
Verify the bridge client certificate is a leaf cert

Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
puiterwijk committed Jan 19, 2019
1 parent 262568d commit 391f50be32ec2b0f126471ab4a71c40b598c9531
Showing with 24 additions and 1 deletion.
  1. +24 −1 bridge/root.go
@@ -2,7 +2,9 @@ package bridge

import (
"bytes"
"crypto/x509"
"encoding/json"
"encoding/pem"
"errors"
"fmt"
"io"
@@ -208,7 +210,8 @@ func ExecuteBridge() {
loadConfig()

// Just call this to make sure we abort loudly early on if the user has no access
getCertAndKey()
cert, _ := getCertAndKey()
checkForNonLeafCert(cert)

if configuration.BaseURL == "" {
exitWithError("Invalid configuration file")
@@ -298,3 +301,23 @@ func getCertAndKey() (string, string) {
exitWithError("User does not have access to this bridge")
return "", ""
}

func checkForNonLeafCert(certpath string) {
cts, err := ioutil.ReadFile(certpath)
checkError(err, "Error opening client certificate")
certblock, rest := pem.Decode(cts)
if len(rest) != 0 {
exitWithError("Client certificate has unexpected contents")
}
cert, err := x509.ParseCertificate(certblock.Bytes)
checkError(err, "Error parsing client certificate")
if cert.IsCA {
exitWithError("Client certificate is a CA certificate?")
}
for _, ku := range cert.ExtKeyUsage {
if ku != x509.ExtKeyUsageClientAuth {
exitWithError("Client certificate is not a leaf certificate")
}
}
// If everything is OK, we just return and the bridge code will take over
}
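Review bot: `pem.Decode` returns a nil block when the file contains no PEM data, so `certblock.Bytes` on the `x509.ParseCertificate` line dereferences nil and the bridge panics instead of exiting with a message; guard it before the parse, e.g. `if certblock == nil || certblock.Type != "CERTIFICATE" { exitWithError("Client certificate is not a PEM-encoded certificate") }`. The ExtKeyUsage loop only rejects a certificate that carries an EKU other than ClientAuth, so a certificate with no EKU extension at all passes unchanged, while one listing both ServerAuth and ClientAuth is rejected with a message that calls it a non-leaf; if the intent is to require a client-auth leaf, record whether ClientAuth was seen and exit when it was not, and word the message after what was actually found. `len(rest) != 0` also rejects a file with trailing blank lines or an appended chain, which may be deliberate but deserves a comment on that line, e.g. `// exactly one PEM block is accepted: a chain or trailing data is an error`.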
