deps and refactor

2022-10-11 15:35:46 +09:00 · 2022-10-11 15:35:46 +09:00 · 62fe6a0b49
commit 62fe6a0b49
parent b479a38166
3 changed files with 37 additions and 26 deletions
--- a/src/backend/mod.rs
+++ b/src/backend/mod.rs
@ -110,7 +110,7 @@ impl Backend {
  }

  fn read_client_ca_certs(&self) -> io::Result<(Vec<OwnedTrustAnchor>, HashSet<Vec<u8>>)> {
-    debug!("Read CA certificate for client authentication");
+    debug!("Read CA certificates for client authentication");
    // Reads client certificate and returns client
    let client_ca_cert_path = {
      if let Some(c) = self.client_ca_cert_path.as_ref() {
--- a/src/proxy/proxy_client_cert.rs
+++ b/src/proxy/proxy_client_cert.rs
@ -9,37 +9,48 @@ pub(super) fn check_client_authentication(
  client_certs: Option<&[Certificate]>,
  client_certs_setting_for_sni: Option<&HashSet<Vec<u8>>>,
 ) -> Result<()> {
-  if let Some(client_ca_keyids_set) = client_certs_setting_for_sni {
-    if let Some(client_certs) = client_certs {
+  let client_ca_keyids_set = match client_certs_setting_for_sni {
+    Some(c) => c,
+    None => {
+      // No client cert settings for given server name
+      return Ok(());
+    }
+  };
+
+  let client_certs = match client_certs {
+    Some(c) => {
      debug!("Incoming TLS client is (temporarily) authenticated via client cert");
-      // Check client certificate key ids
-
-      let mut client_certs_parsed_iter = client_certs.iter().filter_map(|d| parse_x509_certificate(&d.0).ok());
-      let match_server_crypto_and_client_cert = client_certs_parsed_iter.any(|c| {
-        let mut filtered = c.1.iter_extensions().filter_map(|e| {
-          if let ParsedExtension::AuthorityKeyIdentifier(key_id) = e.parsed_extension() {
-            key_id.key_identifier.as_ref()
-          } else {
-            None
-          }
-        });
-
-        filtered.any(|id| client_ca_keyids_set.contains(id.0))
-      });
-      if !match_server_crypto_and_client_cert {
-        // TODO: return 403 here
-        error!("Inconsistent client certificate for given server name");
-        return Err(RpxyError::Proxy(
-          "Inconsistent client certificate for given server name".to_string(),
-        ));
-      }
-    } else {
+      c
+    }
+    None => {
      // TODO: return 403 here
      error!("Client certificate is needed for given server name");
      return Err(RpxyError::Proxy(
        "Client certificate is needed for given server name".to_string(),
      ));
    }
+  };
+
+  // Check client certificate key ids
+  let mut client_certs_parsed_iter = client_certs.iter().filter_map(|d| parse_x509_certificate(&d.0).ok());
+  let match_server_crypto_and_client_cert = client_certs_parsed_iter.any(|c| {
+    let mut filtered = c.1.iter_extensions().filter_map(|e| {
+      if let ParsedExtension::AuthorityKeyIdentifier(key_id) = e.parsed_extension() {
+        key_id.key_identifier.as_ref()
+      } else {
+        None
+      }
+    });
+    filtered.any(|id| client_ca_keyids_set.contains(id.0))
+  });
+
+  if !match_server_crypto_and_client_cert {
+    // TODO: return 403 here
+    error!("Inconsistent client certificate for given server name");
+    return Err(RpxyError::Proxy(
+      "Inconsistent client certificate for given server name".to_string(),
+    ));
  }
+
  Ok(())
 }