add support for ssl_client_ee_s_dn and ssl_client_ee_i_dn

See issue #14 (closed)

src/ngx_http_voms_module.cpp

@@ -33,6 +33,8 @@ using X509Ptr = std::unique_ptr<X509, decltype(&X509_free)>;
 using VomsAc = voms;
 using MaybeVomsAc = boost::optional<VomsAc>;
 
+enum class EeDn { SUBJECT, ISSUER };
+
 static ngx_int_t add_variables(ngx_conf_t* cf);
 
 static ngx_http_module_t ctx = {
@@ -68,6 +70,11 @@ static ngx_int_t generic_getter(  //
     ngx_http_variable_value_t* v,
     uintptr_t data);
 
+static ngx_int_t get_ssl_client_ee_dn(  //
+    ngx_http_request_t* r,
+    ngx_http_variable_value_t* v,
+    uintptr_t data);
+
 using getter_t = std::string(VomsAc const& voms);
 static getter_t get_voms_user;
 static getter_t get_voms_user_ca;
@@ -170,9 +177,131 @@ static ngx_http_variable_t variables[] = {
         NGX_HTTP_VAR_NOCACHEABLE,
         0  //
     },
+    {
+        ngx_string("ssl_client_ee_s_dn"),
+        NULL,
+        get_ssl_client_ee_dn,
+        static_cast<uintptr_t>(EeDn::SUBJECT),
+        NGX_HTTP_VAR_NOCACHEABLE,
+        0  //
+    },
+    {
+        ngx_string("ssl_client_ee_i_dn"),
+        NULL,
+        get_ssl_client_ee_dn,
+        static_cast<uintptr_t>(EeDn::ISSUER),
+        NGX_HTTP_VAR_NOCACHEABLE,
+        0  //
+    },
     ngx_http_null_variable  //
 };
 
+static std::string to_rfc2253(X509_NAME* name)
+{
+  std::string result;
+
+  BioPtr bio(BIO_new(BIO_s_mem()), &BIO_free);
+  if (!bio) {
+    return result;
+  }
+
+  if (X509_NAME_print_ex(bio.get(), name, 0, XN_FLAG_RFC2253) < 0) {
+    return result;
+  }
+
+  auto len = BIO_pending(bio.get());
+  result.resize(len);
+
+  BIO_read(bio.get(), &result[0], result.size());
+
+  return result;
+}
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+static uint32_t X509_get_extension_flags(X509* x)
+{
+  return x->ex_flags;
+}
+#endif
+
+static bool is_proxy(X509* cert)
+{
+  return X509_get_extension_flags(cert) & EXFLAG_PROXY;
+}
+
+static ngx_int_t get_ssl_client_ee_dn(ngx_http_request_t* r,
+                                      ngx_http_variable_value_t* v,
+                                      uintptr_t data)
+{
+  ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __func__);
+
+  v->not_found = 1;
+  v->valid = 0;
+
+  auto chain = SSL_get_peer_cert_chain(r->connection->ssl->connection);
+  if (!chain) {
+    ngx_log_error(
+        NGX_LOG_ERR, r->connection->log, 0, "SSL_get_peer_cert_chain() failed");
+    return NGX_OK;
+  }
+
+  X509* ee_cert = nullptr;
+
+  if (sk_X509_num(chain) == 0) {
+    ee_cert = SSL_get_peer_certificate(r->connection->ssl->connection);
+  } else {
+    // find first non-proxy
+    for (int i = 0; i != sk_X509_num(chain); ++i) {
+      auto cert = sk_X509_value(chain, i);
+      if (cert && !is_proxy(cert)) {
+        ee_cert = cert;
+        break;
+      }
+    }
+  }
+
+  if (!ee_cert) {
+    ngx_log_error(NGX_LOG_DEBUG,
+                  r->connection->log,
+                  0,
+                  "cannot identify end-entity certificate");
+    return NGX_OK;
+  }
+
+  X509_NAME* dn;
+
+  switch (static_cast<EeDn>(data)) {
+    case EeDn::SUBJECT:
+      dn = X509_get_subject_name(ee_cert);
+      break;
+    case EeDn::ISSUER:
+      dn = X509_get_issuer_name(ee_cert);
+      break;
+    default:
+      dn = nullptr;
+  }
+
+  if (!dn) {
+    ngx_log_error(
+        NGX_LOG_DEBUG, r->connection->log, 0, "cannot get DN from certificate");
+    return NGX_OK;
+  }
+  std::string value = to_rfc2253(dn);
+
+  auto buffer = static_cast<u_char*>(ngx_pnalloc(r->pool, value.size()));
+  if (!buffer) {
+    return NGX_OK;
+  }
+  ngx_memcpy(buffer, value.c_str(), value.size());
+
+  v->data = buffer;
+  v->len = value.size();
+  v->valid = 1;
+  v->not_found = 0;
+  v->no_cacheable = 0;
+  return NGX_OK;
+}
+
 static ngx_int_t add_variables(ngx_conf_t* cf)
 {
   for (ngx_http_variable_t* v = variables; v->name.len; ++v) {
@@ -194,10 +323,7 @@ static MaybeVomsAc retrieve_voms_ac_from_proxy(ngx_http_request_t* r)
   ngx_log_error(NGX_LOG_DEBUG, r->connection->log, 0, "%s", __func__);
 
   if (!r->http_connection->ssl) {
-    ngx_log_error(NGX_LOG_ERR,
-                  r->connection->log,
-                  0,
-                  "SSL not enabled");
+    ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "SSL not enabled");
     return boost::none;
   }
 
@@ -302,7 +428,6 @@ static ngx_int_t generic_getter(ngx_http_request_t* r,
 
   auto buffer = static_cast<u_char*>(ngx_pnalloc(r->pool, value.size()));
   if (!buffer) {
-    ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "ngx_pnalloc() failed");
     return NGX_OK;
   }
   ngx_memcpy(buffer, value.c_str(), value.size());