Add new ssl variable: ssl_client_ms_upn

Dave Bevan dave.bevan at bbc.co.uk
Wed Feb 22 23:35:48 UTC 2017


Attempt #2 - have removed previously-proposed ssl_client_s_cn and ssl_client_email vars as these are now satisfied, as advised, by map constructs.

# HG changeset patch
# User Dave Bevan <dave.bevan at bbc.co.uk>
# Date 1487806316 0
#      Wed Feb 22 23:31:56 2017 +0000
# Node ID e0a82e49175e9092b63fb7d86054a698d8fc3085
# Parent  00903b2132edb863e8aed2e84e216817fcc07c90
Add new ssl variable: $ssl_client_ms_upn (Microsoft UserPrincipalName).

Retrieved from a client cert, this identity string is used in corporate
environments as a primary key when interacting with Active Directory.

Commonly used to set REMOTE_USER param. Brings equivalence with
Apache 2.4.17 which introduced access to the same data:

  https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/CHANGES

  Changes with Apache 2.4.17

  *) mod_ssl: Add support for extracting the msUPN and dnsSRV forms
       of subjectAltName entries of type "otherName" into
       SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment
       variables. Addresses PR 58020. [Jan Pazdziora <jpazdziora redhat.com>,
       Kaspar Brand]

diff -r 00903b2132ed -r e0a82e49175e src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c    Wed Feb 22 12:26:41 2017 +0800
+++ b/src/event/ngx_event_openssl.c    Wed Feb 22 23:31:56 2017 +0000
@@ -4081,6 +4081,60 @@
 }


+ngx_int_t
+ngx_ssl_get_client_ms_upn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+    int                      i;
+    BIO                     *bio;
+    X509                    *cert;
+    GENERAL_NAME            *altname;
+    STACK_OF(GENERAL_NAME)  *altnames;
+
+    s->len = 0;
+
+    cert = SSL_get_peer_certificate(c->ssl->connection);
+    if (cert == NULL) {
+        return NGX_OK;
+    }
+
+    bio = BIO_new(BIO_s_mem());
+    if (bio == NULL) {
+        X509_free(cert);
+        return NGX_ERROR;
+    }
+
+    altnames = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
+
+    if (altnames) {
+        for (i = 0; i < sk_GENERAL_NAME_num(altnames); i++) {
+            altname = sk_GENERAL_NAME_value(altnames, i);
+
+            if (altname->type != GEN_OTHERNAME) {
+                continue;
+            }
+
+            if (NID_ms_upn != OBJ_obj2nid(altname->d.otherName->type_id)) {
+                continue;
+            }
+
+            BIO_printf(bio, "%s",
+                (char*)ASN1_STRING_data(altname->d.otherName->value->value.asn1_string));
+            break;
+        }
+    }
+
+    s->len = BIO_pending(bio);
+    s->data = ngx_pnalloc(pool, s->len);
+
+    BIO_read(bio, s->data, s->len);
+    BIO_free(bio);
+    X509_free(cert);
+    GENERAL_NAMES_free(altnames);
+
+    return NGX_OK;
+}
+
+
 static time_t
 ngx_ssl_parse_time(
 #if OPENSSL_VERSION_NUMBER > 0x10100000L
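Review bot: The `s->data = ngx_pnalloc(pool, s->len);` result is never checked, so on allocation failure the following `BIO_read` writes through a NULL pointer and `bio`, `cert` and `altnames` are leaked; the neighbouring `ngx_ssl_get_*` accessors in this file appear to free and return `NGX_ERROR` on that path, and this one should match. The `BIO_printf(bio, "%s", ...)` copy also trusts that the otherName value is a NUL-terminated string: the value's ASN1_TYPE `type` is never compared with `V_ASN1_UTF8STRING`, and an ASN1_STRING may legitimately contain embedded NULs, so a UPN would be silently truncated at the first NUL before it is exposed as an identity — copying `ASN1_STRING_length()` bytes with `BIO_write` bounds the copy by the encoded length instead. `ASN1_STRING_data` is additionally deprecated from OpenSSL 1.1.0 in favour of `ASN1_STRING_get0_data`, which the `#if OPENSSL_VERSION_NUMBER > 0x10100000L` in the trailing context suggests this file already has to accommodate. The rewritten loop tail and allocation check follow; the `ngx_ssl_parse_time` definition in the trailing context continues outside the hunk.
```c
            /* … unchanged: GEN_OTHERNAME and NID_ms_upn filters … */

            if (altname->d.otherName->value->type != V_ASN1_UTF8STRING) {
                continue;
            }

            /* length-bounded copy: an ASN1_STRING is not guaranteed NUL-terminated */
            BIO_write(bio,
                      ASN1_STRING_data(altname->d.otherName->value->value.asn1_string),
                      ASN1_STRING_length(altname->d.otherName->value->value.asn1_string));
            break;

    /* … unchanged: end of loop, s->len = BIO_pending(bio) … */

    s->data = ngx_pnalloc(pool, s->len);
    if (s->data == NULL) {
        BIO_free(bio);
        X509_free(cert);
        GENERAL_NAMES_free(altnames);
        return NGX_ERROR;
    }

    /* … unchanged: BIO_read, frees, return NGX_OK … */
```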
diff -r 00903b2132ed -r e0a82e49175e src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h    Wed Feb 22 12:26:41 2017 +0800
+++ b/src/event/ngx_event_openssl.h    Wed Feb 22 23:31:56 2017 +0000
@@ -226,6 +226,8 @@
     ngx_str_t *s);
 ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
+ngx_int_t ngx_ssl_get_client_ms_upn(ngx_connection_t *c, ngx_pool_t *pool,
+    ngx_str_t *s);


 ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);
diff -r 00903b2132ed -r e0a82e49175e src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c    Wed Feb 22 12:26:41 2017 +0800
+++ b/src/http/modules/ngx_http_ssl_module.c    Wed Feb 22 23:31:56 2017 +0000
@@ -328,6 +328,9 @@
     { ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable,
       (uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 },

+    { ngx_string("ssl_client_ms_upn"), NULL, ngx_http_ssl_variable,
+      (uintptr_t) ngx_ssl_get_client_ms_upn, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
     { ngx_null_string, NULL, NULL, 0, 0, 0 }
 };

diff -r 00903b2132ed -r e0a82e49175e src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c    Wed Feb 22 12:26:41 2017 +0800
+++ b/src/stream/ngx_stream_ssl_module.c    Wed Feb 22 23:31:56 2017 +0000
@@ -272,6 +272,9 @@
     { ngx_string("ssl_client_v_remain"), NULL, ngx_stream_ssl_variable,
       (uintptr_t) ngx_ssl_get_client_v_remain, NGX_STREAM_VAR_CHANGEABLE, 0 },

+    { ngx_string("ssl_client_ms_upn"), NULL, ngx_stream_ssl_variable,
+      (uintptr_t) ngx_ssl_get_client_ms_upn, NGX_STREAM_VAR_CHANGEABLE, 0 },
+
     { ngx_null_string, NULL, NULL, 0, 0, 0 }
 };


Rgds,
--
Dave Bevan
Senior Broadcast Systems Developer
News Labs, BBC Design & Engineering

bbc<http://bbcnewslabs.co.uk/>newslabs.co.uk<http://bbcnewslabs.co.uk/>  bbc.co.uk/news<http://bbc.co.uk/news/>


