tls: modularize trusted CA providers (#5784)

* tls: modularize client authentication trusted CA

* add `omitempty` to `CARaw`

* docs

* initial caddyfile support

* revert anything related to leaf cert validation

The certs are used differently than the CA pool flow

* complete caddyfile unmarshalling implementation

* Caddyfile syntax documentation

* enhance caddyfile parsing and documentation

Apply suggestions from code review

Co-authored-by: Francis Lavoie <lavofr@gmail.com>

* add client_auth caddyfile tests

* add caddyfile unmarshalling tests

* fix and add missed adapt tests

* fix rebase issue

---------

Co-authored-by: Francis Lavoie <lavofr@gmail.com>

caddyconfig/httpcaddyfile/builtins.go

@@ -15,12 +15,9 @@
 package httpcaddyfile
 
 import (
-	"encoding/base64"
-	"encoding/pem"
 	"fmt"
 	"html"
 	"net/http"
-	"os"
 	"reflect"
 	"strconv"
 	"strings"
@@ -215,83 +212,9 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 
 		case "client_auth":
 			cp.ClientAuthentication = &caddytls.ClientAuthentication{}
-			for nesting := h.Nesting(); h.NextBlock(nesting); {
+			if err := cp.ClientAuthentication.UnmarshalCaddyfile(h.NewFromNextSegment()); err != nil {
-				subdir := h.Val()
+				return nil, err
-				switch subdir {
-				case "verifier":
-					if !h.NextArg() {
-						return nil, h.ArgErr()
-					}
-
-					vType := h.Val()
-					modID := "tls.client_auth." + vType
-					unm, err := caddyfile.UnmarshalModule(h.Dispenser, modID)
-					if err != nil {
-						return nil, err
-					}
-
-					_, ok := unm.(caddytls.ClientCertificateVerifier)
-					if !ok {
-						return nil, h.Dispenser.Errf("module %s is not a caddytls.ClientCertificatVerifier", modID)
-					}
-
-					cp.ClientAuthentication.VerifiersRaw = append(cp.ClientAuthentication.VerifiersRaw, caddyconfig.JSONModuleObject(unm, "verifier", vType, h.warnings))
-				case "mode":
-					if !h.Args(&cp.ClientAuthentication.Mode) {
-						return nil, h.ArgErr()
-					}
-					if h.NextArg() {
-						return nil, h.ArgErr()
-					}
-
-				case "trusted_ca_cert",
-					"trusted_leaf_cert":
-					if !h.NextArg() {
-						return nil, h.ArgErr()
-					}
-					if subdir == "trusted_ca_cert" {
-						cp.ClientAuthentication.TrustedCACerts = append(cp.ClientAuthentication.TrustedCACerts, h.Val())
-					} else {
-						cp.ClientAuthentication.TrustedLeafCerts = append(cp.ClientAuthentication.TrustedLeafCerts, h.Val())
-					}
-
-				case "trusted_ca_cert_file",
-					"trusted_leaf_cert_file":
-					if !h.NextArg() {
-						return nil, h.ArgErr()
-					}
-					filename := h.Val()
-					certDataPEM, err := os.ReadFile(filename)
-					if err != nil {
-						return nil, err
-					}
-					// while block is not nil, we have more certificates in the file
-					for block, rest := pem.Decode(certDataPEM); block != nil; block, rest = pem.Decode(rest) {
-						if block.Type != "CERTIFICATE" {
-							return nil, h.Errf("no CERTIFICATE pem block found in %s", filename)
-						}
-						if subdir == "trusted_ca_cert_file" {
-							cp.ClientAuthentication.TrustedCACerts = append(
-								cp.ClientAuthentication.TrustedCACerts,
-								base64.StdEncoding.EncodeToString(block.Bytes),
-							)
-						} else {
-							cp.ClientAuthentication.TrustedLeafCerts = append(
-								cp.ClientAuthentication.TrustedLeafCerts,
-								base64.StdEncoding.EncodeToString(block.Bytes),
-							)
-						}
-					}
-					// if we decoded nothing, return an error
-					if len(cp.ClientAuthentication.TrustedCACerts) == 0 && len(cp.ClientAuthentication.TrustedLeafCerts) == 0 {
-						return nil, h.Errf("no CERTIFICATE pem block found in %s", filename)
-					}
-
-				default:
-					return nil, h.Errf("unknown subdirective for client_auth: %s", subdir)
-				}
 			}
-
 		case "alpn":
 			args := h.RemainingArgs()
 			if len(args) == 0 {

caddytest/integration/caddyfile_adapt/tls_client_auth_cert_file-legacy.txt

@@ -0,0 +1,69 @@
+localhost
+
+respond "hello from localhost"
+tls {
+	client_auth {
+		mode request
+		trusted_ca_cert_file ../caddy.ca.cer
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"body": "hello from localhost",
+													"handler": "static_response"
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					],
+					"tls_connection_policies": [
+						{
+							"match": {
+								"sni": [
+									"localhost"
+								]
+							},
+							"client_authentication": {
+								"ca": {
+									"provider": "inline",
+									"trusted_ca_certs": [
+										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
+									]
+								},
+								"mode": "request"
+							}
+						},
+						{}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/tls_client_auth_cert_file.txt

@@ -4,7 +4,9 @@ respond "hello from localhost"
 tls {
 	client_auth {
 		mode request
-		trusted_ca_cert_file ../caddy.ca.cer
+		trust_pool file {
+			pem_file ../caddy.ca.cer
+		}
 	}
 }
 ----------
@@ -51,9 +53,12 @@ tls {
 								]
 							},
 							"client_authentication": {
-								"trusted_ca_certs": [
+								"ca": {
-									"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
+									"pem_files": [
-								],
+										"../caddy.ca.cer"
+									],
+									"provider": "file"
+								},
 								"mode": "request"
 							}
 						},

caddytest/integration/caddyfile_adapt/tls_client_auth_inline_cert-legacy.txt

@@ -0,0 +1,69 @@
+localhost
+
+respond "hello from localhost"
+tls {
+	client_auth {
+		mode request
+		trusted_ca_cert MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"body": "hello from localhost",
+													"handler": "static_response"
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					],
+					"tls_connection_policies": [
+						{
+							"match": {
+								"sni": [
+									"localhost"
+								]
+							},
+							"client_authentication": {
+								"ca": {
+									"provider": "inline",
+									"trusted_ca_certs": [
+										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
+									]
+								},
+								"mode": "request"
+							}
+						},
+						{}
+					]
+				}
+			}
+		}
+	}
+}

caddytest/integration/caddyfile_adapt/tls_client_auth_inline_cert.txt

@@ -4,7 +4,9 @@ respond "hello from localhost"
 tls {
 	client_auth {
 		mode request
-		trusted_ca_cert MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
+		trust_pool inline {
+			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
+		}
 	}
 }
 ----------
@@ -51,9 +53,12 @@ tls {
 								]
 							},
 							"client_authentication": {
-								"trusted_ca_certs": [
+								"ca": {
-									"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
+									"provider": "inline",
-								],
+									"trusted_ca_certs": [
+										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
+									]
+								},
 								"mode": "request"
 							}
 						},

caddytest/integration/caddyfile_adapt/tls_client_auth_inline_cert_with_leaf_trust.txt

@@ -0,0 +1,75 @@
+localhost
+
+respond "hello from localhost"
+tls {
+	client_auth {
+		mode request
+		trust_pool inline {
+			trust_der MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
+		}
+		trusted_leaf_cert_file ../caddy.ca.cer
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"handle": [
+								{
+									"handler": "subroute",
+									"routes": [
+										{
+											"handle": [
+												{
+													"body": "hello from localhost",
+													"handler": "static_response"
+												}
+											]
+										}
+									]
+								}
+							],
+							"terminal": true
+						}
+					],
+					"tls_connection_policies": [
+						{
+							"match": {
+								"sni": [
+									"localhost"
+								]
+							},
+							"client_authentication": {
+								"ca": {
+									"provider": "inline",
+									"trusted_ca_certs": [
+										"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
+									]
+								},
+								"trusted_leaf_certs": [
+									"MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ=="
+								],
+								"mode": "request"
+							}
+						},
+						{}
+					]
+				}
+			}
+		}
+	}
+}

