diff options
author | Mohammed Al Sahaf <[email protected]> | 2024-01-25 11:44:41 +0300 |
---|---|---|
committer | GitHub <[email protected]> | 2024-01-25 11:44:41 +0300 |
commit | e965b111cdf46109b4ed87e607e8dce5225105f4 (patch) | |
tree | 1d6bcde8b9e5c5457e061e5ef84303a7d412131e /caddyconfig | |
parent | b9c40e711115d35c2809313aeec42ab10fcd6914 (diff) | |
download | caddy-e965b111cdf46109b4ed87e607e8dce5225105f4.tar.gz caddy-e965b111cdf46109b4ed87e607e8dce5225105f4.zip |
tls: modularize trusted CA providers (#5784)
* tls: modularize client authentication trusted CA
* add `omitempty` to `CARaw`
* docs
* initial caddyfile support
* revert anything related to leaf cert validation
The certs are used differently than the CA pool flow
* complete caddyfile unmarshalling implementation
* Caddyfile syntax documentation
* enhance caddyfile parsing and documentation
Apply suggestions from code review
Co-authored-by: Francis Lavoie <[email protected]>
* add client_auth caddyfile tests
* add caddyfile unmarshalling tests
* fix and add missed adapt tests
* fix rebase issue
---------
Co-authored-by: Francis Lavoie <[email protected]>
Diffstat (limited to 'caddyconfig')
-rw-r--r-- | caddyconfig/httpcaddyfile/builtins.go | 81 |
1 files changed, 2 insertions, 79 deletions
diff --git a/caddyconfig/httpcaddyfile/builtins.go b/caddyconfig/httpcaddyfile/builtins.go index 11d18caea..5040924df 100644 --- a/caddyconfig/httpcaddyfile/builtins.go +++ b/caddyconfig/httpcaddyfile/builtins.go @@ -15,12 +15,9 @@ package httpcaddyfile import ( - "encoding/base64" - "encoding/pem" "fmt" "html" "net/http" - "os" "reflect" "strconv" "strings" @@ -215,83 +212,9 @@ func parseTLS(h Helper) ([]ConfigValue, error) { case "client_auth": cp.ClientAuthentication = &caddytls.ClientAuthentication{} - for nesting := h.Nesting(); h.NextBlock(nesting); { - subdir := h.Val() - switch subdir { - case "verifier": - if !h.NextArg() { - return nil, h.ArgErr() - } - - vType := h.Val() - modID := "tls.client_auth." + vType - unm, err := caddyfile.UnmarshalModule(h.Dispenser, modID) - if err != nil { - return nil, err - } - - _, ok := unm.(caddytls.ClientCertificateVerifier) - if !ok { - return nil, h.Dispenser.Errf("module %s is not a caddytls.ClientCertificatVerifier", modID) - } - - cp.ClientAuthentication.VerifiersRaw = append(cp.ClientAuthentication.VerifiersRaw, caddyconfig.JSONModuleObject(unm, "verifier", vType, h.warnings)) - case "mode": - if !h.Args(&cp.ClientAuthentication.Mode) { - return nil, h.ArgErr() - } - if h.NextArg() { - return nil, h.ArgErr() - } - - case "trusted_ca_cert", - "trusted_leaf_cert": - if !h.NextArg() { - return nil, h.ArgErr() - } - if subdir == "trusted_ca_cert" { - cp.ClientAuthentication.TrustedCACerts = append(cp.ClientAuthentication.TrustedCACerts, h.Val()) - } else { - cp.ClientAuthentication.TrustedLeafCerts = append(cp.ClientAuthentication.TrustedLeafCerts, h.Val()) - } - - case "trusted_ca_cert_file", - "trusted_leaf_cert_file": - if !h.NextArg() { - return nil, h.ArgErr() - } - filename := h.Val() - certDataPEM, err := os.ReadFile(filename) - if err != nil { - return nil, err - } - // while block is not nil, we have more certificates in the file - for block, rest := pem.Decode(certDataPEM); block != nil; block, rest = pem.Decode(rest) { - if block.Type != "CERTIFICATE" { - return nil, h.Errf("no CERTIFICATE pem block found in %s", filename) - } - if subdir == "trusted_ca_cert_file" { - cp.ClientAuthentication.TrustedCACerts = append( - cp.ClientAuthentication.TrustedCACerts, - base64.StdEncoding.EncodeToString(block.Bytes), - ) - } else { - cp.ClientAuthentication.TrustedLeafCerts = append( - cp.ClientAuthentication.TrustedLeafCerts, - base64.StdEncoding.EncodeToString(block.Bytes), - ) - } - } - // if we decoded nothing, return an error - if len(cp.ClientAuthentication.TrustedCACerts) == 0 && len(cp.ClientAuthentication.TrustedLeafCerts) == 0 { - return nil, h.Errf("no CERTIFICATE pem block found in %s", filename) - } - - default: - return nil, h.Errf("unknown subdirective for client_auth: %s", subdir) - } + if err := cp.ClientAuthentication.UnmarshalCaddyfile(h.NewFromNextSegment()); err != nil { + return nil, err } - case "alpn": args := h.RemainingArgs() if len(args) == 0 { |