Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
65555c9
commit f6a83ac
Showing
3 changed files
with
70 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
package armor | ||
|
||
import ( | ||
"crypto/tls" | ||
"crypto/x509" | ||
"encoding/base64" | ||
) | ||
|
||
// GetConfigForClient implements the Config.GetClientCertificate callback | ||
func (a *Armor) GetConfigForClient(clientHelloInfo *tls.ClientHelloInfo) (*tls.Config, error) { | ||
// Get the host from the hello info | ||
host := a.Hosts[clientHelloInfo.ServerName] | ||
if len(host.ClientCAs) == 0 { | ||
return nil, nil | ||
} | ||
|
||
// Use existing host config if exist | ||
if host.TLSConfig != nil { | ||
return host.TLSConfig, nil | ||
} | ||
|
||
// Build and save the host config | ||
host.TLSConfig = a.buildTLSConfig(clientHelloInfo, host) | ||
|
||
return host.TLSConfig, nil | ||
} | ||
|
||
func (a *Armor) buildTLSConfig(clientHelloInfo *tls.ClientHelloInfo, host *Host) *tls.Config { | ||
// Copy the configurations from the regular server | ||
tlsConfig := new(tls.Config) | ||
*tlsConfig = *a.Echo.TLSServer.TLSConfig | ||
|
||
// Set the client validation and the certification pool | ||
tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert | ||
tlsConfig.ClientCAs = a.buildClientCertPool(host) | ||
|
||
return tlsConfig | ||
} | ||
|
||
func (a *Armor) buildClientCertPool(host *Host) (certPool *x509.CertPool) { | ||
certPool = x509.NewCertPool() | ||
|
||
// Loop every CA certs given as base64 DER encoding | ||
for _, clientCAString := range host.ClientCAs { | ||
// Decode base64 | ||
derBytes, err := base64.StdEncoding.DecodeString(clientCAString) | ||
if err != nil { | ||
continue | ||
} | ||
if len(derBytes) == 0 { | ||
continue | ||
} | ||
|
||
// Parse the DER encoded certificate | ||
var caCert *x509.Certificate | ||
caCert, err = x509.ParseCertificate(derBytes) | ||
if err != nil { | ||
continue | ||
} | ||
|
||
// Add the certificate to CertPool | ||
certPool.AddCert(caCert) | ||
} | ||
|
||
return certPool | ||
} |