summaryrefslogtreecommitdiff
path: root/caddyconfig
diff options
context:
space:
mode:
authorNWHirschfeld <nwhirschfeld@users.noreply.github.com>2020-06-05 20:19:36 +0200
committerGitHub <noreply@github.com>2020-06-05 12:19:36 -0600
commit1dfb11486eacc32af1003242023ddc4544823a31 (patch)
tree6aea6cb19fb6b9e87a8d35fb861c70205c57fd0c /caddyconfig
parent11a132d48b574ef113e411aa22c0801a5a3190bd (diff)
httpcaddyfile: Add client_auth options to tls directive (#3335)
* reading client certificate config from Caddyfile Signed-off-by: NWHirschfeld <Niclas@NWHirschfeld.de> * Update caddyconfig/httpcaddyfile/builtins.go Co-authored-by: Francis Lavoie <lavofr@gmail.com> * added adapt test for parsing client certificate configuration from Caddyfile Signed-off-by: NWHirschfeld <Niclas@NWHirschfeld.de> * read client ca and leaf certificates from file https://github.com/caddyserver/caddy/pull/3335#discussion_r421633844 Signed-off-by: NWHirschfeld <Niclas@NWHirschfeld.de> * Update modules/caddytls/connpolicy.go * Make review adjustments Co-authored-by: Francis Lavoie <lavofr@gmail.com> Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Diffstat (limited to 'caddyconfig')
-rw-r--r--caddyconfig/httpcaddyfile/builtins.go63
1 files changed, 62 insertions, 1 deletions
diff --git a/caddyconfig/httpcaddyfile/builtins.go b/caddyconfig/httpcaddyfile/builtins.go
index 90ce3a4..fde5601 100644
--- a/caddyconfig/httpcaddyfile/builtins.go
+++ b/caddyconfig/httpcaddyfile/builtins.go
@@ -15,8 +15,11 @@
package httpcaddyfile
import (
+ "encoding/base64"
+ "encoding/pem"
"fmt"
"html"
+ "io/ioutil"
"net/http"
"reflect"
"strings"
@@ -59,6 +62,13 @@ func parseBind(h Helper) ([]ConfigValue, error) {
// protocols <min> [<max>]
// ciphers <cipher_suites...>
// curves <curves...>
+// client_auth {
+// mode [request|require|verify_if_given|require_and_verify]
+// trusted_ca_cert <base64_der>
+// trusted_ca_cert_file <filename>
+// trusted_leaf_cert <base64_der>
+// trusted_leaf_cert_file <filename>
+// }
// alpn <values...>
// load <paths...>
// ca <acme_ca_endpoint>
@@ -143,7 +153,7 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
}
var hasBlock bool
- for h.NextBlock(0) {
+ for nesting := h.Nesting(); h.NextBlock(nesting); {
hasBlock = true
switch h.Val() {
@@ -181,6 +191,57 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
cp.Curves = append(cp.Curves, h.Val())
}
+ case "client_auth":
+ cp.ClientAuthentication = &caddytls.ClientAuthentication{}
+ for nesting := h.Nesting(); h.NextBlock(nesting); {
+ subdir := h.Val()
+ switch subdir {
+ case "mode":
+ if !h.Args(&cp.ClientAuthentication.Mode) {
+ return nil, h.ArgErr()
+ }
+ if h.NextArg() {
+ return nil, h.ArgErr()
+ }
+
+ case "trusted_ca_cert",
+ "trusted_leaf_cert":
+ if !h.NextArg() {
+ return nil, h.ArgErr()
+ }
+ if subdir == "trusted_ca_cert" {
+ cp.ClientAuthentication.TrustedCACerts = append(cp.ClientAuthentication.TrustedCACerts, h.Val())
+ } else {
+ cp.ClientAuthentication.TrustedLeafCerts = append(cp.ClientAuthentication.TrustedLeafCerts, h.Val())
+ }
+
+ case "trusted_ca_cert_file",
+ "trusted_leaf_cert_file":
+ if !h.NextArg() {
+ return nil, h.ArgErr()
+ }
+ filename := h.Val()
+ certDataPEM, err := ioutil.ReadFile(filename)
+ if err != nil {
+ return nil, err
+ }
+ block, _ := pem.Decode(certDataPEM)
+ if block == nil || block.Type != "CERTIFICATE" {
+ return nil, h.Errf("no CERTIFICATE pem block found in %s", h.Val())
+ }
+ if subdir == "trusted_ca_cert_file" {
+ cp.ClientAuthentication.TrustedCACerts = append(cp.ClientAuthentication.TrustedCACerts,
+ base64.StdEncoding.EncodeToString(block.Bytes))
+ } else {
+ cp.ClientAuthentication.TrustedLeafCerts = append(cp.ClientAuthentication.TrustedLeafCerts,
+ base64.StdEncoding.EncodeToString(block.Bytes))
+ }
+
+ default:
+ return nil, h.Errf("unknown subdirective for client_auth: %s", subdir)
+ }
+ }
+
case "alpn":
args := h.RemainingArgs()
if len(args) == 0 {