I am trying to find a way to keychain https client certificate based authentication from macOS system. When I export the certificate and the key I can already successfully connect to my server, but that is not my goal. From the keychain it looks more difficult. I can't get the private key into the TLS Certificate Config. Maybe someone has an idea or a better way. Thanks a lot
package main
import (
"crypto/tls"
"io/ioutil"
"log"
"net/http"
"os"
"github.com/github/certstore"
"crypto/x509"
)
func HttpClient() (client *http.Client) {
// Open Keychain Certificate System Store
store, err := certstore.Open()
if err != nil {
log.Println(err)
}
defer store.Close()
// Get all in Identities
idents, err := store.Identities()
if err != nil {
log.Println(err)
}
// Iterate through the identities, looking for the one we want.
var me certstore.Identity
for _, ident := range idents {
defer ident.Close()
crt, errr := ident.Certificate()
if errr != nil {
log.Println(errr)
}
if crt.Subject.CommonName == "SCEP Identity UUID12345" {
me = ident
log.Println(crt.Subject.CommonName)
log.Println("Org: ",crt.Subject.Organization)
log.Println("Signer:", ident.Signer)
// Everything works fine when i load the cert and key from disk.
// x509cert, err := tls.LoadX509KeyPair("client.pem", "client.key")
chain, _ := ident.CertificateChain()
signer, er := me.Signer()
if er != nil {
log.Println("PrivateKey Error:",er)
}
certsnew := tls.Certificate{
Leaf: chain[0],
Certificate: serializeChain(chain),
PrivateKey: signer,
}
// Test to create KeyPair but does not work
// Error: cannot use signer (type crypto.Signer) as type []byte in argument to tls.X509KeyPair
tlsKeyPair, err := tls.X509KeyPair(chain[0].Raw, signer)
certs := []tls.Certificate{certsnew}
// if len(certs) == 0 {
// client = &http.Client{}
// return
// }
tr := &http.Transport{
TLSClientConfig: &tls.Config{Certificates: certs,
InsecureSkipVerify: true,
Renegotiation: tls.RenegotiateOnceAsClient},
}
client = &http.Client{Transport: tr}
}
}
return
}
