diff options
| author | tb <> | 2024-12-10 08:40:30 +0000 |
|---|---|---|
| committer | tb <> | 2024-12-10 08:40:30 +0000 |
| commit | d3da05396af6da5d0c94da0425031aa4fd529ac9 (patch) | |
| tree | 2542f39bf15e49eda926e59376de19e797b35c50 /src/lib/libtls/tls_conninfo.c | |
| parent | 7e43c6720cf4443c7393025b1c48ff7890c760b2 (diff) | |
| download | openbsd-d3da05396af6da5d0c94da0425031aa4fd529ac9.tar.gz openbsd-d3da05396af6da5d0c94da0425031aa4fd529ac9.tar.bz2 openbsd-d3da05396af6da5d0c94da0425031aa4fd529ac9.zip | |
Provide tls_peer_cert_common_name()
There is currently no sane way of getting your hands on the common name or
subject alternative name of the peer certificate from libtls. It is possible
to extract it from the peer cert's PEM by hand, but that way lies madness.
While the common name is close to being deprecated in the webpki, it is
still the de facto standard to identify client certs. It would be nice to
have a way to access the subject alternative names as well, but this is a
lot more difficult to expose in a clean and sane C interface due to its
multivaluedness.
Initial diff from henning, with input from beck, jsing and myself
henning and bluhm have plans of using this in syslogd.
ok beck
Diffstat (limited to 'src/lib/libtls/tls_conninfo.c')
| -rw-r--r-- | src/lib/libtls/tls_conninfo.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/src/lib/libtls/tls_conninfo.c b/src/lib/libtls/tls_conninfo.c index bf525170f1..8fb56c92b7 100644 --- a/src/lib/libtls/tls_conninfo.c +++ b/src/lib/libtls/tls_conninfo.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_conninfo.c,v 1.27 2024/03/26 06:31:22 jsing Exp $ */ | 1 | /* $OpenBSD: tls_conninfo.c,v 1.28 2024/12/10 08:40:30 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2015 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2015 Joel Sing <jsing@openbsd.org> |
| 4 | * Copyright (c) 2015 Bob Beck <beck@openbsd.org> | 4 | * Copyright (c) 2015 Bob Beck <beck@openbsd.org> |
| @@ -119,6 +119,14 @@ tls_get_peer_cert_subject(struct tls *ctx, char **subject) | |||
| 119 | } | 119 | } |
| 120 | 120 | ||
| 121 | static int | 121 | static int |
| 122 | tls_get_peer_cert_common_name(struct tls *ctx, char **common_name) | ||
| 123 | { | ||
| 124 | if (ctx->ssl_peer_cert == NULL) | ||
| 125 | return (-1); | ||
| 126 | return tls_get_common_name(ctx, ctx->ssl_peer_cert, NULL, common_name); | ||
| 127 | } | ||
| 128 | |||
| 129 | static int | ||
| 122 | tls_get_peer_cert_times(struct tls *ctx, time_t *notbefore, | 130 | tls_get_peer_cert_times(struct tls *ctx, time_t *notbefore, |
| 123 | time_t *notafter) | 131 | time_t *notafter) |
| 124 | { | 132 | { |
| @@ -158,6 +166,9 @@ tls_get_peer_cert_info(struct tls *ctx) | |||
| 158 | goto err; | 166 | goto err; |
| 159 | if (tls_get_peer_cert_issuer(ctx, &ctx->conninfo->issuer) == -1) | 167 | if (tls_get_peer_cert_issuer(ctx, &ctx->conninfo->issuer) == -1) |
| 160 | goto err; | 168 | goto err; |
| 169 | if (tls_get_peer_cert_common_name(ctx, | ||
| 170 | &ctx->conninfo->common_name) == -1) | ||
| 171 | goto err; | ||
| 161 | if (tls_get_peer_cert_times(ctx, &ctx->conninfo->notbefore, | 172 | if (tls_get_peer_cert_times(ctx, &ctx->conninfo->notbefore, |
| 162 | &ctx->conninfo->notafter) == -1) | 173 | &ctx->conninfo->notafter) == -1) |
| 163 | goto err; | 174 | goto err; |
| @@ -298,6 +309,7 @@ tls_conninfo_free(struct tls_conninfo *conninfo) | |||
| 298 | free(conninfo->servername); | 309 | free(conninfo->servername); |
| 299 | free(conninfo->version); | 310 | free(conninfo->version); |
| 300 | 311 | ||
| 312 | free(conninfo->common_name); | ||
| 301 | free(conninfo->hash); | 313 | free(conninfo->hash); |
| 302 | free(conninfo->issuer); | 314 | free(conninfo->issuer); |
| 303 | free(conninfo->subject); | 315 | free(conninfo->subject); |