# HG changeset patch # User Dave Bevan <dave.be...@bbc.co.uk> # Date 1487943997 0 # Fri Feb 24 13:46:37 2017 +0000 # Node ID 5ccdcc88e98c31c4694fa47d6876934d2af0fcfd # Parent 00903b2132edb863e8aed2e84e216817fcc07c90 Add new ssl variable: $ssl_client_ms_upn (Microsoft UserPrincipalName).
Retrieved from a client cert, this identity string is used in corporate environments as a primary key when interacting with Active Directory. Commonly used to set REMOTE_USER param. Brings equivalence with Apache 2.4.17 which introduced access to the same data: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/CHANGES Changes with Apache 2.4.17 *) mod_ssl: Add support for extracting the msUPN and dnsSRV forms of subjectAltName entries of type "otherName" into SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment variables. Addresses PR 58020. [Jan Pazdziora <jpazdziora redhat.com>, Kaspar Brand] Includes enhanced error checking (thanks Andrey K)
diff -r 00903b2132ed -r 5ccdcc88e98c src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Wed Feb 22 12:26:41 2017 +0800
+++ b/src/event/ngx_event_openssl.c Fri Feb 24 13:46:37 2017 +0000
@@ -4081,6 +4081,67 @@
 }
+ngx_int_t
+ngx_ssl_get_client_ms_upn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+ int i;
+ BIO *bio;
+ X509 *cert;
+ GENERAL_NAME *altname;
+ STACK_OF(GENERAL_NAME) *altnames;
+
+ s->len = 0;
+
+ cert = SSL_get_peer_certificate(c->ssl->connection);
+ if (cert == NULL) {
+ return NGX_OK;
+ }
+
+ bio = BIO_new(BIO_s_mem());
+ if (bio == NULL) {
+ X509_free(cert);
+ return NGX_ERROR;
+ }
+
+ altnames = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
+
+ if (altnames) {
+ for (i = 0; i < sk_GENERAL_NAME_num(altnames); i++) {
+ altname = sk_GENERAL_NAME_value(altnames, i);
+
+ if (altname->type != GEN_OTHERNAME) {
+ continue;
+ }
+
+ if (NID_ms_upn != OBJ_obj2nid(altname->d.otherName->type_id)) {
+ continue;
+ }
+
+ BIO_printf(bio, "%s",
+ (char*)ASN1_STRING_data(altname->d.otherName->value->value.asn1_string));
+ break;
+ }
+ }
+
+ s->len = BIO_pending(bio);
+ s->data = ngx_pnalloc(pool, s->len);
+ if (s->data == NULL) {
+ BIO_free(bio);
+ X509_free(cert);
+ GENERAL_NAMES_free(altnames);
+ return NGX_ERROR;
+ }
+
+ BIO_read(bio, s->data, s->len);
+
+ BIO_free(bio);
+ X509_free(cert);
+ GENERAL_NAMES_free(altnames);
+
+ return NGX_OK;
+}
+
+
 static time_t
 ngx_ssl_parse_time(
 #if OPENSSL_VERSION_NUMBER > 0x10100000L
diff -r 00903b2132ed -r 5ccdcc88e98c src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Wed Feb 22 12:26:41 2017 +0800
+++ b/src/event/ngx_event_openssl.h Fri Feb 24 13:46:37 2017 +0000
@@ -226,6 +226,8 @@
 ngx_str_t *s);
 ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool,
 ngx_str_t *s);
+ngx_int_t ngx_ssl_get_client_ms_upn(ngx_connection_t *c, ngx_pool_t *pool,
+ ngx_str_t *s);
 ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);
diff -r 00903b2132ed -r 5ccdcc88e98c src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Wed Feb 22 12:26:41 2017 +0800
+++ b/src/http/modules/ngx_http_ssl_module.c Fri Feb 24 13:46:37 2017 +0000
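Review bot: In ngx_ssl_get_client_ms_upn the otherName payload is read through `value->value.asn1_string` and printed with `BIO_printf(bio, "%s", ...)` without first checking `altname->d.otherName->value->type`, so a certificate whose msUPN otherName carries a non-string ASN.1 type (BOOLEAN, OBJECT, NULL) makes that union member point at something that is not an ASN1_STRING, and a genuine UTF8String is length-delimited rather than NUL-terminated, so an embedded NUL silently shortens the value. The commit message says this string is commonly mapped to REMOTE_USER, which makes a truncated UPN an identity problem rather than a formatting one, and a CA that does not screen otherName contents is the only thing standing in the way. The loop should require `V_ASN1_UTF8STRING`, write exactly `ASN1_STRING_length()` bytes with `BIO_write`, and skip a value whose length disagrees with its C-string length instead of exposing the prefix; the pool copy and cleanup after the loop can stay as they are. Separately, `ASN1_STRING_data` is deprecated from OpenSSL 1.1.0 in favour of `ASN1_STRING_get0_data`, and this hunk already shows the file version-gating on `OPENSSL_VERSION_NUMBER`, so a gate here would keep the build warning-free on newer toolchains.
```c
    ASN1_STRING               *str;
    /* … unchanged: other declarations, peer cert lookup, BIO setup … */

            /* … unchanged: GEN_OTHERNAME and NID_ms_upn checks … */

            if (altname->d.otherName->value->type != V_ASN1_UTF8STRING) {
                continue;
            }

            str = altname->d.otherName->value->value.utf8string;

            /* an embedded NUL would expose a UPN shorter than the one the
             * CA certified; refuse rather than hand a prefix to REMOTE_USER */
            if ((size_t) ASN1_STRING_length(str)
                != ngx_strlen(ASN1_STRING_data(str)))
            {
                continue;
            }

            BIO_write(bio, ASN1_STRING_data(str), ASN1_STRING_length(str));
            break;
            /* … unchanged: pool copy of the BIO contents and cleanup … */
```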
@@ -328,6 +328,9 @@
 { ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable,
 (uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 },
+ { ngx_string("ssl_client_ms_upn"), NULL, ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_client_ms_upn, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
 { ngx_null_string, NULL, NULL, 0, 0, 0 }
 };
diff -r 00903b2132ed -r 5ccdcc88e98c src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c Wed Feb 22 12:26:41 2017 +0800
+++ b/src/stream/ngx_stream_ssl_module.c Fri Feb 24 13:46:37 2017 +0000
@@ -272,6 +272,9 @@
 { ngx_string("ssl_client_v_remain"), NULL, ngx_stream_ssl_variable,
 (uintptr_t) ngx_ssl_get_client_v_remain, NGX_STREAM_VAR_CHANGEABLE, 0 },
+ { ngx_string("ssl_client_ms_upn"), NULL, ngx_stream_ssl_variable,
+ (uintptr_t) ngx_ssl_get_client_ms_upn, NGX_STREAM_VAR_CHANGEABLE, 0 },
+
 { ngx_null_string, NULL, NULL, 0, 0, 0 }
 };