From 1dfb11486eacc32af1003242023ddc4544823a31 Mon Sep 17 00:00:00 2001
From: NWHirschfeld
Date: Fri, 5 Jun 2020 20:19:36 +0200
Subject: httpcaddyfile: Add client_auth options to tls directive (#3335)
* reading client certificate config from Caddyfile
Signed-off-by: NWHirschfeld
* Update caddyconfig/httpcaddyfile/builtins.go
Co-authored-by: Francis Lavoie
* added adapt test for parsing client certificate configuration from Caddyfile
Signed-off-by: NWHirschfeld
* read client ca and leaf certificates from file https://github.com/caddyserver/caddy/pull/3335#discussion_r421633844
Signed-off-by: NWHirschfeld
* Update modules/caddytls/connpolicy.go
* Make review adjustments
Co-authored-by: Francis Lavoie
Co-authored-by: Matt Holt
---
 modules/caddytls/connpolicy.go | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
(limited to 'modules/caddytls/connpolicy.go')
diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index 3a18061..fec1fe2 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -334,7 +334,7 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro
 case "require_and_verify":
 cfg.ClientAuth = tls.RequireAndVerifyClientCert
 default:
- return fmt.Errorf("client auth mode %s not allowed", clientauth.Mode)
+ return fmt.Errorf("client auth mode not recognized: %s", clientauth.Mode)
 }
 } else {
 // otherwise, set a safe default mode
@@ -361,7 +361,6 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro
 // enforce leaf verification by writing our own verify function
 if len(clientauth.TrustedLeafCerts) > 0 {
 clientauth.trustedLeafCerts = []*x509.Certificate{}
-
 for _, clientCertString := range clientauth.TrustedLeafCerts {
 clientCert, err := decodeBase64DERCert(clientCertString)
 if err != nil {
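Review bot: The rejected mode is interpolated with `%s` in the new error under `default:`, so a configured value that differs from a valid mode only by surrounding whitespace or by case is hard to tell from the valid spelling in the resulting log line. Quoting it, `return fmt.Errorf("client auth mode not recognized: %q", clientauth.Mode)`, makes the offending config value unambiguous for the operator reading the error. Whether the sibling config errors in this file already quote values is not visible in this hunk, so match whichever convention they use. ConfigureTLSConfig starts and ends outside this hunk.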
@@ -369,10 +368,8 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro
 }
 clientauth.trustedLeafCerts = append(clientauth.trustedLeafCerts, clientCert)
 }
-
 // if a custom verification function already exists, wrap it
 clientauth.existingVerifyPeerCert = cfg.VerifyPeerCertificate
-
 cfg.VerifyPeerCertificate = clientauth.verifyPeerCertificate
 }
@@ -411,13 +408,10 @@ func (clientauth ClientAuthentication) verifyPeerCertificate(rawCerts [][]byte,
 // decodeBase64DERCert base64-decodes, then DER-decodes, certStr.
 func decodeBase64DERCert(certStr string) (*x509.Certificate, error) {
- // decode base64
 derBytes, err := base64.StdEncoding.DecodeString(certStr)
 if err != nil {
 return nil, err
 }
-
- // parse the DER-encoded certificate
 return x509.ParseCertificate(derBytes)
 }
-- cgit v1.2.3