Hello, the Nginx SSL module allows the use of some variables: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables But sometimes they are not enough.
Please find attached a patch adding two more: $ssl_client_not_before - validity date from the client certificate's 'Not Before' field; $ssl_client_not_after - validity date from the client certificate's 'Not After' field. After applying the changes you may use them in the configuration along with the other variables: location /test_headers/ { proxy_set_header X-ClientCert-SubjectSerial $ssl_client_serial; proxy_set_header X-ClientCert-NotBefore $ssl_client_not_before; proxy_set_header X-ClientCert-NotAfter $ssl_client_not_after; proxy_pass http://192.168.88.156/; } They will then appear (in this case) in the proxied content in the following form: X-ClientCert-SubjectSerial: 120005C82FBE782D06D89FF14800000005C82F X-ClientCert-NotBefore: Jul 9 22:20:31 2015 GMT X-ClientCert-NotAfter: Oct 9 22:30:31 2015 GMT Tested on 1.8.0; also verified that it applies cleanly to 1.9.4. Feel free to ask any questions regarding this matter. Best wishes, Andrey
From 10a79b48105fb9fdf59c1a995016d4d0f18e23c1 Mon Sep 17 00:00:00 2001
From: Andrey Kulikov <kuli...@infort-it.ru>
Date: Mon, 7 Sep 2015 19:52:12 +0300
Subject: [PATCH] Add ssl_client_not_before and ssl_client_not_after request variables.
---
 src/event/ngx_event_openssl.c | 76 ++++++++++++++++++++++++++++++++
 src/event/ngx_event_openssl.h | 4 ++
 src/http/modules/ngx_http_ssl_module.c | 6 +++
 3 files changed, 86 insertions(+)
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 1b789e6..04348ac 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -3399,6 +3399,82 @@ ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 ngx_int_t
+ngx_ssl_get_client_not_before(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+ size_t len;
+ X509 *cert;
+ BIO *bio;
+
+ s->len = 0;
+
+ cert = SSL_get_peer_certificate(c->ssl->connection);
+ if (cert == NULL) {
+ return NGX_OK;
+ }
+
+ bio = BIO_new(BIO_s_mem());
+ if (bio == NULL) {
+ X509_free(cert);
+ return NGX_ERROR;
+ }
+
+ ASN1_TIME_print(bio, X509_get_notBefore(cert));
+ len = BIO_pending(bio);
+
+ s->len = len;
+ s->data = ngx_pnalloc(pool, len);
+ if (s->data == NULL) {
+ BIO_free(bio);
+ X509_free(cert);
+ return NGX_ERROR;
+ }
+
+ BIO_read(bio, s->data, len);
+ BIO_free(bio);
+ X509_free(cert);
+
+ return NGX_OK;
+}
+
+ngx_int_t
+ngx_ssl_get_client_not_after(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+ size_t len;
+ X509 *cert;
+ BIO *bio;
+
+ s->len = 0;
+
+ cert = SSL_get_peer_certificate(c->ssl->connection);
+ if (cert == NULL) {
+ return NGX_OK;
+ }
+
+ bio = BIO_new(BIO_s_mem());
+ if (bio == NULL) {
+ X509_free(cert);
+ return NGX_ERROR;
+ }
+
+ ASN1_TIME_print(bio, X509_get_notAfter(cert));
+ len = BIO_pending(bio);
+
+ s->len = len;
+ s->data = ngx_pnalloc(pool, len);
+ if (s->data == NULL) {
+ BIO_free(bio);
+ X509_free(cert);
+ return NGX_ERROR;
+ }
+
+ BIO_read(bio, s->data, len);
+ BIO_free(bio);
+ X509_free(cert);
+
+ return NGX_OK;
+}
+
+ngx_int_t
 ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 {
 X509 *cert;
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index 08eff64..932cc7f 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -185,6 +185,10 @@ ngx_int_t ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool,
 ngx_str_t *s);
 ngx_int_t ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool,
 ngx_str_t *s);
+ngx_int_t ngx_ssl_get_client_not_before(ngx_connection_t *c, ngx_pool_t *pool,
+ ngx_str_t *s);
+ngx_int_t ngx_ssl_get_client_not_after(ngx_connection_t *c, ngx_pool_t *pool,
+ ngx_str_t *s);
 ngx_int_t ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool,
 ngx_str_t *s);
 ngx_int_t ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool,
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index 275febe..48aaa7a 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -307,6 +307,12 @@ static ngx_http_variable_t ngx_http_ssl_vars[] = {
 { ngx_string("ssl_client_verify"), NULL, ngx_http_ssl_variable,
 (uintptr_t) ngx_ssl_get_client_verify, NGX_HTTP_VAR_CHANGEABLE, 0 },
+ { ngx_string("ssl_client_not_before"), NULL, ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_client_not_before, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
+ { ngx_string("ssl_client_not_after"), NULL, ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_client_not_after, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
 { ngx_null_string, NULL, NULL, 0, 0, 0 }
 };
--
1.7.10.4