From 1dfb11486eacc32af1003242023ddc4544823a31 Mon Sep 17 00:00:00 2001 From: NWHirschfeld Date: Fri, 5 Jun 2020 20:19:36 +0200 Subject: httpcaddyfile: Add client_auth options to tls directive (#3335) * reading client certificate config from Caddyfile Signed-off-by: NWHirschfeld * Update caddyconfig/httpcaddyfile/builtins.go Co-authored-by: Francis Lavoie * added adapt test for parsing client certificate configuration from Caddyfile Signed-off-by: NWHirschfeld * read client ca and leaf certificates from file https://github.com/caddyserver/caddy/pull/3335#discussion_r421633844 Signed-off-by: NWHirschfeld * Update modules/caddytls/connpolicy.go * Make review adjustments Co-authored-by: Francis Lavoie Co-authored-by: Matt Holt --- modules/caddytls/connpolicy.go | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) (limited to 'modules') diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go index 3a18061..fec1fe2 100644 --- a/modules/caddytls/connpolicy.go +++ b/modules/caddytls/connpolicy.go @@ -334,7 +334,7 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro case "require_and_verify": cfg.ClientAuth = tls.RequireAndVerifyClientCert default: - return fmt.Errorf("client auth mode %s not allowed", clientauth.Mode) + return fmt.Errorf("client auth mode not recognized: %s", clientauth.Mode) } } else { // otherwise, set a safe default mode @@ -361,7 +361,6 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro // enforce leaf verification by writing our own verify function if len(clientauth.TrustedLeafCerts) > 0 { clientauth.trustedLeafCerts = []*x509.Certificate{} - for _, clientCertString := range clientauth.TrustedLeafCerts { clientCert, err := decodeBase64DERCert(clientCertString) if err != nil { @@ -369,10 +368,8 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro } clientauth.trustedLeafCerts = append(clientauth.trustedLeafCerts, clientCert) } - // if a custom verification function already exists, wrap it clientauth.existingVerifyPeerCert = cfg.VerifyPeerCertificate - cfg.VerifyPeerCertificate = clientauth.verifyPeerCertificate } @@ -411,13 +408,10 @@ func (clientauth ClientAuthentication) verifyPeerCertificate(rawCerts [][]byte, // decodeBase64DERCert base64-decodes, then DER-decodes, certStr. func decodeBase64DERCert(certStr string) (*x509.Certificate, error) { - // decode base64 derBytes, err := base64.StdEncoding.DecodeString(certStr) if err != nil { return nil, err } - - // parse the DER-encoded certificate return x509.ParseCertificate(derBytes) } -- cgit v1.2.3