modules/caddytls/capools.go

@@ -0,0 +1,820 @@
+package caddytls
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"os"
+	"reflect"
+
+	"github.com/caddyserver/certmagic"
+
+	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/caddy/v2/caddyconfig"
+	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
+	"github.com/caddyserver/caddy/v2/modules/caddypki"
+)
+
+func init() {
+	caddy.RegisterModule(InlineCAPool{})
+	caddy.RegisterModule(FileCAPool{})
+	caddy.RegisterModule(PKIRootCAPool{})
+	caddy.RegisterModule(PKIIntermediateCAPool{})
+	caddy.RegisterModule(StoragePool{})
+	caddy.RegisterModule(HTTPCertPool{})
+	caddy.RegisterModule(LazyCertPool{})
+}
+
+// The interface to be implemented by all guest modules part of
+// the namespace 'tls.ca_pool.source.'
+type CA interface {
+	CertPool() *x509.CertPool
+}
+
+// InlineCAPool is a certificate authority pool provider coming from
+// a DER-encoded certificates in the config
+type InlineCAPool struct {
+	// A list of base64 DER-encoded CA certificates
+	// against which to validate client certificates.
+	// Client certs which are not signed by any of
+	// these CAs will be rejected.
+	TrustedCACerts []string `json:"trusted_ca_certs,omitempty"`
+
+	pool *x509.CertPool
+}
+
+// CaddyModule implements caddy.Module.
+func (icp InlineCAPool) CaddyModule() caddy.ModuleInfo {
+	return caddy.ModuleInfo{
+		ID: "tls.ca_pool.source.inline",
+		New: func() caddy.Module {
+			return new(InlineCAPool)
+		},
+	}
+}
+
+// Provision implements caddy.Provisioner.
+func (icp *InlineCAPool) Provision(ctx caddy.Context) error {
+	caPool := x509.NewCertPool()
+	for i, clientCAString := range icp.TrustedCACerts {
+		clientCA, err := decodeBase64DERCert(clientCAString)
+		if err != nil {
+			return fmt.Errorf("parsing certificate at index %d: %v", i, err)
+		}
+		caPool.AddCert(clientCA)
+	}
+	icp.pool = caPool
+
+	return nil
+}
+
+// Syntax:
+//
+//	trust_pool inline {
+//		trust_der <base64_der_cert>...
+//	}
+//
+// The 'trust_der' directive can be specified multiple times.
+func (icp *InlineCAPool) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
+	d.Next() // consume module name
+	if d.CountRemainingArgs() > 0 {
+		return d.ArgErr()
+	}
+	for d.NextBlock(0) {
+		switch d.Val() {
+		case "trust_der":
+			icp.TrustedCACerts = append(icp.TrustedCACerts, d.RemainingArgs()...)
+		default:
+			return d.Errf("unrecognized directive: %s", d.Val())
+		}
+	}
+	if len(icp.TrustedCACerts) == 0 {
+		return d.Err("no certificates specified")
+	}
+	return nil
+}
+
+// CertPool implements CA.
+func (icp InlineCAPool) CertPool() *x509.CertPool {
+	return icp.pool
+}
+
+// FileCAPool generates trusted root certificates pool from the designated DER and PEM file
+type FileCAPool struct {
+	// TrustedCACertPEMFiles is a list of PEM file names
+	// from which to load certificates of trusted CAs.
+	// Client certificates which are not signed by any of
+	// these CA certificates will be rejected.
+	TrustedCACertPEMFiles []string `json:"pem_files,omitempty"`
+
+	pool *x509.CertPool
+}
+
+// CaddyModule implements caddy.Module.
+func (FileCAPool) CaddyModule() caddy.ModuleInfo {
+	return caddy.ModuleInfo{
+		ID: "tls.ca_pool.source.file",
+		New: func() caddy.Module {
+			return new(FileCAPool)
+		},
+	}
+}
+
+// Loads and decodes the DER and pem files to generate the certificate pool
+func (f *FileCAPool) Provision(ctx caddy.Context) error {
+	caPool := x509.NewCertPool()
+	for _, pemFile := range f.TrustedCACertPEMFiles {
+		pemContents, err := os.ReadFile(pemFile)
+		if err != nil {
+			return fmt.Errorf("reading %s: %v", pemFile, err)
+		}
+		caPool.AppendCertsFromPEM(pemContents)
+	}
+	f.pool = caPool
+	return nil
+}
+
+// Syntax:
+//
+//	trust_pool file [<pem_file>...] {
+//		pem_file <pem_file>...
+//	}
+//
+// The 'pem_file' directive can be specified multiple times.
+func (fcap *FileCAPool) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
+	d.Next() // consume module name
+	fcap.TrustedCACertPEMFiles = append(fcap.TrustedCACertPEMFiles, d.RemainingArgs()...)
+	for d.NextBlock(0) {
+		switch d.Val() {
+		case "pem_file":
+			fcap.TrustedCACertPEMFiles = append(fcap.TrustedCACertPEMFiles, d.RemainingArgs()...)
+		default:
+			return d.Errf("unrecognized directive: %s", d.Val())
+		}
+	}
+	if len(fcap.TrustedCACertPEMFiles) == 0 {
+		return d.Err("no certificates specified")
+	}
+	return nil
+}
+
+func (f FileCAPool) CertPool() *x509.CertPool {
+	return f.pool
+}
+
+// PKIRootCAPool extracts the trusted root certificates from Caddy's native 'pki' app
+type PKIRootCAPool struct {
+	// List of the Authority names that are configured in the `pki` app whose root certificates are trusted
+	Authority []string `json:"authority,omitempty"`
+
+	ca   []*caddypki.CA
+	pool *x509.CertPool
+}
+
+// CaddyModule implements caddy.Module.
+func (PKIRootCAPool) CaddyModule() caddy.ModuleInfo {
+	return caddy.ModuleInfo{
+		ID: "tls.ca_pool.source.pki_root",
+		New: func() caddy.Module {
+			return new(PKIRootCAPool)
+		},
+	}
+}
+
+// Loads the PKI app and load the root certificates into the certificate pool
+func (p *PKIRootCAPool) Provision(ctx caddy.Context) error {
+	pkiApp := ctx.AppIfConfigured("pki")
+	if pkiApp == nil {
+		return fmt.Errorf("PKI app not configured")
+	}
+	pki := pkiApp.(*caddypki.PKI)
+	for _, caID := range p.Authority {
+		c, err := pki.GetCA(ctx, caID)
+		if err != nil || c == nil {
+			return fmt.Errorf("getting CA %s: %v", caID, err)
+		}
+		p.ca = append(p.ca, c)
+	}
+
+	caPool := x509.NewCertPool()
+	for _, ca := range p.ca {
+		caPool.AddCert(ca.RootCertificate())
+	}
+	p.pool = caPool
+
+	return nil
+}
+
+// Syntax:
+//
+//	trust_pool pki_root [<ca_name>...] {
+//		authority <ca_name>...
+//	}
+//
+// The 'authority' directive can be specified multiple times.
+func (pkir *PKIRootCAPool) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
+	d.Next() // consume module name
+	pkir.Authority = append(pkir.Authority, d.RemainingArgs()...)
+	for nesting := d.Nesting(); d.NextBlock(nesting); {
+		switch d.Val() {
+		case "authority":
+			pkir.Authority = append(pkir.Authority, d.RemainingArgs()...)
+		default:
+			return d.Errf("unrecognized directive: %s", d.Val())
+		}
+	}
+	if len(pkir.Authority) == 0 {
+		return d.Err("no authorities specified")
+	}
+	return nil
+}
+
+// return the certificate pool generated with root certificates from the PKI app
+func (p PKIRootCAPool) CertPool() *x509.CertPool {
+	return p.pool
+}
+
+// PKIIntermediateCAPool extracts the trusted intermediate certificates from Caddy's native 'pki' app
+type PKIIntermediateCAPool struct {
+	// List of the Authority names that are configured in the `pki` app whose intermediate certificates are trusted
+	Authority []string `json:"authority,omitempty"`
+
+	ca   []*caddypki.CA
+	pool *x509.CertPool
+}
+
+// CaddyModule implements caddy.Module.
+func (PKIIntermediateCAPool) CaddyModule() caddy.ModuleInfo {
+	return caddy.ModuleInfo{
+		ID: "tls.ca_pool.source.pki_intermediate",
+		New: func() caddy.Module {
+			return new(PKIIntermediateCAPool)
+		},
+	}
+}
+
+// Loads the PKI app and load the intermediate certificates into the certificate pool
+func (p *PKIIntermediateCAPool) Provision(ctx caddy.Context) error {
+	pkiApp := ctx.AppIfConfigured("pki")
+	if pkiApp == nil {
+		return fmt.Errorf("PKI app not configured")
+	}
+	pki := pkiApp.(*caddypki.PKI)
+	for _, caID := range p.Authority {
+		c, err := pki.GetCA(ctx, caID)
+		if err != nil || c == nil {
+			return fmt.Errorf("getting CA %s: %v", caID, err)
+		}
+		p.ca = append(p.ca, c)
+	}
+
+	caPool := x509.NewCertPool()
+	for _, ca := range p.ca {
+		caPool.AddCert(ca.IntermediateCertificate())
+	}
+	p.pool = caPool
+	return nil
+}
+
+// Syntax:
+//
+//	trust_pool pki_intermediate [<ca_name>...] {
+//		authority <ca_name>...
+//	}
+//
+// The 'authority' directive can be specified multiple times.
+func (pic *PKIIntermediateCAPool) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
+	d.Next() // consume module name
+	pic.Authority = append(pic.Authority, d.RemainingArgs()...)
+	for nesting := d.Nesting(); d.NextBlock(nesting); {
+		switch d.Val() {
+		case "authority":
+			pic.Authority = append(pic.Authority, d.RemainingArgs()...)
+		default:
+			return d.Errf("unrecognized directive: %s", d.Val())
+		}
+	}
+	if len(pic.Authority) == 0 {
+		return d.Err("no authorities specified")
