Re: [PATCH] Add ssl_client_not_before and ssl_client_not_after request

Mon, 07 Sep 2015 11:24:00 -0700 

Hello Maxim,

Thanks for comments!
Please find ammended patch attached.

As to example of usage: it's a real-world use-case - one of our customers
do want to see these values on backend server for whatever purpose.
But your example also have a right to be aplicable sometime.

Best wishes,
Andrey

On 7 September 2015 at 21:04, Maxim Dounin <mdou...@mdounin.ru> wrote:

> Hello!
>
> On Mon, Sep 07, 2015 at 08:18:29PM +0300, Andrey Kulikov wrote:
>
> > Hello,
> >
> > Nginx SSL module allow to use some variables:
> > http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables
> > But sometimes tey are not enough.
> >
> > Please find attached patch, adding two more:
> > $ssl_client_not_before - Validity date from client certificate 'Not
> Before'
> > $ssl_client_not_after   -  Validity date from client certificate 'Not
> After'
> >
> > After applying changes you may use them in configuration along with other
> > variables:
> >
> >     location /test_headers/ {
> >         proxy_set_header X-ClientCert-SubjectSerial $ssl_client_serial;
> >         proxy_set_header X-ClientCert-NotBefore
>  $ssl_client_not_before;
> >         proxy_set_header X-ClientCert-NotAfter
> $ssl_client_not_after;
> >         proxy_pass http://192.168.88.156/;
> >     }
> >
> > And it will appears in (in this case) in proxied content in the following
> > form:
> >
> > X-ClientCert-SubjectSerial: 120005C82FBE782D06D89FF14800000005C82F
> > X-ClientCert-NotBefore: Jul  9 22:20:31 2015 GMT
> > X-ClientCert-NotAfter: Oct  9 22:30:31 2015 GMT
> >
> >
> > Tested on 1.8.0, tested that it can be cleanly applied to 1.9.4.
> >
> > Feel free to ask any questions regarding this matter.
>
> How do you expect these variables to be used?  For some form of
> warning like "your certificate will expire soon, please update
> it"?  Note that validity of the certificate was already checked at
> this point, these fields in particular, and that's not something a
> backend server needs to test.
>
> See also http://nginx.org/en/docs/contributing_changes.html for
> some hints on how we would prefer submissions to be done.
>
> [...]
>
> > +    return NGX_OK;
> > +}
> > +
> > +ngx_int_t
> > +ngx_ssl_get_client_not_after(ngx_connection_t *c, ngx_pool_t *pool,
> ngx_str_t *s)
>
> Two empty lines between functions, please.
>
> [...]
>
> > +    return NGX_OK;
> > +}
> > +
> > +ngx_int_t
> >  ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool,
> ngx_str_t *s)
>
> Same here.
>
> [...]
>
> > --- a/src/http/modules/ngx_http_ssl_module.c
> > +++ b/src/http/modules/ngx_http_ssl_module.c
> > @@ -307,6 +307,12 @@ static ngx_http_variable_t  ngx_http_ssl_vars[] = {
> >      { ngx_string("ssl_client_verify"), NULL, ngx_http_ssl_variable,
> >        (uintptr_t) ngx_ssl_get_client_verify, NGX_HTTP_VAR_CHANGEABLE, 0
> },
> >
> > +    { ngx_string("ssl_client_not_before"), NULL, ngx_http_ssl_variable,
> > +      (uintptr_t) ngx_ssl_get_client_not_before,
> NGX_HTTP_VAR_CHANGEABLE, 0 },
> > +
> > +    { ngx_string("ssl_client_not_after"), NULL, ngx_http_ssl_variable,
> > +      (uintptr_t) ngx_ssl_get_client_not_after,
> NGX_HTTP_VAR_CHANGEABLE, 0 },
> > +
> >      { ngx_null_string, NULL, NULL, 0, 0, 0 }
> >  };
>
> It should be better to put these variables after $ssl_client_serial,
> much like the functions itself.
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>

From 400afce04b59a7e67e9fda4920f944c05489cd42 Mon Sep 17 00:00:00 2001
From: Andrey Kulikov <kuli...@infort-it.ru>
Date: Mon, 7 Sep 2015 19:52:12 +0300
Subject: [PATCH] Add ssl_client_not_before and ssl_client_not_after request
 variables.

