mirror of
https://github.com/minio/minio.git
synced 2024-12-24 06:05:55 -05:00
sts: allow clients to send certificate chain (#13235)
This commit fixes an issue in the `AssumeRoleWithCertificate` handler. Before clients received an error when they send a chain of X.509 certificates (their client certificate as well as intermediate / root CAs). Now, client can send a certificate chain and the server will only consider non-CA / leaf certificates as possible client certificate candidates. However, the client still can only send one certificate. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
This commit is contained in:
parent
91567ba916
commit
1fc0e9a6aa
@ -683,6 +683,24 @@ func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *h
|
||||
writeSTSErrorResponse(ctx, w, true, ErrSTSInsecureConnection, errors.New("No TLS connection attempt"))
|
||||
return
|
||||
}
|
||||
|
||||
// A client may send a certificate chain such that we end up
|
||||
// with multiple peer certificates. However, we can only accept
|
||||
// a single client certificate. Otherwise, the certificate to
|
||||
// policy mapping would be ambigious.
|
||||
// However, we can filter all CA certificates and only check
|
||||
// whether they client has sent exactly one (non-CA) leaf certificate.
|
||||
var peerCertificates = make([]*x509.Certificate, 0, len(r.TLS.PeerCertificates))
|
||||
for _, cert := range r.TLS.PeerCertificates {
|
||||
if cert.IsCA {
|
||||
continue
|
||||
}
|
||||
peerCertificates = append(peerCertificates, cert)
|
||||
}
|
||||
r.TLS.PeerCertificates = peerCertificates
|
||||
|
||||
// Now, we have to check that the client has provided exactly one leaf
|
||||
// certificate that we can map to a policy.
|
||||
if len(r.TLS.PeerCertificates) == 0 {
|
||||
writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, errors.New("No client certificate provided"))
|
||||
return
|
||||
@ -693,7 +711,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *h
|
||||
}
|
||||
|
||||
var certificate = r.TLS.PeerCertificates[0]
|
||||
if !globalSTSTLSConfig.InsecureSkipVerify {
|
||||
if !globalSTSTLSConfig.InsecureSkipVerify { // Verify whether the client certificate has been issued by a trusted CA.
|
||||
_, err := certificate.Verify(x509.VerifyOptions{
|
||||
KeyUsages: []x509.ExtKeyUsage{
|
||||
x509.ExtKeyUsageClientAuth,
|
||||
|
Loading…
Reference in New Issue
Block a user