New ssl var: $ssl_client_ms_upn

Dave Bevan dave.bevan at bbc.co.uk
Fri Feb 24 13:48:27 UTC 2017


# HG changeset patch
# User Dave Bevan <dave.bevan at bbc.co.uk>
# Date 1487943997 0
#      Fri Feb 24 13:46:37 2017 +0000
# Node ID 5ccdcc88e98c31c4694fa47d6876934d2af0fcfd
# Parent  00903b2132edb863e8aed2e84e216817fcc07c90
Add new ssl variable: $ssl_client_ms_upn (Microsoft UserPrincipalName).

Retrieved from a client cert, this identity string is used in corporate
environments as a primary key when interacting with Active Directory.

Commonly used to set REMOTE_USER param. Brings equivalence with
Apache 2.4.17 which introduced access to the same data:

  https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/CHANGES

  Changes with Apache 2.4.17

  *) mod_ssl: Add support for extracting the msUPN and dnsSRV forms
       of subjectAltName entries of type "otherName" into
       SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment
       variables. Addresses PR 58020. [Jan Pazdziora <jpazdziora redhat.com>,
       Kaspar Brand]

Includes enhanced error checking (thanks Andrey K)

diff -r 00903b2132ed -r 5ccdcc88e98c src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c    Wed Feb 22 12:26:41 2017 +0800
+++ b/src/event/ngx_event_openssl.c    Fri Feb 24 13:46:37 2017 +0000
@@ -4081,6 +4081,67 @@
 }


+ngx_int_t
+ngx_ssl_get_client_ms_upn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+    int                      i;
+    BIO                     *bio;
+    X509                    *cert;
+    GENERAL_NAME            *altname;
+    STACK_OF(GENERAL_NAME)  *altnames;
+
+    s->len = 0;
+
+    cert = SSL_get_peer_certificate(c->ssl->connection);
+    if (cert == NULL) {
+        return NGX_OK;
+    }
+
+    bio = BIO_new(BIO_s_mem());
+    if (bio == NULL) {
+        X509_free(cert);
+        return NGX_ERROR;
+    }
+
+    altnames = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
+
+    if (altnames) {
+        for (i = 0; i < sk_GENERAL_NAME_num(altnames); i++) {
+            altname = sk_GENERAL_NAME_value(altnames, i);
+
+            if (altname->type != GEN_OTHERNAME) {
+                continue;
+            }
+
+            if (NID_ms_upn != OBJ_obj2nid(altname->d.otherName->type_id)) {
+                continue;
+            }
+
+            BIO_printf(bio, "%s",
+                (char*)ASN1_STRING_data(altname->d.otherName->value->value.asn1_string));
+            break;
+        }
+    }
+
+    s->len = BIO_pending(bio);
+    s->data = ngx_pnalloc(pool, s->len);
+    if (s->data == NULL) {
+        BIO_free(bio);
+        X509_free(cert);
+        GENERAL_NAMES_free(altnames);
+        return NGX_ERROR;
+    }
+
+    BIO_read(bio, s->data, s->len);
+
+    BIO_free(bio);
+    X509_free(cert);
+    GENERAL_NAMES_free(altnames);
+
+    return NGX_OK;
+}
+
+
 static time_t
 ngx_ssl_parse_time(
 #if OPENSSL_VERSION_NUMBER > 0x10100000L
diff -r 00903b2132ed -r 5ccdcc88e98c src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h    Wed Feb 22 12:26:41 2017 +0800
+++ b/src/event/ngx_event_openssl.h    Fri Feb 24 13:46:37 2017 +0000
@@ -226,6 +226,8 @@
     ngx_str_t *s);
 ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
+ngx_int_t ngx_ssl_get_client_ms_upn(ngx_connection_t *c, ngx_pool_t *pool,
+    ngx_str_t *s);


 ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);
diff -r 00903b2132ed -r 5ccdcc88e98c src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c    Wed Feb 22 12:26:41 2017 +0800
+++ b/src/http/modules/ngx_http_ssl_module.c    Fri Feb 24 13:46:37 2017 +0000
@@ -328,6 +328,9 @@
     { ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable,
       (uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 },

+    { ngx_string("ssl_client_ms_upn"), NULL, ngx_http_ssl_variable,
+      (uintptr_t) ngx_ssl_get_client_ms_upn, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
     { ngx_null_string, NULL, NULL, 0, 0, 0 }
 };

diff -r 00903b2132ed -r 5ccdcc88e98c src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c    Wed Feb 22 12:26:41 2017 +0800
+++ b/src/stream/ngx_stream_ssl_module.c    Fri Feb 24 13:46:37 2017 +0000
@@ -272,6 +272,9 @@
     { ngx_string("ssl_client_v_remain"), NULL, ngx_stream_ssl_variable,
       (uintptr_t) ngx_ssl_get_client_v_remain, NGX_STREAM_VAR_CHANGEABLE, 0 },

+    { ngx_string("ssl_client_ms_upn"), NULL, ngx_stream_ssl_variable,
+      (uintptr_t) ngx_ssl_get_client_ms_upn, NGX_STREAM_VAR_CHANGEABLE, 0 },
+
     { ngx_null_string, NULL, NULL, 0, 0, 0 }
 };

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20170224/34d8b7fb/attachment.html>


More information about the nginx-devel mailing list