+	}
+	return nil
+}
+
+// return the certificate pool generated with intermediate certificates from the PKI app
+func (p PKIIntermediateCAPool) CertPool() *x509.CertPool {
+	return p.pool
+}
+
+// StoragePool extracts the trusted certificates root from Caddy storage
+type StoragePool struct {
+	// The storage module where the trusted root certificates are stored. Absent
+	// explicit storage implies the use of Caddy default storage.
+	StorageRaw json.RawMessage `json:"storage,omitempty" caddy:"namespace=caddy.storage inline_key=module"`
+
+	// The storage key/index to the location of the certificates
+	PEMKeys []string `json:"pem_keys,omitempty"`
+
+	storage certmagic.Storage
+	pool    *x509.CertPool
+}
+
+// CaddyModule implements caddy.Module.
+func (StoragePool) CaddyModule() caddy.ModuleInfo {
+	return caddy.ModuleInfo{
+		ID: "tls.ca_pool.source.storage",
+		New: func() caddy.Module {
+			return new(StoragePool)
+		},
+	}
+}
+
+// Provision implements caddy.Provisioner.
+func (ca *StoragePool) Provision(ctx caddy.Context) error {
+	if ca.StorageRaw != nil {
+		val, err := ctx.LoadModule(ca, "StorageRaw")
+		if err != nil {
+			return fmt.Errorf("loading storage module: %v", err)
+		}
+		cmStorage, err := val.(caddy.StorageConverter).CertMagicStorage()
+		if err != nil {
+			return fmt.Errorf("creating storage configuration: %v", err)
+		}
+		ca.storage = cmStorage
+	}
+	if ca.storage == nil {
+		ca.storage = ctx.Storage()
+	}
+	if len(ca.PEMKeys) == 0 {
+		return fmt.Errorf("no PEM keys specified")
+	}
+	caPool := x509.NewCertPool()
+	for _, caID := range ca.PEMKeys {
+		bs, err := ca.storage.Load(ctx, caID)
+		if err != nil {
+			return fmt.Errorf("error loading cert '%s' from storage: %s", caID, err)
+		}
+		if !caPool.AppendCertsFromPEM(bs) {
+			return fmt.Errorf("failed to add certificate '%s' to pool", caID)
+		}
+	}
+	ca.pool = caPool
+
+	return nil
+}
+
+// Syntax:
+//
+//	trust_pool storage [<storage_keys>...] {
+//		storage <storage_module>
+//		keys	<storage_keys>...
+//	}
+//
+// The 'keys' directive can be specified multiple times.
+// The'storage' directive is optional and defaults to the default storage module.
+func (sp *StoragePool) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
+	d.Next() // consume module name
+	sp.PEMKeys = append(sp.PEMKeys, d.RemainingArgs()...)
+	for nesting := d.Nesting(); d.NextBlock(nesting); {
+		switch d.Val() {
+		case "storage":
+			if sp.StorageRaw != nil {
+				return d.Err("storage module already set")
+			}
+			if !d.NextArg() {
+				return d.ArgErr()
+			}
+			modStem := d.Val()
+			modID := "caddy.storage." + modStem
+			unm, err := caddyfile.UnmarshalModule(d, modID)
+			if err != nil {
+				return err
+			}
+			storage, ok := unm.(caddy.StorageConverter)
+			if !ok {
+				return d.Errf("module %s is not a caddy.StorageConverter", modID)
+			}
+			sp.StorageRaw = caddyconfig.JSONModuleObject(storage, "module", modStem, nil)
+		case "keys":
+			sp.PEMKeys = append(sp.PEMKeys, d.RemainingArgs()...)
+		default:
+			return d.Errf("unrecognized directive: %s", d.Val())
+		}
+	}
+	return nil
+}
+
+func (p StoragePool) CertPool() *x509.CertPool {
+	return p.pool
+}
+
+// TLSConfig holds configuration related to the TLS configuration for the
+// transport/client.
+// copied from with minor modifications: modules/caddyhttp/reverseproxy/httptransport.go
+type TLSConfig struct {
+	// Provides the guest module that provides the trusted certificate authority (CA) certificates
+	CARaw json.RawMessage `json:"ca,omitempty" caddy:"namespace=tls.ca_pool.source inline_key=provider"`
+
+	// If true, TLS verification of server certificates will be disabled.
+	// This is insecure and may be removed in the future. Do not use this
+	// option except in testing or local development environments.
+	InsecureSkipVerify bool `json:"insecure_skip_verify,omitempty"`
+
+	// The duration to allow a TLS handshake to a server. Default: No timeout.
+	HandshakeTimeout caddy.Duration `json:"handshake_timeout,omitempty"`
+
+	// The server name used when verifying the certificate received in the TLS
+	// handshake. By default, this will use the upstream address' host part.
+	// You only need to override this if your upstream address does not match the
+	// certificate the upstream is likely to use. For example if the upstream
+	// address is an IP address, then you would need to configure this to the
+	// hostname being served by the upstream server. Currently, this does not
+	// support placeholders because the TLS config is not provisioned on each
+	// connection, so a static value must be used.
+	ServerName string `json:"server_name,omitempty"`
+
+	// TLS renegotiation level. TLS renegotiation is the act of performing
+	// subsequent handshakes on a connection after the first.
+	// The level can be:
+	//  - "never": (the default) disables renegotiation.
+	//  - "once": allows a remote server to request renegotiation once per connection.
+	//  - "freely": allows a remote server to repeatedly request renegotiation.
+	Renegotiation string `json:"renegotiation,omitempty"`
+}
+
+func (t *TLSConfig) unmarshalCaddyfile(d *caddyfile.Dispenser) error {
+	for nesting := d.Nesting(); d.NextBlock(nesting); {
+		switch d.Val() {
+		case "ca":
+			if !d.NextArg() {
+				return d.ArgErr()
+			}
+			modStem := d.Val()
+			modID := "tls.ca_pool.source." + modStem
+			unm, err := caddyfile.UnmarshalModule(d, modID)
+			if err != nil {
+				return err
+			}
+			ca, ok := unm.(CA)
+			if !ok {
+				return d.Errf("module %s is not a caddytls.CA", modID)
+			}
+			t.CARaw = caddyconfig.JSONModuleObject(ca, "provider", modStem, nil)
+		case "insecure_skip_verify":
+			t.InsecureSkipVerify = true
+		case "handshake_timeout":
+			if !d.NextArg() {
+				return d.ArgErr()
+			}
+			dur, err := caddy.ParseDuration(d.Val())
+			if err != nil {
+				return d.Errf("bad timeout value '%s': %v", d.Val(), err)
+			}
+			t.HandshakeTimeout = caddy.Duration(dur)
+		case "server_name":
+			if !d.Args(&t.ServerName) {
+				return d.ArgErr()
+			}
+		case "renegotiation":
+			if !d.Args(&t.Renegotiation) {
+				return d.ArgErr()
+			}
+			switch t.Renegotiation {
+			case "never", "once", "freely":
+				continue
+			default:
+				t.Renegotiation = ""
+				return d.Errf("unrecognized renegotiation level: %s", t.Renegotiation)
+			}
+		default:
+			return d.Errf("unrecognized directive: %s", d.Val())
+		}
+	}
+	return nil
+}
+
+// MakeTLSClientConfig returns a tls.Config usable by a client to a backend.
+// If there is no custom TLS configuration, a nil config may be returned.
+// copied from with minor modifications: modules/caddyhttp/reverseproxy/httptransport.go
+func (t TLSConfig) makeTLSClientConfig(ctx caddy.Context) (*tls.Config, error) {
+	repl := ctx.Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
+	if repl == nil {
+		repl = caddy.NewReplacer()
+	}
+	cfg := new(tls.Config)
+
+	if t.CARaw != nil {
+		caRaw, err := ctx.LoadModule(t, "CARaw")
+		if err != nil {
+			return nil, err
+		}
+		ca := caRaw.(CA)
+		cfg.RootCAs = ca.CertPool()
+	}
+
+	// Renegotiation
+	switch t.Renegotiation {
+	case "never", "":
+		cfg.Renegotiation = tls.RenegotiateNever
+	case "once":
+		cfg.Renegotiation = tls.RenegotiateOnceAsClient
+	case "freely":
+		cfg.Renegotiation = tls.RenegotiateFreelyAsClient
+	default:
+		return nil, fmt.Errorf("invalid TLS renegotiation level: %v", t.Renegotiation)
+	}
+
+	// override for the server name used verify the TLS handshake
+	cfg.ServerName = repl.ReplaceKnown(cfg.ServerName, "")
+
+	// throw all security out the window
+	cfg.InsecureSkipVerify = t.InsecureSkipVerify
+
+	// only return a config if it's not empty
+	if reflect.DeepEqual(cfg, new(tls.Config)) {
+		return nil, nil
+	}
+
+	return cfg, nil
+}
+
+// The HTTPCertPool fetches the trusted root certificates from HTTP(S)
+// endpoints. The TLS connection properties can be customized, including custom
+// trusted root certificate. One example usage of this module is to get the trusted
+// certificates from another Caddy instance that is running the PKI app and ACME server.
+type HTTPCertPool struct {
+	// the list of URLs that respond with PEM-encoded certificates to trust.
+	Endpoints []string `json:"endpoints,omitempty"`
+
+	// Customize the TLS connection knobs to used during the HTTP call
+	TLS *TLSConfig `json:"tls,omitempty"`
+
