From f418ddc31f16a2659331e2d80ed68036ebcacb9f Mon Sep 17 00:00:00 2001
From: hwipl <33433250+hwipl@users.noreply.github.com>
Date: Wed, 13 Mar 2024 11:49:39 +0100
Subject: [PATCH] Add multi-certificate authentication to client

Add the command line arguments "-user-cert" and "-user-key" to oc-client and the options "UserCertificate" and "UserKey" to the client config to support multi-certificate authentication.

Signed-off-by: hwipl <33433250+hwipl@users.noreply.github.com>
---
 configs/oc-client.json | 2 ++
 internal/client/cmd.go | 13 +++++++++++++
 internal/client/cmd_test.go | 6 ++++++
 pkg/client/client.go | 8 ++++++++
 pkg/client/client_test.go | 2 ++
 pkg/client/config.go | 2 ++
 6 files changed, 33 insertions(+)

diff --git a/configs/oc-client.json b/configs/oc-client.json
index 5134900..b5813ff 100644
--- a/configs/oc-client.json
+++ b/configs/oc-client.json
@@ -1,6 +1,8 @@
 {
     "ClientCertificate": "/path/to/file or PKCS11 URI",
     "ClientKey": "/path/to/file or PKCS11 URI",
+    "UserCertificate": "Empty or /path/to/file or PKCS11 URI",
+    "UserKey": "Empty or /path/to/file or PKCS11 URI",
     "CACertificate": "Empty or additional CA Certificate file(s)",
     "XMLProfile": "/var/lib/oc-daemon/profile.xml",
     "VPNServer": "My VPN Server Name",
diff --git a/internal/client/cmd.go b/internal/client/cmd.go
index 6b8f291..1548315 100644
--- a/internal/client/cmd.go
+++ b/internal/client/cmd.go
@@ -61,6 +61,9 @@ func setConfig(args []string) error {
 	cert := flags.String("cert", "", "set client certificate `file` or "+
 		"PKCS11 URI")
 	key := flags.String("key", "", "set client key `file` or PKCS11 URI")
+	userCert := flags.String("user-cert", "", "set user certificate `file` or "+
+		"PKCS11 URI")
+	userKey := flags.String("user-key", "", "set user key `file` or PKCS11 URI")
 	ca := flags.String("ca", "", "set additional CA certificate `file`")
 	profile := flags.String("profile", "", "set XML profile `file`")
 	srv := flags.String("server", "", "set server `address`")
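Review bot: The usage strings of the new `user-cert` and `user-key` flags do not say what the certificate is for, so someone reading the `-help` output cannot tell this pair apart from the `cert`/`key` pair declared just above it; appending " for multi-certificate authentication" to both usage strings (keeping the existing `file` / PKCS11 URI wording) would make the distinction visible where the option is discovered. On this page only the commit message ties the flags to multi-certificate authentication. setConfig continues outside the hunk.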
@@ -160,6 +163,16 @@ func setConfig(args []string) error {
 		config.ClientKey = *key
 	}
 
+	// set user certificate
+	if *userCert != "" {
+		config.UserCertificate = *userCert
+	}
+
+	// set user key
+	if *userKey != "" {
+		config.UserKey = *userKey
+	}
+
 	// set ca certificate
 	if *ca != "" {
 		config.CACertificate = *ca
diff --git a/internal/client/cmd_test.go b/internal/client/cmd_test.go
index e853c0c..5f0b270 100644
--- a/internal/client/cmd_test.go
+++ b/internal/client/cmd_test.go
@@ -81,6 +81,8 @@ func TestRun(t *testing.T) {
 	if err := run([]string{"test",
 		"-cert", "cert-file",
 		"-key", "key-file",
+		"-user-cert", "user-cert-file",
+		"-user-key", "user-key-file",
 		"-ca", "ca-file",
 		"-profile", "profile-file",
 		"-server", "test-server",
@@ -99,6 +101,8 @@ func TestRun(t *testing.T) {
 	if err := run([]string{"test",
 		"-cert", "cert-file",
 		"-key", "key-file",
+		"-user-cert", "user-cert-file",
+		"-user-key", "user-key-file",
 		"-ca", "ca-file",
 		"-profile", "profile-file",
 		"-server", "test-server",
@@ -126,6 +130,8 @@ func TestRun(t *testing.T) {
 	if err := run([]string{"test",
 		"-cert", "cert-file",
 		"-key", "key-file",
+		"-user-cert", "user-cert-file",
+		"-user-key", "user-key-file",
 		"-ca", "ca-file",
 		"-profile", "profile-file",
 		"-server", "test-server",
diff --git a/pkg/client/client.go b/pkg/client/client.go
index 2923afe..1d367ac 100644
--- a/pkg/client/client.go
+++ b/pkg/client/client.go
@@ -412,6 +412,8 @@ var authenticate = func(d *DBusClient) error {
 	userAgent := fmt.Sprintf("--useragent=%s", config.UserAgent)
 	certificate := fmt.Sprintf("--certificate=%s", config.ClientCertificate)
 	sslKey := fmt.Sprintf("--sslkey=%s", config.ClientKey)
+	mcaCertificate := fmt.Sprintf("--mca-certificate=%s", config.UserCertificate)
+	mcaKey := fmt.Sprintf("--mca-key=%s", config.UserKey)
 	caFile := fmt.Sprintf("--cafile=%s", config.CACertificate)
 	xmlConfig := fmt.Sprintf("--xmlconfig=%s", config.XMLProfile)
 	user := fmt.Sprintf("--user=%s", config.User)
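Review bot: All three run() cases in internal/client/cmd_test.go (this hunk and the ones at @@ -99 and @@ -126) pass `-user-cert` and `-user-key` together, so the two independent guards added to setConfig, `if *userCert != ""` and `if *userKey != ""`, are never exercised with only one flag present or with both absent. One case passing only `-user-cert`, or one without either flag, would cover the optional shape the sample config describes ("Empty or /path/to/file"). Whether TestRun then inspects the resulting Config values cannot be seen here; its assertions lie outside the hunk.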
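Review bot: The new `mcaCertificate` and `mcaKey` lines introduce openconnect's `--mca-certificate`/`--mca-key` options under config names (`UserCertificate`/`UserKey`) that do not mention MCA, so the mapping is not discoverable from either side; a comment above the two lines, `// multi-certificate authentication (MCA): openconnect's --mca-certificate/--mca-key come from UserCertificate/UserKey and are only passed when set`, would keep it next to the code. As with the existing `certificate`/`sslKey` lines, the argument strings are built even when the config value is empty and are filtered only when the parameter list is assembled further down, which a reader of this hunk alone cannot see. authenticate's body continues outside the hunk.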
@@ -424,6 +426,12 @@ var authenticate = func(d *DBusClient) error {
 		xmlConfig,
 		"--authenticate",
 	}
+	if config.UserCertificate != "" {
+		parameters = append(parameters, mcaCertificate)
+	}
+	if config.UserKey != "" {
+		parameters = append(parameters, mcaKey)
+	}
 	if config.Quiet {
 		parameters = append(parameters, "--quiet")
 	}
diff --git a/pkg/client/client_test.go b/pkg/client/client_test.go
index 641159b..05caf86 100644
--- a/pkg/client/client_test.go
+++ b/pkg/client/client_test.go
@@ -255,6 +255,8 @@ func TestDBusClientAuthenticate(t *testing.T) {
 
 	// create test client
 	conf := NewConfig()
+	conf.UserCertificate = "/test/user-cert"
+	conf.UserKey = "/test/user-key"
 	conf.CACertificate = "/test/ca"
 	conf.User = "test-user"
 	conf.Password = "test-passwd"
diff --git a/pkg/client/config.go b/pkg/client/config.go
index ae1ce2e..036a68b 100644
--- a/pkg/client/config.go
+++ b/pkg/client/config.go
@@ -48,6 +48,8 @@ var (
 type Config struct {
 	ClientCertificate string
 	ClientKey         string
+	UserCertificate   string
+	UserKey           string
 	CACertificate     string
 	XMLProfile        string
 	VPNServer         string
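Review bot: The second `if` forwards `--mca-key` whenever `config.UserKey` is set, even when `config.UserCertificate` is empty, so a stray `-user-key` (or a JSON config with only "UserKey" filled in) hands openconnect a key option with no certificate to pair it with. Tightening the guard to `if config.UserCertificate != "" && config.UserKey != "" {` keeps the key bound to its certificate at the point where the command line is built; rejecting the combination when the config is validated would be the stricter option, but no validation of these fields is visible in this patch. The `--quiet` lines below show the file's existing one-guard-per-optional-parameter pattern, which the new lines follow. authenticate's body continues outside the hunk.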
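Review bot: The test in pkg/client/client_test.go sets `conf.UserCertificate` and `conf.UserKey`, but within this hunk nothing checks that `--mca-certificate=/test/user-cert` and `--mca-key=/test/user-key` appear in the parameters handed to openconnect, or that both are absent when the fields are left empty, so the branches added to authenticate are reached but not verified. If TestDBusClientAuthenticate captures the parameter list further down (outside the hunk), asserting on those two entries and adding an empty-field case would pin the new behaviour.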
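Review bot: The exported fields `UserCertificate` and `UserKey` in pkg/client/config.go are added without doc comments, and their names do not reveal that they drive openconnect's `--mca-certificate`/`--mca-key` options (see pkg/client/client.go in this patch) rather than a second client identity. Comments such as `// UserCertificate is the optional user certificate file or PKCS11 URI for multi-certificate authentication (openconnect --mca-certificate); empty disables it.` and `// UserKey is the optional user key file or PKCS11 URI passed as openconnect --mca-key.` would keep that mapping next to the fields. The neighbouring fields are equally uncommented, so this departs from the file's existing style; if Config has a validation method elsewhere in the file, it is not touched by this patch, and the struct continues outside the hunk.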