mirror of
https://github.com/minio/minio.git
synced 2024-12-24 06:05:55 -05:00
sts: always verify the key usage of client certificates (#13583)
This commit makes the MinIO server behavior more consistent w.r.t. key usage verification. When MinIO verifies the client certificates it also checks that the client certificate is valid of client authentication (or any (i.e. wildcard) usage). However, the MinIO server used to not verify the client key usage when client certificate verification was disabled. Now, the MinIO server verifies the client key usage even when client certificate verification has been disabled. This makes the MinIO behavior more consistent from a client's perspective. Now, a client certificate has to be valid for client authentication in all cases. Signed-off-by: Andreas Auernhammer <hi@aead.dev>
This commit is contained in:
parent
df9f479d58
commit
8774d10bdf
@ -742,6 +742,31 @@ func (sts *stsAPIHandlers) AssumeRoleWithCertificate(w http.ResponseWriter, r *h
|
||||
writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidClientCertificate, err)
|
||||
return
|
||||
}
|
||||
} else {
|
||||
// Technically, there is no security argument for verifying the key usage
|
||||
// when we don't verify that the certificate has been issued by a trusted CA.
|
||||
// Any client can create a certificate with arbitrary key usage settings.
|
||||
//
|
||||
// However, this check ensures that a certificate with an invalid key usage
|
||||
// gets rejected even when we skip certificate verification. This helps
|
||||
// clients detect malformed certificates during testing instead of e.g.
|
||||
// a self-signed certificate that works while a comparable certificate
|
||||
// issued by a trusted CA fails due to the MinIO server being less strict
|
||||
// w.r.t. key usage verification.
|
||||
//
|
||||
// Basically, MinIO is more consistent (from a client perspective) when
|
||||
// we verify the key usage all the time.
|
||||
var validKeyUsage bool
|
||||
for _, usage := range certificate.ExtKeyUsage {
|
||||
if usage == x509.ExtKeyUsageAny || usage == x509.ExtKeyUsageClientAuth {
|
||||
validKeyUsage = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if !validKeyUsage {
|
||||
writeSTSErrorResponse(ctx, w, true, ErrSTSMissingParameter, errors.New("certificate is not valid for client authentication"))
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
// We map the X.509 subject common name to the policy. So, a client
|
||||
|
Loading…
Reference in New Issue
Block a user