3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-07-08 04:18:13 +02:00
Code Issues Projects Releases Packages Wiki Activity

authorize: allow client certificate intermediates

Browse source 
Update the isValidClientCertificate() method to consider any
client-supplied intermediate certificates. Previously, in order to trust
client certificates issued by an intermediate CA, users would need to
include that intermediate CA's certificate directly in the client_ca
setting. After this change, only the trusted root CA needs to be set: as
long as the client can supply a set of certificates that chain back to
this trusted root, the client's certificate will validate successfully.

Rework the previous CRL checking logic to now consider CRLs for all
issuers in the verified chains.
This commit is contained in:
Kenneth Jenkins 2023-07-18 13:16:47 -07:00
parent ac475f4c5d
commit ae8b639c4b
4 changed files with 181 additions and 94 deletions
Download patch file Download diff file Expand all files Collapse all files

2
authorize/evaluator/headers_evaluator_test.go
View file

@ -204,7 +204,7 @@ func TestHeadersEvaluator(t *testing.T) {
assert.Equal(t, "CUSTOM_VALUE", output.Headers.Get("X-Custom-Header"))
assert.Equal(t, "ID_TOKEN", output.Headers.Get("X-ID-Token"))
assert.Equal(t, "ACCESS_TOKEN", output.Headers.Get("X-Access-Token"))
assert.Equal(t, "17859273e8a980631d367b2d5a6a6635412b0f22835f69e47b3f65624546a704",
assert.Equal(t, "f0c7dc2ca5e4b792935bcdb61a8b8f31b6521c686ffd8a6edb414a1e64ab8eb5",
output.Headers.Get("Client-Cert-Fingerprint"))
})