Commit eea3f4e
authored
Add support for custom client certificate verification (#34)
Motivation:
`NIOSSLServerHandler` allows a custom verification callback to be used
for client certificate verification. This callback returns the peer's
validated chain of trust, which `NIOSSL` then surfaces in the channel
handler. Having control over certificate verification and accessing the
peer's validated certificate chain can be useful for mTLS
implementations.
`NIOHTTPServer` currently does not support propagating a custom
verification callback to `NIOSSLServerHandler`. This change adds support
for that and also surfaces the peer's validated certificate chain which
becomes available as a result.
Modifications:
- Updated the server configuration to also include a
`customCertificateVerificationCallback` argument for the `mTLS` and
`reloadingMTLS` cases of `TransportSecurity`.
- **Note**: There are certain caveats here which I'd like to hear
opinions about. We now expose `NIOSSL` types in the server configuration
type (the arguments and return type of the callback). I'm also not sure
whether custom client certificate verification is a requirement we want
to impose for other server implementations, so for now, I have made the
configuration type `NIOHTTPServer` specific and renamed
`HTTPServerConfiguration` to `NIOHTTPServerConfiguration`.
- Updated the `serveSecureUpgrade` method in `NIOHTTPServer` to:
- Propagate the custom verification callback into the underlying
`NIOSSLServerHandler`;
- Extract the peer certificate chain `EventLoopFuture` per connection,
and;
- Expose that future in a new type in `NIOHTTPServer` named
`ConnectionContext`.
- `ConnectionContext` is accessible from a task-local property. Users
can await the result of the promise from their route handlers by calling
`NIOHTTPServer. connectionContext.peerCertificateChain()`.
- The name of this type, its properties, the task-local approach, etc.
are all very much open for discussion.
- Added end-to-end tests for this functionality for both HTTP/1.1 and
HTTP2.
- Other changes:
- Added `NIOSSL+X509` containing some convenience conversions between
`NIOSSL` and `X509` types.
- Added documentation to the `TransportSecurity` methods.
Result:
Users can now specify a custom verification callback and access the
peer's validated certificate chain from the request handler.1 parent d56f742 commit eea3f4e
File tree
12 files changed
+939
-319
lines changed- Sources/HTTPServer
- Tests/HTTPServerTests
- Utilities
12 files changed
+939
-319
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
24 | 24 | | |
25 | 25 | | |
26 | 26 | | |
27 | | - | |
| 27 | + | |
28 | 28 | | |
29 | 29 | | |
30 | | - | |
| 30 | + | |
31 | 31 | | |
32 | 32 | | |
33 | 33 | | |
| |||
This file was deleted.
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
0 commit comments