feat(ssl): add get_server_certificate function #195

Closed
7 changes: 7 additions & 0 deletions lib/resty/openssl.lua
@@ -448,4 +448,11 @@ function _M.list_ssl_ciphers(cipher_list, ciphersuites, protocol)
return ssl_lib.get_ciphers(ssl)
end

function _M.get_server_certificate(ssl_ptr)
Owner

We might want to use this route 48c5107 and add the get_request_socket_ssl into it. It will be a bit un-user-friendly to require
the user to pass a raw SSL pointer to be able to use this function.

local ssl = { ctx = ssl_ptr }

local ssl_lib = require("resty.openssl.ssl")
return ssl_lib.get_server_certificate(ssl)
end

return _M
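Review bot: `_M.get_server_certificate(ssl_ptr)` performs no validation of `ssl_ptr` before wrapping it as `{ ctx = ssl_ptr }` and handing it to `ssl_lib.get_server_certificate`, which passes `self.ctx` straight to `C.SSL_get_certificate`; a nil value or a cdata of the wrong type reaches the C call unchecked. Either guard it (`if ssl_ptr == nil then return nil, "ssl_ptr is nil" end`, ideally with a ctype check as well) or, as the owner's comment suggests, expose this only through the request-socket route so callers never handle a raw `SSL *`. Two smaller points: `require("resty.openssl.ssl")` inside the function body should move to module scope unless a circular require forces the lazy load, in which case a one-line comment saying so would help; and the added test in t/openssl/ssl/ssl_server.t calls `ssl.from_request()` and `sess:get_server_certificate()` rather than this wrapper, so `_M.get_server_certificate(ssl_ptr)` is not exercised by any test in this PR.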
2 changes: 2 additions & 0 deletions lib/resty/openssl/include/ssl.lua
@@ -62,6 +62,8 @@ ffi.cdef [[
int SSL_add_client_CA(SSL *ssl, X509 *cacert);

long SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg);

X509 *SSL_get_certificate(const SSL *ssl);
]]

if OPENSSL_3X then
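Review bot: the declaration `X509 *SSL_get_certificate(const SSL *ssl);` matches OpenSSL's header, but it would be worth a short comment recording that the returned `X509 *` is owned by the `SSL` object: OpenSSL does not hand the caller a reference, so the pointer must not be passed to `X509_free`. None of the neighbouring declarations in this cdef block carry ownership notes, and the caller added in ssl.lua in this same PR has to get that detail right, so documenting it at the binding site gives reviewers something to check against.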
18 changes: 18 additions & 0 deletions lib/resty/openssl/ssl.lua
@@ -141,6 +141,24 @@ function _M:get_peer_cert_chain()
return chain_lib.dup(stack)
end

function _M:get_server_certificate()
local x509 = C.SSL_get_certificate(self.ctx)
if x509 == nil then
return nil
end
ffi.gc(x509, C.X509_free)

local err
-- always copy, although the ref counter of returned x509 is
-- already increased by one.
x509, err = x509_lib.dup(x509)
if err then
return nil, err
end

return x509
end

-- TLSv1.3
function _M:set_ciphersuites(ciphers)
if C.SSL_set_ciphersuites(self.ctx, ciphers) ~= 1 then
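Review bot: `ffi.gc(x509, C.X509_free)` attaches a finalizer to a pointer that the SSL object owns. OpenSSL's SSL_get_certificate() returns the SSL's internal certificate without incrementing its reference count, so the comment `-- always copy, although the ref counter of returned x509 is already increased by one` rests on a wrong premise: after `x509, err = x509_lib.dup(x509)` succeeds the original cdata is unreachable, its finalizer runs at the next collection, and `X509_free` releases a reference that belongs to the live SSL, leaving a dangling certificate pointer inside it (a use-after-free the next time the SSL touches its certificate, for example on session resumption or a later handshake). Keep the `x509_lib.dup(x509)` copy, delete the `ffi.gc(x509, C.X509_free)` line, and reword the comment to say the pointer is borrowed from the SSL and is copied so the caller gets an independently owned object.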
37 changes: 37 additions & 0 deletions t/openssl/ssl/ssl_server.t
@@ -376,3 +376,40 @@ ok
[emerg]
--- skip_nginx
2: < 9.9.9

=== TEST 9: SSL (server) get_server_certificate
--- http_config
server {
listen unix:/tmp/nginx-s9.sock ssl;
server_name test.com;
ssl_protocols TLSv1.2;
ssl_certificate ../../../t/fixtures/test.crt;
ssl_certificate_key ../../../t/fixtures/test.key;
ssl_ciphers ECDHE-RSA-AES128-SHA;

location /t {
content_by_lua_block {
local ssl = require "resty.openssl.ssl"
local sess = myassert(ssl.from_request())

local crt = myassert(sess:get_server_certificate())
ngx.say(myassert(crt:get_subject_name():tostring()))
}
}
}
--- config
location /t {
proxy_pass https://unix:/tmp/nginx-s9.sock:;
proxy_ssl_server_name on;
proxy_ssl_name test.com;
# valgrind be happy
proxy_ssl_session_reuse off;
}
--- request
GET /t
--- response_body
CN=test.com

--- no_error_log
[error]
[emerg]
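Review bot: the assertion `CN=test.com` only checks the subject, so it cannot distinguish the server's own certificate from any other certificate carrying that subject (for instance a peer certificate in a mutual-TLS variant of this test). A stronger check would load `../../../t/fixtures/test.crt` in the same `content_by_lua_block` and compare the returned object's PEM export (`to_PEM`) against the fixture, or at least also print `crt:get_issuer_name():tostring()` and the serial number. Note too that the block relies on `ssl.from_request()`, which none of the hunks in this PR add, so the test only passes if that helper is already on the branch; and the new top-level `_M.get_server_certificate(ssl_ptr)` wrapper in lib/resty/openssl.lua has no test at all.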