how to validate client certificate

[badiku]

hi,

follow turorial it is easy to setup https server certificate:
https://makoserver.net/articles/SSL-Certificate-Installation-Tutorial

but, how to setup client certificate validation?

tried this, but always got "not trusted":
https://realtimelogic.com/ba/doc/en/lua/lua.html#request_certificate

if request:clientcert() then
   local certT,trusted = request:certificate()
   print("You are", trusted and "" or "not", "trusted")
   print(ba.json.encode(certT))
end

doc says that:

The second return value will always be false for all Barracuda App Server examples and pre-built servers such as the Mako Server since the certificate store for server connections are by default empty.

https://realtimelogic.com/ba/doc/en/lua/auxlua.html#ba_create_certstore

I trid to create a root certificate as testroot.pem, and add the CA to a store in app .preload script,
and at client browser selected a certificate signed by testroot.pem,
but still failed to trust.

mystore = ba.create.certstore()
c = mystore:addcert(ba.openio'home', 'testroot.pem')
print(c) -- got 1 

I want to know how to validate client certificate using ba.create.certstore(),
any tutorial regarding this problem?

[surfskidude]

Here is an example:

-- Checks if RTL's website certificate is valid.
-- Returns true if OK; otherwise, nil, "sslnottrusted" is returned.
local function checkRtlCert(sharkObj)
    local url="https://realtimelogic.com"
    local http = require"httpc".create()
    return http:request{trusted=true,url=url,method="HEAD",shark=sharkObj}
end

-- Download a file using URL
local function downloadFile(url)
    local http=require"httpc".create()
    http:request{method="GET",url=url}
    local data,err=http:read"*a"
    if not data then trace("Download failed",err) end
    return data
end

trace(checkRtlCert()) -- Implisit use of ba.sharkclient(); prints true
trace(checkRtlCert(ba.sharkclient())) -- prints true
local store = ba.create.certstore()
-- Empty store
trace(checkRtlCert(ba.create.sharkssl(store))) -- Prints nil,"sslnottrusted"

local rootCert=downloadFile"https://letsencrypt.org/certs/isrgrootx1.pem"
if rootCert then
    local store = ba.create.certstore()
    store:addcert(rootCert)
    trace(checkRtlCert(ba.create.sharkssl(store))) -- Prints true
end

local rootCertBundle=downloadFile"https://curl.se/ca/cacert.pem"
if rootCertBundle then
    local store = ba.create.certstore()
    trace("Number of CA certs installed:",store:addcert(rootCertBundle))
    trace(checkRtlCert(ba.create.sharkssl(store))) -- Prints true
end

[badiku]

hi, thank you for these code.

but I think maybe you misunderstood me,

your code is for validate remote server certificate.

what I want to do, is to validate client certificate.

https://security.stackexchange.com/questions/242430/client-certificateverify-during-handshake

that is to say,

when I use request:clientcert() to make the Edge or Chrome browser prompt user to select a certificate to send it to the makoserver,
and how to validate client certificate using request:certificate().

how to make request:certificate() use the ba.create.certstore() and return trusted as true :
certT,trusted = request:certificate()

currently certT only shows subject name, and issuer name,
how to check its publickey and that it has private key, how to do the CertificateVerify step?

and BTW,

trace(checkRtlCert()) -- Implisit use of ba.sharkclient(); prints true
trace(checkRtlCert(ba.sharkclient())) -- prints true

I got nil, not true, for these two lines.

others works same result.

Number of CA certs installed: 141
true.

[surfskidude]

Are you using the Mako Server?
If so, there appears to be an undocumented feature for mako.conf. I have this in my mako.conf testup:

certfile="localhost.pem"
keyfile="localhost.key"
certstore="ca.pem"

The certstore attribute makes the code in mako.zip/.openports create a certificate store for the server listen object. When I run your code:

if request:clientcert() then
   local certT,trusted = request:certificate()
   print("You are", trusted and "" or "not", "trusted")
   print(ba.json.encode(certT))
end

I get

You are		trusted
{"san":["mycert"],"issuer":{"countryname":"US","commonname":"Real Time Logic Root CA","province":"California","locality":"Dana Point","organization":"Real Time Logic","unit":""},"parent":{"issuer":{"countryname":"US","commonname":"Real Time Logic Root CA","province":"California","locality":"Dana Point","organization":"Real Time Logic","unit":""},"tzto":"20691231004803Z","subject":{"countryname":"US","commonname":"Real Time Logic Root CA","province":"California","locality":"Dana Point","organization":"Real Time Logic","unit":""},"tzfrom":"200113004803Z"},"tzto":"20691231005306Z","subject":{"countryname":"US","commonname":"mycert","province":"California","locality":"Dana Point","organization":"Real Time Logic","unit":""},"tzfrom":"200113005306Z"}

BTW, you do not have to set:

certfile="localhost.pem"
keyfile="localhost.key"

You can use "certstore" with the let's encrypt plugin.

[badiku]

perfect. thank you very much.