I'm working with AWS API Gateway and a Go back end. In order to ensure all connections are going through API Gateway, I need to use TLS client authentication (aka two-way authentication, mutual authentication).
In principle, this works with something like:
func enableClientAuth(server *http.Server, clientCertFile string) error {
clientCert, err := ioutil.ReadFile(clientCertFile)
if err != nil {
return err
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(clientCert)
tlsConfig := &tls.Config{
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: caCertPool,
}
tlsConfig.BuildNameToCertificate()
server.TLSConfig = tlsConfig
return nil
}
The problem I'm having is this error:
tls: failed to verify client's certificate: x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "ApiGateway")
This seems to be because the client certificate is self-signed, but is not a CA certificate, Go will not accept the signature. (Doesn't this defeat the purpose of a self-signed certificate? Most self-signed certs I have seen are not CA certs.) Unfortunately, I have no control over how the client certificate is generated or sent; it is all done by AWS. Is there something I can do to get a certificate in the ClientCAs cert pool that will cause Go to accept the API Gateway client certificate?
Example client certificate:
-----BEGIN CERTIFICATE-----
MIIC6DCCAdCgAwIBAgIISIIYdm+rIgMwDQYJKoZIhvcNAQELBQAwNDELMAkGA1UE
BhMCVVMxEDAOBgNVBAcTB1NlYXR0bGUxEzARBgNVBAMTCkFwaUdhdGV3YXkwHhcN
MTYwMzMwMTgxNTE4WhcNMTcwMzMwMTgxNTE4WjA0MQswCQYDVQQGEwJVUzEQMA4G
A1UEBxMHU2VhdHRsZTETMBEGA1UEAxMKQXBpR2F0ZXdheTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBALVVG0Ng8IbDy0tdw2yp2GHXYV8jDPJxsRXAstZ+
5N4ngG/ySPyv1i2OOvzKqUNzyKptsUbgtG/0XDWRI0qDATrsxXH6xy8lBeRZHNi4
ko6EP9BevyxB5YtoKqEoXbKAn4/hNWmac8tnENkLww0qFpPOhtxb0B2DHv+lkqZo
qBBBBZQ5Dal95h0cpUwoLRr5w3HsYzPcX1OUtQ/5cH0M0p/XvkB4jrZxsh1aQGsf
B9+temIJJtKvmmZ0C/dZ+neJhA+I526eUENeqmm5R1irM7sj4FDaU4bLR+L/+R6s
KtDLT4jPqf5vFYfMuEmyk4b5TBATJxAA47Y+gRFRe6Aon0ECAwEAATANBgkqhkiG
9w0BAQsFAAOCAQEAmFdXuy5Y6zdrIZHd7XCt/Q6jsU3hFGaEGRbDEFBwh6ixz58e
1egiUnIeUWZTFSzjQSY3IhYE7dvW+BVkjdLybhB3rim29Fb67AkBtRmQOLnHz426
bflOG46BSwNTvIEytOr0O6ds49bD34UrHELUCGmHJqIhBSrVCFOCwlf/Mksw9jxD
xo/YmJe2R4xNklvxWiFHOXrnGwrJ9yaWeQnCkRZBzfFLSZ26/fBnbkYUGn0lmtoB
e/rg/rgpwufbkhXA6CFX7adnLUKWqZgbmL5dpvLu9vB34ebfo4vE+o7AsgdloHBV
obcSyrLbZp25k/SlbOhSAqjjW1NaF+YypTxHFA==
-----END CERTIFICATE-----
@JohnWeldon's comment led me to the solution, which is that I need to modify the client Certificate struct after I load it. This requires decoding the PEM and parsing out the certificate. For the API Gateway client certificate, I had to set BasicConstraintsValid
and IsCA
to true and KeyUsage
to KeyUsageCertSign
; for my locally generated cert I only needed the latter two. Modifying the enableClientAuth()
func in my question:
func enableClientAuth(server *http.Server, clientCertFile string) error {
pemBytes, err := ioutil.ReadFile(clientCertFile)
if err != nil {
return err
}
pemBlock, _ := pem.Decode(pemBytes)
clientCert, err := x509.ParseCertificate(pemBlock.Bytes)
if err != nil {
return err
}
clientCert.BasicConstraintsValid = true
clientCert.IsCA = true
clientCert.KeyUsage = x509.KeyUsageCertSign
caCertPool := x509.NewCertPool()
caCertPool.AddCert(clientCert)
tlsConfig := &tls.Config{
ClientAuth: tls.RequireAndVerifyClientCert,
ClientCAs: caCertPool,
}
tlsConfig.BuildNameToCertificate()
server.TLSConfig = tlsConfig
return nil
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With