Missing documentation for client TLS cert extensions #2388

Open
dorranh opened this issue Dec 10, 2020 · 2 comments
dorranh commented Dec 10, 2020

cardano-wallet supports TLS, but places a restriction on client x.509 certificates that they set their purpose to clientAuth (https://github.com/input-output-hk/cardano-wallet/blob/master/lib/core/src/Cardano/Wallet/Api/Server/Tls.hs#L44).

Submitting requests with a client certificate signed by the proper CA but with additional purposes enabled yields a fairly uninformative error message on the server side: HandshakeFailed (Error_Protocol ("certificate rejected: [LeafNotV3]",True,CertificateUnknown)), so it would be helpful to have this restriction documented somewhere.

I'll also submit a PR addressing this issue.

cc @melmccann


rvl commented Dec 11, 2020

Hi @dorranh - thanks for the report. That error message suggests that your client certificate is not X509.V3.
What does openssl x509 -in client.crt -text | grep Version say about it?

dorranh commented Dec 11, 2020

Hi @rvl, thanks for the tip. The failing certificate was indeed V1 x509. It looks like I was conflating things since openssl (v1.1.1) by default creates a V1 x509 certificate but generates a V3 certificate when you specify additional extensions. Forcing V3 (by passing an empty extensions config, e.g. openssl x509 -extfile foo.cnf) makes things work.

Also, after reading the docs for the validation module it appears I had misunderstood how the validation worked. Per the docs - the clientAuth purpose is only enforced to exist if the certificate specified the extendedKeyUsage field.

Regarding this issue, IMO it would be helpful for either the documentation to link to the validation module or to expand the error messages a bit to make them more readable. That way cardano-wallet admins without Haskell knowledge can track down validation issues more easily.

If there is somewhere I can contribute please let me know!
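As an added example (not code from the cardano-wallet project or from anyone in this thread), a POSIX shell helper that applies the two checks discussed above to the text form of a certificate: it must be X.509 v3, and if an extendedKeyUsage extension is present it must include clientAuth. The sample inputs are constructed to mimic the shape of openssl x509 -text output and are not real certificates.

```shell
#!/bin/sh
# Classify a client certificate against the two rules described in this thread:
#  1. it must be an X.509 v3 certificate (a v1 cert fails with LeafNotV3);
#  2. if it carries an extendedKeyUsage extension, that extension must
#     include clientAuth ("TLS Web Client Authentication" in openssl's output).
# Reads the text printed by `openssl x509 -text` on stdin and prints one of:
#   not-v3 | v3-no-eku | v3-clientauth | v3-eku-without-clientauth
# Exit status is 0 when the certificate would pass these checks, 1 otherwise.
classify_cert_text() {
    text=$(cat)
    version=$(printf '%s\n' "$text" | sed -n 's/^ *Version: *\([0-9]\).*/\1/p' | head -n 1)
    if [ "$version" != "3" ]; then
        echo "not-v3"
        return 1
    fi
    # openssl prints the EKU values on the line after the extension header
    eku=$(printf '%s\n' "$text" | sed -n '/X509v3 Extended Key Usage/{n;p;}')
    if [ -z "$eku" ]; then
        echo "v3-no-eku"   # no EKU extension at all: purpose is not checked
        return 0
    fi
    case "$eku" in
        *"TLS Web Client Authentication"*) echo "v3-clientauth"; return 0 ;;
        *) echo "v3-eku-without-clientauth"; return 1 ;;
    esac
}

# Convenience wrapper for a PEM file on disk (needs openssl on PATH).
check_client_cert() {
    openssl x509 -in "$1" -noout -text | classify_cert_text
}

# Constructed samples shaped like `openssl x509 -text` output (not real certs).
SAMPLE_V1='Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 4660 (0x1234)'

SAMPLE_V3_CLIENT='Certificate:
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection'

SAMPLE_V3_SERVER_ONLY='Certificate:
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication'
```

Run check_client_cert client.crt against a real file; the classification string tells you which of the two rules a rejected certificate violates.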