+	pool *x509.CertPool
+}
+
+// CaddyModule implements caddy.Module.
+func (HTTPCertPool) CaddyModule() caddy.ModuleInfo {
+	return caddy.ModuleInfo{
+		ID: "tls.ca_pool.source.http",
+		New: func() caddy.Module {
+			return new(HTTPCertPool)
+		},
+	}
+}
+
+// Provision implements caddy.Provisioner.
+func (hcp *HTTPCertPool) Provision(ctx caddy.Context) error {
+	caPool := x509.NewCertPool()
+
+	customTransport := http.DefaultTransport.(*http.Transport).Clone()
+	if hcp.TLS != nil {
+		tlsConfig, err := hcp.TLS.makeTLSClientConfig(ctx)
+		if err != nil {
+			return err
+		}
+		customTransport.TLSClientConfig = tlsConfig
+	}
+
+	var httpClient *http.Client
+	*httpClient = *http.DefaultClient
+	httpClient.Transport = customTransport
+
+	for _, uri := range hcp.Endpoints {
+		req, err := http.NewRequestWithContext(ctx, http.MethodGet, uri, nil)
+		if err != nil {
+			return err
+		}
+		res, err := httpClient.Do(req)
+		if err != nil {
+			return err
+		}
+		pembs, err := io.ReadAll(res.Body)
+		res.Body.Close()
+		if err != nil {
+			return err
+		}
+		if !caPool.AppendCertsFromPEM(pembs) {
+			return fmt.Errorf("failed to add certs from URL: %s", uri)
+		}
+	}
+	hcp.pool = caPool
+	return nil
+}
+
+// Syntax:
+//
+//	trust_pool http [<endpoints...>] {
+//			endpoints 	<endpoints...>
+//			tls 		<tls_config>
+//	}
+//
+// tls_config:
+//
+//		ca <ca_module>
+//		insecure_skip_verify
+//		handshake_timeout <duration>
+//		server_name <name>
+//		renegotiation <never|once|freely>
+//
+//	<ca_module> is the name of the CA module to source the trust
+//
+// certificate pool and follows the syntax of the named CA module.
+func (hcp *HTTPCertPool) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
+	d.Next() // consume module name
+	hcp.Endpoints = append(hcp.Endpoints, d.RemainingArgs()...)
+	for nesting := d.Nesting(); d.NextBlock(nesting); {
+		switch d.Val() {
+		case "endpoints":
+			if d.CountRemainingArgs() == 0 {
+				return d.ArgErr()
+			}
+			hcp.Endpoints = append(hcp.Endpoints, d.RemainingArgs()...)
+		case "tls":
+			if hcp.TLS != nil {
+				return d.Err("tls block already defined")
+			}
+			hcp.TLS = new(TLSConfig)
+			if err := hcp.TLS.unmarshalCaddyfile(d); err != nil {
+				return err
+			}
+		default:
+			return d.Errf("unrecognized directive: %s", d.Val())
+		}
+	}
+
+	return nil
+}
+
+// report error if the endpoints are not valid URLs
+func (hcp HTTPCertPool) Validate() (err error) {
+	for _, u := range hcp.Endpoints {
+		_, e := url.Parse(u)
+		if e != nil {
+			err = errors.Join(err, e)
+		}
+	}
+	return err
+}
+
+// CertPool return the certificate pool generated from the HTTP responses
+func (hcp HTTPCertPool) CertPool() *x509.CertPool {
+	return hcp.pool
+}
+
+// LazyCertPool defers the generation of the certificate pool from the
+// guest module to demand-time rather than at provisionig time. The gain of the
+// lazy load adds a risk of failure to load the certificates at demand time
+// because the validation that's typically done at provisioning is deferred.
+// The validation can be enforced to run before runtime by setting
+// `EagerValidation`/`eager_validation` to `true`. It is the operator's responsibility
+// to ensure the resources are available if `EagerValidation`/`eager_validation`
+// is set to `true`. The module also incurs performance cost at every demand.
+type LazyCertPool struct {
+	// Provides the guest module that provides the trusted certificate authority (CA) certificates
+	CARaw json.RawMessage `json:"ca,omitempty" caddy:"namespace=tls.ca_pool.source inline_key=provider"`
+
+	// Whether the validation step should try to load and provision the guest module to validate
+	// the correctness of the configuration. Depeneding on the type of the guest module,
+	// the resources may not be available at validation time. It is the
+	// operator's responsibility to ensure the resources are available if `EagerValidation`/`eager_validation`
+	// is set to `true`.
+	EagerValidation bool `json:"eager_validation,omitempty"`
+
+	ctx caddy.Context
+}
+
+// CaddyModule implements caddy.Module.
+func (LazyCertPool) CaddyModule() caddy.ModuleInfo {
+	return caddy.ModuleInfo{
+		ID: "tls.ca_pool.source.lazy",
+		New: func() caddy.Module {
+			return new(LazyCertPool)
+		},
+	}
+}
+
+// Provision implements caddy.Provisioner.
+func (lcp *LazyCertPool) Provision(ctx caddy.Context) error {
+	if len(lcp.CARaw) == 0 {
+		return fmt.Errorf("missing backing CA source")
+	}
+	lcp.ctx = ctx
+	return nil
+}
+
+// Syntax:
+//
+//	trust_pool lazy {
+//		backend <ca_module>
+//		eager_validation
+//	}
+//
+// The `backend` directive specifies the CA module to use to provision the
+// certificate pool. The `eager_validation` directive specifies that the
+// validation step should try to load and provision the guest module to validate
+// the correctness of the configuration. Depeneding on the type of the guest module,
+// the resources may not be available at validation time. It is the
+// operator's responsibility to ensure the resources are available if `EagerValidation`/`eager_validation`
+// is set to `true`.
+//
+// The `backend` directive is required.
+func (lcp *LazyCertPool) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
+	d.Next() // consume module name
+	for nesting := d.Nesting(); d.NextBlock(nesting); {
+		switch d.Val() {
+		case "backend":
+			if lcp.CARaw != nil {
+				return d.Err("backend block already defined")
+			}
+			if !d.NextArg() {
+				return d.ArgErr()
+			}
+			modStem := d.Val()
+			modID := "tls.ca_pool.source." + modStem
+			unm, err := caddyfile.UnmarshalModule(d, modID)
+			if err != nil {
+				return err
+			}
+			backend, ok := unm.(CA)
+			if !ok {
+				return d.Errf("module %s is not a caddytls.CA", modID)
+			}
+			lcp.CARaw = caddyconfig.JSONModuleObject(backend, "provider", modStem, nil)
+		case "eager_validation":
+			lcp.EagerValidation = true
+		default:
+			return d.Errf("unrecognized directive: %s", d.Val())
+		}
+	}
+	if lcp.CARaw == nil {
+		return d.Err("backend block is required")
+	}
+	return nil
+}
+
+// If EagerValidation is `true`, it attempts to load and provision the guest module
+// to ensure the guesst module's configuration is correct. Depeneding on the type of the
+// guest module, the resources may not be available at validation time. It is the
+// operator's responsibility to ensure the resources are available if `EagerValidation` is
+// set to `true`.
+func (lcp LazyCertPool) Validate() error {
+	if lcp.EagerValidation {
+		_, err := lcp.ctx.LoadModule(lcp, "CARaw")
+		return err
+	}
+	return nil
+}
+
+// CertPool loads the guest module and returns the CertPool from there
+// TODO: Cache?
+func (lcp LazyCertPool) CertPool() *x509.CertPool {
+	caRaw, err := lcp.ctx.LoadModule(lcp, "CARaw")
+	if err != nil {
+		return nil
+	}
+	ca := caRaw.(CA)
+	return ca.CertPool()
+}
+
+var (
+	_ caddy.Module          = (*InlineCAPool)(nil)
+	_ caddy.Provisioner     = (*InlineCAPool)(nil)
+	_ CA                    = (*InlineCAPool)(nil)
+	_ caddyfile.Unmarshaler = (*InlineCAPool)(nil)
+
+	_ caddy.Module          = (*FileCAPool)(nil)
+	_ caddy.Provisioner     = (*FileCAPool)(nil)
+	_ CA                    = (*FileCAPool)(nil)
+	_ caddyfile.Unmarshaler = (*FileCAPool)(nil)
+
+	_ caddy.Module          = (*PKIRootCAPool)(nil)
+	_ caddy.Provisioner     = (*PKIRootCAPool)(nil)
+	_ CA                    = (*PKIRootCAPool)(nil)
+	_ caddyfile.Unmarshaler = (*PKIRootCAPool)(nil)
+
+	_ caddy.Module          = (*PKIIntermediateCAPool)(nil)
+	_ caddy.Provisioner     = (*PKIIntermediateCAPool)(nil)
+	_ CA                    = (*PKIIntermediateCAPool)(nil)
+	_ caddyfile.Unmarshaler = (*PKIIntermediateCAPool)(nil)
+
+	_ caddy.Module          = (*StoragePool)(nil)
+	_ caddy.Provisioner     = (*StoragePool)(nil)
+	_ CA                    = (*StoragePool)(nil)
+	_ caddyfile.Unmarshaler = (*StoragePool)(nil)
+
+	_ caddy.Module          = (*HTTPCertPool)(nil)
+	_ caddy.Provisioner     = (*HTTPCertPool)(nil)
+	_ caddy.Validator       = (*HTTPCertPool)(nil)
+	_ CA                    = (*HTTPCertPool)(nil)
+	_ caddyfile.Unmarshaler = (*HTTPCertPool)(nil)
+
+	_ caddy.Module          = (*LazyCertPool)(nil)
+	_ caddy.Provisioner     = (*LazyCertPool)(nil)
+	_ caddy.Validator       = (*LazyCertPool)(nil)
+	_ CA                    = (*LazyCertPool)(nil)
+	_ caddyfile.Unmarshaler = (*LazyCertPool)(nil)
+)

