPool.AddCert(clientCert)

	tlsConfig := &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  caCertPool,
	}
	tlsConfig.BuildNameToCertificate()
	server.TLSConfig = tlsConfig
	return nil
}

huangapple
  • 本文由 发表于 2016年3月31日 02:37:17
  • 转载请务必保留本文链接:https://go.coder-hub.com/36317044.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定