httpcaddyfile: Add client certificate config to tls

caddyconfig/httpcaddyfile/builtins.go

@@ -59,6 +59,11 @@ func parseBind(h Helper) ([]ConfigValue, error) {
 //         protocols <min> [<max>]
 //         ciphers   <cipher_suites...>
 //         curves    <curves...>
+//         clients	 {
+//                     mode	              [request|require|verify_if_given|require_and_verify]
+//                     trusted_ca_certs   <trusted_ca_certs...>
+//                     trusted_leaf_certs <trusted_leaf_certs...>
+//					 }
 //         alpn      <values...>
 //         load      <paths...>
 //         ca        <acme_ca_endpoint>
@@ -181,6 +186,36 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 					cp.Curves = append(cp.Curves, h.Val())
 				}
 
+			case "clients":
+				ch := h.NewFromNextSegment() // new helper for client auth config
+				cp.ClientAuthentication = &caddytls.ClientAuthentication{}
+				for ch.Next() {
+					for ch.NextBlock(0) {
+						switch ch.Val() {
+						case "mode":
+							for ch.NextArg() {
+								cp.ClientAuthentication.Mode = ch.Val()
+							}
+						case "trusted_ca_certs":
+							for ch.NextArg() {
+								if _, err := caddytls.DecodeBase64DERCert(ch.Val()); err != nil {
+									return nil, h.Errf("cannot decode trusted CA certificate '%s'", ch.Val())
+								}
+								cp.ClientAuthentication.TrustedCACerts = append(cp.ClientAuthentication.TrustedCACerts, ch.Val())
+							}
+						case "trusted_leaf_certs":
+							for ch.NextArg() {
+								if _, err := caddytls.DecodeBase64DERCert(ch.Val()); err != nil {
+									return nil, h.Errf("cannot decode trusted leaf certificate '%s'", ch.Val())
+								}
+								cp.ClientAuthentication.TrustedLeafCerts = append(cp.ClientAuthentication.TrustedLeafCerts, ch.Val())
+							}
+						default:
+							return nil, h.Errf("Unknown param for Client Certificate Check: '%s'", ch.Val())
+						}
+					}
+				}
+
 			case "alpn":
 				args := h.RemainingArgs()
 				if len(args) == 0 {

modules/caddytls/connpolicy.go

@@ -336,7 +336,7 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro
 	if len(clientauth.TrustedCACerts) > 0 {
 		caPool := x509.NewCertPool()
 		for _, clientCAString := range clientauth.TrustedCACerts {
-			clientCA, err := decodeBase64DERCert(clientCAString)
+			clientCA, err := DecodeBase64DERCert(clientCAString)
 			if err != nil {
 				return fmt.Errorf("parsing certificate: %v", err)
 			}
@@ -350,7 +350,7 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro
 		clientauth.trustedLeafCerts = []*x509.Certificate{}
 
 		for _, clientCertString := range clientauth.TrustedLeafCerts {
-			clientCert, err := decodeBase64DERCert(clientCertString)
+			clientCert, err := DecodeBase64DERCert(clientCertString)
 			if err != nil {
 				return fmt.Errorf("parsing certificate: %v", err)
 			}
@@ -397,7 +397,7 @@ func (clientauth ClientAuthentication) verifyPeerCertificate(rawCerts [][]byte,
 }
 
 // decodeBase64DERCert base64-decodes, then DER-decodes, certStr.
-func decodeBase64DERCert(certStr string) (*x509.Certificate, error) {
+func DecodeBase64DERCert(certStr string) (*x509.Certificate, error) {
 	// decode base64
 	derBytes, err := base64.StdEncoding.DecodeString(certStr)
 	if err != nil {