3

My api is behind a gateway and the gateway terminates the ssl handshake from client and initiate a separate handshake with my api. No client should call my api directly. My requirement is that I have to extract the Common Name from incoming https request and validate it against a list.

I am new to go and used this example https://venilnoronha.io/a-step-by-step-guide-to-mtls-in-go as my starting point to build a go server using https.

But not sure how can I move further to to extract COMMON NAME from the leaf certificate of the certificate chain.

package main

import (
    "crypto/tls"
    "crypto/x509"
    "io"
    "io/ioutil"
    "log"
    "net/http"
)

func helloHandler(w http.ResponseWriter, r *http.Request) {
    // Write "Hello, world!" to the response body
    io.WriteString(w, "Hello, world!\n")
}

func main() {
    // Set up a /hello resource handler
    http.HandleFunc("/hello", helloHandler)

    // Create a CA certificate pool and add cert.pem to it
    caCert, err := ioutil.ReadFile("cert.pem")
    if err != nil {
        log.Fatal(err)
    }
    caCertPool := x509.NewCertPool()
    caCertPool.AppendCertsFromPEM(caCert)

    // Create the TLS Config with the CA pool and enable Client certificate validation
    tlsConfig := &tls.Config{
        ClientCAs:  caCertPool,
        ClientAuth: tls.RequireAndVerifyClientCert,
    }
    tlsConfig.BuildNameToCertificate()

    // Create a Server instance to listen on port 8443 with the TLS config
    server := &http.Server{
        Addr:      ":8443",
        TLSConfig: tlsConfig,
    }

    // Listen to HTTPS connections with the server certificate and wait
    log.Fatal(server.ListenAndServeTLS("cert.pem", "key.pem"))

}

I should be able to print the Common Name of the leaf certificate coming in the certificate chain.

Ash
  • 73
  • 1
  • 6

1 Answers1

7

You can retrieve it from the VerifiedChains member of the request's TLS field:

func helloHandler(w http.ResponseWriter, r *http.Request) {
    if r.TLS != nil && len(r.TLS.VerifiedChains) > 0 && len(r.TLS.VerifiedChains[0]) > 0 {
        var commonName = r.TLS.VerifiedChains[0][0].Subject.CommonName

        // Do what you want with the common name.
        io.WriteString(w, fmt.Sprintf("Hello, %s!\n", commonName))
    }

    // Write "Hello, world!" to the response body
    io.WriteString(w, "Hello, world!\n")
}

The leaf certificate is always the first one in the chain.

Crowman
  • 25,242
  • 5
  • 48
  • 56
  • Thanks @paul-griffiths, it worked. Unfortunately I can't change the status for your answer because of my low stackoverflow reputation points. – Ash Jun 03 '19 at 22:05
  • 1
    @Ash: Glad to hear it. If the answer helped you, you can accept it by clicking the checkmark regardless of your reputation. – Crowman Jun 03 '19 at 22:09