custom SN verification in verifyPeerCertificate

ZetaoZhuang · ZetaoZhuang · commit 120ea07286a8 · 2025-10-27T14:14:08.000-07:00
diff --git a/cns/service.go b/cns/service.go
@@ -157,26 +157,29 @@ func getTLSConfig(tlsSettings localtls.TlsSettings, errChan chan<- error) (*tls.
 }
 
 // verifyPeerCertificate verifies the client certificate's subject name matches the expected subject name.
-func verifyPeerCertificate(rawCerts [][]byte, clientSubjectName string) error {
+func verifyPeerCertificate(verifiedChains [][]*x509.Certificate, clientSubjectName string) error {
 	// no client subject name provided, skip verification
 	if clientSubjectName == "" {
 		return nil
 	}
 
-	if len(rawCerts) == 0 {
+	if len(verifiedChains) == 0 {
 		return errors.New("no client certificate provided during mTLS")
 	}
 
-	cert, err := x509.ParseCertificate(rawCerts[0])
-	if err != nil {
-		return errors.Errorf("Failed to parse client certificate during mTLS: %v", err)
+	clientCert := verifiedChains[0][0]
+	// Match DNS names (case-insensitive)
+	for _, dns := range clientCert.DNSNames {
+		if strings.EqualFold(dns, clientSubjectName) {
+			return nil
+		}
 	}
 
-	err = cert.VerifyHostname(clientSubjectName)
-	if err != nil {
-		return errors.Errorf("Failed to verify client certificate subject name during mTLS: %v", err)
+	// If SANs didn't match, fall back to Common Name (CN) match.
+	if clientCert.Subject.CommonName != "" && strings.EqualFold(clientCert.Subject.CommonName, clientSubjectName) {
+		return nil
 	}
-	return nil
+	return errors.Errorf("Failed to verify client certificate subject name during mTLS: %s", clientSubjectName)
 }
 
 func getTLSConfigFromFile(tlsSettings localtls.TlsSettings) (*tls.Config, error) {
@@ -225,8 +228,8 @@ func getTLSConfigFromFile(tlsSettings localtls.TlsSettings) (*tls.Config, error)
 		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
 		tlsConfig.ClientCAs = rootCAs
 		tlsConfig.RootCAs = rootCAs
-		tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
-			return verifyPeerCertificate(rawCerts, tlsSettings.MtlsClientCertSubjectName)
+		tlsConfig.VerifyPeerCertificate = func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
+			return verifyPeerCertificate(verifiedChains, tlsSettings.MtlsClientCertSubjectName)
 		}
 	}
 	logger.Debugf("TLS configured successfully from file: %+v", tlsSettings)
@@ -279,8 +282,8 @@ func getTLSConfigFromKeyVault(tlsSettings localtls.TlsSettings, errChan chan<- e
 		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
 		tlsConfig.ClientCAs = rootCAs
 		tlsConfig.RootCAs = rootCAs
-		tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
-			return verifyPeerCertificate(rawCerts, tlsSettings.MtlsClientCertSubjectName)
+		tlsConfig.VerifyPeerCertificate = func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
+			return verifyPeerCertificate(verifiedChains, tlsSettings.MtlsClientCertSubjectName)
 		}
 	}
 
diff --git a/cns/service_test.go b/cns/service_test.go
@@ -151,6 +151,15 @@ func TestNewService(t *testing.T) {
 			MtlsClientCertSubjectName: "random.com",
 		}
 
+		TLSSettingWithClientCertCN := serverTLS.TlsSettings{
+			TLSPort:                   "10093",
+			TLSSubjectName:            "localhost",
+			TLSCertificatePath:        testCertFilePath,
+			UseMTLS:                   true,
+			MinTLSVersion:             "TLS 1.2",
+			MtlsClientCertSubjectName: "foo.com", // Common Name from test certificate
+		}
+
 		runMutualTLSTest := func(tlsSettings serverTLS.TlsSettings, handshakeFailureExpected bool) {
 			config.TLSSettings = tlsSettings
 			svc, err := NewService(config.Name, config.Version, config.ChannelMode, config.Store)
@@ -207,6 +216,7 @@ func TestNewService(t *testing.T) {
 			svc.Uninitialize()
 		}
 		runMutualTLSTest(TLSSetting, false)
+		runMutualTLSTest(TLSSettingWithClientCertCN, false)
 		runMutualTLSTest(TLSSettingWithDisallowedClientSN, true)
 	})
 }