modules/caddytls/capools_test.go

@@ -0,0 +1,892 @@
+package caddytls
+
+import (
+	"encoding/json"
+	"fmt"
+	"reflect"
+	"testing"
+	"time"
+
+	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
+	_ "github.com/caddyserver/caddy/v2/modules/filestorage"
+)
+
+const (
+	test_der_1       = `MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==`
+	test_cert_file_1 = "../../caddytest/caddy.ca.cer"
+)
+
+func TestInlineCAPoolUnmarshalCaddyfile(t *testing.T) {
+	type args struct {
+		d *caddyfile.Dispenser
+	}
+	tests := []struct {
+		name     string
+		args     args
+		expected InlineCAPool
+		wantErr  bool
+	}{
+		{
+			name: "configuring no certificatest produces an error",
+			args: args{
+				d: caddyfile.NewTestDispenser(`
+					inline {
+					}
+				`),
+			},
+			wantErr: true,
+		},
+		{
+			name: "configuring certificates as arguments in-line produces an error",
+			args: args{
+				d: caddyfile.NewTestDispenser(fmt.Sprintf(`
+					inline %s
+				`, test_der_1)),
+			},
+			wantErr: true,
+		},
+		{
+			name: "single cert",
+			args: args{
+				d: caddyfile.NewTestDispenser(fmt.Sprintf(`
+				inline {
+					trust_der %s
+				}
+				`, test_der_1)),
+			},
+			expected: InlineCAPool{
+				TrustedCACerts: []string{test_der_1},
+			},
+			wantErr: false,
+		},
+		{
+			name: "multiple certs in one line",
+			args: args{
+				d: caddyfile.NewTestDispenser(fmt.Sprintf(`
+				inline {
+					trust_der %s %s
+				}
+				`, test_der_1, test_der_1),
+				),
+			},
+			expected: InlineCAPool{
+				TrustedCACerts: []string{test_der_1, test_der_1},
+			},
+		},
+		{
+			name: "multiple certs in multiple lines",
+			args: args{
+				d: caddyfile.NewTestDispenser(fmt.Sprintf(`
+					inline {
+						trust_der %s
+						trust_der %s
+					}
+				`, test_der_1, test_der_1)),
+			},
+			expected: InlineCAPool{
+				TrustedCACerts: []string{test_der_1, test_der_1},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			icp := &InlineCAPool{}
+			if err := icp.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
+				t.Errorf("InlineCAPool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
+			}
+			if !tt.wantErr && !reflect.DeepEqual(&tt.expected, icp) {
+				t.Errorf("InlineCAPool.UnmarshalCaddyfile() = %v, want %v", icp, tt.expected)
+			}
+		})
+	}
+}
+
+func TestFileCAPoolUnmarshalCaddyfile(t *testing.T) {
+	type args struct {
+		d *caddyfile.Dispenser
+	}
+	tests := []struct {
+		name     string
+		expected FileCAPool
+		args     args
+		wantErr  bool
+	}{
+		{
+			name: "configuring no certificatest produces an error",
+			args: args{
+				d: caddyfile.NewTestDispenser(`
+					file {
+					}
+				`),
+			},
+			wantErr: true,
+		},
+		{
+			name: "configuring certificates as arguments in-line produces an error",
+			args: args{
+				d: caddyfile.NewTestDispenser(fmt.Sprintf(`
+				file %s
+				`, test_cert_file_1)),
+			},
+			expected: FileCAPool{
+				TrustedCACertPEMFiles: []string{test_cert_file_1},
+			},
+		},
+		{
+			name: "single cert",
+			args: args{
+				d: caddyfile.NewTestDispenser(fmt.Sprintf(`
+				file {
+					pem_file %s
+				}
+				`, test_cert_file_1)),
+			},
+			expected: FileCAPool{
+				TrustedCACertPEMFiles: []string{test_cert_file_1},
+			},
+			wantErr: false,
+		},
+		{
+			name: "multiple certs inline and in-block are merged",
+			args: args{
+				d: caddyfile.NewTestDispenser(fmt.Sprintf(`
+				file %s {
+					pem_file %s
+				}
+				`, test_cert_file_1, test_cert_file_1)),
+			},
+			expected: FileCAPool{
+				TrustedCACertPEMFiles: []string{test_cert_file_1, test_cert_file_1},
+			},
+			wantErr: false,
+		},
+		{
+			name: "multiple certs in one line",
+			args: args{
+				d: caddyfile.NewTestDispenser(fmt.Sprintf(`
+				file {
+					pem_file %s %s
+				}
+				`, test_der_1, test_der_1),
+				),
+			},
+			expected: FileCAPool{
+				TrustedCACertPEMFiles: []string{test_der_1, test_der_1},
+			},
+		},
+		{
+			name: "multiple certs in multiple lines",
+			args: args{
+				d: caddyfile.NewTestDispenser(fmt.Sprintf(`
+					file {
+						pem_file %s
+						pem_file %s
+					}
+				`, test_cert_file_1, test_cert_file_1)),
+			},
+			expected: FileCAPool{
+				TrustedCACertPEMFiles: []string{test_cert_file_1, test_cert_file_1},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			fcap := &FileCAPool{}
+			if err := fcap.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
+				t.Errorf("FileCAPool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
+			}
+			if !tt.wantErr && !reflect.DeepEqual(&tt.expected, fcap) {
+				t.Errorf("FileCAPool.UnmarshalCaddyfile() = %v, want %v", fcap, tt.expected)
+			}
+		})
+	}
+}
+
+func TestPKIRootCAPoolUnmarshalCaddyfile(t *testing.T) {
+	type args struct {
+		d *caddyfile.Dispenser
+	}
+	tests := []struct {
+		name     string
+		expected PKIRootCAPool
+		args     args
+		wantErr  bool
+	}{
+		{
+			name: "configuring no certificatest produces an error",
+			args: args{
+				d: caddyfile.NewTestDispenser(`
+					pki_root {
+					}
+				`),
+			},
+			wantErr: true,
+		},
+		{
+			name: "single authority as arguments in-line",
+			args: args{
+				d: caddyfile.NewTestDispenser(`
+				pki_root ca_1
+				`),
+			},
+			expected: PKIRootCAPool{
+				Authority: []string{"ca_1"},
+			},
+		},
+		{
+			name: "multiple authorities as arguments in-line",
+			args: args{
+				d: caddyfile.NewTestDispenser(`
+				pki_root ca_1 ca_2
+				`),
+			},
+			expected: PKIRootCAPool{
+				Authority: []string{"ca_1", "ca_2"},
+			},
+		},
+		{
+			name: "single authority in block",
+			args: args{
+				d: caddyfile.NewTestDispenser(`
+				pki_root {
+					authority ca_1
+				}`),
+			},
+			expected: PKIRootCAPool{
+				Authority: []string{"ca_1"},
+			},
+			wantErr: false,
+		},
+		{
+			name: "multiple authorities in one line",
+			args: args{
+				d: caddyfile.NewTestDispenser(`
+				pki_root {
+					authority ca_1 ca_2
+				}`),
+			},
+			expected: PKIRootCAPool{
+				Authority: []string{"ca_1", "ca_2"},
+			},
+		},
+		{
+			name: "multiple authorities in multiple lines",
+			args: args{
+				d: caddyfile.NewTestDispenser(`
+					pki_root {
+						authority ca_1
+						authority ca_2
+					}`),
+			},
+			expected: PKIRootCAPool{
+				Authority: []string{"ca_1", "ca_2"},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			pkir := &PKIRootCAPool{}
+			if err := pkir.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
+				t.Errorf("PKIRootCAPool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
+			}
+			if !tt.wantErr && !reflect.DeepEqual(&tt.expected, pkir) {
+				t.Errorf("PKIRootCAPool.UnmarshalCaddyfile() = %v, want %v", pkir, tt.expected)
+			}
+		})
+	}
+}
+
+func TestPKIIntermediateCAPoolUnmarshalCaddyfile(t *testing.T) {
+	type args struct {
+		d *caddyfile.Dispenser
+	}
+	tests := []struct {
+		name     string
+		expected PKIIntermediateCAPool
+		args     args
+		wantErr  bool
+	}{
+		{
+			name: "configuring no certificatest produces an error",
+			args: args{
+				d: caddyfile.NewTestDispenser(`
+				pki_intermediate {
+				}`),
+			},
+			wantErr: true,
+		},
+		{
+			name: "single authority as arguments in-line",
+			args: args{
+				d: caddyfile.NewTestDispenser(`pki_intermediate ca_1`),
+			},
+			expected: PKIIntermediateCAPool{
+				Authority: []string{"ca_1"},
+			},
+		},
+		{
+			name: "multiple authorities as arguments in-line",
+			args: args{
+				d: caddyfile.NewTestDispenser(`pki_intermediate ca_1 ca_2`),
+			},
+			expected: PKIIntermediateCAPool{
+				Authority: []string{"ca_1", "ca_2"},
+			},
+		},
+		{
+			name: "single authority in block",
+			args: args{
+				d: caddyfile.NewTestDispenser(`
+				pki_intermediate {
+					authority ca_1
+				}`),
+			},
+			expected: PKIIntermediateCAPool{
+				Authority: []string{"ca_1"},
+			},
+			wantErr: false,
+		},
+		{
+			name: "multiple authorities in one line",
+			args: args{
+				d: caddyfile.NewTestDispenser(`
+				pki_intermediate {
+					authority ca_1 ca_2
+				}`),
+			},
+			expected: PKIIntermediateCAPool{
+				Authority: []string{"ca_1", "ca_2"},
+			},
+		},
+		{
+			name: "multiple authorities in multiple lines",
+			args: args{
+				d: caddyfile.NewTestDispenser(`
+					pki_intermediate {
+						authority ca_1
+						authority ca_2
+					}`),
+			},
+			expected: PKIIntermediateCAPool{
+				Authority: []string{"ca_1", "ca_2"},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			pic := &PKIIntermediateCAPool{}
+			if err := pic.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
+				t.Errorf("PKIIntermediateCAPool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
+			}
+			if !tt.wantErr && !reflect.DeepEqual(&tt.expected, pic) {
+				t.Errorf("PKIIntermediateCAPool.UnmarshalCaddyfile() = %v, want %v", pic, tt.expected)
+			}
+		})
+	}
+}
+
+func TestStoragePoolUnmarshalCaddyfile(t *testing.T) {
+	type args struct {
+		d *caddyfile.Dispenser
+	}
+	tests := []struct {
+		name     string
+		args     args
+		expected StoragePool
+		wantErr  bool
+	}{
+		{
+			name: "empty block",
+			args: args{
+				d: caddyfile.NewTestDispenser(`storage {
+				}`),
+			},
+			expected: StoragePool{},
+			wantErr:  false,
+		},
+		{
+			name: "providing single storage key inline",
+			args: args{
+				d: caddyfile.NewTestDispenser(`storage key-1`),
+			},
+			expected: StoragePool{
+				PEMKeys: []string{"key-1"},
+			},
+			wantErr: false,
+		},
+		{
+			name: "providing multiple storage keys inline",
+			args: args{
+				d: caddyfile.NewTestDispenser(`storage key-1 key-2`),
+			},
+			expected: StoragePool{
+				PEMKeys: []string{"key-1", "key-2"},
+			},
+			wantErr: false,
+		},
+		{
+			name: "providing keys inside block without specifying storage type",
+			args: args{
+				d: caddyfile.NewTestDispenser(`
+					storage {
+						keys key-1 key-2
+					}
+				`),
+			},
+			expected: StoragePool{
+				PEMKeys: []string{"key-1", "key-2"},
+			},
+			wantErr: false,
+		},
+		{
+			name: "providing keys in-line and inside block merges them",
+			args: args{
+				d: caddyfile.NewTestDispenser(`storage key-1 key-2 key-3 {
+					keys key-4 key-5
+				}`),
+			},
+			expected: StoragePool{
+				PEMKeys: []string{"key-1", "key-2", "key-3", "key-4", "key-5"},
+			},
+			wantErr: false,
+		},
+		{
+			name: "specifying storage type in block",
+			args: args{
+				d: caddyfile.NewTestDispenser(`storage {
+					storage file_system /var/caddy/storage
