Cleaned implementation of leaf cert loader modules
armadi1809 committed Feb 28, 2024
1 parent 3e60ec5 commit 4a5a8ba
Showing 5 changed files with 34 additions and 97 deletions.
4 changes: 2 additions & 2 deletions modules/caddytls/connpolicy.go
Expand Up @@ -733,7 +733,7 @@ func (l *LeafCertClientAuth) Provision(ctx caddy.Context) error {
}
val, err := ctx.LoadModule(l, "LeafCertificateLoadersRaw")
if err != nil {
return fmt.Errorf("Could not parse leaf certificates loaders: %s", err.Error())
return fmt.Errorf("could not parse leaf certificates loaders: %s", err.Error())
}
trustedLeafCertloaders := []LeafCertificateLoader{}
for _, loader := range val.([]any) {
Expand All @@ -743,7 +743,7 @@ func (l *LeafCertClientAuth) Provision(ctx caddy.Context) error {
for _, loader := range trustedLeafCertloaders {
certs, err := loader.LoadLeafCertificates()
if err != nil {
return fmt.Errorf("Could not load leaf certificates: %s", err.Error())
return fmt.Errorf("could not load leaf certificates: %s", err.Error())
}
trustedLeafCertificates = append(trustedLeafCertificates, certs...)
}
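Review bot: The two rewritten returns still flatten the loader error with `%s` and `err.Error()`, so callers of Provision cannot use errors.Is or errors.As on the cause; wrap it instead: `return fmt.Errorf("could not parse leaf certificates loaders: %w", err)` and `return fmt.Errorf("could not load leaf certificates: %w", err)`. Provision starts and ends outside this hunk.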
31 changes: 7 additions & 24 deletions modules/caddytls/leafderloader.go
Expand Up @@ -29,23 +29,17 @@ func init() {
// decoding their DER blocks directly. This has the advantage
// of not needing to store them on disk at all.
type LeafDERLoader struct {
Ders []LeafCertDER `json:"ders,omitempty"`
Certificates []string `json:"certs,omitempty"`
}

// Provision implements caddy.Provisioner.
func (pl LeafDERLoader) Provision(ctx caddy.Context) error {
func (pl *LeafDERLoader) Provision(ctx caddy.Context) error {
repl, ok := ctx.Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
if !ok {
repl = caddy.NewReplacer()
}
for k, pair := range pl.Ders {
for i, tag := range pair.Tags {
pair.Tags[i] = repl.ReplaceKnown(tag, "")
}
pl.Ders[k] = LeafCertDER{
CertificateDER: repl.ReplaceKnown(pair.CertificateDER, ""),
Tags: pair.Tags,
}
for i, cert := range pl.Certificates {
pl.Certificates[i] = repl.ReplaceKnown(cert, "")
}
return nil
}
Expand All @@ -58,22 +52,11 @@ func (LeafDERLoader) CaddyModule() caddy.ModuleInfo {
}
}

// LeafCertDER contains DER-encoded Leaf certificate.
type LeafCertDER struct {
// The leaf certificate in DER format.
CertificateDER string `json:"certificate"`

// Arbitrary values to associate with this certificate.
// Can be useful when you want to select a particular
// certificate when there may be multiple valid candidates.
Tags []string `json:"tags,omitempty"`
}

// LoadLeafCertificates returns the certificates contained in pl.
func (pl LeafDERLoader) LoadLeafCertificates() ([]*x509.Certificate, error) {
certs := make([]*x509.Certificate, 0, len(pl.Ders))
for i, pair := range pl.Ders {
cert, err := x509.ParseCertificate([]byte(pair.CertificateDER))
certs := make([]*x509.Certificate, 0, len(pl.Certificates))
for i, cert := range pl.Certificates {
cert, err := x509.ParseCertificate([]byte(cert))
if err != nil {
return nil, fmt.Errorf("DER cert %d: %v", i, err)
}
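Review bot: In LoadLeafCertificates the new `cert, err := x509.ParseCertificate([]byte(cert))` declares a second `cert` that shadows the range variable of the same name on the line above; it compiles, but it reads like a bug and go vet's shadow check will flag it, so rename the range variable: `for i, der := range pl.Certificates {` and `cert, err := x509.ParseCertificate([]byte(der))`. The renamed `Certificates` field has no doc comment, and both its JSON tag (`ders` to `certs`) and its JSON shape changed, which breaks existing configs unless that is intended; a comment such as `// Certificates holds the DER-encoded leaf certificates to load.` would at least state the expected content. Provision now takes a pointer receiver while CaddyModule and LoadLeafCertificates keep value receivers; the same mix appears in leaffileloader.go and leaffolderloader.go (and pre-dates this commit in leafstorageloader.go), and one receiver kind per type would be cleaner. LoadLeafCertificates continues past the end of this hunk.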
55 changes: 13 additions & 42 deletions modules/caddytls/leaffileloader.go
Expand Up @@ -29,24 +29,17 @@ func init() {

// LeafFileLoader loads leaf certificates from disk.
type LeafFileLoader struct {
Files []LeafCertFile `json:"files,omitempty"`
Files []string `json:"files,omitempty"`
}

// Provision implements caddy.Provisioner.
func (fl LeafFileLoader) Provision(ctx caddy.Context) error {
func (fl *LeafFileLoader) Provision(ctx caddy.Context) error {
repl, ok := ctx.Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
if !ok {
repl = caddy.NewReplacer()
}
for k, pair := range fl.Files {
for i, tag := range pair.Tags {
pair.Tags[i] = repl.ReplaceKnown(tag, "")
}
fl.Files[k] = LeafCertFile{
LeafCertificate: repl.ReplaceKnown(pair.LeafCertificate, ""),
Format: repl.ReplaceKnown(pair.Format, ""),
Tags: pair.Tags,
}
for k, path := range fl.Files {
fl.Files[k] = repl.ReplaceKnown(path, "")
}
return nil
}
Expand All @@ -59,41 +52,19 @@ func (LeafFileLoader) CaddyModule() caddy.ModuleInfo {
}
}

// LeafCertFile associates leaf certificate file name along with its
// encoding format so that they can be loaded from disk.
type LeafCertFile struct {
// Path to the certificate file.
LeafCertificate string `json:"certificate"`

// The format of the cert. Can be "pem". Default: "pem"
Format string `json:"format,omitempty"`

// Arbitrary values to associate with this certificate.
// Can be useful when you want to select a particular
// certificate when there may be multiple valid candidates.
Tags []string `json:"tags,omitempty"`
}

// LoadLEafCertificates returns the certificates to be loaded by fl.
func (fl LeafFileLoader) LoadLeafCertificates() ([]*x509.Certificate, error) {
certificates := make([]*x509.Certificate, 0, len(fl.Files))
for _, pair := range fl.Files {
switch pair.Format {
case "":
fallthrough
case "pem":
ders, err := convertPEMFilesToDERBytes(pair.LeafCertificate)
if err != nil {
return nil, err
}
certs, err := x509.ParseCertificates(ders)
if err != nil {
return nil, err
}
certificates = append(certificates, certs...)
default:
return nil, fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format)
for _, path := range fl.Files {
ders, err := convertPEMFilesToDERBytes(path)
if err != nil {
return nil, err
}
certs, err := x509.ParseCertificates(ders)
if err != nil {
return nil, err
}
certificates = append(certificates, certs...)
}
return certificates, nil
}
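Review bot: The two `return nil, err` lines in the rewritten LoadLeafCertificates loop drop the file path, so when several files are configured a parse failure cannot be attributed to one of them; leafderloader.go already prefixes its errors with the index, so for consistency wrap here: `return nil, fmt.Errorf("leaf cert file %q: %w", path, err)` (check that fmt is still imported, since the only fmt.Errorf call visible in this file was removed). The `Files` field has no doc comment and the PEM-only expectation is now implicit in the call to convertPEMFilesToDERBytes; `// Files lists paths to PEM-encoded leaf certificate files.` would make it explicit. The unchanged doc comment above the method still reads `LoadLEafCertificates` and could be corrected to `LoadLeafCertificates` while here.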
4 changes: 2 additions & 2 deletions modules/caddytls/leaffolderloader.go
Expand Up @@ -44,7 +44,7 @@ func (LeafFolderLoader) CaddyModule() caddy.ModuleInfo {
}

// Provision implements caddy.Provisioner.
func (fl LeafFolderLoader) Provision(ctx caddy.Context) error {
func (fl *LeafFolderLoader) Provision(ctx caddy.Context) error {
repl, ok := ctx.Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
if !ok {
repl = caddy.NewReplacer()
Expand All @@ -71,7 +71,7 @@ func (fl LeafFolderLoader) LoadLeafCertificates() ([]*x509.Certificate, error) {
return nil
}

certData, err := os.ReadFile(fpath)
certData, err := convertPEMFilesToDERBytes(fpath)
if err != nil {
return err
}
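Review bot: The `return err` after the new `convertPEMFilesToDERBytes(fpath)` call passes the error up without the file path, so a failure while walking the folder does not say which entry could not be converted; `return fmt.Errorf("leaf cert %q: %w", fpath, err)` would help, assuming fmt is imported in this file, which the hunk does not show. Since this call replaces os.ReadFile, confirm that the code after the hunk that consumes certData now expects DER bytes rather than the raw file contents, and that os is still used elsewhere so the import does not go stale. Both hunks sit inside functions that start and end outside this section.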
37 changes: 10 additions & 27 deletions modules/caddytls/leafstorageloader.go
Expand Up @@ -34,7 +34,7 @@ func init() {
type LeafStorageLoader struct {
// A list of pairs of certificate file names along with their
// encoding format so that they can be loaded from storage.
Certs []LeafCertFile `json:"certs,omitempty"`
Certs []string `json:"certs,omitempty"`

// The storage module where the trusted leaf certificates are stored. Absent
// explicit storage implies the use of Caddy default storage.
Expand Down Expand Up @@ -76,47 +76,30 @@ func (sl *LeafStorageLoader) Provision(ctx caddy.Context) error {
if !ok {
repl = caddy.NewReplacer()
}
for k, pair := range sl.Certs {
for i, tag := range pair.Tags {
pair.Tags[i] = repl.ReplaceKnown(tag, "")
}
sl.Certs[k] = LeafCertFile{
LeafCertificate: repl.ReplaceKnown(pair.LeafCertificate, ""),
Format: repl.ReplaceKnown(pair.Format, ""),
Tags: pair.Tags,
}
for k, path := range sl.Certs {
sl.Certs[k] = repl.ReplaceKnown(path, "")
}
return nil
}

// LoadLeafCertificates returns the certificates to be loaded by sl.
func (sl LeafStorageLoader) LoadLeafCertificates() ([]*x509.Certificate, error) {
certificates := make([]*x509.Certificate, 0, len(sl.Certs))
for _, pair := range sl.Certs {
certData, err := sl.storage.Load(sl.ctx, pair.LeafCertificate)
for _, path := range sl.Certs {
certData, err := sl.storage.Load(sl.ctx, path)
if err != nil {
return nil, err
}

switch pair.Format {
case "":
fallthrough
case "pem":
ders, err := convertPEMToDER(certData)
if err != nil {
return nil, err
}
certs, err := x509.ParseCertificates(ders)
if err != nil {
return nil, err
}
certificates = append(certificates, certs...)
default:
return nil, fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format)
ders, err := convertPEMToDER(certData)
if err != nil {
return nil, err
}
certs, err := x509.ParseCertificates(ders)
if err != nil {
return nil, err
}
certificates = append(certificates, certs...)
}
return certificates, nil
}
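Review bot: The comment kept above the `Certs` field still describes "pairs of certificate file names along with their encoding format", but the field is now `[]string` with no format, so the doc is stale; replace it with `// A list of PEM-encoded leaf certificate file names to load from storage.` (PEM being what the convertPEMToDER call below implies). The two `return nil, err` lines in the rewritten LoadLeafCertificates loop also drop `path`, so a failing certificate cannot be identified; `return nil, fmt.Errorf("leaf cert %q: %w", path, err)` would mirror the index prefix used in leafderloader.go (check that fmt is still imported after the removed fmt.Errorf call). Provision's body starts outside this hunk; LoadLeafCertificates is fully visible.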
