feat: add mTLS support and ensure backward compatibility

Introduced mutual TLS support for enhanced security Patched existing invocations to maintain backward compatibility Enabled mTLS functionality for all certificates issued by the local (internal) CA
immobiliare · Oct 7, 2024 · 87fe565 · 87fe565
1 parent 6b33122
commit 87fe565
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 4 deletions.
diff --git a/cmd/gen.go b/cmd/gen.go
@@ -63,7 +63,7 @@ var cmdGen = &cobra.Command{
 			Str("algo", string(req.Algo)).
 			Msg("generating certificate")
 
-		crt, key, err := pki.New(req)
+		crt, key, err := pki.New(req, false)
 		if err != nil {
 			log.Fatal().Err(err).Msg("unable to generate certificate")
 		}

diff --git a/pki/crt.go b/pki/crt.go
@@ -133,7 +133,7 @@ func NewRequest(options map[string]any) Request {
 	return req
 }
 
-func New(req Request) (*x509.Certificate, *Key, error) {
+func New(req Request, mTLS bool) (*x509.Certificate, *Key, error) {
 	var crt = x509.Certificate{}
 	crt.Subject = pkix.Name{
 		CommonName:    req.CN,
@@ -159,6 +159,9 @@ func New(req Request) (*x509.Certificate, *Key, error) {
 	if req.Algo == RSA {
 		crt.KeyUsage |= x509.KeyUsageKeyEncipherment
 	}
+	if mTLS {
+		crt.ExtKeyUsage = append(crt.ExtKeyUsage, x509.ExtKeyUsageClientAuth)
+	}
 
 	if serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)); err != nil {
 		return nil, nil, err

diff --git a/pki/crt_test.go b/pki/crt_test.go
@@ -22,7 +22,7 @@ var (
 )
 
 func testNewPair(t *testing.T) {
-	reqCrt, reqKey, err := New(testingReq)
+	reqCrt, reqKey, err := New(testingReq, false)
 	is.New(t).NoErr(err)
 	testingCrt = reqCrt
 	testingKey = reqKey

diff --git a/provider/local.go b/provider/local.go
@@ -61,7 +61,7 @@ func (p *Local) Get(name string, options map[string]string) ([]byte, []byte, err
 	}
 
 	req := pki.NewRequest(reqOptions)
-	crt, key, err := pki.New(req)
+	crt, key, err := pki.New(req, true)
 	if err != nil {
 		return nil, nil, err
 	}