diff options
author | NWHirschfeld <nwhirschfeld@users.noreply.github.com> | 2020-06-05 20:19:36 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-06-05 12:19:36 -0600 |
commit | 1dfb11486eacc32af1003242023ddc4544823a31 (patch) | |
tree | 6aea6cb19fb6b9e87a8d35fb861c70205c57fd0c /caddyconfig/httpcaddyfile | |
parent | 11a132d48b574ef113e411aa22c0801a5a3190bd (diff) |
httpcaddyfile: Add client_auth options to tls directive (#3335)
* reading client certificate config from Caddyfile
Signed-off-by: NWHirschfeld <Niclas@NWHirschfeld.de>
* Update caddyconfig/httpcaddyfile/builtins.go
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* added adapt test for parsing client certificate configuration from Caddyfile
Signed-off-by: NWHirschfeld <Niclas@NWHirschfeld.de>
* read client ca and leaf certificates from file https://github.com/caddyserver/caddy/pull/3335#discussion_r421633844
Signed-off-by: NWHirschfeld <Niclas@NWHirschfeld.de>
* Update modules/caddytls/connpolicy.go
* Make review adjustments
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Diffstat (limited to 'caddyconfig/httpcaddyfile')
-rw-r--r-- | caddyconfig/httpcaddyfile/builtins.go | 63 |
1 files changed, 62 insertions, 1 deletions
diff --git a/caddyconfig/httpcaddyfile/builtins.go b/caddyconfig/httpcaddyfile/builtins.go index 90ce3a4..fde5601 100644 --- a/caddyconfig/httpcaddyfile/builtins.go +++ b/caddyconfig/httpcaddyfile/builtins.go @@ -15,8 +15,11 @@ package httpcaddyfile import ( + "encoding/base64" + "encoding/pem" "fmt" "html" + "io/ioutil" "net/http" "reflect" "strings" @@ -59,6 +62,13 @@ func parseBind(h Helper) ([]ConfigValue, error) { // protocols <min> [<max>] // ciphers <cipher_suites...> // curves <curves...> +// client_auth { +// mode [request|require|verify_if_given|require_and_verify] +// trusted_ca_cert <base64_der> +// trusted_ca_cert_file <filename> +// trusted_leaf_cert <base64_der> +// trusted_leaf_cert_file <filename> +// } // alpn <values...> // load <paths...> // ca <acme_ca_endpoint> @@ -143,7 +153,7 @@ func parseTLS(h Helper) ([]ConfigValue, error) { } var hasBlock bool - for h.NextBlock(0) { + for nesting := h.Nesting(); h.NextBlock(nesting); { hasBlock = true switch h.Val() { @@ -181,6 +191,57 @@ func parseTLS(h Helper) ([]ConfigValue, error) { cp.Curves = append(cp.Curves, h.Val()) } + case "client_auth": + cp.ClientAuthentication = &caddytls.ClientAuthentication{} + for nesting := h.Nesting(); h.NextBlock(nesting); { + subdir := h.Val() + switch subdir { + case "mode": + if !h.Args(&cp.ClientAuthentication.Mode) { + return nil, h.ArgErr() + } + if h.NextArg() { + return nil, h.ArgErr() + } + + case "trusted_ca_cert", + "trusted_leaf_cert": + if !h.NextArg() { + return nil, h.ArgErr() + } + if subdir == "trusted_ca_cert" { + cp.ClientAuthentication.TrustedCACerts = append(cp.ClientAuthentication.TrustedCACerts, h.Val()) + } else { + cp.ClientAuthentication.TrustedLeafCerts = append(cp.ClientAuthentication.TrustedLeafCerts, h.Val()) + } + + case "trusted_ca_cert_file", + "trusted_leaf_cert_file": + if !h.NextArg() { + return nil, h.ArgErr() + } + filename := h.Val() + certDataPEM, err := ioutil.ReadFile(filename) + if err != nil { + return nil, err + } + block, _ := pem.Decode(certDataPEM) + if block == nil || block.Type != "CERTIFICATE" { + return nil, h.Errf("no CERTIFICATE pem block found in %s", h.Val()) + } + if subdir == "trusted_ca_cert_file" { + cp.ClientAuthentication.TrustedCACerts = append(cp.ClientAuthentication.TrustedCACerts, + base64.StdEncoding.EncodeToString(block.Bytes)) + } else { + cp.ClientAuthentication.TrustedLeafCerts = append(cp.ClientAuthentication.TrustedLeafCerts, + base64.StdEncoding.EncodeToString(block.Bytes)) + } + + default: + return nil, h.Errf("unknown subdirective for client_auth: %s", subdir) + } + } + case "alpn": args := h.RemainingArgs() if len(args) == 0 { |