package proxy
import (
"crypto/x509"
"fmt"
"github.com/grepplabs/kafka-proxy/config"
"github.com/grepplabs/kafka-proxy/proxy/clientcertvalidate"
)
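// tlsClientCertVerificationFunc builds the tls.Config.VerifyPeerCertificate
// callback that enforces the client-certificate subject allow-list configured
// in conf.Proxy.TLS.ClientCert.Subjects.
//
// The returned callback accepts the handshake as soon as the leaf (peer)
// certificate of any verified chain matches one of the configured subjects,
// and rejects it otherwise. Only chain[0] — the certificate the client
// actually presented — is compared; issuer certificates further up the chain
// are deliberately not consulted, because matching a CA's subject would let
// every certificate issued by that CA pass the allow-list.
//
// With no subjects configured the callback accepts everything (chain
// validation itself is still performed by the TLS stack before this callback
// runs). When subjects are configured and no verified chain is available —
// no client certificate presented, or verification skipped — the callback
// fails closed.
//
// If a configured subject cannot be parsed, the parse error is returned
// together with a callback that rejects every handshake, so a caller that
// installs the callback without checking the error cannot silently disable
// the allow-list.
func tlsClientCertVerificationFunc(conf *config.Config) (func([][]byte, [][]*x509.Certificate) error, error) {
	parsedSubjects, parserErr := getParsedSubjects(conf)
	if parserErr != nil {
		// Fail closed rather than handing back an accept-all callback.
		return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
			return fmt.Errorf("tls: client certificate subject validation is misconfigured: %w", parserErr)
		}, parserErr
	}
	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
		if len(parsedSubjects) == 0 {
			return nil // nothing to validate
		}
		var errs []error
		for _, chain := range verifiedChains {
			if len(chain) == 0 {
				// crypto/x509 never returns an empty chain; guard anyway so a
				// malformed input cannot panic the handshake goroutine.
				continue
			}
			leaf := chain[0]
			// A single matching subject is sufficient; mismatch reasons are
			// collected only for the final error message.
			for _, parsedSubject := range parsedSubjects {
				err := parsedSubject.X509Validate(leaf)
				if err == nil {
					return nil
				}
				errs = append(errs, err)
			}
		}
		return fmt.Errorf("tls: no client certificate presented for any of the defined client subjects, errors: '%v'", errs)
	}, nil
}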
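// getParsedSubjects parses every entry of conf.Proxy.TLS.ClientCert.Subjects
// with clientcertvalidate.NewSubjectParser and returns them in configuration
// order.
//
// On the first entry that fails to parse it returns a nil slice together with
// that parse error, so a partially parsed allow-list can never be mistaken for
// a complete one by a caller that ignores the error.
func getParsedSubjects(conf *config.Config) ([]clientcertvalidate.ParsedSubject, error) {
	subjects := conf.Proxy.TLS.ClientCert.Subjects
	parsedSubjects := make([]clientcertvalidate.ParsedSubject, 0, len(subjects))
	for _, subject := range subjects {
		parsedSubject, err := clientcertvalidate.NewSubjectParser(subject).Parse()
		if err != nil {
			return nil, err
		}
		parsedSubjects = append(parsedSubjects, parsedSubject)
	}
	return parsedSubjects, nil
}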