ripjar / passport-client-cert

Passport.js strategy for PKI client certificate authentication

License: MIT License

JavaScript 90.71% Shell 9.29%

passport-client-cert's Issues

Publish to npm repo

Interesting project!

It would be helpful if you could publish it to the npm repository so that it can be easily installed.

Will not work when behind Apache or Nginx

It is common, for various reasons, to put a web server in front of your Node implementation. It seems upon cursory review that this presumes Node is terminating the connection. You can make this work behind a load balancer by setting some combination of these headers (presuming Nginx) and validating against them:

1: cert hash
# proxy_set_header X-SSL-Client-hash $ssl_client_fingerprint;

2: cert in PEM
# proxy_set_header X-SSL-Client-Cert $ssl_client_raw_cert;

3: issuer DN and subject serial
# proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
# proxy_set_header X-SSL-Client-Serial $ssl_client_serial;

4: issuer and subject DNs
# proxy_set_header X-SSL-Client-S-DN $ssl_client_s_dn;
# proxy_set_header X-SSL-Client-I-DN $ssl_client_i_dn;

This would scale better than the current approach: you can set session caching very low for the associated vhost, get the server certificate easily with one of the Let's Encrypt clients, and in general it should work smoothly.

Oh, and you also want to be sure to check the value of $ssl_client_verify.

Matching against a CN alone is insecure

CNs themselves are not guaranteed to be unique; you can only uniquely identify a certificate with one of these options:

  1. subject dn + issuer dn
  2. subject dn + aki
  3. ski + aki
  4. hash of certificate
  5. aki + serial

Not all certificates will have subjects (it is standards-compliant to have a null subject); for this reason the only secure and reliable way to do cert-to-user mapping is 3, 4 or 5.

This is important for a few reasons, one of the most significant being that many CCA deployments will trust more than one CA (on purpose or by accident); for this reason two CAs can issue the same certificate and you would treat them the same.

Consider using ssl_client_raw_cert and pkijs

One shortcoming of Nginx is that it requires that the server use the same list of CAs for CCA as it uses for other parts of operations. This means when using Nginx you typically need to either "open yourself up" to unnecessary trust anchors or disable verification of CCA certificates in Nginx (I think this isn't a problem in Apache, but it's been a while since I have looked; I am not sure about Node).

For this reason I would recommend designing this so it doesn't rely on the server logic for validation of the cert and instead do your own validation using $ssl_client_raw_cert and https://pkijs.org/examples/X509_cert_complex_example.html

Only returning 401 Unauthorized

Good afternoon, I have been trying to implement this capability but I am having some trouble.

The routes are located in /routes/users.js
The passport.use(new ClientCertStrategy..... is located in auth/authorization.js

I am attempting to invoke the Client-cert strategy on the user.js line:
router.use('/user', auth.authenticate('client-cert'), function (req, res, next) {
  console.log('authenticated');
  next();
});

But all I get is a 401 error.

In authorization.js I have simplified it to return a user, but still nothing:

passport.use(new ClientCertStrategy(function (clientCert, done) {
  var user = "test";
  done(null, user);
}));
module.exports = passport;

Any suggestions?