Original file line number	Diff line number	Diff line change
`@@ -157,26 +157,29 @@ func getTLSConfig(tlsSettings localtls.TlsSettings, errChan chan<- error) (*tls.`
`157`	`157`	`}`
`158`	`158`
`159`	`159`	`// verifyPeerCertificate verifies the client certificate's subject name matches the expected subject name.`
`160`		`-func verifyPeerCertificate(rawCerts [][]byte, clientSubjectName string) error {`
	`160`	`+func verifyPeerCertificate(verifiedChains [][]*x509.Certificate, clientSubjectName string) error {`
`161`	`161`	`// no client subject name provided, skip verification`
`162`	`162`	`if clientSubjectName == "" {`
`163`	`163`	`return nil`
`164`	`164`	`}`
`165`	`165`
`166`		`- if len(rawCerts) == 0 {`
	`166`	`+ if len(verifiedChains) == 0 {`
`167`	`167`	`return errors.New("no client certificate provided during mTLS")`
`168`	`168`	`}`
`169`	`169`
`170`		`- cert, err := x509.ParseCertificate(rawCerts[0])`
`171`		`- if err != nil {`
`172`		`- return errors.Errorf("Failed to parse client certificate during mTLS: %v", err)`
	`170`	`+ clientCert := verifiedChains[0][0]`
	`171`	`+ // Match DNS names (case-insensitive)`
	`172`	`+ for _, dns := range clientCert.DNSNames {`
	`173`	`+ if strings.EqualFold(dns, clientSubjectName) {`
	`174`	`+ return nil`
	`175`	`+ }`
`173`	`176`	`}`
`174`	`177`
`175`		`- err = cert.VerifyHostname(clientSubjectName)`
`176`		`- if err != nil {`
`177`		`- return errors.Errorf("Failed to verify client certificate subject name during mTLS: %v", err)`
	`178`	`+ // If SANs didn't match, fall back to Common Name (CN) match.`
	`179`	`+ if clientCert.Subject.CommonName != "" && strings.EqualFold(clientCert.Subject.CommonName, clientSubjectName) {`
	`180`	`+ return nil`
`178`	`181`	`}`
`179`		`- return nil`
	`182`	`+ return errors.Errorf("Failed to verify client certificate subject name during mTLS: %s", clientSubjectName)`
`180`	`183`	`}`
`181`	`184`
`182`	`185`	`func getTLSConfigFromFile(tlsSettings localtls.TlsSettings) (*tls.Config, error) {`
`@@ -225,8 +228,8 @@ func getTLSConfigFromFile(tlsSettings localtls.TlsSettings) (*tls.Config, error)`
`225`	`228`	`tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert`
`226`	`229`	`tlsConfig.ClientCAs = rootCAs`
`227`	`230`	`tlsConfig.RootCAs = rootCAs`
`228`		`- tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {`
`229`		`- return verifyPeerCertificate(rawCerts, tlsSettings.MtlsClientCertSubjectName)`
	`231`	`+ tlsConfig.VerifyPeerCertificate = func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {`
	`232`	`+ return verifyPeerCertificate(verifiedChains, tlsSettings.MtlsClientCertSubjectName)`
`230`	`233`	`}`
`231`	`234`	`}`
`232`	`235`	`logger.Debugf("TLS configured successfully from file: %+v", tlsSettings)`
`@@ -279,8 +282,8 @@ func getTLSConfigFromKeyVault(tlsSettings localtls.TlsSettings, errChan chan<- e`
`279`	`282`	`tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert`
`280`	`283`	`tlsConfig.ClientCAs = rootCAs`
`281`	`284`	`tlsConfig.RootCAs = rootCAs`
`282`		`- tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {`
`283`		`- return verifyPeerCertificate(rawCerts, tlsSettings.MtlsClientCertSubjectName)`
	`285`	`+ tlsConfig.VerifyPeerCertificate = func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {`
	`286`	`+ return verifyPeerCertificate(verifiedChains, tlsSettings.MtlsClientCertSubjectName)`
`284`	`287`	`}`
`285`	`288`	`}`
`286`	`289`