mirror of
https://github.com/caddyserver/caddy.git
synced 2025-01-23 09:06:29 +01:00
b8cba62643
This is a breaking change primarily in two areas: - Storage paths for certificates have changed - Slight changes to JSON config parameters Huge improvements in this commit, to be detailed more in the release notes. The upcoming PKI app will be powered by Smallstep libraries.
71 lines
2.1 KiB
Go
71 lines
2.1 KiB
Go
package caddytls
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"fmt"
|
|
"math/big"
|
|
|
|
"github.com/caddyserver/caddy/v2"
|
|
"github.com/caddyserver/certmagic"
|
|
)
|
|
|
|
func init() {
|
|
caddy.RegisterModule(CustomCertSelectionPolicy{})
|
|
}
|
|
|
|
// CustomCertSelectionPolicy represents a policy for selecting the certificate
|
|
// used to complete a handshake when there may be multiple options. All fields
|
|
// specified must match the candidate certificate for it to be chosen.
|
|
// This was needed to solve https://github.com/caddyserver/caddy/issues/2588.
|
|
type CustomCertSelectionPolicy struct {
|
|
SerialNumber *big.Int `json:"serial_number,omitempty"`
|
|
SubjectOrganization string `json:"subject_organization,omitempty"`
|
|
PublicKeyAlgorithm PublicKeyAlgorithm `json:"public_key_algorithm,omitempty"`
|
|
Tag string `json:"tag,omitempty"`
|
|
}
|
|
|
|
// CaddyModule returns the Caddy module information.
|
|
func (CustomCertSelectionPolicy) CaddyModule() caddy.ModuleInfo {
|
|
return caddy.ModuleInfo{
|
|
ID: "tls.certificate_selection.custom",
|
|
New: func() caddy.Module { return new(CustomCertSelectionPolicy) },
|
|
}
|
|
}
|
|
|
|
// SelectCertificate implements certmagic.CertificateSelector.
|
|
func (p CustomCertSelectionPolicy) SelectCertificate(_ *tls.ClientHelloInfo, choices []certmagic.Certificate) (certmagic.Certificate, error) {
|
|
for _, cert := range choices {
|
|
if p.SerialNumber != nil && cert.SerialNumber.Cmp(p.SerialNumber) != 0 {
|
|
continue
|
|
}
|
|
|
|
if p.PublicKeyAlgorithm != PublicKeyAlgorithm(x509.UnknownPublicKeyAlgorithm) &&
|
|
PublicKeyAlgorithm(cert.PublicKeyAlgorithm) != p.PublicKeyAlgorithm {
|
|
continue
|
|
}
|
|
|
|
if p.SubjectOrganization != "" {
|
|
var matchOrg bool
|
|
for _, org := range cert.Subject.Organization {
|
|
if p.SubjectOrganization == org {
|
|
matchOrg = true
|
|
break
|
|
}
|
|
}
|
|
if !matchOrg {
|
|
continue
|
|
}
|
|
}
|
|
|
|
if p.Tag != "" && !cert.HasTag(p.Tag) {
|
|
continue
|
|
}
|
|
|
|
return cert, nil
|
|
}
|
|
return certmagic.Certificate{}, fmt.Errorf("no certificates matched custom selection policy")
|
|
}
|
|
|
|
// Interface guard
|
|
var _ certmagic.CertificateSelector = (*CustomCertSelectionPolicy)(nil)
|