gwutils

package
v0.11.10
Published: Apr 26, 2024 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func MakeTLSPeerCertificateForwarder

func MakeTLSPeerCertificateForwarder(encryptionPassphrase string) gateway.InterceptorFunc

MakeTLSPeerCertificateForwarder returns a bahamut gateway.InterceptorFunc that you need to add to the bahamut.Gateway so that it intercepts calls to the A3S /issue endpoint (or any other endpoint you proxy) and passes the user certificate along in a secure header.

The encryptionPassphrase is required because A3S refuses to trust a header containing a user certificate unless it is encrypted with that key. The key must be exactly 16, 24 or 32 bytes long, selecting AES-128, AES-192 or AES-256 respectively.

WARNING: You MUST NOT use this function without installing a custom peer certificate verifier, built with MakeTLSPeerCertificateVerifier, in the gateway's server TLS config. A3S blindly trusts the certificate in the header, which is why you MUST verify it before forwarding.
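An added example, not code from gwutils or bahamut, of what the forwarding step amounts to: a sealing routine whose key-length check is aes.NewCipher (the 16/24/32-byte rule above), its receiving-side counterpart, and an interceptor that discards any copy of the header the client sent and sets a fresh one from the TLS connection's peer certificate. The header name, the AES-GCM wire format and the func(*http.Request) error interceptor shape are assumptions; the page does not state what A3S and gateway.InterceptorFunc actually use, and the certificate bytes are a constructed stand-in.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// headerName is an assumed name for the trusted header; the page does not
// state the header name or wire format A3S actually uses.
const headerName = "X-Forwarded-Client-Certificate"

// sealCertificate encrypts a certificate's DER bytes with AES-GCM under
// passphrase. aes.NewCipher enforces the 16/24/32-byte rule from the package
// documentation (AES-128/192/256) and rejects any other length.
func sealCertificate(passphrase, der []byte) (string, error) {
	block, err := aes.NewCipher(passphrase)
	if err != nil {
		return "", fmt.Errorf("encryption passphrase must be 16, 24 or 32 bytes: %w", err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// nonce || ciphertext || tag, base64-encoded so it is a legal header value
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, der, nil)), nil
}

// openCertificate is the receiving side. It fails on a wrong key, a tampered
// value or a truncated one: without the passphrase nobody can produce a header
// value that opens successfully.
func openCertificate(passphrase []byte, value string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(value)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(passphrase)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize() {
		return nil, fmt.Errorf("header value too short")
	}
	return gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
}

// forwardingInterceptor plays the role of the gateway interceptor: it drops any
// copy of the header that arrived from the client and sets a fresh one from the
// certificate of the TLS connection, which the verifier has already checked.
// The func(*http.Request) error shape is an assumption for this example.
func forwardingInterceptor(passphrase []byte) func(*http.Request) error {
	return func(r *http.Request) error {
		r.Header.Del(headerName)
		if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
			return nil // no client certificate: nothing to forward
		}
		v, err := sealCertificate(passphrase, r.TLS.PeerCertificates[0].Raw)
		if err != nil {
			return err
		}
		r.Header.Set(headerName, v)
		return nil
	}
}

// Demo runs the interceptor on a constructed request whose client tried to
// supply the header itself, then opens the header as the receiving side would.
// It returns the recovered bytes (a constructed stand-in, not a real DER cert).
func Demo(passphrase []byte) ([]byte, error) {
	req := httptest.NewRequest(http.MethodPost, "/issue", nil)
	req.Header.Set(headerName, "client-supplied-value") // must not survive
	req.TLS = &tls.ConnectionState{PeerCertificates: []*x509.Certificate{{Raw: []byte("constructed-der-stand-in")}}}
	if err := forwardingInterceptor(passphrase)(req); err != nil {
		return nil, err
	}
	return openCertificate(passphrase, req.Header.Get(headerName))
}

func main() {
	der, err := Demo([]byte("0123456789abcdef0123456789abcdef")) // 32 bytes: AES-256
	fmt.Printf("%s %v\n", der, err)
	_, err = Demo([]byte("too-short-passphrase")) // 20 bytes: rejected by aes.NewCipher
	fmt.Println(err)
}
```

The 32-byte passphrase round-trips the stand-in bytes; the 20-byte one fails at aes.NewCipher, which is the check behind the 16/24/32 rule. Deleting the inbound header before setting it is the interceptor-side complement of the verifier: since A3S trusts the header as-is, the gateway must be the only place it can originate.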

func MakeTLSPeerCertificateVerifier

func MakeTLSPeerCertificateVerifier(
	ctx context.Context,
	m manipulate.Manipulator,
	opts ...VerifierOption,
) func([][]byte, [][]*x509.Certificate) error

MakeTLSPeerCertificateVerifier returns a function you can use as tls.Config.VerifyPeerCertificate. You need this if you want to support user authentication through mTLS while behind a bahamut.Gateway.

This is the first step of the dance needed to securely forward the client certificate in a trusted header. You then need to add an interceptor built with MakeTLSPeerCertificateForwarder.

The returned function uses the provided manipulator to search A3S for an mtls source holding the CA that issued the presented client certificate, matched on the certificate's AuthorityKeyID. If one is found, the certificate's signature is checked against that CA.

Results are cached for the duration set with OptionCacheDuration, and at most the number of items set with OptionCacheSize is kept.
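An added example, not the gwutils implementation, of the logic the returned verifier performs: locate the issuing CA by the presented certificate's AuthorityKeyId, then verify the leaf's signature against that CA alone. The A3S search through the manipulator is replaced by a constructed caLookup function, and the caching configured with OptionCacheDuration/OptionCacheSize and the OptionTimeout deadline are left out. The fixture CAs and client certificates are generated in memory at run time; the third case, a certificate that merely claims the trusted CA's key id, shows why the signature check after the lookup is what establishes trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caLookup stands in for the A3S mtls-source search the real verifier does
// through a manipulate.Manipulator: AuthorityKeyId -> CA whose SubjectKeyId
// matches, or an error. (Constructed stand-in for this example.)
type caLookup func(akid []byte) (*x509.Certificate, error)

// makeVerifier mirrors the shape of MakeTLSPeerCertificateVerifier; the
// returned function fits tls.Config.VerifyPeerCertificate.
func makeVerifier(lookup caLookup) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("no client certificate presented")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		ca, err := lookup(leaf.AuthorityKeyId)
		if err != nil {
			return err
		}
		// The key id only locates a candidate CA; leaf.Verify checks the
		// signature against that CA, and nothing else is trusted.
		roots := x509.NewCertPool()
		roots.AddCert(ca)
		_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
		return err
	}
}

// mustCert builds a fixture (panics on error): a self-signed CA when parent is
// nil, else a client certificate issued by parent and signed with parentKey.
// Go fills the CA's SubjectKeyId and copies it into the leaf's AuthorityKeyId.
func mustCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	signer := key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Scenario: a trusted CA known to the lookup, a foreign CA that is not, a
// client certificate from each, and one that claims the trusted CA's key id
// but carries the foreign CA's signature. Returns (trusted accepted,
// foreign rejected, key-id-only impostor rejected).
func Scenario() (bool, bool, bool) {
	trustedCA, trustedKey := mustCert("trusted-ca", nil, nil)
	foreignCA, foreignKey := mustCert("foreign-ca", nil, nil)
	alice, _ := mustCert("alice", trustedCA, trustedKey)
	mallory, _ := mustCert("mallory", foreignCA, foreignKey)
	fakeParent := &x509.Certificate{Subject: trustedCA.Subject, SubjectKeyId: trustedCA.SubjectKeyId}
	eve, _ := mustCert("eve", fakeParent, foreignKey)
	verify := makeVerifier(func(akid []byte) (*x509.Certificate, error) {
		if string(akid) == string(trustedCA.SubjectKeyId) {
			return trustedCA, nil
		}
		return nil, fmt.Errorf("no mtls source holds a CA with key id %x", akid)
	})
	return verify([][]byte{alice.Raw}, nil) == nil,
		verify([][]byte{mallory.Raw}, nil) != nil,
		verify([][]byte{eve.Raw}, nil) != nil
}

func main() {
	fmt.Println(Scenario()) // true true true
}
```

In a real gateway the returned function is set as tls.Config.VerifyPeerCertificate together with tls.RequireAnyClientCert (or stricter), so that the certificate the forwarder later places in the header is exactly the one this function accepted.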

Types

type VerifierOption

type VerifierOption func(*verifierConf)

VerifierOption can be used to configure optional aspects of MakeTLSPeerCertificateVerifier.

func OptionCacheDuration

func OptionCacheDuration(d time.Duration) VerifierOption

OptionCacheDuration sets the lifetime of cached CAs.

func OptionCacheSize

func OptionCacheSize(s int64) VerifierOption

OptionCacheSize sets the maximum number of items kept in the cache before older ones are evicted.

func OptionTimeout

func OptionTimeout(d time.Duration) VerifierOption

OptionTimeout sets the maximum amount of time to wait for A3S to reply.
