Fix TLS Client Certificate Verify Not Applied

xiaokangwang · xiaokangwang · commit 52ea2b014673 · 2022-05-03T15:23:33.000+01:00
diff --git a/transport/internet/tls/config.go b/transport/internet/tls/config.go
@@ -30,11 +30,13 @@ func ParseCertificate(c *cert.Certificate) *Certificate {
 	return nil
 }
 
-func (c *Config) loadSelfCertPool() (*x509.CertPool, error) {
+func (c *Config) loadSelfCertPool(usage Certificate_Usage) (*x509.CertPool, error) {
 	root := x509.NewCertPool()
 	for _, cert := range c.Certificate {
-		if !root.AppendCertsFromPEM(cert.Certificate) {
-			return nil, newError("failed to append cert").AtWarning()
+		if cert.Usage == usage {
+			if !root.AppendCertsFromPEM(cert.Certificate) {
+				return nil, newError("failed to append cert").AtWarning()
+			}
 		}
 	}
 	return root, nil
@@ -209,13 +211,19 @@ func (c *Config) GetTLSConfig(opts ...Option) *tls.Config {
 		}
 	}
 
+	clientRoot, err := c.loadSelfCertPool(Certificate_AUTHORITY_VERIFY_CLIENT)
+	if err != nil {
+		newError("failed to load client root certificate").AtError().Base(err).WriteToLog()
+	}
+
 	config := &tls.Config{
 		ClientSessionCache:     globalSessionCache,
 		RootCAs:                root,
 		InsecureSkipVerify:     c.AllowInsecure,
 		NextProtos:             c.NextProtocol,
 		SessionTicketsDisabled: !c.EnableSessionResumption,
 		VerifyPeerCertificate:  c.verifyPeerCert,
+		ClientCAs:              clientRoot,
 	}
 
 	for _, opt := range opts {
@@ -238,6 +246,9 @@ func (c *Config) GetTLSConfig(opts ...Option) *tls.Config {
 		config.NextProtos = []string{"h2", "http/1.1"}
 	}
 
+	if c.VerifyClientCertificate {
+		config.ClientAuth = tls.RequireAndVerifyClientCert
+	}
 	return config
 }
 
diff --git a/transport/internet/tls/config_other.go b/transport/internet/tls/config_other.go
@@ -33,7 +33,7 @@ var rootCerts rootCertsCache
 
 func (c *Config) getCertPool() (*x509.CertPool, error) {
 	if c.DisableSystemRoot {
-		return c.loadSelfCertPool()
+		return c.loadSelfCertPool(Certificate_AUTHORITY_VERIFY)
 	}
 
 	if len(c.Certificate) == 0 {
diff --git a/transport/internet/tls/config_windows.go b/transport/internet/tls/config_windows.go
@@ -7,7 +7,7 @@ import "crypto/x509"
 
 func (c *Config) getCertPool() (*x509.CertPool, error) {
 	if c.DisableSystemRoot {
-		return c.loadSelfCertPool()
+		return c.loadSelfCertPool(Certificate_AUTHORITY_VERIFY)
 	}
 
 	return nil, nil

Original file line number	Diff line number	Diff line change
`@@ -30,11 +30,13 @@ func ParseCertificate(c cert.Certificate) Certificate {`
`30`	`30`	`return nil`
`31`	`31`	`}`
`32`	`32`
`33`		`-func (c Config) loadSelfCertPool() (x509.CertPool, error) {`
	`33`	`+func (c Config) loadSelfCertPool(usage Certificate_Usage) (x509.CertPool, error) {`
`34`	`34`	`root := x509.NewCertPool()`
`35`	`35`	`for _, cert := range c.Certificate {`
`36`		`- if !root.AppendCertsFromPEM(cert.Certificate) {`
`37`		`- return nil, newError("failed to append cert").AtWarning()`
	`36`	`+ if cert.Usage == usage {`
	`37`	`+ if !root.AppendCertsFromPEM(cert.Certificate) {`
	`38`	`+ return nil, newError("failed to append cert").AtWarning()`
	`39`	`+ }`
`38`	`40`	`}`
`39`	`41`	`}`
`40`	`42`	`return root, nil`
`@@ -209,13 +211,19 @@ func (c Config) GetTLSConfig(opts ...Option) tls.Config {`
`209`	`211`	`}`
`210`	`212`	`}`
`211`	`213`
	`214`	`+ clientRoot, err := c.loadSelfCertPool(Certificate_AUTHORITY_VERIFY_CLIENT)`
	`215`	`+ if err != nil {`
	`216`	`+ newError("failed to load client root certificate").AtError().Base(err).WriteToLog()`
	`217`	`+ }`
	`218`	`+`
`212`	`219`	`config := &tls.Config{`
`213`	`220`	`ClientSessionCache: globalSessionCache,`
`214`	`221`	`RootCAs: root,`
`215`	`222`	`InsecureSkipVerify: c.AllowInsecure,`
`216`	`223`	`NextProtos: c.NextProtocol,`
`217`	`224`	`SessionTicketsDisabled: !c.EnableSessionResumption,`
`218`	`225`	`VerifyPeerCertificate: c.verifyPeerCert,`
	`226`	`+ ClientCAs: clientRoot,`
`219`	`227`	`}`
`220`	`228`
`221`	`229`	`for _, opt := range opts {`
`@@ -238,6 +246,9 @@ func (c Config) GetTLSConfig(opts ...Option) tls.Config {`
`238`	`246`	`config.NextProtos = []string{"h2", "http/1.1"}`
`239`	`247`	`}`
`240`	`248`
	`249`	`+ if c.VerifyClientCertificate {`
	`250`	`+ config.ClientAuth = tls.RequireAndVerifyClientCert`
	`251`	`+ }`
`241`	`252`	`return config`
`242`	`253`	`}`
`243`	`254`
Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ var rootCerts rootCertsCache`
`33`	`33`
`34`	`34`	`func (c Config) getCertPool() (x509.CertPool, error) {`
`35`	`35`	`if c.DisableSystemRoot {`
`36`		`- return c.loadSelfCertPool()`
	`36`	`+ return c.loadSelfCertPool(Certificate_AUTHORITY_VERIFY)`
`37`	`37`	`}`
`38`	`38`
`39`	`39`	`if len(c.Certificate) == 0 {`
Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@ import "crypto/x509"`
`7`	`7`
`8`	`8`	`func (c Config) getCertPool() (x509.CertPool, error) {`
`9`	`9`	`if c.DisableSystemRoot {`
`10`		`- return c.loadSelfCertPool()`
	`10`	`+ return c.loadSelfCertPool(Certificate_AUTHORITY_VERIFY)`
`11`	`11`	`}`
`12`	`12`
`13`	`13`	`return nil, nil`