Verify the bridge client certificate is a leaf cert

Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
repoSpanner · Jan 19, 2019 · 391f50be32ec2b0f126471ab4a71c40b598c9531 · 391f50b
1 parent 262568d
commit 391f50be32ec2b0f126471ab4a71c40b598c9531
Unified Split

Showing with 24 additions and 1 deletion.

+24 −1 bridge/root.go
diff --git a/bridge/root.go b/bridge/root.go
@@ -2,7 +2,9 @@ package bridge
 import (
 	"bytes"
+  
+	"crypto/x509"
 	"encoding/json"
+  
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"io"
@@ -208,7 +210,8 @@ func ExecuteBridge() {
 	loadConfig()
 	// Just call this to make sure we abort loudly early on if the user has no access
-  
-	getCertAndKey()
+  
+	cert, _ := getCertAndKey()
+  
+	checkForNonLeafCert(cert)
 	if configuration.BaseURL == "" {
 		exitWithError("Invalid configuration file")
@@ -298,3 +301,23 @@ func getCertAndKey() (string, string) {
 	exitWithError("User does not have access to this bridge")
 	return "", ""
 }
+  
+
+  
+func checkForNonLeafCert(certpath string) {
+  
+	cts, err := ioutil.ReadFile(certpath)
+  
+	checkError(err, "Error opening client certificate")
+  
+	certblock, rest := pem.Decode(cts)
+  
+	if len(rest) != 0 {
+  
+		exitWithError("Client certificate has unexpected contents")
+  
+	}
+  
+	cert, err := x509.ParseCertificate(certblock.Bytes)
+  
+	checkError(err, "Error parsing client certificate")
+  
+	if cert.IsCA {
+  
+		exitWithError("Client certificate is a CA certificate?")
+  
+	}
+  
+	for _, ku := range cert.ExtKeyUsage {
+  
+		if ku != x509.ExtKeyUsageClientAuth {
+  
+			exitWithError("Client certificate is not a leaf certificate")
+  
+		}
+  
+	}
+  
+	// If everything is OK, we just return and the bridge code will take over
+  
+}