MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2024-12-25 22:55:54 -05:00
Code Issues Packages Projects Releases Wiki Activity

kms: use GetClientCertificate callback for KES API keys (#19921)

Browse Source 
This commit fixes an issue in the KES client configuration
that can cause the following error when connecting to KES:
```
ERROR Failed to connect to KMS: failed to generate data key with KMS key: tls: client certificate is required
```

The Go TLS stack seems to not send a client certificate if it
thinks the client certificate cannot be validated by the peer.
In case of an API key, we don't care about this since we use
public key pinning and the X.509 certificate is just a transport
encoding.

The `GetClientCertificate` seems to be honored always such that
this error does not occur.

Signed-off-by: Andreas Auernhammer <github@aead.dev>
This commit is contained in:
Andreas Auernhammer 2024-06-12 16:31:26 +02:00 committed by GitHub
parent e3ac4035b9
commit 7ce28c3b1d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
internal/kms/config.go
View File

@ -168,7 +168,7 @@ func Connect(ctx context.Context, opts *ConnectionOptions) (*KMS, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
conf.Certificates = append(conf.Certificates, cert) conf.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &cert, nil }
} else { } else {
loadX509KeyPair := func(certFile, keyFile string) (tls.Certificate, error) { loadX509KeyPair := func(certFile, keyFile string) (tls.Certificate, error) {
// Manually load the certificate and private key into memory. // Manually load the certificate and private key into memory.