authorOmar Polo <op@omarpolo.com>2021-02-09 22:30:04 +0000
committerOmar Polo <op@omarpolo.com>2021-02-09 22:30:04 +0000
commit02be96c6ddfc34e448cccd095b4f3d0efe4de8a3 (patch)
treebce70baf27334eaf46abfbb1101979db6fa9ba66 /parse.y
parent2ff026b09b810efd8c52e13f0a4988c588c8ee09 (diff)
add `require client ca' rule to require certs signed by a CA
Diffstat (limited to 'parse.y')
-rw-r--r--parse.y11
1 files changed, 10 insertions, 1 deletions
diff --git a/parse.y b/parse.y
index ab7a3e8..64c7879 100644
--- a/parse.y
+++ b/parse.y
@@ -58,7 +58,7 @@ int check_prefork_num(int);
%token TIPV6 TPORT TPROTOCOLS TMIME TDEFAULT TTYPE
%token TCHROOT TUSER TSERVER TPREFORK
%token TLOCATION TCERT TKEY TROOT TCGI TLANG TINDEX TAUTO
-%token TSTRIP TBLOCK TRETURN TENTRYPOINT
+%token TSTRIP TBLOCK TRETURN TENTRYPOINT TREQUIRE TCLIENT TCA
%token TERR
%token <str> TSTRING
@@ -190,6 +190,15 @@ locopt : TDEFAULT TTYPE TSTRING {
loc->block_code = 40;
}
| TSTRIP TNUM { loc->strip = check_strip_no($2); }
+ | TREQUIRE TCLIENT TCA TSTRING {
+ if (loc->reqca != NULL)
+ yyerror("`require client ca' specified more than once");
+ if (*$4 != '/')
+ yyerror("path to certificate must be absolute: %s", $4);
+ if ((loc->reqca = load_ca($4)) == NULL)
+ yyerror("couldn't load ca cert: %s", $4);
+ free($4);
+ }
;
%%
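Review bot: The three checks in the new `require client ca` action are independent `if`s, so whether a failed check stops the later ones depends on yyerror(), whose definition is not visible in this hunk. If yyerror() records the error and returns, a second `require client ca` in the same location still reaches load_ca() and overwrites `loc->reqca` without releasing the earlier value, and a relative path is still handed to load_ca(). Chaining the checks keeps the action fail-closed either way: `else if (*$4 != '/')` and `else if ((loc->reqca = load_ca($4)) == NULL)`. Since this rule gates client authentication, a short comment stating that any error here must make the whole configuration be rejected would also help; the locopt rule itself starts above the hunk.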