+				}`),
+			},
+			expected: StoragePool{
+				StorageRaw: json.RawMessage(`{"module":"file_system","root":"/var/caddy/storage"}`),
+			},
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			sp := &StoragePool{}
+			if err := sp.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
+				t.Errorf("StoragePool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
+			}
+			if !tt.wantErr && !reflect.DeepEqual(&tt.expected, sp) {
+				t.Errorf("StoragePool.UnmarshalCaddyfile() = %s, want %s", sp.StorageRaw, tt.expected.StorageRaw)
+			}
+		})
+	}
+}
+
+func TestTLSConfig_unmarshalCaddyfile(t *testing.T) {
+	type args struct {
+		d *caddyfile.Dispenser
+	}
+	tests := []struct {
+		name     string
+		args     args
+		expected TLSConfig
+		wantErr  bool
+	}{
+		{
+			name: "no arguments is valid",
+			args: args{
+				d: caddyfile.NewTestDispenser(` {
+				}`),
+			},
+			expected: TLSConfig{},
+		},
+		{
+			name: "setting 'renegotiation' to 'never' is valid",
+			args: args{
+				d: caddyfile.NewTestDispenser(` {
+					renegotiation never
+				}`),
+			},
+			expected: TLSConfig{
+				Renegotiation: "never",
+			},
+		},
+		{
+			name: "setting 'renegotiation' to 'once' is valid",
+			args: args{
+				d: caddyfile.NewTestDispenser(` {
+					renegotiation once
+				}`),
+			},
+			expected: TLSConfig{
+				Renegotiation: "once",
+			},
+		},
+		{
+			name: "setting 'renegotiation' to 'freely' is valid",
+			args: args{
+				d: caddyfile.NewTestDispenser(` {
+					renegotiation freely
+				}`),
+			},
+			expected: TLSConfig{
+				Renegotiation: "freely",
+			},
+		},
+		{
+			name: "setting 'renegotiation' to other than 'none', 'once, or 'freely' is invalid",
+			args: args{
+				d: caddyfile.NewTestDispenser(` {
+					renegotiation foo
+				}`),
+			},
+			wantErr: true,
+		},
+		{
+			name: "setting 'renegotiation' without argument is invalid",
+			args: args{
+				d: caddyfile.NewTestDispenser(` {
+					renegotiation
+				}`),
+			},
+			wantErr: true,
+		},
+		{
+			name: "setting 'ca' without arguemnt is an error",
+			args: args{
+				d: caddyfile.NewTestDispenser(`{
+					ca
+				}`),
+			},
+			wantErr: true,
+		},
+		{
+			name: "setting 'ca' to 'file' with in-line cert is valid",
+			args: args{
+				d: caddyfile.NewTestDispenser(`{
+					ca file /var/caddy/ca.pem
+				}`),
+			},
+			expected: TLSConfig{
+				CARaw: []byte(`{"pem_files":["/var/caddy/ca.pem"],"provider":"file"}`),
+			},
+		},
+		{
+			name: "setting 'ca' to 'lazy' with appropriate block is valid",
+			args: args{
+				d: caddyfile.NewTestDispenser(`{
+					ca lazy {
+						backend file {
+							pem_file /var/caddy/ca.pem
+						}
+					}
+				}`),
+			},
+			expected: TLSConfig{
+				CARaw: []byte(`{"ca":{"pem_files":["/var/caddy/ca.pem"],"provider":"file"},"provider":"lazy"}`),
+			},
+		},
+		{
+			name: "setting 'ca' to 'file' with appropriate block is valid",
+			args: args{
+				d: caddyfile.NewTestDispenser(`{
+					ca file /var/caddy/ca.pem {
+						pem_file /var/caddy/ca.pem
+					}
+				}`),
+			},
+			expected: TLSConfig{
+				CARaw: []byte(`{"pem_files":["/var/caddy/ca.pem","/var/caddy/ca.pem"],"provider":"file"}`),
+			},
+		},
+		{
+			name: "setting 'ca' multiple times is an error",
+			args: args{
+				d: caddyfile.NewTestDispenser(fmt.Sprintf(`{
+					ca file /var/caddy/ca.pem {
+						pem_file /var/caddy/ca.pem
+					}
+					ca inline %s
+				}`, test_der_1)),
+			},
+			wantErr: true,
+		},
+		{
+			name: "setting 'handshake_timeout' without value is an error",
+			args: args{
+				d: caddyfile.NewTestDispenser(`{
+					handshake_timeout
+				}`),
+			},
+			wantErr: true,
+		},
+		{
+			name: "setting 'handshake_timeout' properly is successful",
+			args: args{
+				d: caddyfile.NewTestDispenser(`{
+					handshake_timeout 42m
+				}`),
+			},
+			expected: TLSConfig{
+				HandshakeTimeout: caddy.Duration(42 * time.Minute),
+			},
+		},
+		{
+			name: "setting 'server_name' without value is an error",
+			args: args{
+				d: caddyfile.NewTestDispenser(`{
+					server_name
+				}`),
+			},
+			wantErr: true,
+		},
+		{
+			name: "setting 'server_name' properly is successful",
+			args: args{
+				d: caddyfile.NewTestDispenser(`{
+					server_name example.com
+				}`),
+			},
+			expected: TLSConfig{
+				ServerName: "example.com",
+			},
+		},
+		{
+			name: "unsupported directives are errors",
+			args: args{
+				d: caddyfile.NewTestDispenser(`{
+					foo
+				}`),
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tr := &TLSConfig{}
+			if err := tr.unmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
+				t.Errorf("TLSConfig.unmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
+			}
+			if !tt.wantErr && !reflect.DeepEqual(&tt.expected, tr) {
+				t.Errorf("TLSConfig.UnmarshalCaddyfile() = %v, want %v", tr, tt.expected)
+			}
+		})
+	}
+}
+
+func TestHTTPCertPoolUnmarshalCaddyfile(t *testing.T) {
+	type args struct {
+		d *caddyfile.Dispenser
+	}
+	tests := []struct {
+		name     string
+		args     args
+		expected HTTPCertPool
+		wantErr  bool
+	}{
+		{
+			name: "no block, inline http endpoint",
+			args: args{
+				d: caddyfile.NewTestDispenser(`http http://localhost/ca-certs`),
+			},
+			expected: HTTPCertPool{
+				Endpoints: []string{"http://localhost/ca-certs"},
+			},
+			wantErr: false,
+		},
+		{
+			name: "no block, inline https endpoint",
+			args: args{
+				d: caddyfile.NewTestDispenser(`http https://localhost/ca-certs`),
+			},
+			expected: HTTPCertPool{
+				Endpoints: []string{"https://localhost/ca-certs"},
+			},
+			wantErr: false,
+		},
+		{
+			name: "no block, mixed http and https endpoints inline",
+			args: args{
+				d: caddyfile.NewTestDispenser(`http http://localhost/ca-certs https://localhost/ca-certs`),
+			},
+			expected: HTTPCertPool{
+				Endpoints: []string{"http://localhost/ca-certs", "https://localhost/ca-certs"},
+			},
+			wantErr: false,
+		},
+		{
+			name: "multiple endpoints in separate lines in block",
+			args: args{
+				d: caddyfile.NewTestDispenser(`
+					http {
+						endpoints http://localhost/ca-certs
+						endpoints http://remotehost/ca-certs
+					}
+				`),
+			},
+			expected: HTTPCertPool{
+				Endpoints: []string{"http://localhost/ca-certs", "http://remotehost/ca-certs"},
+			},
+			wantErr: false,
+		},
+		{
+			name: "endpoints defiend inline and in block are merged",
+			args: args{
+				d: caddyfile.NewTestDispenser(`http http://localhost/ca-certs {
+					endpoints http://remotehost/ca-certs
+				}`),
+			},
+			expected: HTTPCertPool{
+				Endpoints: []string{"http://localhost/ca-certs", "http://remotehost/ca-certs"},
+			},
+			wantErr: false,
+		},
+		{
+			name: "multiple endpoints defiend in block on the same line",
+			args: args{
+				d: caddyfile.NewTestDispenser(`http {
+					endpoints http://remotehost/ca-certs http://localhost/ca-certs
+				}`),
+			},
+			expected: HTTPCertPool{
+				Endpoints: []string{"http://remotehost/ca-certs", "http://localhost/ca-certs"},
+			},
+			wantErr: false,
+		},
+		{
+			name: "declaring 'endpoints' in block without argument is an error",
+			args: args{
+				d: caddyfile.NewTestDispenser(`http {
+					endpoints
+				}`),
+			},
+			wantErr: true,
+		},
+		{
+			name: "multiple endpoints in separate lines in block",
+			args: args{
+				d: caddyfile.NewTestDispenser(`
+					http {
+						endpoints http://localhost/ca-certs
+						endpoints http://remotehost/ca-certs
+						tls {
+							renegotiation freely
+						}
+					}
+				`),
+			},
+			expected: HTTPCertPool{
+				Endpoints: []string{"http://localhost/ca-certs", "http://remotehost/ca-certs"},
+				TLS: &TLSConfig{
+					Renegotiation: "freely",
+				},
+			},
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			hcp := &HTTPCertPool{}
+			if err := hcp.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
+				t.Errorf("HTTPCertPool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
+			}
+			if !tt.wantErr && !reflect.DeepEqual(&tt.expected, hcp) {
+				t.Errorf("HTTPCertPool.UnmarshalCaddyfile() = %v, want %v", hcp, tt.expected)
+			}
+		})
+	}
+}
+
+func TestLazyCertPoolUnmarshalCaddyfile(t *testing.T) {
+	type args struct {
+		d *caddyfile.Dispenser
+	}
+	tests := []struct {
+		name     string
+		args     args
+		expected LazyCertPool
+		wantErr  bool
+	}{
+		{
+			name: "no block results in error",
+			args: args{
+				d: caddyfile.NewTestDispenser(`lazy`),
+			},
+			wantErr: true,
+		},
+		{
+			name: "empty block results in error",
+			args: args{
+				d: caddyfile.NewTestDispenser(`lazy {
+				}`),
+			},
+			wantErr: true,
+		},
+		{
+			name: "defining 'backend' multiple times results in error",
+			args: args{
+				d: caddyfile.NewTestDispenser(`lazy {
+					backend http {
+						endpoints http://localhost/ca-certs
+					}
+					backend file {
+						pem_file /var/caddy/certs
+					}
+				}`),
+			},
+			wantErr: true,
+		},
+		{
+			name: "defining 'backend' without argument results in error",
+			args: args{
+				d: caddyfile.NewTestDispenser(`lazy {
+					backend
+				}`),
+			},
+			wantErr: true,
+		},
+		{
+			name: "using unrecognized directive results in error",
+			args: args{
+				d: caddyfile.NewTestDispenser(`lazy {
+					foo
+				}`),
+			},
+			wantErr: true,
+		},
+		{
+			name: "defining single 'backend' is successful",
+			args: args{
+				d: caddyfile.NewTestDispenser(`lazy {
+					backend http {
+						endpoints http://localhost/ca-certs
+					}
+				}`),
+			},
+			expected: LazyCertPool{
+				CARaw: []byte(`{"endpoints":["http://localhost/ca-certs"],"provider":"http"}`),
+			},
+		},
+		{
+			name: "defining single 'backend' with 'eager_validation' successful",
+			args: args{
+				d: caddyfile.NewTestDispenser(`lazy {
+					backend file {
+						pem_file /var/caddy/certs
+					}
+					eager_validation
+				}`),
+			},
+			expected: LazyCertPool{
+				CARaw:           []byte(`{"pem_files":["/var/caddy/certs"],"provider":"file"}`),
+				EagerValidation: true,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			lcp := &LazyCertPool{}
+			if err := lcp.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
+				t.Errorf("LazyCertPool.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
+			}
+			if !tt.wantErr && !reflect.DeepEqual(&tt.expected, lcp) {
+				t.Errorf("LazyCertPool.UnmarshalCaddyfile() = %v, want %v", lcp, tt.expected)
+			}
+		})
+	}
+}

