Add multi-certificate authentication to client

Add the command line arguments "-user-cert" and "-user-key" to oc-client
and the options "UserCertificate" and "UserKey" to the client config to
support multi-certificate authentication.

Signed-off-by: hwipl <[email protected]>

configs/oc-client.json

@@ -1,6 +1,8 @@
 {
     "ClientCertificate": "/path/to/file or PKCS11 URI",
     "ClientKey": "/path/to/file or PKCS11 URI",
+    "UserCertificate": "Empty or /path/to/file or PKCS11 URI",
+    "UserKey": "Empty or /path/to/file or PKCS11 URI",
     "CACertificate": "Empty or additional CA Certificate file(s)",
     "XMLProfile": "/var/lib/oc-daemon/profile.xml",
     "VPNServer": "My VPN Server Name",

internal/client/cmd.go

@@ -61,6 +61,9 @@ func setConfig(args []string) error {
 	cert := flags.String("cert", "", "set client certificate `file` or "+
 		"PKCS11 URI")
 	key := flags.String("key", "", "set client key `file` or PKCS11 URI")
+	userCert := flags.String("user-cert", "", "set user certificate `file` or "+
+		"PKCS11 URI")
+	userKey := flags.String("user-key", "", "set user key `file` or PKCS11 URI")
 	ca := flags.String("ca", "", "set additional CA certificate `file`")
 	profile := flags.String("profile", "", "set XML profile `file`")
 	srv := flags.String("server", "", "set server `address`")
@@ -160,6 +163,16 @@ func setConfig(args []string) error {
 		config.ClientKey = *key
 	}
 
+	// set user certificate
+	if *userCert != "" {
+		config.UserCertificate = *userCert
+	}
+
+	// set user key
+	if *userKey != "" {
+		config.UserKey = *userKey
+	}
+
 	// set ca certificate
 	if *ca != "" {
 		config.CACertificate = *ca

internal/client/cmd_test.go

@@ -81,6 +81,8 @@ func TestRun(t *testing.T) {
 	if err := run([]string{"test",
 		"-cert", "cert-file",
 		"-key", "key-file",
+		"-user-cert", "user-cert-file",
+		"-user-key", "user-key-file",
 		"-ca", "ca-file",
 		"-profile", "profile-file",
 		"-server", "test-server",
@@ -99,6 +101,8 @@ func TestRun(t *testing.T) {
 	if err := run([]string{"test",
 		"-cert", "cert-file",
 		"-key", "key-file",
+		"-user-cert", "user-cert-file",
+		"-user-key", "user-key-file",
 		"-ca", "ca-file",
 		"-profile", "profile-file",
 		"-server", "test-server",
@@ -126,6 +130,8 @@ func TestRun(t *testing.T) {
 		if err := run([]string{"test",
 			"-cert", "cert-file",
 			"-key", "key-file",
+			"-user-cert", "user-cert-file",
+			"-user-key", "user-key-file",
 			"-ca", "ca-file",
 			"-profile", "profile-file",
 			"-server", "test-server",

pkg/client/client.go

@@ -412,6 +412,8 @@ var authenticate = func(d *DBusClient) error {
 	userAgent := fmt.Sprintf("--useragent=%s", config.UserAgent)
 	certificate := fmt.Sprintf("--certificate=%s", config.ClientCertificate)
 	sslKey := fmt.Sprintf("--sslkey=%s", config.ClientKey)
+	mcaCertificate := fmt.Sprintf("--mca-certificate=%s", config.UserCertificate)
+	mcaKey := fmt.Sprintf("--mca-key=%s", config.UserKey)
 	caFile := fmt.Sprintf("--cafile=%s", config.CACertificate)
 	xmlConfig := fmt.Sprintf("--xmlconfig=%s", config.XMLProfile)
 	user := fmt.Sprintf("--user=%s", config.User)
@@ -424,6 +426,12 @@ var authenticate = func(d *DBusClient) error {
 		xmlConfig,
 		"--authenticate",
 	}
+	if config.UserCertificate != "" {
+		parameters = append(parameters, mcaCertificate)
+	}
+	if config.UserKey != "" {
+		parameters = append(parameters, mcaKey)
+	}
 	if config.Quiet {
 		parameters = append(parameters, "--quiet")
 	}

pkg/client/client_test.go

@@ -255,6 +255,8 @@ func TestDBusClientAuthenticate(t *testing.T) {
 
 	// create test client
 	conf := NewConfig()
+	conf.UserCertificate = "/test/user-cert"
+	conf.UserKey = "/test/user-key"
 	conf.CACertificate = "/test/ca"
 	conf.User = "test-user"
 	conf.Password = "test-passwd"

pkg/client/config.go

@@ -48,6 +48,8 @@ var (
 type Config struct {
 	ClientCertificate string
 	ClientKey         string
+	UserCertificate   string
+	UserKey           string
 	CACertificate     string
 	XMLProfile        string
 	VPNServer         string