From 7ce28c3b1d03b1bfbf4d5c5afc236ea1636b848b Mon Sep 17 00:00:00 2001
From: Andreas Auernhammer
Date: Wed, 12 Jun 2024 16:31:26 +0200
Subject: [PATCH] kms: use `GetClientCertificate` callback for KES API keys (#19921)

This commit fixes an issue in the KES client configuration that can cause the following error when connecting to KES:
```
ERROR Failed to connect to KMS: failed to generate data key with KMS key: tls: client certificate is required
```
The Go TLS stack seems to not send a client certificate if it thinks the client certificate cannot be validated by the peer. In case of an API key, we don't care about this since we use public key pinning and the X.509 certificate is just a transport encoding. The `GetClientCertificate` seems to be honored always such that this error does not occur.

Signed-off-by: Andreas Auernhammer
---
 internal/kms/config.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/kms/config.go b/internal/kms/config.go
index c622b67f6..2a50ca3b7 100644
--- a/internal/kms/config.go
+++ b/internal/kms/config.go
@@ -168,7 +168,7 @@ func Connect(ctx context.Context, opts *ConnectionOptions) (*KMS, error) {
 if err != nil {
 return nil, err
 }
-conf.Certificates = append(conf.Certificates, cert)
+conf.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &cert, nil }
 } else {
 loadX509KeyPair := func(certFile, keyFile string) (tls.Certificate, error) {
 // Manually load the certificate and private key into memory.
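Review bot: The new `GetClientCertificate` closure on the added line discards its `*tls.CertificateRequestInfo` argument, so the API-key certificate is presented regardless of the server's acceptable-CA list and signature schemes; that is deliberate here (the commit message explains KES pins the public key), but nothing in the code says so, and a later reader may "fix" it by adding a `cri.SupportsCertificate(&cert)` check and reintroduce the `tls: client certificate is required` failure that motivated this change. Add a comment above the line, e.g. `// Always present the API-key certificate. KES pins the public key, so the X.509 wrapper need not satisfy the server's CertificateRequestInfo; with conf.Certificates the Go TLS client would silently send nothing if it judged the certificate unsuitable.` The closure returns `&cert`, a pointer to the local loaded above the hunk, so `cert` must not be reassigned later in Connect; a `cert := cert` shadow before the closure would make that explicit. Connect starts and ends outside this hunk.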