[nginx] SSL: the $ssl_client_escaped_cert variable (ticket #857).
Maxim Dounin
mdounin at mdounin.ru
Tue Aug 22 13:03:20 UTC 2017
details: http://hg.nginx.org/nginx/rev/82f0b8dcca27
branches:
changeset: 7091:82f0b8dcca27
user: Maxim Dounin <mdounin at mdounin.ru>
date: Tue Aug 22 15:18:10 2017 +0300
description:
SSL: the $ssl_client_escaped_cert variable (ticket #857).
This variable contains URL-encoded client SSL certificate. In contrast
to $ssl_client_cert, it doesn't depend on deprecated header continuation.
The NGX_ESCAPE_URI_COMPONENT variant of encoding is used, so the resulting
variable can be safely used not only in headers, but also as a request
argument.
The $ssl_client_cert variable should be considered deprecated now.
The $ssl_client_raw_cert variable will be eventually renambed back
to $ssl_client_cert.
diffstat:
src/event/ngx_event_openssl.c | 30 ++++++++++++++++++++++++++++++
src/event/ngx_event_openssl.h | 2 ++
src/http/modules/ngx_http_ssl_module.c | 4 ++++
src/stream/ngx_stream_ssl_module.c | 4 ++++
4 files changed, 40 insertions(+), 0 deletions(-)
diffs (80 lines):
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -3663,6 +3663,36 @@ ngx_ssl_get_certificate(ngx_connection_t
ngx_int_t
+ngx_ssl_get_escaped_certificate(ngx_connection_t *c, ngx_pool_t *pool,
+ ngx_str_t *s)
+{
+ ngx_str_t cert;
+ uintptr_t n;
+
+ if (ngx_ssl_get_raw_certificate(c, pool, &cert) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ if (cert.len == 0) {
+ s->len = 0;
+ return NGX_OK;
+ }
+
+ n = ngx_escape_uri(NULL, cert.data, cert.len, NGX_ESCAPE_URI_COMPONENT);
+
+ s->len = cert.len + n * 2;
+ s->data = ngx_pnalloc(pool, s->len);
+ if (s->data == NULL) {
+ return NGX_ERROR;
+ }
+
+ ngx_escape_uri(s->data, cert.data, cert.len, NGX_ESCAPE_URI_COMPONENT);
+
+ return NGX_OK;
+}
+
+
+ngx_int_t
ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
BIO *bio;
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -212,6 +212,8 @@ ngx_int_t ngx_ssl_get_raw_certificate(ng
ngx_str_t *s);
ngx_int_t ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *s);
+ngx_int_t ngx_ssl_get_escaped_certificate(ngx_connection_t *c, ngx_pool_t *pool,
+ ngx_str_t *s);
ngx_int_t ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *s);
ngx_int_t ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool,
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -299,6 +299,10 @@ static ngx_http_variable_t ngx_http_ssl
(uintptr_t) ngx_ssl_get_raw_certificate,
NGX_HTTP_VAR_CHANGEABLE, 0 },
+ { ngx_string("ssl_client_escaped_cert"), NULL, ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_escaped_certificate,
+ NGX_HTTP_VAR_CHANGEABLE, 0 },
+
{ ngx_string("ssl_client_s_dn"), NULL, ngx_http_ssl_variable,
(uintptr_t) ngx_ssl_get_subject_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -249,6 +249,10 @@ static ngx_stream_variable_t ngx_stream
(uintptr_t) ngx_ssl_get_raw_certificate,
NGX_STREAM_VAR_CHANGEABLE, 0 },
+ { ngx_string("ssl_client_escaped_cert"), NULL, ngx_stream_ssl_variable,
+ (uintptr_t) ngx_ssl_get_escaped_certificate,
+ NGX_STREAM_VAR_CHANGEABLE, 0 },
+
{ ngx_string("ssl_client_s_dn"), NULL, ngx_stream_ssl_variable,
(uintptr_t) ngx_ssl_get_subject_dn, NGX_STREAM_VAR_CHANGEABLE, 0 },
More information about the nginx-devel
mailing list