mirror of
https://github.com/nginx/nginx.git
synced 2024-12-19 05:33:52 -06:00
SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Originally, the variables kept a result of X509_NAME_oneline(), which is, according to the official documentation, a legacy function. It produces a non standard output form and has various quirks and inconsistencies. The RFC2253 compliant behavior is introduced for these variables. The original variables are available through $ssl_client_s_dn_legacy and $ssl_client_i_dn_legacy.
This commit is contained in:
Dmitry Volyntsev
parent
9ec0b1fe12
commit
71c93a8e09
@ -3437,6 +3437,109 @@ ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
|||||||
|
|
||||||
ngx_int_t
|
ngx_int_t
|
||||||
ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
||||||
|
{
|
||||||
|
BIO *bio;
|
||||||
|
X509 *cert;
|
||||||
|
X509_NAME *name;
|
||||||
|
|
||||||
|
s->len = 0;
|
||||||
|
|
||||||
|
cert = SSL_get_peer_certificate(c->ssl->connection);
|
||||||
|
if (cert == NULL) {
|
||||||
|
return NGX_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
name = X509_get_subject_name(cert);
|
||||||
|
if (name == NULL) {
|
||||||
|
return NGX_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
|
bio = BIO_new(BIO_s_mem());
|
||||||
|
if (bio == NULL) {
|
||||||
|
X509_free(cert);
|
||||||
|
return NGX_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (X509_NAME_print_ex(bio, name, 0, XN_FLAG_RFC2253) < 0) {
|
||||||
|
goto failed;
|
||||||
|
}
|
||||||
|
|
||||||
|
s->len = BIO_pending(bio);
|
||||||
|
s->data = ngx_pnalloc(pool, s->len);
|
||||||
|
if (s->data == NULL) {
|
||||||
|
goto failed;
|
||||||
|
}
|
||||||
|
|
||||||
|
BIO_read(bio, s->data, s->len);
|
||||||
|
|
||||||
|
BIO_free(bio);
|
||||||
|
X509_free(cert);
|
||||||
|
|
||||||
|
return NGX_OK;
|
||||||
|
|
||||||
|
failed:
|
||||||
|
|
||||||
|
BIO_free(bio);
|
||||||
|
X509_free(cert);
|
||||||
|
|
||||||
|
return NGX_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
ngx_int_t
|
||||||
|
ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
||||||
|
{
|
||||||
|
BIO *bio;
|
||||||
|
X509 *cert;
|
||||||
|
X509_NAME *name;
|
||||||
|
|
||||||
|
s->len = 0;
|
||||||
|
|
||||||
|
cert = SSL_get_peer_certificate(c->ssl->connection);
|
||||||
|
if (cert == NULL) {
|
||||||
|
return NGX_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
name = X509_get_issuer_name(cert);
|
||||||
|
if (name == NULL) {
|
||||||
|
return NGX_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
|
bio = BIO_new(BIO_s_mem());
|
||||||
|
if (bio == NULL) {
|
||||||
|
X509_free(cert);
|
||||||
|
return NGX_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (X509_NAME_print_ex(bio, name, 0, XN_FLAG_RFC2253) < 0) {
|
||||||
|
goto failed;
|
||||||
|
}
|
||||||
|
|
||||||
|
s->len = BIO_pending(bio);
|
||||||
|
s->data = ngx_pnalloc(pool, s->len);
|
||||||
|
if (s->data == NULL) {
|
||||||
|
goto failed;
|
||||||
|
}
|
||||||
|
|
||||||
|
BIO_read(bio, s->data, s->len);
|
||||||
|
|
||||||
|
BIO_free(bio);
|
||||||
|
X509_free(cert);
|
||||||
|
|
||||||
|
return NGX_OK;
|
||||||
|
|
||||||
|
failed:
|
||||||
|
|
||||||
|
BIO_free(bio);
|
||||||
|
X509_free(cert);
|
||||||
|
|
||||||
|
return NGX_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
ngx_int_t
|
||||||
|
ngx_ssl_get_subject_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool,
|
||||||
|
ngx_str_t *s)
|
||||||
{
|
{
|
||||||
char *p;
|
char *p;
|
||||||
size_t len;
|
size_t len;
|
||||||
@ -3478,7 +3581,8 @@ ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
|||||||
|
|
||||||
|
|
||||||
ngx_int_t
|
ngx_int_t
|
||||||
ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
|
ngx_ssl_get_issuer_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool,
|
||||||
|
ngx_str_t *s)
|
||||||
{
|
{
|
||||||
char *p;
|
char *p;
|
||||||
size_t len;
|
size_t len;
|
||||||
|
|||||||
@ -205,6 +205,10 @@ ngx_int_t ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool,
|
|||||||
ngx_str_t *s);
|
ngx_str_t *s);
|
||||||
ngx_int_t ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool,
|
ngx_int_t ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool,
|
||||||
ngx_str_t *s);
|
ngx_str_t *s);
|
||||||
|
ngx_int_t ngx_ssl_get_subject_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool,
|
||||||
|
ngx_str_t *s);
|
||||||
|
ngx_int_t ngx_ssl_get_issuer_dn_legacy(ngx_connection_t *c, ngx_pool_t *pool,
|
||||||
|
ngx_str_t *s);
|
||||||
ngx_int_t ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool,
|
ngx_int_t ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool,
|
||||||
ngx_str_t *s);
|
ngx_str_t *s);
|
||||||
ngx_int_t ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool,
|
ngx_int_t ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool,
|
||||||
|
|||||||
@ -298,6 +298,12 @@ static ngx_http_variable_t ngx_http_ssl_vars[] = {
|
|||||||
{ ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_variable,
|
{ ngx_string("ssl_client_i_dn"), NULL, ngx_http_ssl_variable,
|
||||||
(uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
(uintptr_t) ngx_ssl_get_issuer_dn, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
||||||
|
|
||||||
|
{ ngx_string("ssl_client_s_dn_legacy"), NULL, ngx_http_ssl_variable,
|
||||||
|
(uintptr_t) ngx_ssl_get_subject_dn_legacy, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
||||||
|
|
||||||
|
{ ngx_string("ssl_client_i_dn_legacy"), NULL, ngx_http_ssl_variable,
|
||||||
|
(uintptr_t) ngx_ssl_get_issuer_dn_legacy, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
||||||
|
|
||||||
{ ngx_string("ssl_client_serial"), NULL, ngx_http_ssl_variable,
|
{ ngx_string("ssl_client_serial"), NULL, ngx_http_ssl_variable,
|
||||||
(uintptr_t) ngx_ssl_get_serial_number, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
(uintptr_t) ngx_ssl_get_serial_number, NGX_HTTP_VAR_CHANGEABLE, 0 },
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user