---
 src/event/ngx_event_openssl.c          |   78 ++++++++++++++++++++++++++++++++
 src/event/ngx_event_openssl.h          |    4 ++
 src/http/modules/ngx_http_ssl_module.c |    6 +++
 3 files changed, 88 insertions(+)

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 1b789e6..c8b3622 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -3399,6 +3399,84 @@ ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 
 
 ngx_int_t
+ngx_ssl_get_client_not_before(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+    size_t   len;
+    X509    *cert;
+    BIO     *bio;
+
+    s->len = 0;
+
+    cert = SSL_get_peer_certificate(c->ssl->connection);
+    if (cert == NULL) {
+        return NGX_OK;
+    }
+
+    bio = BIO_new(BIO_s_mem());
+    if (bio == NULL) {
+        X509_free(cert);
+        return NGX_ERROR;
+    }
+
+    ASN1_TIME_print(bio, X509_get_notBefore(cert));
+    len = BIO_pending(bio);
+
+    s->len = len;
+    s->data = ngx_pnalloc(pool, len);
+    if (s->data == NULL) {
+        BIO_free(bio);
+        X509_free(cert);
+        return NGX_ERROR;
+    }
+
+    BIO_read(bio, s->data, len);
+    BIO_free(bio);
+    X509_free(cert);
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_ssl_get_client_not_after(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+    size_t   len;
+    X509    *cert;
+    BIO     *bio;
+
+    s->len = 0;
+
+    cert = SSL_get_peer_certificate(c->ssl->connection);
+    if (cert == NULL) {
+        return NGX_OK;
+    }
+
+    bio = BIO_new(BIO_s_mem());
+    if (bio == NULL) {
+        X509_free(cert);
+        return NGX_ERROR;
+    }
+
+    ASN1_TIME_print(bio, X509_get_notAfter(cert));
+    len = BIO_pending(bio);
+
+    s->len = len;
+    s->data = ngx_pnalloc(pool, len);
+    if (s->data == NULL) {
+        BIO_free(bio);
+        X509_free(cert);
+        return NGX_ERROR;
+    }
+
+    BIO_read(bio, s->data, len);
+    BIO_free(bio);
+    X509_free(cert);
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
 ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 {
     X509          *cert;
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index 08eff64..932cc7f 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -185,6 +185,10 @@ ngx_int_t ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
 ngx_int_t ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
+ngx_int_t ngx_ssl_get_client_not_before(ngx_connection_t *c, ngx_pool_t *pool,
+    ngx_str_t *s);
+ngx_int_t ngx_ssl_get_client_not_after(ngx_connection_t *c, ngx_pool_t *pool,
+    ngx_str_t *s);
 ngx_int_t ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
 ngx_int_t ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool,
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index 275febe..8ee5b8e 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -301,6 +301,12 @@ static ngx_http_variable_t  ngx_http_ssl_vars[] = {
     { ngx_string("ssl_client_serial"), NULL, ngx_http_ssl_variable,
       (uintptr_t) ngx_ssl_get_serial_number, NGX_HTTP_VAR_CHANGEABLE, 0 },
 
+    { ngx_string("ssl_client_not_before"), NULL, ngx_http_ssl_variable,
+      (uintptr_t) ngx_ssl_get_client_not_before, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
+    { ngx_string("ssl_client_not_after"), NULL, ngx_http_ssl_variable,
+      (uintptr_t) ngx_ssl_get_client_not_after, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
     { ngx_string("ssl_client_fingerprint"), NULL, ngx_http_ssl_variable,
       (uintptr_t) ngx_ssl_get_fingerprint, NGX_HTTP_VAR_CHANGEABLE, 0 },
 
-- 
1.7.10.4


_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Reply via email to