How to decode PKCS#12 file into a tls.Certificate (for use in tls.Config)

[ykunya]

Hi,

I am trying to use this library to get cert and key from p12 file and using it as tls config in http request.
so in my code, I am writing:

key, certtificate, _ := pkcs12.Decode(rawDecodedCert, certPassword)

Could you give me an example of how to use/convert the key and certificate to the cert object that is used in &tls.Config?

Thanks,
Yossi

[maraino]

Instead of using pkcs12.Decode, you should use pkcs12.DecodeChain. In a "proper" PKI infrastructure, you will be using intermediate certificates, which you will need to use. They should be in the p12 file, although they can be provided in a different manner.

Supposing that certs is something like []*x509.Certificate{leaf, intermediate}, a client can be configured like this.

var raw [][]byte
for _, crt := range certs {
	raw = append(raw, crt.Raw)
}
	
clientCert := tls.Certificate{
	Certificate: raw,
	PrivateKey:  key,
	Leaf:        certs[0],
}

transport := http.DefaultTransport.(*http.Transport).Clone()
transport.TLSClientConfig = &tls.Config{
	Certificates: []tls.Certificate{clientCert},
	MinVersion: tls.VersionTLS12,
}

client := http.Client{
	Transport: transport,
}

Note that in some cases, you will need more than one intermediate.

If you're using a Root certificate that is not installed in your OS, you will need to set RootCAs in the tls.Config. If not, the client will fail because it won't trust the server certificate. To do that, and assuming that root is a *x509.Certificate:

pool := x509.NewCertPool()
pool.AddCert(root)

var raw [][]byte
for _, crt := range certs {
	raw = append(raw, crt.Raw)
}
	
clientCert := tls.Certificate{
	Certificate: raw,
	PrivateKey:  key,
	Leaf:        certs[0],
}

transport := http.DefaultTransport.(*http.Transport).Clone()
transport.TLSClientConfig = &tls.Config{
	Certificates: []tls.Certificate{clientCert},
	RootCAs: pool,
	MinVersion: tls.VersionTLS12,

}

client := http.Client{
	Transport: transport,
}

Both the root and intermediates can be present in the p12 file. The DecodeChain method looks like:

func DecodeChain(pfxData []byte, password string) (privateKey interface{}, certificate *x509.Certificate, caCerts []*x509.Certificate, err error)

Here certificate is the leaf certificate (certs[0]) in my code, if caCerts contains both the intermediate and the roots, the root is generally the last certificate caCerts[len(caCerts)-1] and the intermediate(s) the rest, caCerts[:len(caCerts)-1]. In my code you will add something like this:

root := caCerts[len(caCerts)-1]
certs := append([]*x509.Certificate{certificate}, caCerts[:len(caCerts)-1]...)

[ykunya]

Thanks for the detailed explanation!

[AGWA]

Here's how to decode a PKCS#12 file into a tls.Certificate:

key, leafCert, chainCerts, err := pkcs12.DecodeChain(rawDecodedCert, certPassword)
if err != nil {
	// handle err
}

raw := [][]byte{leafCert.Raw}
for _, chainCert := range chainCerts {
	raw = append(raw, chainCert.Raw)
}

tlsCert := tls.Certificate{
	Certificate: raw,
	PrivateKey: key,
	Leaf: leafCert,
}

[ykunya]

I tried your suggestions and it worked! Thanks a lot!