mirror of https://github.com/caddyserver/caddy.git
230 lines
5.7 KiB
Go
230 lines
5.7 KiB
Go
// Copyright 2015 Matthew Holt and The Caddy Authors
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package httpcaddyfile
|
|
|
|
import (
|
|
"github.com/caddyserver/caddy/v2"
|
|
"github.com/caddyserver/caddy/v2/caddyconfig"
|
|
"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
|
|
"github.com/caddyserver/caddy/v2/modules/caddypki"
|
|
)
|
|
|
|
func init() {
|
|
RegisterGlobalOption("pki", parsePKIApp)
|
|
}
|
|
|
|
// parsePKIApp parses the global log option. Syntax:
|
|
//
|
|
// pki {
|
|
// ca [<id>] {
|
|
// name <name>
|
|
// root_cn <name>
|
|
// intermediate_cn <name>
|
|
// intermediate_lifetime <duration>
|
|
// root {
|
|
// cert <path>
|
|
// key <path>
|
|
// format <format>
|
|
// }
|
|
// intermediate {
|
|
// cert <path>
|
|
// key <path>
|
|
// format <format>
|
|
// }
|
|
// }
|
|
// }
|
|
//
|
|
// When the CA ID is unspecified, 'local' is assumed.
|
|
func parsePKIApp(d *caddyfile.Dispenser, existingVal any) (any, error) {
|
|
pki := &caddypki.PKI{CAs: make(map[string]*caddypki.CA)}
|
|
|
|
for d.Next() {
|
|
for nesting := d.Nesting(); d.NextBlock(nesting); {
|
|
switch d.Val() {
|
|
case "ca":
|
|
pkiCa := new(caddypki.CA)
|
|
if d.NextArg() {
|
|
pkiCa.ID = d.Val()
|
|
if d.NextArg() {
|
|
return nil, d.ArgErr()
|
|
}
|
|
}
|
|
if pkiCa.ID == "" {
|
|
pkiCa.ID = caddypki.DefaultCAID
|
|
}
|
|
|
|
for nesting := d.Nesting(); d.NextBlock(nesting); {
|
|
switch d.Val() {
|
|
case "name":
|
|
if !d.NextArg() {
|
|
return nil, d.ArgErr()
|
|
}
|
|
pkiCa.Name = d.Val()
|
|
|
|
case "root_cn":
|
|
if !d.NextArg() {
|
|
return nil, d.ArgErr()
|
|
}
|
|
pkiCa.RootCommonName = d.Val()
|
|
|
|
case "intermediate_cn":
|
|
if !d.NextArg() {
|
|
return nil, d.ArgErr()
|
|
}
|
|
pkiCa.IntermediateCommonName = d.Val()
|
|
|
|
case "intermediate_lifetime":
|
|
if !d.NextArg() {
|
|
return nil, d.ArgErr()
|
|
}
|
|
dur, err := caddy.ParseDuration(d.Val())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
pkiCa.IntermediateLifetime = caddy.Duration(dur)
|
|
|
|
case "root":
|
|
if pkiCa.Root == nil {
|
|
pkiCa.Root = new(caddypki.KeyPair)
|
|
}
|
|
for nesting := d.Nesting(); d.NextBlock(nesting); {
|
|
switch d.Val() {
|
|
case "cert":
|
|
if !d.NextArg() {
|
|
return nil, d.ArgErr()
|
|
}
|
|
pkiCa.Root.Certificate = d.Val()
|
|
|
|
case "key":
|
|
if !d.NextArg() {
|
|
return nil, d.ArgErr()
|
|
}
|
|
pkiCa.Root.PrivateKey = d.Val()
|
|
|
|
case "format":
|
|
if !d.NextArg() {
|
|
return nil, d.ArgErr()
|
|
}
|
|
pkiCa.Root.Format = d.Val()
|
|
|
|
default:
|
|
return nil, d.Errf("unrecognized pki ca root option '%s'", d.Val())
