authorize: implement client certificate CRL check (#4439)

Update isValidClientCertificate() to also consult the configured
certificate revocation lists. Update existing test cases and add a new
unit test to exercise the revocation support. Restore the skipped
integration test case.

Generate new test certificates and CRLs using a new `go run`-able source
file.
This commit is contained in:
Kenneth Jenkins 2023-08-03 15:59:11 -07:00 committed by GitHub
parent e91600c158
commit 9d4d31cb4f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 352 additions and 92 deletions


@ -966,6 +966,18 @@ func (o *Options) GetClientCA() ([]byte, error) {
return nil, nil
}
// GetClientCRL returns the client certificate revocation list bundle. If
// neither client_crl nor client_crl_file is specified nil will be returned.
func (o *Options) GetClientCRL() ([]byte, error) {
if o.ClientCRL != "" {
return base64.StdEncoding.DecodeString(o.ClientCRL)
}
if o.ClientCRLFile != "" {
return os.ReadFile(o.ClientCRLFile)
}
return nil, nil
}
// GetDataBrokerCertificate gets the optional databroker certificate. This method will return nil if no certificate is
// specified.
func (o *Options) GetDataBrokerCertificate() (*tls.Certificate, error) {
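Review bot: The doc comment on GetClientCRL leaves the precedence between `client_crl` and `client_crl_file` unstated, while the body makes the inline value win silently whenever both are set; suggest extending the comment with `// If both are set, client_crl takes precedence and client_crl_file is ignored.` The `os.ReadFile` error on the file branch is returned bare, so a misconfigured path surfaces without naming the file; `return nil, fmt.Errorf("reading client CRL file %q: %w", o.ClientCRLFile, err)` would help, assuming fmt is already imported in this file. Because a nil result means no revocation checking at all, it is worth confirming that isValidClientCertificate treats a decode or read error here as a hard failure rather than falling back to the nil (no-CRL) path; that caller is outside this hunk.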