From 37eb0cbedbbe55435f6d7fabadda1b8fa2952536 Mon Sep 17 00:00:00 2001
From: armadi1809
Date: Wed, 28 Feb 2024 16:16:42 -0600
Subject: [PATCH] Cleaned implementation of leaf cert loader modules

---
 modules/caddytls/leafderloader.go | 31 ++++-----------
 modules/caddytls/leaffileloader.go | 55 +++++++--------------------
 modules/caddytls/leaffolderloader.go | 4 +-
 modules/caddytls/leafstorageloader.go | 37 +++++-------------
 4 files changed, 32 insertions(+), 95 deletions(-)

diff --git a/modules/caddytls/leafderloader.go b/modules/caddytls/leafderloader.go
index 4e622faae461..5cbad5dc1da5 100644
--- a/modules/caddytls/leafderloader.go
+++ b/modules/caddytls/leafderloader.go
@@ -29,23 +29,17 @@ func init() {
 // decoding their DER blocks directly. This has the advantage
 // of not needing to store them on disk at all.
 type LeafDERLoader struct {
- Ders []LeafCertDER `json:"ders,omitempty"`
+ Certificates []string `json:"certs,omitempty"`
 }
 
 // Provision implements caddy.Provisioner.
-func (pl LeafDERLoader) Provision(ctx caddy.Context) error {
+func (pl *LeafDERLoader) Provision(ctx caddy.Context) error {
 repl, ok := ctx.Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
 if !ok {
 repl = caddy.NewReplacer()
 }
- for k, pair := range pl.Ders {
- for i, tag := range pair.Tags {
- pair.Tags[i] = repl.ReplaceKnown(tag, "")
- }
- pl.Ders[k] = LeafCertDER{
- CertificateDER: repl.ReplaceKnown(pair.CertificateDER, ""),
- Tags: pair.Tags,
- }
+ for i, cert := range pl.Certificates {
+ pl.Certificates[i] = repl.ReplaceKnown(cert, "")
 }
 return nil
 }
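Review bot: The new `Certificates` field has no doc comment, while the `LeafCertDER.CertificateDER` field it replaces documented the expected encoding; since this is the operator-facing config surface for trusted leaf certs, add `// The leaf certificates in DER format.` above it. The field is typed `[]string` but carries raw DER, and arbitrary DER bytes are not valid UTF-8, so they do not survive a JSON round trip without escaping; if that is how this loader is meant to be configured, `[][]byte` would let encoding/json base64-encode each entry transparently — worth confirming against the intended usage. The JSON tag also changes from `ders` to `certs`, which breaks any existing config using the old name; whether that is a hard error or a silently empty list depends on whether the config decoder rejects unknown fields, and either way it should be called out in the commit description.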
@@ -58,22 +52,11 @@ func (LeafDERLoader) CaddyModule() caddy.ModuleInfo {
 }
 }
 
-// LeafCertDER contains DER-encoded Leaf certificate.
-type LeafCertDER struct {
- // The leaf certificate in DER format.
- CertificateDER string `json:"certificate"`
-
- // Arbitrary values to associate with this certificate.
- // Can be useful when you want to select a particular
- // certificate when there may be multiple valid candidates.
- Tags []string `json:"tags,omitempty"`
-}
-
 // LoadLeafCertificates returns the certificates contained in pl.
 func (pl LeafDERLoader) LoadLeafCertificates() ([]*x509.Certificate, error) {
- certs := make([]*x509.Certificate, 0, len(pl.Ders))
- for i, pair := range pl.Ders {
- cert, err := x509.ParseCertificate([]byte(pair.CertificateDER))
+ certs := make([]*x509.Certificate, 0, len(pl.Certificates))
+ for i, cert := range pl.Certificates {
+ cert, err := x509.ParseCertificate([]byte(cert))
 if err != nil {
 return nil, fmt.Errorf("DER cert %d: %v", i, err)
 }
diff --git a/modules/caddytls/leaffileloader.go b/modules/caddytls/leaffileloader.go
index 1360f38c3204..90c2b83a76ce 100644
--- a/modules/caddytls/leaffileloader.go
+++ b/modules/caddytls/leaffileloader.go
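Review bot: The range variable `cert` (a DER string) is immediately shadowed by `cert, err := x509.ParseCertificate([]byte(cert))` (a `*x509.Certificate`); this compiles only because the loop body opens a new scope, and it reads as a bug at first glance. Rename the range variable so the two values are distinct: `for i, der := range pl.Certificates {` and `cert, err := x509.ParseCertificate([]byte(der))`. The unchanged `fmt.Errorf("DER cert %d: %v", i, err)` could use `%w` so callers can inspect the parse error, but that is pre-existing. The body of LoadLeafCertificates continues past the end of the hunk.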
@@ -29,24 +29,17 @@ func init() {
 
 // LeafFileLoader loads leaf certificates from disk.
 type LeafFileLoader struct {
- Files []LeafCertFile `json:"files,omitempty"`
+ Files []string `json:"files,omitempty"`
 }
 
 // Provision implements caddy.Provisioner.
-func (fl LeafFileLoader) Provision(ctx caddy.Context) error {
+func (fl *LeafFileLoader) Provision(ctx caddy.Context) error {
 repl, ok := ctx.Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
 if !ok {
 repl = caddy.NewReplacer()
 }
- for k, pair := range fl.Files {
- for i, tag := range pair.Tags {
- pair.Tags[i] = repl.ReplaceKnown(tag, "")
- }
- fl.Files[k] = LeafCertFile{
- LeafCertificate: repl.ReplaceKnown(pair.LeafCertificate, ""),
- Format: repl.ReplaceKnown(pair.Format, ""),
- Tags: pair.Tags,
- }
+ for k, path := range fl.Files {
+ fl.Files[k] = repl.ReplaceKnown(path, "")
 }
 return nil
 }
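Review bot: `Files []string` loses the documentation that `LeafCertFile.LeafCertificate` and `Format` carried, and with the `Format` field gone the loader only accepts PEM (the load path calls `convertPEMFilesToDERBytes` unconditionally), which the field should now state explicitly: `// Paths to PEM-encoded leaf certificate files.`. Placeholders in these paths are still expanded by `repl.ReplaceKnown` at provision time, so the comment is also where to say that the values are operator-controlled paths rather than certificate contents. The struct doc `// LeafFileLoader loads leaf certificates from disk.` is fine as is.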
@@ -59,41 +52,19 @@ func (LeafFileLoader) CaddyModule() caddy.ModuleInfo {
 }
 }
 
-// LeafCertFile associates leaf certificate file name along with its
-// encoding format so that they can be loaded from disk.
-type LeafCertFile struct {
- // Path to the certificate file.
- LeafCertificate string `json:"certificate"`
-
- // The format of the cert. Can be "pem". Default: "pem"
- Format string `json:"format,omitempty"`
-
- // Arbitrary values to associate with this certificate.
- // Can be useful when you want to select a particular
- // certificate when there may be multiple valid candidates.
- Tags []string `json:"tags,omitempty"`
-}
-
 // LoadLEafCertificates returns the certificates to be loaded by fl.
 func (fl LeafFileLoader) LoadLeafCertificates() ([]*x509.Certificate, error) {
 certificates := make([]*x509.Certificate, 0, len(fl.Files))
- for _, pair := range fl.Files {
- switch pair.Format {
- case "":
- fallthrough
- case "pem":
- ders, err := convertPEMFilesToDERBytes(pair.LeafCertificate)
- if err != nil {
- return nil, err
- }
- certs, err := x509.ParseCertificates(ders)
- if err != nil {
- return nil, err
- }
- certificates = append(certificates, certs...)
- default:
- return nil, fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format)
+ for _, path := range fl.Files {
+ ders, err := convertPEMFilesToDERBytes(path)
+ if err != nil {
+ return nil, err
+ }
+ certs, err := x509.ParseCertificates(ders)
+ if err != nil {
+ return nil, err
 }
+ certificates = append(certificates, certs...)
 }
 return certificates, nil
 }
diff --git a/modules/caddytls/leaffolderloader.go b/modules/caddytls/leaffolderloader.go
index 753b08a8ffeb..15dbd96896aa 100644
--- a/modules/caddytls/leaffolderloader.go
+++ b/modules/caddytls/leaffolderloader.go
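Review bot: Both `return nil, err` branches in the new loop body drop which file failed, so a PEM or parse error in a list of several files cannot be attributed from the log, whereas the DER loader in this same commit does prefix its error with the entry index; unless `convertPEMFilesToDERBytes` already wraps the path (not visible here), wrap them as `return nil, fmt.Errorf("loading leaf certificate %s: %w", path, err)` and `return nil, fmt.Errorf("parsing leaf certificate %s: %w", path, err)` (`fmt` should still be imported, since the file's import block is untouched by this patch). The same applies to the storage loader's `LoadLeafCertificates` hunk at the end of this patch, where the storage key is dropped from both error returns. The unchanged doc comment still reads `// LoadLEafCertificates` and should be `// LoadLeafCertificates returns the certificates to be loaded by fl.`.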
@@ -44,7 +44,7 @@ func (LeafFolderLoader) CaddyModule() caddy.ModuleInfo {
 }
 
 // Provision implements caddy.Provisioner.
-func (fl LeafFolderLoader) Provision(ctx caddy.Context) error {
+func (fl *LeafFolderLoader) Provision(ctx caddy.Context) error {
 repl, ok := ctx.Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
 if !ok {
 repl = caddy.NewReplacer()
@@ -71,7 +71,7 @@ func (fl LeafFolderLoader) LoadLeafCertificates() ([]*x509.Certificate, error) {
 return nil
 }
 
- certData, err := os.ReadFile(fpath)
+ certData, err := convertPEMFilesToDERBytes(fpath)
 if err != nil {
 return err
 }
diff --git a/modules/caddytls/leafstorageloader.go b/modules/caddytls/leafstorageloader.go
index 01cbf2b524ae..33f82d813693 100644
--- a/modules/caddytls/leafstorageloader.go
+++ b/modules/caddytls/leafstorageloader.go
@@ -34,7 +34,7 @@ func init() {
 type LeafStorageLoader struct {
 // A list of pairs of certificate file names along with their
 // encoding format so that they can be loaded from storage.
- Certs []LeafCertFile `json:"certs,omitempty"`
+ Certs []string `json:"certs,omitempty"`
 
 // The storage module where the trusted leaf certificates are stored. Absent
 // explicit storage implies the use of Caddy default storage.
@@ -76,15 +76,8 @@ func (sl *LeafStorageLoader) Provision(ctx caddy.Context) error {
 if !ok {
 repl = caddy.NewReplacer()
 }
- for k, pair := range sl.Certs {
- for i, tag := range pair.Tags {
- pair.Tags[i] = repl.ReplaceKnown(tag, "")
- }
- sl.Certs[k] = LeafCertFile{
- LeafCertificate: repl.ReplaceKnown(pair.LeafCertificate, ""),
- Format: repl.ReplaceKnown(pair.Format, ""),
- Tags: pair.Tags,
- }
+ for k, path := range sl.Certs {
+ sl.Certs[k] = repl.ReplaceKnown(path, "")
 }
 return nil
 }
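Review bot: `certData` now holds the DER output of `convertPEMFilesToDERBytes` rather than the raw file bytes `os.ReadFile` returned, but the rest of the walk callback that consumes it is outside the hunk and the diffstat shows no other change to this file; confirm the downstream code parses DER and does not try to PEM-decode `certData` a second time, and rename it to `ders` to match the other loaders. The helper's error is returned bare, so a folder with one malformed file reports nothing about which file it was; `return fmt.Errorf("loading leaf certificate %s: %w", fpath, err)` would fix that, provided `fmt` is imported in this file. The enclosing function starts and ends outside the hunk.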
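Review bot: The doc comment on `Certs` is now stale: it still says "A list of pairs of certificate file names along with their encoding format", but the field is a `[]string` of storage keys and the format switch is gone, so only PEM is accepted. Replace the two comment lines with `// A list of storage keys (paths) of PEM-encoded leaf certificate files` / `// to load from the configured storage.`. Stale config documentation is costly here because, per the neighbouring comment, this list names the trusted leaf certificates.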
@@ -92,31 +85,21 @@ func (sl *LeafStorageLoader) Provision(ctx caddy.Context) error {
 // LoadLeafCertificates returns the certificates to be loaded by sl.
 func (sl LeafStorageLoader) LoadLeafCertificates() ([]*x509.Certificate, error) {
 certificates := make([]*x509.Certificate, 0, len(sl.Certs))
- for _, pair := range sl.Certs {
- certData, err := sl.storage.Load(sl.ctx, pair.LeafCertificate)
+ for _, path := range sl.Certs {
+ certData, err := sl.storage.Load(sl.ctx, path)
 if err != nil {
 return nil, err
 }
- switch pair.Format {
- case "":
- fallthrough
- case "pem":
- ders, err := convertPEMToDER(certData)
- if err != nil {
- return nil, err
- }
- certs, err := x509.ParseCertificates(ders)
- if err != nil {
- return nil, err
- }
- certificates = append(certificates, certs...)
- default:
- return nil, fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format)
+ ders, err := convertPEMToDER(certData)
+ if err != nil {
+ return nil, err
 }
+ certs, err := x509.ParseCertificates(ders)
 if err != nil {
 return nil, err
 }
+ certificates = append(certificates, certs...)
 }
 return certificates, nil
 }