[nginx] SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Dmitry Volyntsev
xeioex at nginx.com
Fri Oct 21 13:47:46 UTC 2016
details: http://hg.nginx.org/nginx/rev/56d6bfe6b609
branches:
changeset: 6780:56d6bfe6b609
user: Dmitry Volyntsev <xeioex at nginx.com>
date: Fri Oct 21 16:28:39 2016 +0300
description:
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Originally, the variables kept a result of X509_NAME_oneline(),
which is, according to the official documentation, a legacy
function. It produces a non standard output form and has
various quirks and inconsistencies.
The RFC2253 compliant behavior is introduced for these variables.
The original variables are available through $ssl_client_s_dn_legacy
and $ssl_client_i_dn_legacy.
diffstat:
src/event/ngx_event_openssl.c | 106 ++++++++++++++++++++++++++++++++-
src/event/ngx_event_openssl.h | 4 +
src/http/modules/ngx_http_ssl_module.c | 6 +
3 files changed, 115 insertions(+), 1 deletions(-)
diffs (153 lines):
diff -r e4b00a021cea -r 56d6bfe6b609 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Fri Oct 21 15:18:44 2016 +0300
+++ b/src/event/ngx_event_openssl.c Fri Oct 21 16:28:39 2016 +0300
@@ -3438,6 +3438,109 @@ ngx_ssl_get_certificate(ngx_connection_t
ngx_int_t
ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
+ BIO *bio;
+ X509 *cert;
+ X509_NAME *name;
+
+ s->len = 0;
+
+ cert = SSL_get_peer_certificate(c->ssl->connection);
+ if (cert == NULL) {
+ return NGX_OK;
+ }
+
+ name = X509_get_subject_name(cert);
+ if (name == NULL) {
+ return NGX_ERROR;
+ }
+
+ bio = BIO_new(BIO_s_mem());
+ if (bio == NULL) {
+ X509_free(cert);
+ return NGX_ERROR;
+ }
+
+ if (X509_NAME_print_ex(bio, name, 0, XN_FLAG_RFC2253) < 0) {
+ goto failed;
+ }
+
+ s->len = BIO_pending(bio);
+ s->data = ngx_pnalloc(pool, s->len);
+ if (s->data == NULL) {
+ goto failed;
+ }
+
+ BIO_read(bio, s->data, s->len);
+
+ BIO_free(bio);
+ X509_free(cert);
+
+ return NGX_OK;
+
+failed:
+
+ BIO_free(bio);
+ X509_free(cert);
+
+ return NGX_ERROR;
+}
+
+
+ngx_int_t
+ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+ BIO *bio;
+ X509 *cert;
+ X509_NAME *name;
+
+ s->len = 0;
+
+ cert = SSL_get_peer_certificate(c->ssl->connection);
+ if (cert == NULL) {
+ return NGX_OK;
+ }
+
+ name = X509_get_issuer_name(cert);
+ if (name == NULL) {
+ return NGX_ERROR;
+ }
+
+ bio = BIO_new(BIO_s_mem());
+ if (bio == NULL) {
+ X509_free(cert);
+ return NGX_ERROR;
+ }
+
+ if (X509_NAME_print_ex(bio, name, 0, XN_FLAG_RFC2253) < 0) {
+ goto failed;
+ }
+
+ s->len = BIO_pending(bio);
+ s->data = ngx_pnalloc(pool, s->len);
+ if (s->data == NULL) {
+ goto failed;
+ }
+
+ BIO_read(bio, s->data, s->len);
+
+ BIO_free(bio);
+ X509_free(cert);
+
+ return NGX_OK;
+
+failed:
+
+ BIO_free(bio);
+ X509_free(cert);
+
+ return NGX_ERROR;
+}
+
+
+ngx_int_t
+ngx_ssl_get_subject_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool,
+ ngx_str_t *s)
+{
char *p;
size_t len;
X509 *cert;
@@ -3478,7 +3581,8 @@ ngx_ssl_get_subject_dn(ngx_connection_t
ngx_int_t
-ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+ngx_ssl_get_issuer_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool,
+ ngx_str_t *s)
{
char *p;
size_t len;
diff -r e4b00a021cea -r 56d6bfe6b609 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Fri Oct 21 15:18:44 2016 +0300
+++ b/src/event/ngx_event_openssl.h Fri Oct 21 16:28:39 2016 +0300
@@ -205,6 +205,10 @@ ngx_int_t ngx_ssl_get_subject_dn(ngx_con
ngx_str_t *s);
ngx_int_t ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *s);
+ngx_int_t ngx_ssl_get_subject_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool,
+ ngx_str_t *s);
+ngx_int_t ngx_ssl_get_issuer_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool,
+ ngx_str_t *s);
ngx_int_t ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *s);
ngx_int_t ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool,
diff -r e4b00a021cea -r 56d6bfe6b609 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Fri Oct 21 15:18:44 2016 +0300
+++ b/src/http/modules/ngx_http_ssl_module.c Fri Oct 21 16:28:39 2016 +0300
@@ -298,6 +298,12 @@ static ngx_http_variable_t ngx_http_ssl
{ ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_variable,
(uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },
+ { ngx_string("ssl_client_s_dn_legacy"), NULL, ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_subject_dn_legacy, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
+ { ngx_string("ssl_client_i_dn_legacy"), NULL, ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_issuer_dn_legacy, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
{ ngx_string("ssl_client_serial"), NULL, ngx_http_ssl_variable,
(uintptr_t) ngx_ssl_get_serial_number, NGX_HTTP_VAR_CHANGEABLE, 0 },
More information about the nginx-devel
mailing list