From eca0a3025bcc3f64e0e51aee9e69971b941008c4 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Thu, 16 Nov 2017 21:40:33 +0900
Subject: [PATCH] nghttpx: Add $tls_client_serial log variable

---
 gennghttpxfun.py | 1 +
 src/shrpx.cc | 2 ++
 src/shrpx_config.cc | 9 +++++++++
 src/shrpx_log.cc | 19 +++++++++++++++++++
 src/shrpx_log.h | 1 +
 5 files changed, 32 insertions(+)

diff --git a/gennghttpxfun.py b/gennghttpxfun.py
index ddfba421..7e391d21 100755
--- a/gennghttpxfun.py
+++ b/gennghttpxfun.py
@@ -195,6 +195,7 @@ LOGVARS = [
 "tls_client_fingerprint_sha1",
 "tls_client_subject_name",
 "tls_client_issuer_name",
+ "tls_client_serial",
 "backend_host",
 "backend_port",
 ]
diff --git a/src/shrpx.cc b/src/shrpx.cc
index a4f145b2..ac584772 100644
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@@ -2502,6 +2502,8 @@ Logging:
 certificate.
 * $tls_client_issuer_name: issuer name in client
 certificate.
+ * $tls_client_serial: serial number in client
+ certificate.
 * $tls_protocol: protocol for SSL/TLS connection.
 * $tls_session_id: session ID for SSL/TLS connection.
 * $tls_session_reused: "r" if SSL/TLS session was
diff --git a/src/shrpx_config.cc b/src/shrpx_config.cc
index f30e2522..734ce810 100644
--- a/src/shrpx_config.cc
+++ b/src/shrpx_config.cc
@@ -498,6 +498,15 @@ LogFragmentType log_var_lookup_token(const char *name, size_t namelen) {
 break;
 }
 break;
+ case 17:
+ switch (name[16]) {
+ case 'l':
+ if (util::strieq_l("tls_client_seria", name, 16)) {
+ return SHRPX_LOGF_TLS_CLIENT_SERIAL;
+ }
+ break;
+ }
+ break;
 case 18:
 switch (name[17]) {
 case 'd':
diff --git a/src/shrpx_log.cc b/src/shrpx_log.cc
index cc9f9da2..89559cab 100644
--- a/src/shrpx_log.cc
+++ b/src/shrpx_log.cc
@@ -579,6 +579,25 @@ void upstream_accesslog(const std::vector &lfv,
 std::tie(p, last) = copy(name, p, last);
 break;
 }
+ case SHRPX_LOGF_TLS_CLIENT_SERIAL: {
+ if (!lgsp.ssl) {
+ std::tie(p, last) = copy('-', p, last);
+ break;
+ }
+ auto x = SSL_get_peer_certificate(lgsp.ssl);
+ if (!x) {
+ std::tie(p, last) = copy('-', p, last);
+ break;
+ }
+ auto sn = tls::get_x509_serial(balloc, x);
+ X509_free(x);
+ if (sn.empty()) {
+ std::tie(p, last) = copy('-', p, last);
+ break;
+ }
+ std::tie(p, last) = copy(sn, p, last);
+ break;
+ }
 case SHRPX_LOGF_BACKEND_HOST:
 if (!downstream_addr) {
 std::tie(p, last) = copy('-', p, last);
diff --git a/src/shrpx_log.h b/src/shrpx_log.h
index 0e4e106e..6185b95a 100644
--- a/src/shrpx_log.h
+++ b/src/shrpx_log.h
@@ -141,6 +141,7 @@ enum LogFragmentType {
 SHRPX_LOGF_TLS_CLIENT_FINGERPRINT_SHA1,
 SHRPX_LOGF_TLS_CLIENT_FINGERPRINT_SHA256,
 SHRPX_LOGF_TLS_CLIENT_ISSUER_NAME,
+ SHRPX_LOGF_TLS_CLIENT_SERIAL,
 SHRPX_LOGF_TLS_CLIENT_SUBJECT_NAME,
 SHRPX_LOGF_BACKEND_HOST,
 SHRPX_LOGF_BACKEND_PORT,
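Review bot: The value written by `copy(sn, p, last)` in the new SHRPX_LOGF_TLS_CLIENT_SERIAL case is taken from the peer-presented certificate, so whether it can be emitted into the access log verbatim depends on `tls::get_x509_serial` rendering the serial in a fixed alphabet rather than as raw bytes; that helper is not in this patch, so a comment on the `auto sn = tls::get_x509_serial(balloc, x);` line pinning the expected encoding (e.g. `// serial is rendered by get_x509_serial in a fixed alphabet; must not carry log separators`) would make the contract visible to the next reader. As with the other client-certificate variables, the serial comes from whatever certificate the peer sent, so the help text in the shrpx.cc hunk might note that it is only meaningful when client verification is enabled — I cannot confirm from this patch how the surrounding cases treat an unverified certificate. The three identical `copy('-', p, last); break;` branches could be folded into one by initialising `sn` as an empty StringRef and testing `sn.empty()` once after the `X509_free(x)` call, which would also shorten the case body. upstream_accesslog begins and ends outside the hunk.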