From 69967aeef83d6d3b05fef0a87b651ba2b1023f07 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Sat, 2 Nov 2013 22:58:02 +0900
Subject: [PATCH] nghttpx: Add --client-private-key-file and --client-cert-file options
---
src/shrpx.cc | 21 +++++++++++++++++++++
src/shrpx_config.cc | 6 ++++++
src/shrpx_config.h | 4 ++++
src/shrpx_ssl.cc | 21 +++++++++++++++++++++
4 files changed, 52 insertions(+)
diff --git a/src/shrpx.cc b/src/shrpx.cc
index c6f85e7f..87bb9c38 100644
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@@ -418,6 +418,8 @@ void fill_default_config()
 mod_config()->npn_list = nullptr;
 mod_config()->verify_client = false;
 mod_config()->verify_client_cacert = nullptr;
+ mod_config()->client_private_key_file = nullptr;
+ mod_config()->client_cert_file = nullptr;
 }
 } // namespace

@@ -600,6 +602,13 @@ void print_help(std::ostream& out)
 << " to verify client certificate.\n"
 << " The file must be in PEM format. It can\n"
 << " contain multiple certificates.\n"
+ << " --client-private-key-file=\n"
+ << " Path to file that contains client private\n"
+ << " key used in backend client authentication.\n"
+ << " --client-cert-file=\n"
+ << " Path to file that contains client\n"
+ << " certificate used in backend client\n"
+ << " authentication.\n"
 << "\n"
 << " HTTP/2.0 and SPDY:\n"
 << " -c, --spdy-max-concurrent-streams=\n"
@@ -739,8 +748,11 @@ int main(int argc, char **argv)
 {"npn-list", required_argument, &flag, 38},
 {"verify-client", no_argument, &flag, 39},
 {"verify-client-cacert", required_argument, &flag, 40},
+ {"client-private-key-file", required_argument, &flag, 41},
+ {"client-cert-file", required_argument, &flag, 42},
 {nullptr, 0, nullptr, 0 }
 };
+
 int option_index = 0;
 int c = getopt_long(argc, argv, "DL:b:c:f:hkn:psv", long_options,
 &option_index);
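Review bot: The help text added for `--client-private-key-file` and `--client-cert-file` does not say which file format is accepted, whereas the `--verify-client-cacert` entry directly above it does; the loader in shrpx_ssl.cc passes `SSL_FILETYPE_PEM` for the key and uses `SSL_CTX_use_certificate_chain_file` for the certificate, so the format is fixed and the operator should be told. Add a line to each entry, e.g. `<< "                     The file must be in PEM format.\n"`, and for the certificate option mention that the file may also carry the intermediate chain, since the chain-file loader reads every certificate in it. print_help continues outside the hunk.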
@@ -951,6 +963,15 @@ int main(int argc, char **argv)
 cmdcfgs.push_back(std::make_pair(SHRPX_OPT_VERIFY_CLIENT_CACERT,
 optarg));
 break;
+ case 41:
+ // --client-private-key-file
+ cmdcfgs.push_back(std::make_pair(SHRPX_OPT_CLIENT_PRIVATE_KEY_FILE,
+ optarg));
+ break;
+ case 42:
+ // --client-cert-file
+ cmdcfgs.push_back(std::make_pair(SHRPX_OPT_CLIENT_CERT_FILE, optarg));
+ break;
 default:
 break;
 }
diff --git a/src/shrpx_config.cc b/src/shrpx_config.cc
index beccb16f..0e351185 100644
--- a/src/shrpx_config.cc
+++ b/src/shrpx_config.cc
@@ -102,6 +102,8 @@ const char SHRPX_OPT_WRITE_BURST[] = "write-burst";
 const char SHRPX_OPT_NPN_LIST[] = "npn-list";
 const char SHRPX_OPT_VERIFY_CLIENT[] = "verify-client";
 const char SHRPX_OPT_VERIFY_CLIENT_CACERT[] = "verify-client-cacert";
+const char SHRPX_OPT_CLIENT_PRIVATE_KEY_FILE[] = "client-private-key-file";
+const char SHRPX_OPT_CLIENT_CERT_FILE[] = "client-cert-file";

 namespace {
 Config *config = nullptr;
@@ -412,6 +414,10 @@ int parse_config(const char *opt, const char *optarg)
 mod_config()->verify_client = util::strieq(optarg, "yes");
 } else if(util::strieq(opt, SHRPX_OPT_VERIFY_CLIENT_CACERT)) {
 set_config_str(&mod_config()->verify_client_cacert, optarg);
+ } else if(util::strieq(opt, SHRPX_OPT_CLIENT_PRIVATE_KEY_FILE)) {
+ set_config_str(&mod_config()->client_private_key_file, optarg);
+ } else if(util::strieq(opt, SHRPX_OPT_CLIENT_CERT_FILE)) {
+ set_config_str(&mod_config()->client_cert_file, optarg);
 } else if(util::strieq(opt, "conf")) {
 LOG(WARNING) << "conf is ignored";
 } else {
diff --git a/src/shrpx_config.h b/src/shrpx_config.h
index a38b8a35..77b4614b 100644
--- a/src/shrpx_config.h
+++ b/src/shrpx_config.h
@@ -93,6 +93,8 @@ extern const char SHRPX_OPT_WRITE_BURST[];
 extern const char SHRPX_OPT_NPN_LIST[];
 extern const char SHRPX_OPT_VERIFY_CLIENT[];
 extern const char SHRPX_OPT_VERIFY_CLIENT_CACERT[];
+extern const char SHRPX_OPT_CLIENT_PRIVATE_KEY_FILE[];
+extern const char SHRPX_OPT_CLIENT_CERT_FILE[];

 union sockaddr_union {
 sockaddr sa;
@@ -191,6 +193,8 @@ struct Config {
 // Path to file containing CA certificate solely used for client
 // certificate validation
 char *verify_client_cacert;
+ char *client_private_key_file;
+ char *client_cert_file;
 };

 const Config* get_config();
diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc
index 867dc97c..d54fa78f 100644
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@@ -296,6 +296,27 @@ SSL_CTX* create_ssl_client_context()
 }
 }

+ if(get_config()->client_private_key_file) {
+ if(SSL_CTX_use_PrivateKey_file(ssl_ctx,
+ get_config()->client_private_key_file,
+ SSL_FILETYPE_PEM) != 1) {
+ LOG(FATAL) << "Could not load client private key from "
+ << get_config()->client_private_key_file << ": "
+ << ERR_error_string(ERR_get_error(), nullptr);
+ DIE();
+ } }
+ if(get_config()->client_cert_file) {
+ if(SSL_CTX_use_certificate_chain_file(ssl_ctx,
+ get_config()->client_cert_file)
+ != 1) {
+ LOG(FATAL) << "Could not load client certificate from "
+ << get_config()->client_cert_file << ": "
+ << ERR_error_string(ERR_get_error(), nullptr);
+ DIE();
+ } }
+
 SSL_CTX_set_next_proto_select_cb(ssl_ctx, select_next_proto_cb, nullptr);
 return ssl_ctx;
 }
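Review bot: The two new `Config` members `client_private_key_file` and `client_cert_file` carry no comment, while `verify_client_cacert` directly above them documents what its path points to, and this header is where a reader learns what these strings mean. I would add `// Path to file containing the private key used for backend client authentication` above the first and `// Path to file containing the certificate (and optional chain) used for backend client authentication` above the second. Since the loader in shrpx_ssl.cc currently accepts either option on its own, the comment is also the place to state that both are needed for client authentication to take effect. The `Config` struct begins outside the hunk.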
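Review bot: The private key and the certificate are loaded independently and nothing verifies that they belong together, so a mismatched pair, or a configuration that sets only one of the two options, passes startup here and shows up only as a failed handshake towards the backend. Loading the key before the certificate is the unfavourable order: as I read OpenSSL, a key that is already set and does not match the certificate being installed is dropped rather than reported, whereas installing the certificate first makes the subsequent key load fail on mismatch; either way an explicit check after both blocks is the robust fix, `if(SSL_CTX_check_private_key(ssl_ctx) != 1) { LOG(FATAL) << "Client private key does not match client certificate: " << ERR_error_string(ERR_get_error(), nullptr); DIE(); }`. I would also fail fast when exactly one of `client_private_key_file` and `client_cert_file` is set, since neither is usable alone. create_ssl_client_context begins outside the hunk.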