[PATCH 4 of 5] SSL: introduce certificate list support.
Filipe DA SILVA
fdasilva at ingima.com
Mon Apr 27 15:39:52 UTC 2015
# HG changeset patch
# User Filipe da Silva <fdasilva at ingima.com>
# Date 1430147821 -7200
# Mon Apr 27 17:17:01 2015 +0200
# Node ID e465a170ec3889eef1ab2d5d9f59cf8b12e97055
# Parent 1b79826c93a4822fa3c11bc4139ca76e5189b14c
SSL: introduce certificate list support.
Arguments are now a list of certificates and a list of keys.
Split ngx_ssl_certificate to loop separately on certs and keys.
SSL session_id_context value is built with every configured certificate.
Compatible with 'stable-1.8'
diff -r 1b79826c93a4 -r e465a170ec38 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Mon Apr 27 17:17:01 2015 +0200
+++ b/src/event/ngx_event_openssl.c Mon Apr 27 17:17:01 2015 +0200
@@ -33,6 +33,10 @@ static void ngx_ssl_connection_error(ngx
ngx_err_t err, char *text);
static void ngx_ssl_clear_error(ngx_log_t *log);
+static ngx_int_t ngx_ssl_server_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ ngx_str_t *cert);
+static ngx_int_t ngx_ssl_private_key(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ ngx_str_t *key, ngx_array_t *passwords);
static ngx_int_t ngx_ssl_session_id_context(ngx_ssl_t *ssl,
ngx_str_t *sess_ctx);
ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
@@ -338,14 +342,39 @@ ngx_ssl_get_next_server_certificate(ngx_
ngx_int_t
-ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
- ngx_str_t *key, ngx_array_t *passwords)
+ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs,
+ ngx_array_t *keys, ngx_array_t *passwords)
+{
+ ngx_uint_t i, j;
+ ngx_str_t *cert;
+ ngx_str_t *key;
+
+ /* Load server certificates */
+ cert = certs->elts;
+ for (i = 0; i < certs->nelts; i++, cert++) {
+ if (ngx_ssl_server_certificate(cf, ssl, cert) != NGX_OK) {
+ return NGX_ERROR;
+ }
+ }
+
+ /* Load private keys */
+ key = keys->elts;
+ for (j = 0; j < keys->nelts; j++, key++) {
+ if (ngx_ssl_private_key(cf, ssl, key, passwords) != NGX_OK) {
+ return NGX_ERROR;
+ }
+ }
+
+ return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_ssl_server_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert)
{
BIO *bio;
X509 *x509;
u_long n;
- ngx_str_t *pwd;
- ngx_uint_t tries;
if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
return NGX_ERROR;
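Review bot: ngx_ssl_certificates loads every entry of `certs` before any entry of `keys` and never checks that the two arrays have the same length, so a configuration with more certificates than keys (or the reverse) passes this function and is only rejected, if at all, when OpenSSL later applies a key. Add a length check before the first loop: `if (certs->nelts != keys->nelts) { ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "number of certificates and keys must match"); return NGX_ERROR; }`. Whether each key ends up paired with its intended certificate rather than the last one loaded depends on how ngx_ssl_private_key applies it, which is outside this hunk, so the pairing contract should be stated in a comment above ngx_ssl_certificates. As a point of style, the two loops use separate indices `i` and `j` although neither outlives its loop; a single index suffices. The body of ngx_ssl_server_certificate continues past the end of the hunk.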
@@ -441,6 +470,17 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_
BIO_free(bio);
+ return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_ssl_private_key(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *key,
+ ngx_array_t *passwords)
+{
+ ngx_str_t *pwd;
+ ngx_uint_t tries;
+
if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) {
#ifndef OPENSSL_NO_ENGINE
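Review bot: ngx_ssl_private_key has no header comment recording that ngx_ssl_certificates calls it once per key only after every certificate has been loaded, an ordering the new split now depends on; a one-line comment such as `/* Loads one private key into ssl->ctx; called after all server certificates have been loaded by ngx_ssl_server_certificate(). */` above the definition would document that. The `pwd`/`tries` locals moved here suggest the password retry handling now lives in this function, but its body continues past the end of the hunk, so that cannot be confirmed from what is shown.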
@@ -2205,17 +2245,23 @@ ngx_ssl_session_id_context(ngx_ssl_t *ss
cert = ngx_ssl_get_server_certificate(ssl);
- if (X509_digest(cert, EVP_sha1(), buf, &len) == 0) {
- ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
- "X509_digest() failed");
- goto failed;
+ while (cert) {
+
+ if (X509_digest(cert, EVP_sha1(), buf, &len) == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "X509_digest() failed");
+ goto failed;
+ }
+
+ if (EVP_DigestUpdate(&md, buf, len) == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "EVP_DigestUpdate() failed");
+ goto failed;
+ }
+
+ cert = ngx_ssl_get_next_server_certificate(ssl);
}
- if (EVP_DigestUpdate(&md, buf, len) == 0) {
- ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
- "EVP_DigestUpdate() failed");
- goto failed;
- }
list = SSL_CTX_get_client_CA_list(ssl->ctx);
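Review bot: With the digest step wrapped in `while (cert)`, a NULL result from ngx_ssl_get_server_certificate() now silently skips certificate hashing and the session id context is derived from the client CA list alone, whereas the removed code would have failed inside X509_digest(); if an empty certificate list can reach this point, guard it explicitly before the loop, e.g. `if (cert == NULL) { ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "no server certificate"); goto failed; }`. The digest also now depends on the order in which ngx_ssl_get_next_server_certificate() yields certificates, so reordering the configured list changes the session id context and invalidates previously cached sessions; a short comment above the loop saying so would help the next maintainer. ngx_ssl_session_id_context starts before and ends after this hunk.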
diff -r 1b79826c93a4 -r e465a170ec38 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Mon Apr 27 17:17:01 2015 +0200
+++ b/src/event/ngx_event_openssl.h Mon Apr 27 17:17:01 2015 +0200
@@ -122,8 +122,8 @@ typedef struct {
ngx_int_t ngx_ssl_init(ngx_log_t *log);
ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data);
-ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
- ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords);
+ngx_int_t ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ ngx_array_t *certs, ngx_array_t *keys, ngx_array_t *passwords);
ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,