From 1dfb11486eacc32af1003242023ddc4544823a31 Mon Sep 17 00:00:00 2001
From: NWHirschfeld <nwhirschfeld@users.noreply.github.com>
Date: Fri, 5 Jun 2020 20:19:36 +0200
Subject: httpcaddyfile: Add client_auth options to tls directive (#3335)
* reading client certificate config from Caddyfile
Signed-off-by: NWHirschfeld <Niclas@NWHirschfeld.de>
* Update caddyconfig/httpcaddyfile/builtins.go
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* added adapt test for parsing client certificate configuration from Caddyfile
Signed-off-by: NWHirschfeld <Niclas@NWHirschfeld.de>
* read client ca and leaf certificates from file https://github.com/caddyserver/caddy/pull/3335#discussion_r421633844
Signed-off-by: NWHirschfeld <Niclas@NWHirschfeld.de>
* Update modules/caddytls/connpolicy.go
* Make review adjustments
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
---
caddyconfig/httpcaddyfile/builtins.go | 63 ++++++++++++++++++++++++++++++++++-
1 file changed, 62 insertions(+), 1 deletion(-)
(limited to 'caddyconfig/httpcaddyfile')
diff --git a/caddyconfig/httpcaddyfile/builtins.go b/caddyconfig/httpcaddyfile/builtins.go
index 90ce3a4..fde5601 100644
--- a/caddyconfig/httpcaddyfile/builtins.go
+++ b/caddyconfig/httpcaddyfile/builtins.go
@@ -15,8 +15,11 @@
package httpcaddyfile
import (
+ "encoding/base64"
+ "encoding/pem"
"fmt"
"html"
+ "io/ioutil"
"net/http"
"reflect"
"strings"
@@ -59,6 +62,13 @@ func parseBind(h Helper) ([]ConfigValue, error) {
// protocols <min> [<max>]
// ciphers <cipher_suites...>
// curves <curves...>
+// client_auth {
+// mode [request|require|verify_if_given|require_and_verify]
+// trusted_ca_cert <base64_der>
+// trusted_ca_cert_file <filename>
+// trusted_leaf_cert <base64_der>
+// trusted_leaf_cert_file <filename>
+// }
// alpn <values...>
// load <paths...>
// ca <acme_ca_endpoint>
@@ -143,7 +153,7 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
}
var hasBlock bool
- for h.NextBlock(0) {
+ for nesting := h.Nesting(); h.NextBlock(nesting); {
hasBlock = true
switch h.Val() {
@@ -181,6 +191,57 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
cp.Curves = append(cp.Curves, h.Val())
}
+ case "client_auth":
+ cp.ClientAuthentication = &caddytls.ClientAuthentication{}
+ for nesting := h.Nesting(); h.NextBlock(nesting); {
+ subdir := h.Val()
+ switch subdir {
+ case "mode":
+ if !h.Args(&cp.ClientAuthentication.Mode) {
+ return nil, h.ArgErr()
+ }
+ if h.NextArg() {
+ return nil, h.ArgErr()
+ }
+
+ case "trusted_ca_cert",
+ "trusted_leaf_cert":
+ if !h.NextArg() {
+ return nil, h.ArgErr()
+ }
+ if subdir == "trusted_ca_cert" {
+ cp.ClientAuthentication.TrustedCACerts = append(cp.ClientAuthentication.TrustedCACerts, h.Val())
+ } else {
+ cp.ClientAuthentication.TrustedLeafCerts = append(cp.ClientAuthentication.TrustedLeafCerts, h.Val())
+ }
+
+ case "trusted_ca_cert_file",
+ "trusted_leaf_cert_file":
+ if !h.NextArg() {
+ return nil, h.ArgErr()
+ }
+ filename := h.Val()
+ certDataPEM, err := ioutil.ReadFile(filename)
+ if err != nil {
+ return nil, err
+ }
+ block, _ := pem.Decode(certDataPEM)
+ if block == nil || block.Type != "CERTIFICATE" {
+ return nil, h.Errf("no CERTIFICATE pem block found in %s", h.Val())
+ }
+ if subdir == "trusted_ca_cert_file" {
+ cp.ClientAuthentication.TrustedCACerts = append(cp.ClientAuthentication.TrustedCACerts,
+ base64.StdEncoding.EncodeToString(block.Bytes))
+ } else {
+ cp.ClientAuthentication.TrustedLeafCerts = append(cp.ClientAuthentication.TrustedLeafCerts,
+ base64.StdEncoding.EncodeToString(block.Bytes))
+ }
+
+ default:
+ return nil, h.Errf("unknown subdirective for client_auth: %s", subdir)
+ }
+ }
+
case "alpn":
args := h.RemainingArgs()
if len(args) == 0 {
--
cgit v1.2.3