Add new ssl variable: ssl_client_ms_upn

Dave Bevan
February 22, 2017 06:38PM
Attempt #2 - have removed previously-proposed ssl_client_s_cn and ssl_client_email vars as these are now satisfied, as advised, by map constructs.

# HG changeset patch
# User Dave Bevan <dave.bevan@bbc.co.uk>
# Date 1487806316 0
# Wed Feb 22 23:31:56 2017 +0000
# Node ID e0a82e49175e9092b63fb7d86054a698d8fc3085
# Parent 00903b2132edb863e8aed2e84e216817fcc07c90
Add new ssl variable: $ssl_client_ms_upn (Microsoft UserPrincipalName).

Retrieved from a client cert, this identity string is used in corporate
environments as a primary key when interacting with Active Directory.

Commonly used to set REMOTE_USER param. Brings equivalence with
Apache 2.4.17 which introduced access to the same data:

https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/CHANGES

Changes with Apache 2.4.17

*) mod_ssl: Add support for extracting the msUPN and dnsSRV forms
of subjectAltName entries of type "otherName" into
SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment
variables. Addresses PR 58020. [Jan Pazdziora <jpazdziora redhat.com>,
Kaspar Brand]

diff -r 00903b2132ed -r e0a82e49175e src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Wed Feb 22 12:26:41 2017 +0800
+++ b/src/event/ngx_event_openssl.c Wed Feb 22 23:31:56 2017 +0000
@@ -4081,6 +4081,60 @@
}


+ngx_int_t
+ngx_ssl_get_client_ms_upn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+ int i;
+ BIO *bio;
+ X509 *cert;
+ GENERAL_NAME *altname;
+ STACK_OF(GENERAL_NAME) *altnames;
+
+ s->len = 0;
+
+ cert = SSL_get_peer_certificate(c->ssl->connection);
+ if (cert == NULL) {
+ return NGX_OK;
+ }
+
+ bio = BIO_new(BIO_s_mem());
+ if (bio == NULL) {
+ X509_free(cert);
+ return NGX_ERROR;
+ }
+
+ altnames = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
+
+ if (altnames) {
+ for (i = 0; i < sk_GENERAL_NAME_num(altnames); i++) {
+ altname = sk_GENERAL_NAME_value(altnames, i);
+
+ if (altname->type != GEN_OTHERNAME) {
+ continue;
+ }
+
+ if (NID_ms_upn != OBJ_obj2nid(altname->d.otherName->type_id)) {
+ continue;
+ }
+
+ BIO_printf(bio, "%s",
+ (char*)ASN1_STRING_data(altname->d.otherName->value->value.asn1_string));
+ break;
+ }
+ }
+
+ s->len = BIO_pending(bio);
+ s->data = ngx_pnalloc(pool, s->len);
+
+ BIO_read(bio, s->data, s->len);
+ BIO_free(bio);
+ X509_free(cert);
+ GENERAL_NAMES_free(altnames);
+
+ return NGX_OK;
+}
+
+
static time_t
ngx_ssl_parse_time(
#if OPENSSL_VERSION_NUMBER > 0x10100000L
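Review bot: the `ngx_pnalloc(pool, s->len)` result is not checked before `BIO_read(bio, s->data, s->len)`, so an allocation failure dereferences NULL; check it, release `bio`, `cert` and `altnames`, and return NGX_ERROR, and return early with `s->len == 0` when no UPN was found instead of allocating zero bytes. Two further points in the same loop: `altname->d.otherName->value->value.asn1_string` is used without checking `altname->d.otherName->value->type`, so a certificate that carries the msUPN OID with a non-string value would be read as a string (add `if (altname->d.otherName->value->type != V_ASN1_UTF8STRING) continue;`), and `BIO_printf(bio, "%s", ...)` stops at the first NUL byte while `ASN1_STRING_data()` is not guaranteed NUL-terminated; copy by `ASN1_STRING_length()` (or straight into the pool, dropping the BIO altogether) and prefer `ASN1_STRING_get0_data()`, since `ASN1_STRING_data()` is deprecated in OpenSSL 1.1.0. Finally, `GENERAL_NAMES_free(altnames)` is reached when `altnames` is NULL; OpenSSL tolerates that, but the early-return paths above should free it explicitly so the lifetime is obvious.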
diff -r 00903b2132ed -r e0a82e49175e src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Wed Feb 22 12:26:41 2017 +0800
+++ b/src/event/ngx_event_openssl.h Wed Feb 22 23:31:56 2017 +0000
@@ -226,6 +226,8 @@
ngx_str_t *s);
ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *s);
+ngx_int_t ngx_ssl_get_client_ms_upn(ngx_connection_t *c, ngx_pool_t *pool,
+ ngx_str_t *s);


ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);
diff -r 00903b2132ed -r e0a82e49175e src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Wed Feb 22 12:26:41 2017 +0800
+++ b/src/http/modules/ngx_http_ssl_module.c Wed Feb 22 23:31:56 2017 +0000
@@ -328,6 +328,9 @@
{ ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable,
(uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 },

+ { ngx_string("ssl_client_ms_upn"), NULL, ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_client_ms_upn, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
{ ngx_null_string, NULL, NULL, 0, 0, 0 }
};

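Review bot: the new `$ssl_client_ms_upn` variable has no documentation change accompanying it; the ngx_http_ssl_module variable list should describe it alongside `$ssl_client_v_remain` and state that it is empty when the client certificate has no msUPN otherName, since the code path returns NGX_OK with `s->len == 0` in that case. The registration itself matches the neighbouring entries (`ngx_http_ssl_variable`, `NGX_HTTP_VAR_CHANGEABLE`).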
diff -r 00903b2132ed -r e0a82e49175e src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c Wed Feb 22 12:26:41 2017 +0800
+++ b/src/stream/ngx_stream_ssl_module.c Wed Feb 22 23:31:56 2017 +0000
@@ -272,6 +272,9 @@
{ ngx_string("ssl_client_v_remain"), NULL, ngx_stream_ssl_variable,
(uintptr_t) ngx_ssl_get_client_v_remain, NGX_STREAM_VAR_CHANGEABLE, 0 },

+ { ngx_string("ssl_client_ms_upn"), NULL, ngx_stream_ssl_variable,
+ (uintptr_t) ngx_ssl_get_client_ms_upn, NGX_STREAM_VAR_CHANGEABLE, 0 },
+
{ ngx_null_string, NULL, NULL, 0, 0, 0 }
};


Rgds,
--
Dave Bevan
Senior Broadcast Systems Developer
News Labs, BBC Design & Engineering
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
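The extraction the patch performs (walk the subjectAltName, pick the otherName whose OID is the Microsoft UPN, copy its string value) is easiest to reason about with a stand-alone parser that makes each check explicit: only otherName entries, only the msUPN OID, only a UTF8String value, copying by length, and rejecting embedded NUL bytes rather than silently truncating at them. The following is an added example written for this page, not part of Dave Bevan's patch or of nginx or OpenSSL; it uses only the Python standard library, the OID 1.3.6.1.4.1.311.20.2.3 is the one OpenSSL maps to NID_ms_upn, and every SAN value it parses is constructed inline rather than taken from a real certificate.

```python
"""Extract the Microsoft UPN from a DER-encoded subjectAltName extension value.

Added example: a minimal DER walker plus the checks a client-certificate
identity extractor needs. All sample SAN values are constructed below."""

MS_UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # szOID_NT_PRINCIPAL_NAME, NID_ms_upn in OpenSSL

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_UTF8STRING = 0x0C
TAG_IA5STRING = 0x16
TAG_CTX0_CONSTRUCTED = 0xA0   # otherName [0] IMPLICIT, and its value [0] EXPLICIT
TAG_RFC822NAME = 0x81         # rfc822Name [1] IMPLICIT IA5String


# --- DER encoding helpers (used only to build the constructed samples) ---

def _encode_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + _encode_length(len(content)) + content


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(TAG_OID, bytes(out))


MS_UPN_OID_DER = der_oid(MS_UPN_OID)


# --- DER decoding ---

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos); raise ValueError on a malformed or truncated TLV."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("TLV content runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _iter_seq(content):
    pos = 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        yield tag, body


def extract_ms_upn(san_der):
    """Return the UPN as a str, None if the SAN carries no msUPN, or raise ValueError."""
    tag, names, _ = _read_tlv(san_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("SubjectAltName is not a SEQUENCE")
    for gn_tag, gn_body in _iter_seq(names):
        if gn_tag != TAG_CTX0_CONSTRUCTED:        # not an otherName: skip
            continue
        oid_tag, oid_body, pos = _read_tlv(gn_body, 0)
        if oid_tag != TAG_OID or der_tlv(TAG_OID, oid_body) != MS_UPN_OID_DER:
            continue                              # some other otherName type
        val_tag, wrapper, _ = _read_tlv(gn_body, pos)
        if val_tag != TAG_CTX0_CONSTRUCTED:
            continue
        inner_tag, inner, _ = _read_tlv(wrapper, 0)
        if inner_tag != TAG_UTF8STRING:           # msUPN is defined as UTF8String; ignore anything else
            continue
        if b"\x00" in inner:                      # a C "%s" copy would stop here and hand back a shorter identity
            raise ValueError("embedded NUL byte in UPN")
        return inner.decode("utf-8")              # copied by length, not by NUL terminator
    return None


# --- constructed samples ---

def _other_name(oid, value_tlv):
    return der_tlv(TAG_CTX0_CONSTRUCTED, der_oid(oid) + der_tlv(TAG_CTX0_CONSTRUCTED, value_tlv))


def _san(*general_names):
    return der_tlv(TAG_SEQUENCE, b"".join(general_names))


SAMPLES = {
    "upn_present": _san(der_tlv(TAG_RFC822NAME, b"alice@example.com"),
                        _other_name(MS_UPN_OID, der_tlv(TAG_UTF8STRING, b"alice@corp.example"))),
    "no_upn": _san(der_tlv(TAG_RFC822NAME, b"bob@example.com")),
    "wrong_value_type": _san(_other_name(MS_UPN_OID, der_tlv(TAG_IA5STRING, b"carol@corp.example"))),
    "embedded_nul": _san(_other_name(MS_UPN_OID, der_tlv(TAG_UTF8STRING, b"alice\x00admin@corp.example"))),
}
SAMPLES["truncated"] = SAMPLES["upn_present"][:-3]   # outer length claims more bytes than are present


def demo():
    """Run the extractor over every sample; ValueErrors are reported as 'rejected: ...'."""
    results = {}
    for name, san in SAMPLES.items():
        try:
            results[name] = extract_ms_upn(san)
        except ValueError as exc:
            results[name] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Run as a script it prints one line per sample: the well-formed certificate yields `alice@corp.example`, the certificate without a UPN yields `None` (the empty-variable case), the IA5String value is ignored, and the embedded-NUL and truncated inputs are rejected rather than producing a shortened identity. The same three decisions map onto the OpenSSL side: check `value->type` before reading the union, copy `ASN1_STRING_length()` bytes rather than printing with `%s`, and treat a zero-length result as "no UPN" before allocating.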