selectCert uses hello to select a certificate from the cache for name. If cfg.CertSelection is set, it will be used to make the decision. Otherwise, the first matching unexpired cert is returned. As a special case, if no certificates match name and cfg.CertSelection is set, then all certificates in
(hello *tls.ClientHelloInfo, name string)
| 184 | // then all certificates in the cache will be passed in |
| 185 | // for the cfg.CertSelection to make the final decision. |
func (cfg *Config) selectCert(hello *tls.ClientHelloInfo, name string) (Certificate, bool) {
	logger := cfg.Logger.Named("handshake")

	// Start from the certificates the cache considers a match for name.
	candidates := cfg.certCache.getAllMatchingCerts(name)

	if len(candidates) == 0 {
		// Without a custom selector there is nothing sensible to offer.
		if cfg.CertSelection == nil {
			logger.Debug("no matching certificates and no custom selection logic", zap.String("identifier", name))
			return Certificate{}, false
		}
		// A custom selector gets the entire cache when nothing matched, so it
		// alone decides whether an unrelated certificate may be served for name.
		logger.Debug("no matching certificate; will choose from all certificates", zap.String("identifier", name))
		candidates = cfg.certCache.getAllCerts()
	}

	logger.Debug("choosing certificate",
		zap.String("identifier", name),
		zap.Int("num_choices", len(candidates)))

	// Pick the selection strategy; both paths log the same result fields,
	// differing only in the event name.
	var (
		chosen  Certificate
		selErr  error
		outcome string
	)
	if cfg.CertSelection != nil {
		outcome = "custom certificate selection results"
		chosen, selErr = cfg.CertSelection.SelectCertificate(hello, candidates)
	} else {
		outcome = "default certificate selection results"
		chosen, selErr = DefaultCertificateSelector(hello, candidates)
	}

	// On a selection error chosen is whatever the selector returned (typically
	// the zero value), so these fields may all be empty.
	logger.Debug(outcome,
		zap.Error(selErr),
		zap.String("identifier", name),
		zap.Strings("subjects", chosen.Names),
		zap.Bool("managed", chosen.managed),
		zap.String("issuer_key", chosen.issuerKey),
		zap.String("hash", chosen.hash))

	// Success is signalled solely by the absence of a selection error.
	return chosen, selErr == nil
}
| 227 | |
| 228 | // DefaultCertificateSelector is the default certificate selection logic |
| 229 | // given a choice of certificates. If there is at least one certificate in |