check all SAN types against regex
Signed-off-by: chodges15 <[email protected]>
chodges15 committed Mar 1, 2023
1 parent cfa5a75 commit 7e1d1b8
Showing 6 changed files with 27 additions and 15 deletions.
Expand Up @@ -3,4 +3,4 @@ tls_server_config:
key_file: "server.key"
client_auth_type: "RequireAndVerifyClientCert"
client_ca_file: "client2_selfsigned.pem"
client_cert_allowed_san_dns: "bad"
client_allowed_san_regex: "bad"
Expand Up @@ -3,4 +3,4 @@ tls_server_config:
key_file: "server.key"
client_auth_type: "RequireAndVerifyClientCert"
client_ca_file: "client2_selfsigned.pem"
client_cert_allowed_san_dns: "test3"
client_allowed_san_regex: "test3"
Expand Up @@ -3,4 +3,4 @@ tls_server_config:
key_file: "server.key"
client_auth_type: "RequireAndVerifyClientCert"
client_ca_file: "client2_selfsigned.pem"
client_cert_allowed_san_dns: ".+test.+"
client_allowed_san_regex: ".+test.+"
Expand Up @@ -3,4 +3,4 @@ tls_server_config:
key_file: "server.key"
client_auth_type: "RequireAndVerifyClientCert"
client_ca_file: "client2_selfsigned.pem"
client_cert_allowed_san_dns: (test\d|dns)
client_allowed_san_regex: (test\d|dns)
26 changes: 19 additions & 7 deletions web/tls_config.go
Expand Up @@ -52,8 +52,7 @@ type TLSConfig struct {
MinVersion TLSVersion `yaml:"min_version"`
MaxVersion TLSVersion `yaml:"max_version"`
PreferServerCipherSuites bool `yaml:"prefer_server_cipher_suites"`
// regular expression to match the SAN DNS entries of the client cert
ClientCertAllowedSanDNSRegex string `yaml:"client_cert_allowed_san_dns"`
ClientAllowedSanRegex string `yaml:"client_allowed_san_regex"`
}

type FlagConfig struct {
Expand All @@ -69,21 +68,34 @@ func (t *TLSConfig) SetDirectory(dir string) {
t.ClientCAs = config_util.JoinDir(dir, t.ClientCAs)
}

// VerifyPeerCertificate will check the DNS SAN entries of the client cert if there is configuration for it
// VerifyPeerCertificate will check the SAN entries of the client cert if there is configuration for it
func (t *TLSConfig) VerifyPeerCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
// sender cert comes first, see https://www.rfc-editor.org/rfc/rfc5246#section-7.4.2
cert, err := x509.ParseCertificate(rawCerts[0])
if err != nil {
return fmt.Errorf("error parsing client certificate: %s", err)
}

for _, san := range cert.DNSNames {
if matched, _ := regexp.MatchString(t.ClientCertAllowedSanDNSRegex, san); matched {
// Build up a slice of strings with all Subject Alternate Name values
sanValues := append(cert.DNSNames, cert.EmailAddresses...)

for _, ip := range cert.IPAddresses {
sanValues = append(sanValues, ip.String())
}

for _, uri := range cert.URIs {
sanValues = append(sanValues, uri.String())
}

for _, sanValue := range sanValues {
if matched, _ := regexp.MatchString(t.ClientAllowedSanRegex, sanValue); matched {
return nil
}
}

return fmt.Errorf("could not find configured SAN DNS in client cert: %s", t.ClientCertAllowedSanDNSRegex)
//todo: check other fields of the cert

return fmt.Errorf("could not find configured SAN in client cert: %s", t.ClientAllowedSanRegex)
}

type HTTPConfig struct {
Expand Down Expand Up @@ -183,7 +195,7 @@ func ConfigToTLSConfig(c *TLSConfig) (*tls.Config, error) {
cfg.ClientCAs = clientCAPool
}

if c.ClientCertAllowedSanDNSRegex != "" {
if c.ClientAllowedSanRegex != "" {
// verify that the client cert contains the allowed domain name
cfg.VerifyPeerCertificate = c.VerifyPeerCertificate
}
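Review bot: The error from regexp.MatchString on `if matched, _ := regexp.MatchString(t.ClientAllowedSanRegex, sanValue); matched {` is still discarded, so a malformed client_allowed_san_regex rejects every client with the unrelated "could not find configured SAN in client cert" message and the misconfiguration never surfaces; the pattern is also recompiled for each SAN value on every handshake. Compiling once at the top of VerifyPeerCertificate and returning the compile error, as below, makes the failure visible, and compiling at load time in ConfigToTLSConfig (whose body lies mostly outside the third hunk) would catch it before the server starts. `sanValues := append(cert.DNSNames, cert.EmailAddresses...)` appends into the slice owned by the parsed certificate and can write into its spare capacity; building sanValues with make avoids sharing that backing array. The `//todo: check other fields of the cert` comment now describes what this hunk implements and should go, and the field comment dropped in the first hunk should come back as `// ClientAllowedSanRegex is matched, unanchored, against every SAN of the client cert: DNS names, email addresses, IP addresses and URIs.`, since MatchString accepts any substring match unless the pattern itself is anchored.
```go
	re, err := regexp.Compile(t.ClientAllowedSanRegex)
	if err != nil {
		return fmt.Errorf("invalid client_allowed_san_regex %q: %w", t.ClientAllowedSanRegex, err)
	}

	// Collect every Subject Alternative Name value into a fresh slice so the
	// certificate's own DNSNames slice is never appended into.
	sanValues := make([]string, 0, len(cert.DNSNames)+len(cert.EmailAddresses)+len(cert.IPAddresses)+len(cert.URIs))
	sanValues = append(sanValues, cert.DNSNames...)
	sanValues = append(sanValues, cert.EmailAddresses...)
	// … unchanged: IP address and URI loops …

	for _, sanValue := range sanValues {
		if re.MatchString(sanValue) {
			return nil
		}
	}
	// … unchanged: final error return …
```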
8 changes: 4 additions & 4 deletions web/tls_config_test.go
Expand Up @@ -350,28 +350,28 @@ func TestServerBehaviour(t *testing.T) {
},
{
Name: `valid tls config yml and tls client with VerifyPeerCertificate (present good SAN DNS entry)`,
YAMLConfigPath: "testdata/web_config_auth_client_san_dns.good.yaml",
YAMLConfigPath: "testdata/web_config_auth_client_san.good.yaml",
UseTLSClient: true,
ClientCertificate: "client2_selfsigned",
ExpectedError: nil,
},
{
Name: `valid tls config yml and tls client with VerifyPeerCertificate (present invalid SAN DNS entries)`,
YAMLConfigPath: "testdata/web_config_auth_client_san_dns.bad.yaml",
YAMLConfigPath: "testdata/web_config_auth_client_san.bad.yaml",
UseTLSClient: true,
ClientCertificate: "client2_selfsigned",
ExpectedError: ErrorMap["Invalid client cert"],
},
{
Name: `valid tls config yml and tls client with VerifyPeerCertificate (present SAN DNS entry that matches configured regex)`,
YAMLConfigPath: "testdata/web_config_auth_client_san_dns_regex.good.yaml",
YAMLConfigPath: "testdata/web_config_auth_client_san_regex.good.yaml",
UseTLSClient: true,
ClientCertificate: "client2_selfsigned",
ExpectedError: nil,
},
{
Name: `valid tls config yml and tls client with VerifyPeerCertificate (present SAN DNS entry that does not match configured regex)`,
YAMLConfigPath: "testdata/web_config_auth_client_san_dns_regex.bad.yaml",
YAMLConfigPath: "testdata/web_config_auth_client_san_regex.bad.yaml",
UseTLSClient: true,
ClientCertificate: "client2_selfsigned",
ExpectedError: ErrorMap["Invalid client cert"],
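Review bot: The cases in this hunk are only path renames, so within what is visible nothing exercises the new matching of email, IP or URI SAN values that this commit adds to VerifyPeerCertificate; a case whose client certificate carries only a non-DNS SAN (for example an IP address) against a regex that matches it, plus a negative counterpart, would cover that path, unless such cases exist elsewhere in the table. The case names still read `present good SAN DNS entry` and `present invalid SAN DNS entries` while the check now spans every SAN type, so `SAN entry` would be accurate. TestServerBehaviour continues outside the hunk on both sides.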
