| 776 | } |
| 777 | |
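// provision resolves the trust store used to verify client certificates.
//
// Exactly one source of trusted CAs may be configured: either the inline
// TrustedCACerts / TrustedCACertPEMFiles fields (PEM files are converted to
// DER and merged into TrustedCACerts, and the result becomes an
// InlineCAPool), or a CA module supplied via CARaw. Configuring both is
// rejected up front so that the CA module can never silently shadow the
// inline pool, which would otherwise be overwritten below.
//
// On success clientauth.ca holds the provisioned pool. If no CA source is
// configured at all, clientauth.ca is left untouched and nil is returned.
func (clientauth *ClientAuthentication) provision(ctx caddy.Context) error {
	// Refuse ambiguous trust configuration: the operator must pick one source.
	if len(clientauth.CARaw) > 0 && (len(clientauth.TrustedCACerts) > 0 || len(clientauth.TrustedCACertPEMFiles) > 0) {
		return fmt.Errorf("conflicting config for client authentication trust CA")
	}

	// Fold any PEM files into the inline DER list so that a single code path
	// below builds the pool. Ranging over an empty slice is a no-op.
	for _, fpath := range clientauth.TrustedCACertPEMFiles {
		ders, err := convertPEMFilesToDER(fpath)
		if err != nil {
			return err
		}
		clientauth.TrustedCACerts = append(clientauth.TrustedCACerts, ders...)
	}

	// Inline certificates (explicit, or loaded from PEM files above) become
	// an InlineCAPool.
	if len(clientauth.TrustedCACerts) > 0 {
		caPool := InlineCAPool{TrustedCACerts: clientauth.TrustedCACerts}
		if err := caPool.Provision(ctx); err != nil {
			return err
		}
		clientauth.ca = caPool
	}

	// Without a CA module there is nothing more to load.
	if clientauth.CARaw == nil {
		return nil
	}

	caRaw, err := ctx.LoadModule(clientauth, "CARaw")
	if err != nil {
		return err
	}
	ca, ok := caRaw.(CA)
	if !ok {
		// Report the module that was actually loaded. The original message
		// formatted `ca`, which is the zero-value interface on a failed
		// assertion and therefore rendered as "%!s(<nil>)" — useless for
		// diagnosing a misconfigured trust store.
		return fmt.Errorf("'ca' module '%T' is not a certificate pool provider", caRaw)
	}
	clientauth.ca = ca

	return nil
}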
| 822 | |
| 823 | // Active returns true if clientauth has an actionable configuration. |
| 824 | func (clientauth ClientAuthentication) Active() bool { |