Provide tls_peer_cert_common_name()

There is currently no sane way of getting your hands on the common name or
subject alternative name of the peer certificate from libtls. It is possible
to extract it from the peer cert's PEM by hand, but that way lies madness.
While the common name is close to being deprecated in the webpki, it is
still the de facto standard to identify client certs. It would be nice to
have a way to access the subject alternative names as well, but this is a
lot more difficult to expose in a clean and sane C interface due to its
multivaluedness.

Initial diff from henning, with input from beck, jsing and myself
henning and bluhm have plans of using this in syslogd.

ok beck

1 files changed, 4 insertions, 1 deletions

diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 5ff48ed7c9..8e566a34e0 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.85 2024/03/26 06:24:52 joshua Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.86 2024/12/10 08:40:30 tb Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -129,6 +129,7 @@ struct tls_conninfo {
         int session_resumed;
         char *version;
 
+        char *common_name;
         char *hash;
         char *issuer;
         char *subject;
@@ -238,6 +239,8 @@ struct tls_config *tls_config_new_internal(void);
 struct tls *tls_new(void);
 struct tls *tls_server_conn(struct tls *ctx);
 
+int tls_get_common_name(struct tls *_ctx, X509 *_cert, const char *_in_name,
+    char **_out_common_name);
 int tls_check_name(struct tls *ctx, X509 *cert, const char *servername,
     int *match);
 int tls_configure_server(struct tls *ctx);