
Commit 120ea07

committed
custom SN verification in verifyPeerCertificate
1 parent abed720 commit 120ea07


2 files changed

+26
-13
lines changed


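--- a/cns/service.go
+++ b/cns/service.go
@@ -157,26 +157,29 @@ func getTLSConfig(tlsSettings localtls.TlsSettings, errChan chan<- error) (*tls.
 }
 
 // verifyPeerCertificate verifies the client certificate's subject name matches the expected subject name.
-func verifyPeerCertificate(rawCerts [][]byte, clientSubjectName string) error {
+func verifyPeerCertificate(verifiedChains [][]*x509.Certificate, clientSubjectName string) error {
 // no client subject name provided, skip verification
 if clientSubjectName == "" {
 return nil
 }
 
-if len(rawCerts) == 0 {
+if len(verifiedChains) == 0 {
 return errors.New("no client certificate provided during mTLS")
 }
 
-cert, err := x509.ParseCertificate(rawCerts[0])
-if err != nil {
-return errors.Errorf("Failed to parse client certificate during mTLS: %v", err)
+clientCert := verifiedChains[0][0]
+// Match DNS names (case-insensitive)
+for _, dns := range clientCert.DNSNames {
+if strings.EqualFold(dns, clientSubjectName) {
+return nil
+}
 }
 
-err = cert.VerifyHostname(clientSubjectName)
-if err != nil {
-return errors.Errorf("Failed to verify client certificate subject name during mTLS: %v", err)
+// If SANs didn't match, fall back to Common Name (CN) match.
+if clientCert.Subject.CommonName != "" && strings.EqualFold(clientCert.Subject.CommonName, clientSubjectName) {
+return nil
 }
-return nil
+return errors.Errorf("Failed to verify client certificate subject name during mTLS: %s", clientSubjectName)
 }
 
 func getTLSConfigFromFile(tlsSettings localtls.TlsSettings) (*tls.Config, error) {
@@ -225,8 +228,8 @@ func getTLSConfigFromFile(tlsSettings localtls.TlsSettings) (*tls.Config, error)
 tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
 tlsConfig.ClientCAs = rootCAs
 tlsConfig.RootCAs = rootCAs
-tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
-return verifyPeerCertificate(rawCerts, tlsSettings.MtlsClientCertSubjectName)
+tlsConfig.VerifyPeerCertificate = func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
+return verifyPeerCertificate(verifiedChains, tlsSettings.MtlsClientCertSubjectName)
 }
 }
 logger.Debugf("TLS configured successfully from file: %+v", tlsSettings)
@@ -279,8 +282,8 @@ func getTLSConfigFromKeyVault(tlsSettings localtls.TlsSettings, errChan chan<- e
 tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
 tlsConfig.ClientCAs = rootCAs
 tlsConfig.RootCAs = rootCAs
-tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
-return verifyPeerCertificate(rawCerts, tlsSettings.MtlsClientCertSubjectName)
+tlsConfig.VerifyPeerCertificate = func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
+return verifyPeerCertificate(verifiedChains, tlsSettings.MtlsClientCertSubjectName)
 }
 }
 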
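Review bot: The Common Name fallback on new line 179 is taken even when the leaf certificate carries SAN DNS names that simply did not match, which is looser than the `cert.VerifyHostname` call this hunk removes (on current Go releases that path never consults the CN, and it honoured wildcard SANs, which the exact `strings.EqualFold` loop on lines 172-173 no longer does). If the fallback is meant only for legacy CN-only certificates, gate it on the absence of SANs: `if len(clientCert.DNSNames) == 0 && strings.EqualFold(clientCert.Subject.CommonName, clientSubjectName) {` (the `CommonName != ""` test is redundant there, since `clientSubjectName` is already known to be non-empty). The guard on line 166 also leaves `verifiedChains[0][0]` unprotected against an empty inner chain; `if len(verifiedChains) == 0 || len(verifiedChains[0]) == 0 {` avoids a panic inside the handshake should a caller ever pass one. The doc comment on line 159 should spell out the new rule, e.g. `// verifyPeerCertificate accepts the leaf of the first verified chain when one of its SAN DNS names equals clientSubjectName case-insensitively (no wildcard matching), falling back to its Subject CN; an empty clientSubjectName disables the check.`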

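--- a/cns/service_test.go
+++ b/cns/service_test.go
@@ -151,6 +151,15 @@ func TestNewService(t *testing.T) {
 MtlsClientCertSubjectName: "random.com",
 }
 
+TLSSettingWithClientCertCN := serverTLS.TlsSettings{
+TLSPort: "10093",
+TLSSubjectName: "localhost",
+TLSCertificatePath: testCertFilePath,
+UseMTLS: true,
+MinTLSVersion: "TLS 1.2",
+MtlsClientCertSubjectName: "foo.com", // Common Name from test certificate
+}
+
 runMutualTLSTest := func(tlsSettings serverTLS.TlsSettings, handshakeFailureExpected bool) {
 config.TLSSettings = tlsSettings
 svc, err := NewService(config.Name, config.Version, config.ChannelMode, config.Store)
@@ -207,6 +216,7 @@ func TestNewService(t *testing.T) {
 svc.Uninitialize()
 }
 runMutualTLSTest(TLSSetting, false)
+runMutualTLSTest(TLSSettingWithClientCertCN, false)
 runMutualTLSTest(TLSSettingWithDisallowedClientSN, true)
 })
 }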
