Store the whole verified certificate chain

2018-01-10 16:11:36 -08:00 · 2018-01-10 16:11:36 -08:00 · 8058ab039f
parent 13bbf3fbbb
commit 8058ab039f
1 changed files with 6 additions and 13 deletions
--- a/nomad/rpc.go
+++ b/nomad/rpc.go
@ -3,6 +3,7 @@ package nomad
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"io"
 	"math/rand"
@ -66,11 +67,9 @@ type RPCContext struct {
 	// TLS marks whether the RPC is over a TLS based connection
 	TLS bool

-	// TLSRole is the certificate role making the TLS connection.
-	TLSRole string
-
-	// TLSRegion is the region on the certificate making the TLS connection
-	TLSRegion string
+	// VerifiedChains is is the Verified certificates presented by the incoming
+	// connection.
+	VerifiedChains [][]*x509.Certificate

 	// NodeID marks the NodeID that initiated the connection.
 	NodeID string
@ -188,15 +187,9 @@ func (s *Server) handleConn(ctx context.Context, conn net.Conn, rpcCtx *RPCConte
 		// using TLS
 		rpcCtx.TLS = true

-		// Parse the region and role from the TLS certificate
+		// Store the verified chains so they can be inspected later.
 		state := tlsConn.ConnectionState()
-		parts := strings.SplitN(state.ServerName, ".", 3)
-		if len(parts) != 3 || (parts[0] != "server" && parts[0] != "client") || parts[2] != "nomad" {
-			s.logger.Printf("[WARN] nomad.rpc: invalid server name %q on verified TLS connection", state.ServerName)
-		} else {
-			rpcCtx.TLSRole = parts[0]
-			rpcCtx.TLSRegion = parts[1]
-		}
+		rpcCtx.VerifiedChains = state.VerifiedChains

 		s.handleConn(ctx, conn, rpcCtx)