|
|
}
|
|
}
|
|
|
|
case "intermediate":
|
|
if pkiCa.Intermediate == nil {
|
|
pkiCa.Intermediate = new(caddypki.KeyPair)
|
|
}
|
|
for nesting := d.Nesting(); d.NextBlock(nesting); {
|
|
switch d.Val() {
|
|
case "cert":
|
|
if !d.NextArg() {
|
|
return nil, d.ArgErr()
|
|
}
|
|
pkiCa.Intermediate.Certificate = d.Val()
|
|
|
|
case "key":
|
|
if !d.NextArg() {
|
|
return nil, d.ArgErr()
|
|
}
|
|
pkiCa.Intermediate.PrivateKey = d.Val()
|
|
|
|
case "format":
|
|
if !d.NextArg() {
|
|
return nil, d.ArgErr()
|
|
}
|
|
pkiCa.Intermediate.Format = d.Val()
|
|
|
|
default:
|
|
return nil, d.Errf("unrecognized pki ca intermediate option '%s'", d.Val())
|
|
}
|
|
}
|
|
|
|
default:
|
|
return nil, d.Errf("unrecognized pki ca option '%s'", d.Val())
|
|
}
|
|
}
|
|
|
|
pki.CAs[pkiCa.ID] = pkiCa
|
|
|
|
default:
|
|
return nil, d.Errf("unrecognized pki option '%s'", d.Val())
|
|
}
|
|
}
|
|
}
|
|
|
|
return pki, nil
|
|
}
|
|
|
|
func (st ServerType) buildPKIApp(
|
|
pairings []sbAddrAssociation,
|
|
options map[string]any,
|
|
warnings []caddyconfig.Warning,
|
|
) (*caddypki.PKI, []caddyconfig.Warning, error) {
|
|
skipInstallTrust := false
|
|
if _, ok := options["skip_install_trust"]; ok {
|
|
skipInstallTrust = true
|
|
}
|
|
falseBool := false
|
|
|
|
// Load the PKI app configured via global options
|
|
var pkiApp *caddypki.PKI
|
|
unwrappedPki, ok := options["pki"].(*caddypki.PKI)
|
|
if ok {
|
|
pkiApp = unwrappedPki
|
|
} else {
|
|
pkiApp = &caddypki.PKI{CAs: make(map[string]*caddypki.CA)}
|
|
}
|
|
for _, ca := range pkiApp.CAs {
|
|
if skipInstallTrust {
|
|
ca.InstallTrust = &falseBool
|
|
}
|
|
pkiApp.CAs[ca.ID] = ca
|
|
}
|
|
|
|
// Add in the CAs configured via directives
|
|
for _, p := range pairings {
|
|
for _, sblock := range p.serverBlocks {
|
|
// find all the CAs that were defined and add them to the app config
|
|
// i.e. from any "acme_server" directives
|
|
for _, caCfgValue := range sblock.pile["pki.ca"] {
|
|
ca := caCfgValue.Value.(*caddypki.CA)
|
|
if skipInstallTrust {
|
|
ca.InstallTrust = &falseBool
|
|
}
|
|
|
|
// the CA might already exist from global options, so
|
|
// don't overwrite it in that case
|
|
if _, ok := pkiApp.CAs[ca.ID]; !ok {
|
|
pkiApp.CAs[ca.ID] = ca
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
// if there was no CAs defined in any of the servers,
|
|
// and we were requested to not install trust, then
|
|
// add one for the default/local CA to do so
|
|
if len(pkiApp.CAs) == 0 && skipInstallTrust {
|
|
ca := new(caddypki.CA)
|
|
ca.ID = caddypki.DefaultCAID
|
|
ca.InstallTrust = &falseBool
|
|
pkiApp.CAs[ca.ID] = ca
|
|
}
|
|
|
|
return pkiApp, warnings, nil
|
|
}
|