New ssl var: $ssl_client_ms_upn

Dave Bevan dave.bevan at bbc.co.uk
Fri Mar 3 12:08:56 UTC 2017


Hi.

At the risk of being shot down in flames, what else do I need to do to comply with your requirements to get my patch accepted such that it appears at http://hg.nginx.org/nginx/?

I'm happy to contribute documentation, add a test case to the nginx-test repo etc.

Many thanks,
--
Dave Bevan
Senior Broadcast Systems Developer
News Labs, BBC Design & Engineering

bbcnewslabs.co.uk  bbc.co.uk/news

________________________________________
From: nginx-devel [nginx-devel-bounces at nginx.org] on behalf of nginx-devel-request at nginx.org [nginx-devel-request at nginx.org]
Sent: 25 February 2017 12:00
To: nginx-devel at nginx.org
Subject: nginx-devel Digest, Vol 88, Issue 35


Message: 1
Date: Fri, 24 Feb 2017 13:48:27 +0000
From: Dave Bevan <dave.bevan at bbc.co.uk>
To: "nginx-devel at nginx.org" <nginx-devel at nginx.org>
Subject: New ssl var: $ssl_client_ms_upn
Message-ID: <8B4260EB2A248F47B816B86AAB389ECD8CB863AF at bgb01xud1008>
Content-Type: text/plain; charset="iso-8859-1"

# HG changeset patch
# User Dave Bevan <dave.bevan at bbc.co.uk>
# Date 1487943997 0
#      Fri Feb 24 13:46:37 2017 +0000
# Node ID 5ccdcc88e98c31c4694fa47d6876934d2af0fcfd
# Parent  00903b2132edb863e8aed2e84e216817fcc07c90
Add new ssl variable: $ssl_client_ms_upn (Microsoft UserPrincipalName).

Retrieved from a client cert, this identity string is used in corporate
environments as a primary key when interacting with Active Directory.

Commonly used to set REMOTE_USER param. Brings equivalence with
Apache 2.4.17 which introduced access to the same data:

  https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/CHANGES

  Changes with Apache 2.4.17

  *) mod_ssl: Add support for extracting the msUPN and dnsSRV forms
       of subjectAltName entries of type "otherName" into
       SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment
       variables. Addresses PR 58020. [Jan Pazdziora <jpazdziora redhat.com>,
       Kaspar Brand]

Includes enhanced error checking (thanks Andrey K)

diff -r 00903b2132ed -r 5ccdcc88e98c src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c    Wed Feb 22 12:26:41 2017 +0800
+++ b/src/event/ngx_event_openssl.c    Fri Feb 24 13:46:37 2017 +0000
@@ -4081,6 +4081,67 @@
 }


+ngx_int_t
+ngx_ssl_get_client_ms_upn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+    int                      i;
+    BIO                     *bio;
+    X509                    *cert;
+    GENERAL_NAME            *altname;
+    STACK_OF(GENERAL_NAME)  *altnames;
+
+    s->len = 0;
+
+    cert = SSL_get_peer_certificate(c->ssl->connection);
+    if (cert == NULL) {
+        return NGX_OK;
+    }
+
+    bio = BIO_new(BIO_s_mem());
+    if (bio == NULL) {
+        X509_free(cert);
+        return NGX_ERROR;
+    }
+
+    altnames = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
+
+    if (altnames) {
+        for (i = 0; i < sk_GENERAL_NAME_num(altnames); i++) {
+            altname = sk_GENERAL_NAME_value(altnames, i);
+
+            if (altname->type != GEN_OTHERNAME) {
+                continue;
+            }
+
+            if (NID_ms_upn != OBJ_obj2nid(altname->d.otherName->type_id)) {
+                continue;
+            }
+
+            BIO_printf(bio, "%s",
+                (char*)ASN1_STRING_data(altname->d.otherName->value->value.asn1_string));
+            break;
+        }
+    }
+
+    s->len = BIO_pending(bio);
+    s->data = ngx_pnalloc(pool, s->len);
+    if (s->data == NULL) {
+        BIO_free(bio);
+        X509_free(cert);
+        GENERAL_NAMES_free(altnames);
+        return NGX_ERROR;
+    }
+
+    BIO_read(bio, s->data, s->len);
+
+    BIO_free(bio);
+    X509_free(cert);
+    GENERAL_NAMES_free(altnames);
+
+    return NGX_OK;
+}
+
+
 static time_t
 ngx_ssl_parse_time(
 #if OPENSSL_VERSION_NUMBER > 0x10100000L
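Review bot: the otherName value is read as an ASN1_STRING without first checking `altname->d.otherName->value->type == V_ASN1_UTF8STRING`. The msUPN otherName is defined to carry a UTF8String, but the peer controls the certificate, and `ASN1_TYPE.value` is a union: for a non-string type (BOOLEAN, NULL, a SEQUENCE) `value.asn1_string` is not a valid ASN1_STRING pointer and `ASN1_STRING_data()` dereferences garbage. Add the type check and skip (or return NGX_ERROR on) anything else. The `BIO_printf(bio, "%s", ...)` call on the next line also treats the data as NUL-terminated C text, so a value containing a NUL byte is silently truncated before it becomes `$ssl_client_ms_upn`; prefer `BIO_write(bio, ASN1_STRING_data(...), ASN1_STRING_length(...))` and reject a value whose length differs from `strlen()` of its contents. Minor: `ASN1_STRING_data()` is deprecated since OpenSSL 1.1.0 in favour of `ASN1_STRING_get0_data()`, and that line exceeds 80 columns and writes the cast as `(char*)` where the surrounding file uses `(char *)`.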
diff -r 00903b2132ed -r 5ccdcc88e98c src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h    Wed Feb 22 12:26:41 2017 +0800
+++ b/src/event/ngx_event_openssl.h    Fri Feb 24 13:46:37 2017 +0000
@@ -226,6 +226,8 @@
     ngx_str_t *s);
 ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
+ngx_int_t ngx_ssl_get_client_ms_upn(ngx_connection_t *c, ngx_pool_t *pool,
+    ngx_str_t *s);


 ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);
diff -r 00903b2132ed -r 5ccdcc88e98c src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c    Wed Feb 22 12:26:41 2017 +0800
+++ b/src/http/modules/ngx_http_ssl_module.c    Fri Feb 24 13:46:37 2017 +0000
@@ -328,6 +328,9 @@
     { ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable,
       (uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 },

+    { ngx_string("ssl_client_ms_upn"), NULL, ngx_http_ssl_variable,
+      (uintptr_t) ngx_ssl_get_client_ms_upn, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
     { ngx_null_string, NULL, NULL, 0, 0, 0 }
 };

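Review bot: the new `ssl_client_ms_upn` entry is registered here (and again for stream below) but nothing in the patch documents or exercises it: the variable list in the ngx_http_ssl_module documentation and an nginx-tests case with a client certificate carrying an msUPN otherName, plus one without, should accompany the change. The documentation should also say that the value is empty both when no client certificate was presented and when the certificate has no msUPN, since a downstream that sets REMOTE_USER from it cannot tell the two cases apart.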
diff -r 00903b2132ed -r 5ccdcc88e98c src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c    Wed Feb 22 12:26:41 2017 +0800
+++ b/src/stream/ngx_stream_ssl_module.c    Fri Feb 24 13:46:37 2017 +0000
@@ -272,6 +272,9 @@
     { ngx_string("ssl_client_v_remain"), NULL, ngx_stream_ssl_variable,
       (uintptr_t) ngx_ssl_get_client_v_remain, NGX_STREAM_VAR_CHANGEABLE, 0 },

+    { ngx_string("ssl_client_ms_upn"), NULL, ngx_stream_ssl_variable,
+      (uintptr_t) ngx_ssl_get_client_ms_upn, NGX_STREAM_VAR_CHANGEABLE, 0 },
+
     { ngx_null_string, NULL, NULL, 0, 0, 0 }
 };



End of nginx-devel Digest, Vol 88, Issue 35
*******************************************
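Since the thread shows the extraction only as an nginx patch, here is an added, stand-alone illustration of what `$ssl_client_ms_upn` parses (my code, not nginx's or OpenSSL's): it walks a DER-encoded subjectAltName, finds the otherName whose type-id is the msUPN OID 1.3.6.1.4.1.311.20.2.3, and accepts the value only when it is a UTF8String with no embedded NUL byte, the checks a server should make before exporting the string as REMOTE_USER. It uses a hand-written DER walk instead of OpenSSL calls so it runs anywhere; the sample SAN byte strings are constructed inline, and `extract_ms_upn`, `read_tlv`, `decode_oid`, `tlv`, `other_name` and `is_rejected` are names chosen for this example.

```python
# Added example (not nginx/OpenSSL code): extract the Microsoft UPN otherName
# from a DER subjectAltName with the type and NUL checks a server needs
# before treating the string as an identity. Sample SANs are constructed.

MS_UPN_OID = "1.3.6.1.4.1.311.20.2.3"
MS_UPN_OID_DER = bytes.fromhex("2b060104018237140203")  # OID contents of the above


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = byte count
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(data):
    """Decode OBJECT IDENTIFIER contents to dotted-decimal text."""
    if not data:
        raise ValueError("empty OID")
    arcs = [2, data[0] - 80] if data[0] >= 80 else [data[0] // 40, data[0] % 40]
    arc, pending = 0, False
    for b in data[1:]:
        arc = (arc << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(arc)
            arc = 0
    if pending:                            # last byte still had its continuation bit
        raise ValueError("truncated OID arc")
    return ".".join(map(str, arcs))


def extract_ms_upn(san_der):
    """Return the msUPN from a subjectAltName value, or None if none is present.

    Raises ValueError if the SAN is malformed or the msUPN value is not a
    UTF8String, holds a NUL byte, or is not valid UTF-8. Callers should treat
    ValueError as "reject the certificate", not as "empty identity".
    """
    tag, names, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName is not a SEQUENCE")
    pos = 0
    while pos < len(names):
        tag, value, pos = read_tlv(names, pos)
        if tag != 0xA0:                    # [0] otherName; dNSName etc. are skipped
            continue
        oid_tag, oid, p = read_tlv(value, 0)
        if oid_tag != 0x06 or decode_oid(oid) != MS_UPN_OID:
            continue                       # a different otherName, e.g. dnsSRV
        exp_tag, explicit, _ = read_tlv(value, p)
        if exp_tag != 0xA0:
            raise ValueError("otherName value lacks its EXPLICIT [0] wrapper")
        val_tag, raw, _ = read_tlv(explicit, 0)
        if val_tag != 0x0C:                # must be UTF8String before use as text
            raise ValueError("msUPN value is not a UTF8String (tag 0x%02x)" % val_tag)
        if b"\x00" in raw:                 # C-string copying would truncate here
            raise ValueError("msUPN contains an embedded NUL byte")
        return raw.decode("utf-8")         # UnicodeDecodeError is a ValueError
    return None


def is_rejected(san_der):
    """True when extract_ms_upn() refuses the SAN instead of returning a value."""
    try:
        extract_ms_upn(san_der)
        return False
    except ValueError:
        return True


# --- constructed sample SANs (not taken from any real certificate) ----------

def tlv(tag, body):
    """Tiny DER encoder for bodies under 128 bytes, enough to build samples."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def other_name(oid_der, value_der):
    """GeneralName [0] otherName: SEQUENCE { type-id OID, value [0] EXPLICIT ANY }."""
    return tlv(0xA0, tlv(0x06, oid_der) + tlv(0xA0, value_der))


DNS_NAME = tlv(0x82, b"host.example.com")                                   # [2] dNSName
SAN_WITH_UPN = tlv(0x30, other_name(MS_UPN_OID_DER, tlv(0x0C, b"user@example.com")) + DNS_NAME)
SAN_NO_UPN = tlv(0x30, DNS_NAME)
SAN_WRONG_TYPE = tlv(0x30, other_name(MS_UPN_OID_DER, tlv(0x02, b"\x01")))  # INTEGER, not UTF8String
SAN_EMBEDDED_NUL = tlv(0x30, other_name(MS_UPN_OID_DER, tlv(0x0C, b"admin\x00@example.com")))

if __name__ == "__main__":
    for label, san in [("with UPN", SAN_WITH_UPN), ("no UPN", SAN_NO_UPN),
                       ("wrong type", SAN_WRONG_TYPE), ("embedded NUL", SAN_EMBEDDED_NUL)]:
        try:
            print(label, "->", extract_ms_upn(san))
        except ValueError as e:
            print(label, "-> REJECT:", e)
```

The two rejected samples are the cases a `%s`-style copy of `value.asn1_string` handles badly: a non-string type would be read through the wrong union member, and an embedded NUL would yield a shortened identity that still looks valid to whatever consumes REMOTE_USER. Distinguishing "absent" (None) from "malformed" (ValueError) lets the server fail closed on the latter while still serving clients whose certificates simply carry no UPN.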



