Diffstat (limited to 'modules/caddytls/connpolicy.go')
-rw-r--r--modules/caddytls/connpolicy.go37
1 files changed, 34 insertions, 3 deletions
diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index 20b781274..49c7add49 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -651,7 +651,7 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro
}
trustedLeafCerts = append(trustedLeafCerts, clientCert)
}
- clientauth.verifiers = append(clientauth.verifiers, LeafCertClientAuth{TrustedLeafCerts: trustedLeafCerts})
+ clientauth.verifiers = append(clientauth.verifiers, LeafCertClientAuth{trustedLeafCerts: trustedLeafCerts})
}
// if a custom verification function already exists, wrap it
@@ -715,7 +715,8 @@ func setDefaultTLSParams(cfg *tls.Config) {
// LeafCertClientAuth verifies the client's leaf certificate.
type LeafCertClientAuth struct {
- TrustedLeafCerts []*x509.Certificate
+ LeafCertificateLoadersRaw []json.RawMessage `json:"leaf_certs_loaders,omitempty" caddy:"namespace=tls.leaf_cert_loader inline_key=loader"`
+ trustedLeafCerts []*x509.Certificate
}
// CaddyModule returns the Caddy module information.
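Review bot: The new exported field `LeafCertificateLoadersRaw` has no doc comment, and since it becomes part of the JSON config surface it should say what it configures and that the loaded certificates populate the unexported `trustedLeafCerts`; something like `// LeafCertificateLoadersRaw configures the tls.leaf_cert_loader modules that supply the leaf certificates a client must present exactly (see VerifyClientCertificate). Loaded during Provision; results are merged into trustedLeafCerts.` Separately, the JSON key `leaf_certs_loaders` is plural on "certs" while the namespace is `tls.leaf_cert_loader` (singular) — once this ships the key is API, so it is worth settling on one form now, e.g. `json:"leaf_cert_loaders,omitempty"`. The struct itself is fully visible in this hunk.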
@@ -726,6 +727,30 @@ func (LeafCertClientAuth) CaddyModule() caddy.ModuleInfo {
}
}
+func (l *LeafCertClientAuth) Provision(ctx caddy.Context) error {
+ if l.LeafCertificateLoadersRaw == nil {
+ return nil
+ }
+ val, err := ctx.LoadModule(l, "LeafCertificateLoadersRaw")
+ if err != nil {
+ return fmt.Errorf("could not parse leaf certificates loaders: %s", err.Error())
+ }
+ trustedLeafCertloaders := []LeafCertificateLoader{}
+ for _, loader := range val.([]any) {
+ trustedLeafCertloaders = append(trustedLeafCertloaders, loader.(LeafCertificateLoader))
+ }
+ trustedLeafCertificates := []*x509.Certificate{}
+ for _, loader := range trustedLeafCertloaders {
+ certs, err := loader.LoadLeafCertificates()
+ if err != nil {
+ return fmt.Errorf("could not load leaf certificates: %s", err.Error())
+ }
+ trustedLeafCertificates = append(trustedLeafCertificates, certs...)
+ }
+ l.trustedLeafCerts = trustedLeafCertificates
+ return nil
+}
+
func (l LeafCertClientAuth) VerifyClientCertificate(rawCerts [][]byte, _ [][]*x509.Certificate) error {
if len(rawCerts) == 0 {
return fmt.Errorf("no client certificate provided")
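Review bot: The single-value assertion `loader.(LeafCertificateLoader)` in the first loop of Provision panics at config load if a module registered under tls.leaf_cert_loader does not implement the interface, turning a config mistake into a crash rather than a provisioning error; use the two-value form and return an error naming the offending module type. While there, wrap the underlying errors with `%w` instead of `%s`/`err.Error()` so callers can inspect them with errors.Is/As. Note also that Provision is a pointer-receiver method while VerifyClientCertificate and CaddyModule use value receivers; that works here because the slice header is shared, but mixing receiver kinds on one type is a style smell worth normalising. If no loaders are configured or all loaders return zero certificates, `trustedLeafCerts` stays empty and the Equal loop in VerifyClientCertificate can never match, so this appears to fail closed — confirm that is the intended behaviour and document it on Provision.
```go
func (l *LeafCertClientAuth) Provision(ctx caddy.Context) error {
	if l.LeafCertificateLoadersRaw == nil {
		return nil
	}
	val, err := ctx.LoadModule(l, "LeafCertificateLoadersRaw")
	if err != nil {
		return fmt.Errorf("could not parse leaf certificates loaders: %w", err)
	}
	trustedLeafCertloaders := []LeafCertificateLoader{}
	for _, loader := range val.([]any) {
		ldr, ok := loader.(LeafCertificateLoader)
		if !ok {
			return fmt.Errorf("module %T is not a LeafCertificateLoader", loader)
		}
		trustedLeafCertloaders = append(trustedLeafCertloaders, ldr)
	}
	// … unchanged: iterate loaders, call LoadLeafCertificates, append into trustedLeafCerts …
```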
@@ -736,7 +761,7 @@ func (l LeafCertClientAuth) VerifyClientCertificate(rawCerts [][]byte, _ [][]*x5
return fmt.Errorf("can't parse the given certificate: %s", err.Error())
}
- for _, trustedLeafCert := range l.TrustedLeafCerts {
+ for _, trustedLeafCert := range l.trustedLeafCerts {
if remoteLeafCert.Equal(trustedLeafCert) {
return nil
}
@@ -765,6 +790,12 @@ type ConnectionMatcher interface {
Match(*tls.ClientHelloInfo) bool
}
+// LeafCertificateLoader is a type that loads the trusted leaf certificates
+// for the tls.leaf_cert_loader modules
+type LeafCertificateLoader interface {
+ LoadLeafCertificates() ([]*x509.Certificate, error)
+}
+
// ClientCertificateVerifier is a type which verifies client certificates.
// It is called during verifyPeerCertificate in the TLS handshake.
type ClientCertificateVerifier interface {