modules/caddytls/connpolicy.go

@@ -19,6 +19,7 @@ import (
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
+	"encoding/pem"
 	"fmt"
 	"io"
 	"os"
@@ -29,6 +30,8 @@ import (
 	"go.uber.org/zap"
 
 	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/caddy/v2/caddyconfig"
+	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 )
 
 func init() {
@@ -301,8 +304,10 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
 
 	// client authentication
 	if p.ClientAuthentication != nil {
-		err := p.ClientAuthentication.ConfigureTLSConfig(cfg)
+		if err := p.ClientAuthentication.provision(ctx); err != nil {
-		if err != nil {
+			return fmt.Errorf("provisioning client CA: %v", err)
+		}
+		if err := p.ClientAuthentication.ConfigureTLSConfig(cfg); err != nil {
 			return fmt.Errorf("configuring TLS client authentication: %v", err)
 		}
 	}
@@ -354,12 +359,18 @@ func (p ConnectionPolicy) SettingsEmpty() bool {
 
 // ClientAuthentication configures TLS client auth.
 type ClientAuthentication struct {
+	// Certificate authority module which provides the certificate pool of trusted certificates
+	CARaw json.RawMessage `json:"ca,omitempty" caddy:"namespace=tls.ca_pool.source inline_key=provider"`
+	ca    CA
+
+	// DEPRECATED: Use the `ca` field with the `tls.ca_pool.source.inline` module instead.
 	// A list of base64 DER-encoded CA certificates
 	// against which to validate client certificates.
 	// Client certs which are not signed by any of
 	// these CAs will be rejected.
 	TrustedCACerts []string `json:"trusted_ca_certs,omitempty"`
 
+	// DEPRECATED: Use the `ca` field with the `tls.ca_pool.source.file` module instead.
 	// TrustedCACertPEMFiles is a list of PEM file names
 	// from which to load certificates of trusted CAs.
 	// Client certificates which are not signed by any of
@@ -399,13 +410,177 @@ type ClientAuthentication struct {
 	existingVerifyPeerCert func([][]byte, [][]*x509.Certificate) error
 }
 
+// UnmarshalCaddyfile parses the Caddyfile segment to set up the client authentication. Syntax:
+//
+//	client_auth {
+//		mode                   [request|require|verify_if_given|require_and_verify]
+//	 	trust_pool			   <module> {
+//			...
+//		}
+//		trusted_leaf_cert      <base64_der>
+//		trusted_leaf_cert_file <filename>
+//	}
+//
+// If `mode` is not provided, it defaults to `require_and_verify` if any of the following are provided:
+// - `trusted_leaf_certs`
+// - `trusted_leaf_cert_file`
+// - `trust_pool`
+//
+// Otherwise, it defaults to `require`.
+func (ca *ClientAuthentication) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
+	for d.NextArg() {
+		// consume any tokens on the same line, if any.
+	}
+	for nesting := d.Nesting(); d.NextBlock(nesting); {
+		subdir := d.Val()
+		switch subdir {
+		case "mode":
+			if d.CountRemainingArgs() > 1 {
+				return d.ArgErr()
+			}
+			if !d.Args(&ca.Mode) {
+				return d.ArgErr()
+			}
+		case "trusted_ca_cert":
+			if len(ca.CARaw) != 0 {
+				return d.Err("cannot specify both 'trust_pool' and 'trusted_ca_cert' or 'trusted_ca_cert_file'")
+			}
+			if !d.NextArg() {
+				return d.ArgErr()
+			}
+			ca.TrustedCACerts = append(ca.TrustedCACerts, d.Val())
+		case "trusted_leaf_cert":
+			if !d.NextArg() {
+				return d.ArgErr()
+			}
+			ca.TrustedLeafCerts = append(ca.TrustedLeafCerts, d.Val())
+		case "trusted_ca_cert_file":
+			if len(ca.CARaw) != 0 {
+				return d.Err("cannot specify both 'trust_pool' and 'trusted_ca_cert' or 'trusted_ca_cert_file'")
+			}
+			if !d.NextArg() {
+				return d.ArgErr()
+			}
+			filename := d.Val()
+			ders, err := convertPEMFilesToDER(filename)
+			if err != nil {
+				return d.WrapErr(err)
+			}
+			ca.TrustedCACerts = append(ca.TrustedCACerts, ders...)
+		case "trusted_leaf_cert_file":
+			if !d.NextArg() {
+				return d.ArgErr()
+			}
+			filename := d.Val()
+			ders, err := convertPEMFilesToDER(filename)
+			if err != nil {
+				return d.WrapErr(err)
+			}
+			ca.TrustedLeafCerts = append(ca.TrustedLeafCerts, ders...)
+		case "trust_pool":
+			if len(ca.TrustedCACerts) != 0 {
+				return d.Err("cannot specify both 'trust_pool' and 'trusted_ca_cert' or 'trusted_ca_cert_file'")
+			}
+			if !d.NextArg() {
+				return d.ArgErr()
+			}
+			modName := d.Val()
+			mod, err := caddyfile.UnmarshalModule(d, "tls.ca_pool.source."+modName)
+			if err != nil {
+				return d.WrapErr(err)
+			}
+			caMod, ok := mod.(CA)
+			if !ok {
+				return fmt.Errorf("trust_pool module '%s' is not a certificate pool provider", caMod)
+			}
+			ca.CARaw = caddyconfig.JSONModuleObject(caMod, "provider", modName, nil)
+		default:
+			return d.Errf("unknown subdirective for client_auth: %s", subdir)
+		}
+	}
+
+	// only trust_ca_cert or trust_ca_cert_file was specified
+	if len(ca.TrustedCACerts) > 0 {
+		fileMod := &InlineCAPool{}
+		fileMod.TrustedCACerts = append(fileMod.TrustedCACerts, ca.TrustedCACerts...)
+		ca.CARaw = caddyconfig.JSONModuleObject(fileMod, "provider", "inline", nil)
+		ca.TrustedCACertPEMFiles, ca.TrustedCACerts = nil, nil
+	}
+	return nil
+}
+
+func convertPEMFilesToDER(filename string) ([]string, error) {
+	certDataPEM, err := os.ReadFile(filename)
+	if err != nil {
+		return nil, err
+	}
+	var ders []string
+	// while block is not nil, we have more certificates in the file
+	for block, rest := pem.Decode(certDataPEM); block != nil; block, rest = pem.Decode(rest) {
+		if block.Type != "CERTIFICATE" {
+			return nil, fmt.Errorf("no CERTIFICATE pem block found in %s", filename)
+		}
+		ders = append(
+			ders,
+			base64.StdEncoding.EncodeToString(block.Bytes),
+		)
+	}
+	// if we decoded nothing, return an error
+	if len(ders) == 0 {
+		return nil, fmt.Errorf("no CERTIFICATE pem block found in %s", filename)
+	}
+	return ders, nil
+}
+
+func (clientauth *ClientAuthentication) provision(ctx caddy.Context) error {
+	if len(clientauth.CARaw) > 0 && (len(clientauth.TrustedCACerts) > 0 || len(clientauth.TrustedCACertPEMFiles) > 0) {
+		return fmt.Errorf("conflicting config for client authentication trust CA")
+	}
+
+	// convert all named file paths to inline
+	if len(clientauth.TrustedCACertPEMFiles) > 0 {
+		for _, fpath := range clientauth.TrustedCACertPEMFiles {
+			ders, err := convertPEMFilesToDER(fpath)
+			if err != nil {
+				return nil
+			}
+			clientauth.TrustedCACerts = append(clientauth.TrustedCACerts, ders...)
+		}
+	}
+
+	// if we have TrustedCACerts explicitly set, create an 'inline' CA and return
+	if len(clientauth.TrustedCACerts) > 0 {
+		clientauth.ca = InlineCAPool{
+			TrustedCACerts: clientauth.TrustedCACerts,
+		}
+		return nil
+	}
+
+	// if we don't have any CARaw set, there's not much work to do
+	if clientauth.CARaw == nil {
+		return nil
+	}
+	caRaw, err := ctx.LoadModule(clientauth, "CARaw")
+	if err != nil {
+		return err
+	}
+	ca, ok := caRaw.(CA)
+	if !ok {
+		return fmt.Errorf("CARaw module '%s' is not a certificate pool provider", ca)
+	}
+	clientauth.ca = ca
+
+	return nil
+}
+
 // Active returns true if clientauth has an actionable configuration.
 func (clientauth ClientAuthentication) Active() bool {
 	return len(clientauth.TrustedCACerts) > 0 ||
 		len(clientauth.TrustedCACertPEMFiles) > 0 ||
 		len(clientauth.TrustedLeafCerts) > 0 || // TODO: DEPRECATED
 		len(clientauth.VerifiersRaw) > 0 ||
-		len(clientauth.Mode) > 0
+		len(clientauth.Mode) > 0 ||
+		clientauth.CARaw != nil || clientauth.ca != nil
 }
 
 // ConfigureTLSConfig sets up cfg to enforce clientauth's configuration.
@@ -434,7 +609,8 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro
 		// otherwise, set a safe default mode
 		if len(clientauth.TrustedCACerts) > 0 ||
 			len(clientauth.TrustedCACertPEMFiles) > 0 ||
-			len(clientauth.TrustedLeafCerts) > 0 {
+			len(clientauth.TrustedLeafCerts) > 0 ||
+			clientauth.CARaw != nil {
 			cfg.ClientAuth = tls.RequireAndVerifyClientCert
 		} else {
 			cfg.ClientAuth = tls.RequireAnyClientCert
@@ -442,23 +618,8 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro
 	}
 
 	// enforce CA verification by adding CA certs to the ClientCAs pool
-	if len(clientauth.TrustedCACerts) > 0 || len(clientauth.TrustedCACertPEMFiles) > 0 {
+	if clientauth.ca != nil {
-		caPool := x509.NewCertPool()
+		cfg.ClientCAs = clientauth.ca.CertPool()
-		for _, clientCAString := range clientauth.TrustedCACerts {
-			clientCA, err := decodeBase64DERCert(clientCAString)
-			if err != nil {
-				return fmt.Errorf("parsing certificate: %v", err)
-			}
-			caPool.AddCert(clientCA)
-		}
-		for _, pemFile := range clientauth.TrustedCACertPEMFiles {
-			pemContents, err := os.ReadFile(pemFile)
-			if err != nil {
-				return fmt.Errorf("reading %s: %v", pemFile, err)
-			}
-			caPool.AppendCertsFromPEM(pemContents)
-		}
-		cfg.ClientCAs = caPool
 	}
 
