From d2ba0ed332ed3fc3b8f38e1ce525fc1211bfed03 Mon Sep 17 00:00:00 2001
From: David Wu
Date: Thu, 12 Nov 2020 14:38:25 -0600
Subject: [PATCH] Updated the host dialer code to be able to connect to servers with client auth and retrieve the certificates
---
 .../hostdialer/hostdialer.go | 25 +++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/cert/certificateRepository/hostdialer/hostdialer.go b/cert/certificateRepository/hostdialer/hostdialer.go
index 672ca12..7787c40 100644
--- a/cert/certificateRepository/hostdialer/hostdialer.go
+++ b/cert/certificateRepository/hostdialer/hostdialer.go
@@ -2,6 +2,7 @@ package hostdialer
 import (
 "crypto/tls"
+ "crypto/x509"
 "encoding/pem"
 "fmt"
 )
@@ -29,11 +30,26 @@ func (h *Data) GetPEMCertsFrom(host string, port int) ([]byte, error) {
 // We'll skip the TLS check, because we just want to get the certificate here.
 // If this is not done, this method may fail
- conn, err = tls.Dial("tcp", fmt.Sprintf("%s:%d", host, port), &tls.Config{InsecureSkipVerify: true})
+ conn, err = tls.Dial("tcp", fmt.Sprintf("%s:%d", host, port),
+ &tls.Config{
+ InsecureSkipVerify: true,
+ ClientAuth: tls.RequestClientCert,
+ VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+ for _, rawCert := range rawCerts {
+ PEMCertBytes = append(PEMCertBytes,
+ pem.EncodeToMemory(&pem.Block{
+ Type: "CERTIFICATE",
+ Bytes: rawCert,
+ })...)
+ }
+ return nil
+ },
+ },
+ )
 // If we can dial in without error, iterate through the peer certificates and convert them back into
 // PEM format to be returned.
- if err == nil {
+ if len(PEMCertBytes) == 0 && err == nil {
 for _, cert := range conn.ConnectionState().PeerCertificates {
 PEMCertBytes = append(PEMCertBytes, pem.EncodeToMemory(&pem.Block{
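Review bot: `ClientAuth: tls.RequestClientCert` in the new tls.Config is a server-side setting — it states a server's policy for client authentication and is ignored by tls.Dial — so it does not make this dialer present a client certificate; that would need `Certificates` or `GetClientCertificate`. As the aim is only to capture the server's chain before the handshake can fail, drop that line and explain the mechanism above the callback, e.g. `// Capture the raw chain here: VerifyPeerCertificate runs before a server that insists on a client cert can abort the handshake, so the certs survive a failed Dial.` Because the callback always returns nil and InsecureSkipVerify is set, nothing in the chain is validated, which belongs in GetPEMCertsFrom's doc comment (its header is outside this hunk) so callers treat the bytes as unauthenticated. The `len(PEMCertBytes) == 0 && err == nil` fallback appears hard to reach once the callback runs on every successful handshake, so a one-line comment saying why it is kept would save the next reader a detour. On the Dial line itself, `fmt.Sprintf("%s:%d", host, port)` breaks for bare IPv6 hosts; `net.JoinHostPort(host, strconv.Itoa(port))` handles them (needs `net` and `strconv` in the import block of the first hunk).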
@@ -42,5 +58,10 @@ func (h *Data) GetPEMCertsFrom(host string, port int) ([]byte, error) {
 })...)
 }
 }
+
+ if len(PEMCertBytes) > 0 && err != nil && err.Error() == "EOF" {
+ err = nil
+ }
+
 return PEMCertBytes, err
 }
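Review bot: `err.Error() == "EOF"` recognises the expected handshake failure by its message string, which is brittle: a server that enforces client auth typically answers the empty client Certificate with an alert (Go reports it as `remote error: tls: ...`), and a closed connection may surface as `io.ErrUnexpectedEOF` or wrapped in a net error, in which case the captured chain is returned together with an error. Prefer `if len(PEMCertBytes) > 0 && (errors.Is(err, io.EOF) || errors.Is(err, io.ErrUnexpectedEOF)) { err = nil }` (adds `errors` and `io` to the import block touched in the first hunk), or decide explicitly that any handshake error after the chain was captured is acceptable and say so in a comment. Either way this branch turns a failed handshake into success, so GetPEMCertsFrom's doc comment (its header is outside the hunk) should state that the returned PEM is the peer's presented chain, unverified, and that `conn` is nil on that path because tls.Dial returns no connection on error. I also see no conn.Close() in the visible hunks; if the function does not close it elsewhere, the successful-handshake path leaks the connection.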