From 1dfb11486eacc32af1003242023ddc4544823a31 Mon Sep 17 00:00:00 2001 From: NWHirschfeld Date: Fri, 5 Jun 2020 20:19:36 +0200 Subject: httpcaddyfile: Add client_auth options to tls directive (#3335) * reading client certificate config from Caddyfile Signed-off-by: NWHirschfeld * Update caddyconfig/httpcaddyfile/builtins.go Co-authored-by: Francis Lavoie * added adapt test for parsing client certificate configuration from Caddyfile Signed-off-by: NWHirschfeld * read client ca and leaf certificates from file https://github.com/caddyserver/caddy/pull/3335#discussion_r421633844 Signed-off-by: NWHirschfeld * Update modules/caddytls/connpolicy.go * Make review adjustments Co-authored-by: Francis Lavoie Co-authored-by: Matt Holt --- caddyconfig/httpcaddyfile/builtins.go | 63 ++++++++++++++++++++++++++++++++++- 1 file changed, 62 insertions(+), 1 deletion(-) (limited to 'caddyconfig') diff --git a/caddyconfig/httpcaddyfile/builtins.go b/caddyconfig/httpcaddyfile/builtins.go index 90ce3a4..fde5601 100644 --- a/caddyconfig/httpcaddyfile/builtins.go +++ b/caddyconfig/httpcaddyfile/builtins.go @@ -15,8 +15,11 @@ package httpcaddyfile import ( + "encoding/base64" + "encoding/pem" "fmt" "html" + "io/ioutil" "net/http" "reflect" "strings" @@ -59,6 +62,13 @@ func parseBind(h Helper) ([]ConfigValue, error) { // protocols [] // ciphers // curves +// client_auth { +// mode [request|require|verify_if_given|require_and_verify] +// trusted_ca_cert +// trusted_ca_cert_file +// trusted_leaf_cert +// trusted_leaf_cert_file +// } // alpn // load // ca @@ -143,7 +153,7 @@ func parseTLS(h Helper) ([]ConfigValue, error) { } var hasBlock bool - for h.NextBlock(0) { + for nesting := h.Nesting(); h.NextBlock(nesting); { hasBlock = true switch h.Val() { @@ -181,6 +191,57 @@ func parseTLS(h Helper) ([]ConfigValue, error) { cp.Curves = append(cp.Curves, h.Val()) } + case "client_auth": + cp.ClientAuthentication = &caddytls.ClientAuthentication{} + for nesting := h.Nesting(); h.NextBlock(nesting); { + subdir := h.Val() + switch subdir { + case "mode": + if !h.Args(&cp.ClientAuthentication.Mode) { + return nil, h.ArgErr() + } + if h.NextArg() { + return nil, h.ArgErr() + } + + case "trusted_ca_cert", + "trusted_leaf_cert": + if !h.NextArg() { + return nil, h.ArgErr() + } + if subdir == "trusted_ca_cert" { + cp.ClientAuthentication.TrustedCACerts = append(cp.ClientAuthentication.TrustedCACerts, h.Val()) + } else { + cp.ClientAuthentication.TrustedLeafCerts = append(cp.ClientAuthentication.TrustedLeafCerts, h.Val()) + } + + case "trusted_ca_cert_file", + "trusted_leaf_cert_file": + if !h.NextArg() { + return nil, h.ArgErr() + } + filename := h.Val() + certDataPEM, err := ioutil.ReadFile(filename) + if err != nil { + return nil, err + } + block, _ := pem.Decode(certDataPEM) + if block == nil || block.Type != "CERTIFICATE" { + return nil, h.Errf("no CERTIFICATE pem block found in %s", h.Val()) + } + if subdir == "trusted_ca_cert_file" { + cp.ClientAuthentication.TrustedCACerts = append(cp.ClientAuthentication.TrustedCACerts, + base64.StdEncoding.EncodeToString(block.Bytes)) + } else { + cp.ClientAuthentication.TrustedLeafCerts = append(cp.ClientAuthentication.TrustedLeafCerts, + base64.StdEncoding.EncodeToString(block.Bytes)) + } + + default: + return nil, h.Errf("unknown subdirective for client_auth: %s", subdir) + } + } + case "alpn": args := h.RemainingArgs() if len(args) == 0 { -- cgit v1.2.3