 	// TODO: DEPRECATED: Only here for backwards compatibility.
@@ -600,3 +761,5 @@ type destructableWriter struct{ *os.File }
 func (d destructableWriter) Destruct() error { return d.Close() }
 
 var secretsLogPool = caddy.NewUsagePool()
+
+var _ caddyfile.Unmarshaler = (*ClientAuthentication)(nil)

modules/caddytls/connpolicy_test.go

@@ -0,0 +1,280 @@
+// Copyright 2015 Matthew Holt and The Caddy Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package caddytls
+
+import (
+	"encoding/json"
+	"fmt"
+	"reflect"
+	"testing"
+
+	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
+)
+
+func TestClientAuthenticationUnmarshalCaddyfileWithDirectiveName(t *testing.T) {
+	const test_der_1 = `MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==`
+	const test_cert_file_1 = "../../caddytest/caddy.ca.cer"
+	type args struct {
+		d *caddyfile.Dispenser
+	}
+	tests := []struct {
+		name     string
+		args     args
+		expected ClientAuthentication
+		wantErr  bool
+	}{
+		{
+			name: "empty client_auth block does not error",
+			args: args{
+				d: caddyfile.NewTestDispenser(
+					`client_auth {
+					}`,
+				),
+			},
+			wantErr: false,
+		},
+		{
+			name: "providing both 'trust_pool' and 'trusted_ca_cert' returns an error",
+			args: args{
+				d: caddyfile.NewTestDispenser(
+					`client_auth {
+					trust_pool inline MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
+					trusted_ca_cert MIIDSzCCAjOgAwIBAgIUfIRObjWNUA4jxQ/0x8BOCvE2Vw4wDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UEAwwLRWFzeS1SU0EgQ0EwHhcNMTkwODI4MTYyNTU5WhcNMjkwODI1MTYyNTU5WjAWMRQwEgYDVQQDDAtFYXN5LVJTQSBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK5m5elxhQfMp/3aVJ4JnpN9PUSz6LlP6LePAPFU7gqohVVFVtDkChJAG3FNkNQNlieVTja/bgH9IcC6oKbROwdY1h0MvNV8AHHigvl03WuJD8g2ReVFXXwsnrPmKXCFzQyMI6TYk3m2gYrXsZOU1GLnfMRC3KAMRgE2F45twOs9hqG169YJ6mM2eQjzjCHWI6S2/iUYvYxRkCOlYUbLsMD/AhgAf1plzg6LPqNxtdlwxZnA0ytgkmhK67HtzJu0+ovUCsMv0RwcMhsEo9T8nyFAGt9XLZ63X5WpBCTUApaAUhnG0XnerjmUWb6eUWw4zev54sEfY5F3x002iQaW6cECAwEAAaOBkDCBjTAdBgNVHQ4EFgQU4CBUbZsS2GaNIkGRz/cBsD5ivjswUQYDVR0jBEowSIAU4CBUbZsS2GaNIkGRz/cBsD5ivjuhGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghR8hE5uNY1QDiPFD/THwE4K8TZXDjAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAKB3V4HIzoiO/Ch6WMj9bLJ2FGbpkMrcb/Eq01hT5zcfKD66lVS1MlK+cRL446Z2b2KDP1oFyVs+qmrmtdwrWgD+nfe2sBmmIHo9m9KygMkEOfG3MghGTEcS+0cTKEcoHYWYyOqQh6jnedXY8Cdm4GM1hAc9MiL3/sqV8YCVSLNnkoNysmr06/rZ0MCUZPGUtRmfd0heWhrfzAKw2HLgX+RAmpOE2MZqWcjvqKGyaRiaZks4nJkP6521aC2Lgp0HhCz1j8/uQ5ldoDszCnu/iro0NAsNtudTMD+YoLQxLqdleIh6CW+illc2VdXwj7mn6J04yns9jfE2jRjW/yTLFuQ==
+				}`),
+			},
+			wantErr: true,
+		},
+		{
+			name: "trust_pool without a module argument returns an error",
+			args: args{
+				d: caddyfile.NewTestDispenser(
+					`client_auth {
+					trust_pool
+				}`),
+			},
+			wantErr: true,
+		},
+		{
+			name: "providing more than 1 mode produces an error",
+			args: args{
+				d: caddyfile.NewTestDispenser(`
+					client_auth {
+						mode require request
+					}
+				`),
+			},
+			wantErr: true,
+		},
+		{
+			name: "not providing 'mode' argument produces an error",
+			args: args{d: caddyfile.NewTestDispenser(`
+				client_auth {
+					mode
+				}
+			`)},
+			wantErr: true,
+		},
+		{
+			name: "providing a single 'mode' argument sets the mode",
+			args: args{
+				d: caddyfile.NewTestDispenser(`
+					client_auth {
+						mode require
+					}
+				`),
+			},
+			expected: ClientAuthentication{
+				Mode: "require",
+			},
+			wantErr: false,
+		},
+		{
+			name: "not providing an argument to 'trusted_ca_cert' produces an error",
+			args: args{
+				d: caddyfile.NewTestDispenser(`
+				client_auth {
+					trusted_ca_cert
+				}
+				`),
+			},
+			wantErr: true,
+		},
+		{
+			name: "not providing an argument to 'trusted_leaf_cert' produces an error",
+			args: args{
+				d: caddyfile.NewTestDispenser(`
+				client_auth {
+					trusted_leaf_cert
+				}
+				`),
+			},
+			wantErr: true,
+		},
+		{
+			name: "not providing an argument to 'trusted_ca_cert_file' produces an error",
+			args: args{
+				d: caddyfile.NewTestDispenser(`
+				client_auth {
+					trusted_ca_cert_file
+				}
+				`),
+			},
+			wantErr: true,
+		},
+		{
+			name: "not providing an argument to 'trusted_leaf_cert_file' produces an error",
+			args: args{
+				d: caddyfile.NewTestDispenser(`
+				client_auth {
+					trusted_leaf_cert_file
+				}
+				`),
+			},
+			wantErr: true,
+		},
+		{
+			name: "using 'trusted_ca_cert' adapts sucessfully",
+			args: args{
+				d: caddyfile.NewTestDispenser(fmt.Sprintf(`
+				client_auth {
+					trusted_ca_cert %s
+				}`, test_der_1)),
+			},
+			expected: ClientAuthentication{
+				CARaw: json.RawMessage(fmt.Sprintf(`{"provider":"inline","trusted_ca_certs":["%s"]}`, test_der_1)),
+			},
+		},
+		{
+			name: "using 'inline' trust_pool loads the module successfully",
+			args: args{
+				d: caddyfile.NewTestDispenser(fmt.Sprintf(`
+					client_auth {
+						trust_pool inline {
+							trust_der	%s
+						}
+					}
+				`, test_der_1)),
+			},
+			expected: ClientAuthentication{
+				CARaw: json.RawMessage(fmt.Sprintf(`{"provider":"inline","trusted_ca_certs":["%s"]}`, test_der_1)),
+			},
+		},
+		{
+			name: "setting 'trusted_ca_cert' and 'trust_pool' produces an error",
+			args: args{
+				d: caddyfile.NewTestDispenser(fmt.Sprintf(`
+				client_auth {
+					trusted_ca_cert %s
+					trust_pool inline {
+						trust_der	%s
+					}
+				}`, test_der_1, test_der_1)),
+			},
+			wantErr: true,
+		},
+		{
+			name: "setting 'trust_pool' and 'trusted_ca_cert' produces an error",
+			args: args{
+				d: caddyfile.NewTestDispenser(fmt.Sprintf(`
+				client_auth {
+					trust_pool inline {
+						trust_der	%s
+					}
+					trusted_ca_cert %s
+				}`, test_der_1, test_der_1)),
+			},
+			wantErr: true,
+		},
+		{
+			name: "setting 'trust_pool' and 'trusted_ca_cert' produces an error",
+			args: args{
+				d: caddyfile.NewTestDispenser(fmt.Sprintf(`
+				client_auth {
+					trust_pool inline {
+						trust_der	%s
+					}
+					trusted_ca_cert_file %s
+				}`, test_der_1, test_cert_file_1)),
+			},
+			wantErr: true,
+		},
+		{
+			name: "configuring 'trusted_ca_cert_file' without an argument is an error",
+			args: args{
+				d: caddyfile.NewTestDispenser(`
+				client_auth {
+					trusted_ca_cert_file
+				}
+				`),
+			},
+			wantErr: true,
+		},
+		{
+			name: "configuring 'trusted_ca_cert_file' produces config with 'inline' provider",
+			args: args{
+				d: caddyfile.NewTestDispenser(fmt.Sprintf(`
+				client_auth {
+					trusted_ca_cert_file %s
+				}`, test_cert_file_1),
+				),
+			},
+			expected: ClientAuthentication{
+				CARaw: json.RawMessage(fmt.Sprintf(`{"provider":"inline","trusted_ca_certs":["%s"]}`, test_der_1)),
+			},
+			wantErr: false,
+		},
+		{
+			name: "configuring leaf certs does not conflict with 'trust_pool'",
+			args: args{
+				d: caddyfile.NewTestDispenser(fmt.Sprintf(`
+				client_auth {
+					trust_pool inline {
+						trust_der	%s
+					}
+					trusted_leaf_cert %s
+				}`, test_der_1, test_der_1)),
+			},
+			expected: ClientAuthentication{
+				CARaw:            json.RawMessage(fmt.Sprintf(`{"provider":"inline","trusted_ca_certs":["%s"]}`, test_der_1)),
+				TrustedLeafCerts: []string{test_der_1},
+			},
+		},
+		{
+			name: "providing trusted leaf certificate file loads the cert successfully",
+			args: args{
+				d: caddyfile.NewTestDispenser(fmt.Sprintf(`
+				client_auth {
+					trusted_leaf_cert_file %s
+				}`, test_cert_file_1)),
+			},
+			expected: ClientAuthentication{
+				TrustedLeafCerts: []string{test_der_1},
+			},
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ca := &ClientAuthentication{}
+			if err := ca.UnmarshalCaddyfile(tt.args.d); (err != nil) != tt.wantErr {
+				t.Errorf("ClientAuthentication.UnmarshalCaddyfile() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if !tt.wantErr && !reflect.DeepEqual(&tt.expected, ca) {
+				t.Errorf("ClientAuthentication.UnmarshalCaddyfile() = %v, want %v", ca, tt.expected)
+			}
+		})
+	}
+}