Tags: amazon-web-services, aws-api-gateway, mtls

API Gateway with mTLS accepts any self-signed CA signed cert


I am configuring mTLS for an API Gateway; my truststore.pem only has one cert.

I've created another CA, signed a cert with that CA and issued the curl request with --key and --cert params, and it went through. I already disabled the default endpoint.

I am wondering if this is the expected behaviour. It's not safe, it's just bollocks, because anyone can create a self-signed cert and bypass the mTLS.

What I did:

# ca
openssl genrsa -out RootCA.key 4096
openssl req -new -x509 -days 3650 -key RootCA.key -out RootCA.pem

# client john
openssl genrsa -out john.key 2048
openssl req -new -key john.key -out john.csr
openssl x509 -req -in john.csr -CA RootCA.pem -CAkey RootCA.key -set_serial 01 -out john.pem -days 3650 -sha256

# create truststore (copy of RootCA.pem) and upload it to S3.
cp RootCA.pem truststore.pem
aws s3 cp truststore.pem s3://...

If I issue:

# the client certificate is john.pem (the CSR is not a certificate)
curl --cert john.pem --key john.key myapi.com/test
healthy

But if I create another CA

# ca
openssl genrsa -out RootCA-2.key 4096
openssl req -new -x509 -days 3650 -key RootCA-2.key -out RootCA-2.pem

# client marta
openssl genrsa -out marta.key 2048
openssl req -new -key marta.key -out marta.csr
openssl x509 -req -in marta.csr -CA RootCA-2.pem -CAkey RootCA-2.key -set_serial 01 -out marta.pem -days 3650 -sha256


And issue

# the client certificate is marta.pem (the CSR is not a certificate)
curl --cert marta.pem --key marta.key myapi.com/test
healthy

It responds with healthy, but the request should be denied because RootCA-2 is not in the truststore, right?


Solution

  • I was issuing requests to /ping, whereas /ping and /sping are reserved endpoints for API Gateway, thus always answering with healthy...

    Hitting any other endpoint works fine, segregating by certs and allowing/denying depending on whether a cert comes from a trusted CA.
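As an added example (not from the original post), the following script rebuilds the two CAs and client certs from the question locally and checks each client cert against truststore.pem with openssl verify, which is the same chain check the gateway performs on a non-reserved route. It assumes openssl is installed; the function names, the -subj CNs and the allow/deny output are assumptions for illustration.

```shell
#!/bin/sh
# Added example: reproduce the question's two CAs offline and verify which client
# cert chains to the single CA in truststore.pem. Assumes openssl is on PATH.
set -eu

WORK=$(mktemp -d)   # constructed scratch directory; files are left for inspection
cd "$WORK"

# Create a self-signed CA and one client cert signed by it (non-interactive -subj).
make_ca_and_client() {
  ca=$1; client=$2
  openssl genrsa -out "$ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$ca.key" -subj "/CN=$ca" -out "$ca.pem" 2>/dev/null
  openssl genrsa -out "$client.key" 2048 2>/dev/null
  openssl req -new -key "$client.key" -subj "/CN=$client" -out "$client.csr" 2>/dev/null
  openssl x509 -req -in "$client.csr" -CA "$ca.pem" -CAkey "$ca.key" -set_serial 01 \
    -out "$client.pem" -days 3650 -sha256 2>/dev/null
}

make_ca_and_client RootCA john      # trusted CA, client john
make_ca_and_client RootCA-2 marta   # second CA, client marta
cp RootCA.pem truststore.pem        # only RootCA is in the truststore

# Returns 0 when the cert chains to a CA in truststore.pem, non-zero otherwise.
cert_trusted() {
  openssl verify -CAfile truststore.pem "$1" >/dev/null 2>&1
}

# Prints the decision a correctly configured mTLS endpoint makes for a client cert.
# Test this against a real route; /ping and /sping are reserved and always answer healthy.
decide() {
  if cert_trusted "$1"; then echo allow; else echo deny; fi
}

decide john.pem    # allow: signed by RootCA, which is in the truststore
decide marta.pem   # deny: signed by RootCA-2, which is not
```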