Issue #108: Mark ApiGateway certificates as CA certs

AWS API Gateway certficates are self-signed but don't have the IsCA flag set to true and also don't mark the certificate as to be used for certificate signing. This prevents Go to accept the certificate for client-cert authentication. Since it isn't possible to use a custom certificate for client authentication in the AWS API Gateway we need to patch the certificate on the fly. This is a preliminary patch to verify that the approach works but has the the certificate detection hard-coded and permanent. This should be configurable and off by default.
fabiolb · Jun 8, 2016 · 3ddf0d6 · 3ddf0d6
1 parent e84c069
commit 3ddf0d6
Showing 1 changed file with 16 additions and 3 deletions.
diff --git a/listen.go b/listen.go
@@ -3,7 +3,7 @@ package main
 import (
 	"crypto/tls"
 	"crypto/x509"
-	"errors"
+	"encoding/pem"
 	"io/ioutil"
 	"log"
 	"net"
@@ -89,10 +89,23 @@ func newServer(l config.Listen, h http.Handler) (*http.Server, error) {
 			if err != nil {
 				return nil, err
 			}
+
+			// Issue #108: Temp patch to allow generated AWS API Gateway certs to be
+			// used for client cert authentication
 			pool := x509.NewCertPool()
-			if !pool.AppendCertsFromPEM(pemBlock) {
-				return nil, errors.New("failed to add client auth certs")
+			for p, rest := pem.Decode(pemBlock); p != nil; p, rest = pem.Decode(rest) {
+				cert, err := x509.ParseCertificate(p.Bytes)
+				if err != nil {
+					return nil, err
+				}
+				if cert.Issuer.CommonName == "ApiGateway" {
+					cert.BasicConstraintsValid = true
+					cert.IsCA = true
+					cert.KeyUsage = x509.KeyUsageCertSign
+				}
+				pool.AddCert(cert)
 			}
+
 			srv.TLSConfig.ClientCAs = pool
 			srv.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
 		}