Add tls_client_issuer_name log variable and expose it to mruby
parent
05e1fd5e77
commit
22502182d0
|
@ -376,6 +376,10 @@ respectively.
|
||||||
|
|
||||||
Return the SHA-1 fingerprint of a client certificate.
|
Return the SHA-1 fingerprint of a client certificate.
|
||||||
|
|
||||||
|
.. rb:attr_reader:: tls_client_issuer_name
|
||||||
|
|
||||||
|
Return the issuer name of a client certificate.
|
||||||
|
|
||||||
.. rb:attr_reader:: tls_client_subject_name
|
.. rb:attr_reader:: tls_client_subject_name
|
||||||
|
|
||||||
Return the subject name of a client certificate.
|
Return the subject name of a client certificate.
|
||||||
|
|
|
@ -194,6 +194,7 @@ LOGVARS = [
|
||||||
"tls_client_fingerprint_sha256",
|
"tls_client_fingerprint_sha256",
|
||||||
"tls_client_fingerprint_sha1",
|
"tls_client_fingerprint_sha1",
|
||||||
"tls_client_subject_name",
|
"tls_client_subject_name",
|
||||||
|
"tls_client_issuer_name",
|
||||||
"backend_host",
|
"backend_host",
|
||||||
"backend_port",
|
"backend_port",
|
||||||
]
|
]
|
||||||
|
|
|
@ -2500,6 +2500,8 @@ Logging:
|
||||||
client certificate.
|
client certificate.
|
||||||
* $tls_client_subject_name: subject name in client
|
* $tls_client_subject_name: subject name in client
|
||||||
certificate.
|
certificate.
|
||||||
|
* $tls_client_issuer_name: issuer name in client
|
||||||
|
certificate.
|
||||||
* $tls_protocol: protocol for SSL/TLS connection.
|
* $tls_protocol: protocol for SSL/TLS connection.
|
||||||
* $tls_session_id: session ID for SSL/TLS connection.
|
* $tls_session_id: session ID for SSL/TLS connection.
|
||||||
* $tls_session_reused: "r" if SSL/TLS session was
|
* $tls_session_reused: "r" if SSL/TLS session was
|
||||||
|
|
|
@ -510,6 +510,15 @@ LogFragmentType log_var_lookup_token(const char *name, size_t namelen) {
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
case 22:
|
||||||
|
switch (name[21]) {
|
||||||
|
case 'e':
|
||||||
|
if (util::strieq_l("tls_client_issuer_nam", name, 21)) {
|
||||||
|
return SHRPX_LOGF_TLS_CLIENT_ISSUER_NAME;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
break;
|
||||||
case 23:
|
case 23:
|
||||||
switch (name[22]) {
|
switch (name[22]) {
|
||||||
case 'e':
|
case 'e':
|
||||||
|
|
|
@ -557,6 +557,7 @@ void upstream_accesslog(const std::vector<LogFragment> &lfv,
|
||||||
std::tie(p, last) = copy_hex_low(buf.data(), len, p, last);
|
std::tie(p, last) = copy_hex_low(buf.data(), len, p, last);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
case SHRPX_LOGF_TLS_CLIENT_ISSUER_NAME:
|
||||||
case SHRPX_LOGF_TLS_CLIENT_SUBJECT_NAME: {
|
case SHRPX_LOGF_TLS_CLIENT_SUBJECT_NAME: {
|
||||||
if (!lgsp.ssl) {
|
if (!lgsp.ssl) {
|
||||||
std::tie(p, last) = copy('-', p, last);
|
std::tie(p, last) = copy('-', p, last);
|
||||||
|
@ -567,7 +568,9 @@ void upstream_accesslog(const std::vector<LogFragment> &lfv,
|
||||||
std::tie(p, last) = copy('-', p, last);
|
std::tie(p, last) = copy('-', p, last);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
auto name = tls::get_x509_subject_name(balloc, x);
|
auto name = lf.type == SHRPX_LOGF_TLS_CLIENT_ISSUER_NAME
|
||||||
|
? tls::get_x509_issuer_name(balloc, x)
|
||||||
|
: tls::get_x509_subject_name(balloc, x);
|
||||||
X509_free(x);
|
X509_free(x);
|
||||||
if (name.empty()) {
|
if (name.empty()) {
|
||||||
std::tie(p, last) = copy('-', p, last);
|
std::tie(p, last) = copy('-', p, last);
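Review bot: The issuer name picked by the new ternary is written to the access log through the same path as the subject name, and both strings are peer-supplied certificate fields, so whether a certificate can carry line breaks or other control bytes into a log line depends entirely on the print flags used inside tls::get_x509_name, which this hunk does not show; worth confirming those flags escape such bytes and saying so at the call site, e.g. `// name is peer-supplied text; relies on get_x509_name() escaping control bytes`. The enclosing case block of upstream_accesslog starts outside the hunk, and the same consideration applies to env_get_tls_client_issuer_name in the mruby hunk, where the value is handed to scripts instead of the log.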
|
||||||
|
|
|
@ -140,6 +140,7 @@ enum LogFragmentType {
|
||||||
SHRPX_LOGF_TLS_SNI,
|
SHRPX_LOGF_TLS_SNI,
|
||||||
SHRPX_LOGF_TLS_CLIENT_FINGERPRINT_SHA1,
|
SHRPX_LOGF_TLS_CLIENT_FINGERPRINT_SHA1,
|
||||||
SHRPX_LOGF_TLS_CLIENT_FINGERPRINT_SHA256,
|
SHRPX_LOGF_TLS_CLIENT_FINGERPRINT_SHA256,
|
||||||
|
SHRPX_LOGF_TLS_CLIENT_ISSUER_NAME,
|
||||||
SHRPX_LOGF_TLS_CLIENT_SUBJECT_NAME,
|
SHRPX_LOGF_TLS_CLIENT_SUBJECT_NAME,
|
||||||
SHRPX_LOGF_BACKEND_HOST,
|
SHRPX_LOGF_BACKEND_HOST,
|
||||||
SHRPX_LOGF_BACKEND_PORT,
|
SHRPX_LOGF_BACKEND_PORT,
|
||||||
|
|
|
@ -211,6 +211,30 @@ mrb_value env_get_tls_client_subject_name(mrb_state *mrb, mrb_value self) {
|
||||||
}
|
}
|
||||||
} // namespace
|
} // namespace
|
||||||
|
|
||||||
|
namespace {
|
||||||
|
mrb_value env_get_tls_client_issuer_name(mrb_state *mrb, mrb_value self) {
|
||||||
|
auto data = static_cast<MRubyAssocData *>(mrb->ud);
|
||||||
|
auto downstream = data->downstream;
|
||||||
|
auto upstream = downstream->get_upstream();
|
||||||
|
auto handler = upstream->get_client_handler();
|
||||||
|
auto ssl = handler->get_ssl();
|
||||||
|
|
||||||
|
if (!ssl) {
|
||||||
|
return mrb_str_new_static(mrb, "", 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
auto x = SSL_get_peer_certificate(ssl);
|
||||||
|
if (!x) {
|
||||||
|
return mrb_str_new_static(mrb, "", 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
auto &balloc = downstream->get_block_allocator();
|
||||||
|
auto name = tls::get_x509_issuer_name(balloc, x);
|
||||||
|
X509_free(x);
|
||||||
|
return mrb_str_new(mrb, name.c_str(), name.size());
|
||||||
|
}
|
||||||
|
} // namespace
|
||||||
|
|
||||||
namespace {
|
namespace {
|
||||||
mrb_value env_get_tls_cipher(mrb_state *mrb, mrb_value self) {
|
mrb_value env_get_tls_cipher(mrb_state *mrb, mrb_value self) {
|
||||||
auto data = static_cast<MRubyAssocData *>(mrb->ud);
|
auto data = static_cast<MRubyAssocData *>(mrb->ud);
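Review bot: env_get_tls_client_issuer_name repeats the body of env_get_tls_client_subject_name (whose closing brace opens this hunk) line for line, differing only in the tls::get_x509_issuer_name call; a shared helper taking the name accessor as a function pointer would leave one copy of the ssl / peer-certificate / X509_free sequence to maintain, which matters because that sequence owns an OpenSSL reference. The accessor signature `StringRef (*)(BlockAllocator &, X509 *)` matches both declarations in shrpx_tls.h. The sketch below keeps the two public entry points and their registration in init_env_class unchanged.
```cpp
namespace {
// Shared body of the tls_client_*_name accessors; |get_name| selects which
// X509 name field is rendered.  Returns "" when there is no TLS session or
// no peer certificate.
mrb_value env_get_tls_client_x509_name(
    mrb_state *mrb, StringRef (*get_name)(BlockAllocator &, X509 *)) {
  // … unchanged: data / downstream / handler / ssl lookup and the two
  //   early returns of "" …
  auto &balloc = downstream->get_block_allocator();
  auto name = get_name(balloc, x);
  X509_free(x); // SSL_get_peer_certificate() returns an owned reference
  return mrb_str_new(mrb, name.c_str(), name.size());
}

mrb_value env_get_tls_client_issuer_name(mrb_state *mrb, mrb_value self) {
  return env_get_tls_client_x509_name(mrb, tls::get_x509_issuer_name);
}
} // namespace
```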
|
||||||
|
@ -320,6 +344,8 @@ void init_env_class(mrb_state *mrb, RClass *module) {
|
||||||
env_get_tls_client_fingerprint_sha256, MRB_ARGS_NONE());
|
env_get_tls_client_fingerprint_sha256, MRB_ARGS_NONE());
|
||||||
mrb_define_method(mrb, env_class, "tls_client_fingerprint_sha1",
|
mrb_define_method(mrb, env_class, "tls_client_fingerprint_sha1",
|
||||||
env_get_tls_client_fingerprint_sha1, MRB_ARGS_NONE());
|
env_get_tls_client_fingerprint_sha1, MRB_ARGS_NONE());
|
||||||
|
mrb_define_method(mrb, env_class, "tls_client_issuer_name",
|
||||||
|
env_get_tls_client_issuer_name, MRB_ARGS_NONE());
|
||||||
mrb_define_method(mrb, env_class, "tls_client_subject_name",
|
mrb_define_method(mrb, env_class, "tls_client_subject_name",
|
||||||
env_get_tls_client_subject_name, MRB_ARGS_NONE());
|
env_get_tls_client_subject_name, MRB_ARGS_NONE());
|
||||||
mrb_define_method(mrb, env_class, "tls_cipher", env_get_tls_cipher,
|
mrb_define_method(mrb, env_class, "tls_cipher", env_get_tls_cipher,
|
||||||
|
|
|
@ -1929,9 +1929,8 @@ ssize_t get_x509_fingerprint(uint8_t *dst, size_t dstlen, const X509 *x,
|
||||||
return len;
|
return len;
|
||||||
}
|
}
|
||||||
|
|
||||||
StringRef get_x509_subject_name(BlockAllocator &balloc, X509 *x) {
|
namespace {
|
||||||
auto nm = X509_get_subject_name(x);
|
StringRef get_x509_name(BlockAllocator &balloc, X509_NAME *nm) {
|
||||||
|
|
||||||
auto b = BIO_new(BIO_s_mem());
|
auto b = BIO_new(BIO_s_mem());
|
||||||
if (!b) {
|
if (!b) {
|
||||||
return StringRef{};
|
return StringRef{};
|
||||||
|
@ -1950,6 +1949,15 @@ StringRef get_x509_subject_name(BlockAllocator &balloc, X509 *x) {
|
||||||
iov.base[slen] = '\0';
|
iov.base[slen] = '\0';
|
||||||
return StringRef{iov.base, static_cast<size_t>(slen)};
|
return StringRef{iov.base, static_cast<size_t>(slen)};
|
||||||
}
|
}
|
||||||
|
} // namespace
|
||||||
|
|
||||||
|
StringRef get_x509_subject_name(BlockAllocator &balloc, X509 *x) {
|
||||||
|
return get_x509_name(balloc, X509_get_subject_name(x));
|
||||||
|
}
|
||||||
|
|
||||||
|
StringRef get_x509_issuer_name(BlockAllocator &balloc, X509 *x) {
|
||||||
|
return get_x509_name(balloc, X509_get_issuer_name(x));
|
||||||
|
}
|
||||||
|
|
||||||
} // namespace tls
|
} // namespace tls
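Review bot: The new get_x509_name helper has no comment even though it is now the single place that decides how both certificate names are rendered; its header should state that `nm` is borrowed (X509_get_subject_name and X509_get_issuer_name return pointers into the certificate that must not be freed, which the two thin wrappers correctly rely on) and that an empty StringRef signals failure. Suggested line above the definition: `// Renders |nm| (borrowed from an X509, never freed here) into |balloc|; returns an empty StringRef on failure.` The middle of the helper, including the OpenSSL name-printing call and its flags, lies between the two hunks of this file and is not visible; since the old function body was only re-wrapped, the flags presumably did not change, but that is inferred.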
|
||||||
|
|
||||||
|
|
|
@ -280,6 +280,10 @@ ssize_t get_x509_fingerprint(uint8_t *dst, size_t dstlen, const X509 *x,
|
||||||
// name, it returns an empty string.
|
// name, it returns an empty string.
|
||||||
StringRef get_x509_subject_name(BlockAllocator &balloc, X509 *x);
|
StringRef get_x509_subject_name(BlockAllocator &balloc, X509 *x);
|
||||||
|
|
||||||
|
// Returns issuer name of |x|. If this function fails to get issuer
|
||||||
|
// name, it returns an empty string.
|
||||||
|
StringRef get_x509_issuer_name(BlockAllocator &balloc, X509 *x);
|
||||||
|
|
||||||
} // namespace tls
|
} // namespace tls
|
||||||
|
|
||||||
} // namespace shrpx
|
} // namespace shrpx
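Review bot: The comment on get_x509_issuer_name mirrors the one above it, but neither says where the returned bytes live; the implementation returns a StringRef over memory it filled through an iov, which looks like storage taken from `balloc`, so a caller must not hold the result beyond that allocator's lifetime. Suggest extending both comments with `// The returned string is allocated from |balloc| and is valid only as long as it.` once the storage origin is confirmed in the implementation.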
|
||||||
|
|