deps and refactor
This commit is contained in:
Jun Kurihara
parent
b479a38166
commit
62fe6a0b49
3 changed files with 37 additions and 26 deletions
2
h3
2
h3
|
|
@ -1 +1 @@
|
|||
Subproject commit 90ef1f7183640f3bc0779fd598e4dd0b621d0753
|
||||
Subproject commit 720da6d652c41a5ac2b56c9bf602b756bd0032d3
|
||||
|
|
@ -110,7 +110,7 @@ impl Backend {
|
|||
}
|
||||
|
||||
fn read_client_ca_certs(&self) -> io::Result<(Vec<OwnedTrustAnchor>, HashSet<Vec<u8>>)> {
|
||||
debug!("Read CA certificate for client authentication");
|
||||
debug!("Read CA certificates for client authentication");
|
||||
// Reads client certificate and returns client
|
||||
let client_ca_cert_path = {
|
||||
if let Some(c) = self.client_ca_cert_path.as_ref() {
|
||||
|
|
|
|||
|
|
@ -9,11 +9,29 @@ pub(super) fn check_client_authentication(
|
|||
client_certs: Option<&[Certificate]>,
|
||||
client_certs_setting_for_sni: Option<&HashSet<Vec<u8>>>,
|
||||
) -> Result<()> {
|
||||
if let Some(client_ca_keyids_set) = client_certs_setting_for_sni {
|
||||
if let Some(client_certs) = client_certs {
|
||||
debug!("Incoming TLS client is (temporarily) authenticated via client cert");
|
||||
// Check client certificate key ids
|
||||
let client_ca_keyids_set = match client_certs_setting_for_sni {
|
||||
Some(c) => c,
|
||||
None => {
|
||||
// No client cert settings for given server name
|
||||
return Ok(());
|
||||
}
|
||||
};
|
||||
|
||||
let client_certs = match client_certs {
|
||||
Some(c) => {
|
||||
debug!("Incoming TLS client is (temporarily) authenticated via client cert");
|
||||
c
|
||||
}
|
||||
None => {
|
||||
// TODO: return 403 here
|
||||
error!("Client certificate is needed for given server name");
|
||||
return Err(RpxyError::Proxy(
|
||||
"Client certificate is needed for given server name".to_string(),
|
||||
));
|
||||
}
|
||||
};
|
||||
|
||||
// Check client certificate key ids
|
||||
let mut client_certs_parsed_iter = client_certs.iter().filter_map(|d| parse_x509_certificate(&d.0).ok());
|
||||
let match_server_crypto_and_client_cert = client_certs_parsed_iter.any(|c| {
|
||||
let mut filtered = c.1.iter_extensions().filter_map(|e| {
|
||||
|
|
@ -23,9 +41,9 @@ pub(super) fn check_client_authentication(
|
|||
None
|
||||
}
|
||||
});
|
||||
|
||||
filtered.any(|id| client_ca_keyids_set.contains(id.0))
|
||||
});
|
||||
|
||||
if !match_server_crypto_and_client_cert {
|
||||
// TODO: return 403 here
|
||||
error!("Inconsistent client certificate for given server name");
|
||||
|
|
@ -33,13 +51,6 @@ pub(super) fn check_client_authentication(
|
|||
"Inconsistent client certificate for given server name".to_string(),
|
||||
));
|
||||
}
|
||||
} else {
|
||||
// TODO: return 403 here
|
||||
error!("Client certificate is needed for given server name");
|
||||
return Err(RpxyError::Proxy(
|
||||
"Client certificate is needed for given server name".to_string(),
|
||||
));
|
||||
}
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue