diff --git a/src/ngx_http_voms_module.cpp b/src/ngx_http_voms_module.cpp
index a22e37438efec580186ad5491ef3fa74c1ff93ad..29ae6a9855c42b5dedd966fb96c806ce8cbe6638 100644
--- a/src/ngx_http_voms_module.cpp
+++ b/src/ngx_http_voms_module.cpp
@@ -519,7 +519,7 @@ static uint32_t X509_get_extension_flags(X509* x)
 
 static bool is_ca(X509* cert)
 {
-  return X509_get_extension_flags(cert) & EXFLAG_CA;
+  return X509_check_ca(cert) != 0;
 }
 
 static bool is_proxy(X509* cert)
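Review bot: `X509_check_ca(cert) != 0` in is_ca() accepts more than the old `EXFLAG_CA` test did. Besides 1 for a v3 certificate with basicConstraints CA:TRUE, OpenSSL returns other non-zero codes for legacy forms such as a self-signed v1 certificate or a keyUsage with keyCertSign but no basicConstraints. The next hunk makes get_ee_cert() stop its search at the first certificate is_ca() accepts, so this wider definition now influences which certificate is exposed as the end-entity one. If only proper v3 CAs are meant, `return X509_check_ca(cert) == 1;` says so; otherwise a comment such as `// non-zero also covers v1 self-signed and keyCertSign-only certificates` would record the intent. is_proxy() begins on the hunk's last line and its body is outside the hunk.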
@@ -544,11 +544,18 @@ static X509* get_ee_cert(ngx_http_request_t* r)
     // find first non-proxy and non-ca cert
     for (int i = 0; i != sk_X509_num(chain); ++i) {
       auto cert = sk_X509_value(chain, i);
-      if (cert && !is_proxy(cert) && !is_ca(cert)) {
+      if (cert && is_ca(cert)) {
+        break;
+      }
+      if (cert && !is_proxy(cert)) {
         ee_cert = cert;
         break;
       }
     }
+
+    if (!ee_cert) {
+      ee_cert = SSL_get_peer_certificate(r->connection->ssl->connection);
+    }
   }
 
   return ee_cert;
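Review bot: The fallback `ee_cert = SSL_get_peer_certificate(...)` returns a pointer with different ownership from the loop's result. `sk_X509_value()` gives a borrowed pointer, while `SSL_get_peer_certificate()` gives a new reference that must be released with `X509_free()`. The caller is outside the hunk, so whether it frees the result cannot be seen here, but as written one path either leaks or is freed without owning a reference; both paths should be owned or both borrowed, with a comment such as `// returned pointer is borrowed from the connection; do not X509_free()` stating which. The fallback also skips the `is_proxy()` test, so if the loop stops at a CA before seeing an EEC and the peer certificate is a proxy, that proxy would be returned as the end-entity certificate; checking `!is_proxy(...)` on the fallback result would keep the invariant. get_ee_cert() starts before and ends after the hunk.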
diff --git a/t/certs/9.key.pem b/t/certs/9.key.pem
new file mode 100644
index 0000000000000000000000000000000000000000..c5d719027890beb934a79f348e68301376c08c5b
--- /dev/null
+++ b/t/certs/9.key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAysba8IaGdu0scSEo5UalpgVgelPjf8VtpEtblH60EWr+mrlb
+ZrRFuOSeOFU4t1lumNdd0QcJkuqFvt5c8gQWVT6p4Vff1ZE8S6fN4BlVbxwE4BoJ
+I3k8SLDhPk5DygKGSf0BXAnz4d1nWdwDSNeFmJADPVV7Em4dqJArFhmuKOqc7dz7
+dcypMjuD1tHAZJXrQyJiStr7n7g1TZuyM/8t//KWPKdzKIsGxfz3Um2u10AMQVlC
+TKGpXofMcvB0kTp+7RdmpcaAyx+EFoaelA59q7zlrHgalDD1xY7FItf65MNaBwIz
+K6E5OZS9eRiNCxneXU1aKZClxW002MUpD89TCwIDAQABAoIBAQCEcGTG+9YPDtEc
+AoBnX0EJsjFVND0+UoBN8joaPrb1OWCZRb8A0XVIUWlVebPVbL/ja6aGw4XpQuuf
+wjQKjcjYXFkwKOi04Gr1LuA0Ide+/hnhFKArXx+UipJS02NLKWL0KB8fMhDr0GOU
+OTKb/Mfw4P58rLv5SZptYdwCTzuE1KwL++ty6+v7qZC9WLjPnQ6zalBW/0rTn87o
+cA866a3qHlw9MJz7C7qqMrXCu9UrWQCeSuTz5mtxt8+mwoGfl8xTKQW+7yR2qOmG
+wLGoyLemgIUxL8xJn9YVTcDVSfVehRUsnPYYsHy7f0RqtJ3NPDcwoxN1BGnO1lY8
+hZHodX3BAoGBAPwicjNq51XBHEQ12h9dD3eC7cIRGjj+0WL5NrmOK/IoJLR6VP1D
+S4e54zMEtP34mxDmzf1E7AqelVnGI5AzfjgVJFpPfAFOsilO3CPx+TnEeWx9HU3q
+fyFf4vrjJ8RVolTthX3rksBP37zM28QjZQTaZ7Db+n4kBw/gy2YfYZpDAoGBAM3i
+scOr7N5E/7EUARbxn95TLrHG+P4JKo5vSkBTw4kLMG42s9BsEuTBnsFH2c0IL4tH
+VjaEHOAtqZH/rj6RNZEbVRpncECIquIphYoaO+wWMxBkXLRZPalOFX40C4kE0MKV
+Xx97fV7uwTpQv+146C+UxyixRkJPIH+GJrLBTcuZAoGAcfFbLLNmIhHoJUc08LGM
+mNTZf7dc41783z6Cpa6DW6cal1klaWLtEkRGUbsR1ChyY1v6wTdReKccFXr+fV9X
+7h5X1FxRTQH0b8iMoc3rdFi/CvEruhd8Jmf/2qOnSAnvF3RTvIkmQ7SVBuyJcIUS
+VPQiogF3nWPIsTtEkD0kTaMCgYAz+sHqpuNckosDiAtmYYZ9OP8W/ycp6+KEp3BV
+oVBCr0KA8Oqg+kgi3QdZwOwqKaDnRxFrHhu0NZMUOzsgrMSbaA0qZ2cdw+Nwyg7e
++RSb3Fb0EoKdPdKlhgNDI5yt8TtLhS7I4gKbDyhVssFiER59tNA7Y9ZbM2L/Dz2B
+7+/WMQKBgQDQVr4avU3VW1vo2P9UOUI+HAKw/nBVrRafOHqGDSzi+K7X0Rhy5lW6
+5GEwvW8sl3J6GtHAe3nKjztiTM9FzLkvUsMYASeczVJNOLQzsgLVHoSmWttpDUwA
+6PoOMroAOGR1r9WDBi4RwAk4c/2m5Z+l9CCp4wS6zBch140p5FH2tg==
+-----END RSA PRIVATE KEY-----
diff --git a/t/certs/9.pem b/t/certs/9.pem
new file mode 100644
index 0000000000000000000000000000000000000000..9feb47db99e60329ee61670c26fc597e71d0545c
--- /dev/null
+++ b/t/certs/9.pem
@@ -0,0 +1,43 @@
+-----BEGIN CERTIFICATE-----
+MIIDnjCCAoagAwIBAgIBCTANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJJVDEM
+MAoGA1UECgwDSUdJMRAwDgYDVQQDDAdUZXN0IENBMB4XDTEyMDkyNjE1MzkzNFoX
+DTIyMDkyNDE1MzkzNFowKzELMAkGA1UEBhMCSVQxDDAKBgNVBAoTA0lHSTEOMAwG
+A1UEAxMFdGVzdDAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKxtrw
+hoZ27SxxISjlRqWmBWB6U+N/xW2kS1uUfrQRav6auVtmtEW45J44VTi3WW6Y113R
+BwmS6oW+3lzyBBZVPqnhV9/VkTxLp83gGVVvHATgGgkjeTxIsOE+TkPKAoZJ/QFc
+CfPh3WdZ3ANI14WYkAM9VXsSbh2okCsWGa4o6pzt3Pt1zKkyO4PW0cBkletDImJK
+2vufuDVNm7Iz/y3/8pY8p3MoiwbF/PdSba7XQAxBWUJMoaleh8xy8HSROn7tF2al
+xoDLH4QWhp6UDn2rvOWseBqUMPXFjsUi1/rkw1oHAjMroTk5lL15GI0LGd5dTVop
+kKXFbTTYxSkPz1MLAgMBAAGjgcowgccwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU
+fLdB5+jO9LyWN2/VCNYgMa0jvHEwDgYDVR0PAQH/BAQDAgXgMD4GA1UdJQQ3MDUG
+CCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBBggrBgEF
+BQcDBDAfBgNVHSMEGDAWgBSRdzZ7LrRp8yfqt/YIi0ojohFJxjAnBgNVHREEIDAe
+gRxhbmRyZWEuY2VjY2FudGlAY25hZi5pbmZuLml0MA0GCSqGSIb3DQEBBQUAA4IB
+AQANYtWXetheSeVpCfnId9TkKyKTAp8RahNZl4XFrWWn2S9We7ACK/G7u1DebJYx
+d8POo8ClscoXyTO2BzHHZLxauEKIzUv7g2GehI+SckfZdjFyRXjD0+wMGwzX7MDu
+SL3CG2aWsYpkBnj6BMlr0P3kZEMqV5t2+2Tj0+aXppBPVwzJwRhnrSJiO5WIZAZf
+49YhMn61sQIrepvhrKEUR4XVorH2Bj8ek1/iLlgcmFMBOds+PrehSRR8Gn0IjlEg
+C68EY6KPE+FKySuS7Ur7lTAjNdddfdAgKV6hJyST6/dx8ymIkb8nxCPnxCcT2I2N
+vDxcPMc/wmnMa+smNal0sJ6m
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDgDCCAmigAwIBAgIJAMzDwAv7o5VUMA0GCSqGSIb3DQEBBQUAMC0xCzAJBgNV
+BAYTAklUMQwwCgYDVQQKDANJR0kxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMTIwOTI2
+MTUwMDU0WhcNMjIwOTI0MTUwMDU0WjAtMQswCQYDVQQGEwJJVDEMMAoGA1UECgwD
+SUdJMRAwDgYDVQQDDAdUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA9u4Fgtj7YpMRql3NAasEUmP6Byv/CH+dPZNzSxfNCMOPqARLBWS/2Ora
+m5cRpoBByT0LpjDCFBJhLrBKvCvmWOTfS1jYsQwSpC/5scButthlcNOhLKQSZblS
+8Pa7HoFS4zQFwCwWOYbOLF+FblYRgSY30WMi361giydeV8iei8KNH2FIoDyo9kjV
+gYQKp76LFv7urGhc5sHA+HWq7+AfyivtZC+a55Rw6EHXOQ+vih5TPXa1t5RL7IkY
+4U7Ld5ExptBIDx0UkSihYexAY4RGXVUaq535dGtJQ8/NYMrJ5NMGt2X0bRszArnE
+EKc/qdAcgcalgoiaZtVkq45eXADXzwIDAQABo4GiMIGfMB0GA1UdDgQWBBSRdzZ7
+LrRp8yfqt/YIi0ojohFJxjBdBgNVHSMEVjBUgBSRdzZ7LrRp8yfqt/YIi0ojohFJ
+xqExpC8wLTELMAkGA1UEBhMCSVQxDDAKBgNVBAoMA0lHSTEQMA4GA1UEAwwHVGVz
+dCBDQYIJAMzDwAv7o5VUMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEG
+MA0GCSqGSIb3DQEBBQUAA4IBAQB379cvZmfCLvGdoGbW+6ppDNy3pT9hqYmZAlfV
+FGZSEaTKjGCbPuErUNC6+7zhij5CmMtMRhccI3JswjPHPQGm12jiEC492J6Avj/x
+PL8vcBRofe4whXefDVgUw8G1nkQYr2BF0jzeiN72ToISGMbt/q94QV70lYCo/Tog
+UQQ6F+XhztffxQyRgsUXhR4qq1D4h7UifqfQGBzknS23RMLQUdKXG4MhTLMVmxJC
+uY9Oi0It3hk9Qtn0nlZ7rvo5weJGxuRBbZ85Nvw2tIhH7G2osc6zqmHTmUAR4FXb
+l8/ElwGVrURMMuJLDbISVXjBNFuVOS2BdlyEe4x5kfQAWITZ
+-----END CERTIFICATE-----
diff --git a/t/certs/README.md b/t/certs/README.md
index 268417521cf4a06d137562ffefcd9cf9aaaf0ebe..ac9e76cdba4c57347b0c35f9a500491b01bf6633 100644
--- a/t/certs/README.md
+++ b/t/certs/README.md
@@ -13,6 +13,7 @@ Proxy certificates are generated using [VOMS client 3.3.1](http://italiangrid.gi
  * 7.pem: long-lived proxy (3 delegations), without VOMS attributes;
  * 8.pem: long-lived proxy (3 delegations), without VOMS attributes, plus CA
    certificate included in the chain;
+ * 9.pem: EEC plus CA certificate included in the chain.
 
 To obtain such certificates the following command is used:
 
diff --git a/t/eec_cert.t b/t/eec_cert.t
index 12c1179ab4c75747724065ac72b426344b413ea1..ec83f8f2a1c447212f58e487d2bf91647d53c35f 100644
--- a/t/eec_cert.t
+++ b/t/eec_cert.t
@@ -55,3 +55,57 @@ GET /
 	vDxcPMc/wmnMa+smNal0sJ6m
 	-----END CERTIFICATE-----
 --- error_code: 200
+
+
+=== TEST 2: EEC
+
+--- main_config
+    env X509_VOMS_DIR=t/vomsdir;
+    env X509_CERT_DIR=t/trust-anchors;
+--- http_config
+    server {
+        error_log logs/error.log debug;
+        listen 8443 ssl;
+        ssl_certificate ../../certs/nginx_voms_example.cert.pem;
+        ssl_certificate_key ../../certs/nginx_voms_example.key.pem;
+        ssl_client_certificate ../../trust-anchors/igi-test-ca.pem;
+        ssl_verify_depth 10;
+        ssl_verify_client on;
+	location = / {
+            default_type text/plain;
+            echo $ssl_client_ee_cert;
+        }
+    }
+--- config
+    location = / {
+        error_log logs/error-proxy.log debug;
+        proxy_pass https://localhost:8443/;
+        proxy_ssl_certificate ../../certs/test0.cert.pem;
+        proxy_ssl_certificate_key ../../certs/9.key.pem;
+    }
+--- request
+GET / 
+--- response_body
+-----BEGIN CERTIFICATE-----
+	MIIDnjCCAoagAwIBAgIBCTANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJJVDEM
+	MAoGA1UECgwDSUdJMRAwDgYDVQQDDAdUZXN0IENBMB4XDTEyMDkyNjE1MzkzNFoX
+	DTIyMDkyNDE1MzkzNFowKzELMAkGA1UEBhMCSVQxDDAKBgNVBAoTA0lHSTEOMAwG
+	A1UEAxMFdGVzdDAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKxtrw
+	hoZ27SxxISjlRqWmBWB6U+N/xW2kS1uUfrQRav6auVtmtEW45J44VTi3WW6Y113R
+	BwmS6oW+3lzyBBZVPqnhV9/VkTxLp83gGVVvHATgGgkjeTxIsOE+TkPKAoZJ/QFc
+	CfPh3WdZ3ANI14WYkAM9VXsSbh2okCsWGa4o6pzt3Pt1zKkyO4PW0cBkletDImJK
+	2vufuDVNm7Iz/y3/8pY8p3MoiwbF/PdSba7XQAxBWUJMoaleh8xy8HSROn7tF2al
+	xoDLH4QWhp6UDn2rvOWseBqUMPXFjsUi1/rkw1oHAjMroTk5lL15GI0LGd5dTVop
+	kKXFbTTYxSkPz1MLAgMBAAGjgcowgccwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU
+	fLdB5+jO9LyWN2/VCNYgMa0jvHEwDgYDVR0PAQH/BAQDAgXgMD4GA1UdJQQ3MDUG
+	CCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBBggrBgEF
+	BQcDBDAfBgNVHSMEGDAWgBSRdzZ7LrRp8yfqt/YIi0ojohFJxjAnBgNVHREEIDAe
+	gRxhbmRyZWEuY2VjY2FudGlAY25hZi5pbmZuLml0MA0GCSqGSIb3DQEBBQUAA4IB
+	AQANYtWXetheSeVpCfnId9TkKyKTAp8RahNZl4XFrWWn2S9We7ACK/G7u1DebJYx
+	d8POo8ClscoXyTO2BzHHZLxauEKIzUv7g2GehI+SckfZdjFyRXjD0+wMGwzX7MDu
+	SL3CG2aWsYpkBnj6BMlr0P3kZEMqV5t2+2Tj0+aXppBPVwzJwRhnrSJiO5WIZAZf
+	49YhMn61sQIrepvhrKEUR4XVorH2Bj8ek1/iLlgcmFMBOds+PrehSRR8Gn0IjlEg
+	C68EY6KPE+FKySuS7Ur7lTAjNdddfdAgKV6hJyST6/dx8ymIkb8nxCPnxCcT2I2N
+	vDxcPMc/wmnMa+smNal0sJ6m
+	-----END CERTIFICATE-----
+--- error_code: 200
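Review bot: TEST 2 pairs `proxy_ssl_certificate ../../certs/test0.cert.pem` with `proxy_ssl_certificate_key ../../certs/9.key.pem`, so it passes only while 9.key.pem remains the private key of the test0 certificate. Nothing in the commit states that coupling. Either point the test at the key file that belongs to test0.cert.pem (not visible here), or add a line to t/certs/README.md such as `9.key.pem: private key of the test0 EEC, shared with 9.pem`. The title `TEST 2: EEC` also does not say how this case differs from the test before it.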
diff --git a/t/eec_chain.t b/t/eec_chain.t
new file mode 100644
index 0000000000000000000000000000000000000000..4b0c32ca68d32c316c6a0f325d9c22179062b524
--- /dev/null
+++ b/t/eec_chain.t
@@ -0,0 +1,57 @@
+use Test::Nginx::Socket 'no_plan';
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: EEC chain containing CA certificate
+--- main_config
+    env X509_VOMS_DIR=t/vomsdir;
+    env X509_CERT_DIR=t/trust-anchors;
+--- http_config
+    server {
+        error_log logs/error.log debug;
+        listen 8443 ssl;
+        ssl_certificate ../../certs/nginx_voms_example.cert.pem;
+        ssl_certificate_key ../../certs/nginx_voms_example.key.pem;
+        ssl_client_certificate ../../trust-anchors/igi-test-ca.pem;
+        ssl_verify_depth 10;
+        ssl_verify_client on;
+	location = / {
+            default_type text/plain;
+            echo $ssl_client_ee_cert;
+        }
+    }
+--- config
+    location = / {
+        error_log logs/error-proxy.log debug;
+        proxy_pass https://localhost:8443/;
+        proxy_ssl_certificate ../../certs/9.pem;
+        proxy_ssl_certificate_key ../../certs/9.key.pem;
+    }
+--- request
+GET / 
+--- response_body
+-----BEGIN CERTIFICATE-----
+	MIIDnjCCAoagAwIBAgIBCTANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJJVDEM
+	MAoGA1UECgwDSUdJMRAwDgYDVQQDDAdUZXN0IENBMB4XDTEyMDkyNjE1MzkzNFoX
+	DTIyMDkyNDE1MzkzNFowKzELMAkGA1UEBhMCSVQxDDAKBgNVBAoTA0lHSTEOMAwG
+	A1UEAxMFdGVzdDAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKxtrw
+	hoZ27SxxISjlRqWmBWB6U+N/xW2kS1uUfrQRav6auVtmtEW45J44VTi3WW6Y113R
+	BwmS6oW+3lzyBBZVPqnhV9/VkTxLp83gGVVvHATgGgkjeTxIsOE+TkPKAoZJ/QFc
+	CfPh3WdZ3ANI14WYkAM9VXsSbh2okCsWGa4o6pzt3Pt1zKkyO4PW0cBkletDImJK
+	2vufuDVNm7Iz/y3/8pY8p3MoiwbF/PdSba7XQAxBWUJMoaleh8xy8HSROn7tF2al
+	xoDLH4QWhp6UDn2rvOWseBqUMPXFjsUi1/rkw1oHAjMroTk5lL15GI0LGd5dTVop
+	kKXFbTTYxSkPz1MLAgMBAAGjgcowgccwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU
+	fLdB5+jO9LyWN2/VCNYgMa0jvHEwDgYDVR0PAQH/BAQDAgXgMD4GA1UdJQQ3MDUG
+	CCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBBggrBgEF
+	BQcDBDAfBgNVHSMEGDAWgBSRdzZ7LrRp8yfqt/YIi0ojohFJxjAnBgNVHREEIDAe
+	gRxhbmRyZWEuY2VjY2FudGlAY25hZi5pbmZuLml0MA0GCSqGSIb3DQEBBQUAA4IB
+	AQANYtWXetheSeVpCfnId9TkKyKTAp8RahNZl4XFrWWn2S9We7ACK/G7u1DebJYx
+	d8POo8ClscoXyTO2BzHHZLxauEKIzUv7g2GehI+SckfZdjFyRXjD0+wMGwzX7MDu
+	SL3CG2aWsYpkBnj6BMlr0P3kZEMqV5t2+2Tj0+aXppBPVwzJwRhnrSJiO5WIZAZf
+	49YhMn61sQIrepvhrKEUR4XVorH2Bj8ek1/iLlgcmFMBOds+PrehSRR8Gn0IjlEg
+	C68EY6KPE+FKySuS7Ur7lTAjNdddfdAgKV6hJyST6/dx8ymIkb8nxCPnxCcT2I2N
+	vDxcPMc/wmnMa+smNal0sJ6m
+	-----END CERTIFICATE-----
+--- error_code: 200
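Review bot: This test relies on `ssl_verify_client on` accepting the certificates in t/certs/9.pem, and the leaf's validity appears to end in September 2022 (its notAfter field decodes to 220924153934Z). After that date the handshake should be rejected and the expected `--- error_code: 200` will no longer hold. A README entry such as `9.pem expires 2022-09-24; regenerate before then` would make the failure easy to diagnose, or the fixture could be issued with a longer lifetime. The `server` block also mixes a tab (before `location = / {`) with space indentation.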