feature: implement ssl.verify_client()

ArchangelSDY · ArchangelSDY · commit 978e01228489 · 2020-03-20T13:59:21.000+08:00
diff --git a/lib/ngx/ssl.lua b/lib/ngx/ssl.lua
@@ -35,6 +35,7 @@ local ngx_lua_ffi_set_cert
 local ngx_lua_ffi_set_priv_key
 local ngx_lua_ffi_free_cert
 local ngx_lua_ffi_free_priv_key
+local ngx_lua_ffi_ssl_verify_client
 
 
 if subsystem == 'http' then
@@ -78,6 +79,9 @@ if subsystem == 'http' then
     void ngx_http_lua_ffi_free_cert(void *cdata);
 
     void ngx_http_lua_ffi_free_priv_key(void *cdata);
+
+    int ngx_http_lua_ffi_ssl_verify_client(void *r,
+        int depth, void *cdata, char **err);
     ]]
 
     ngx_lua_ffi_ssl_set_der_certificate =
@@ -97,6 +101,7 @@ if subsystem == 'http' then
     ngx_lua_ffi_set_priv_key = C.ngx_http_lua_ffi_set_priv_key
     ngx_lua_ffi_free_cert = C.ngx_http_lua_ffi_free_cert
     ngx_lua_ffi_free_priv_key = C.ngx_http_lua_ffi_free_priv_key
+    ngx_lua_ffi_ssl_verify_client = C.ngx_http_lua_ffi_ssl_verify_client
 
 elseif subsystem == 'stream' then
     ffi.cdef[[
@@ -140,6 +145,9 @@ elseif subsystem == 'stream' then
     void ngx_stream_lua_ffi_free_cert(void *cdata);
 
     void ngx_stream_lua_ffi_free_priv_key(void *cdata);
+
+    int ngx_stream_lua_ffi_ssl_verify_client(void *r,
+        int depth, void *cdata, char **err);
     ]]
 
     ngx_lua_ffi_ssl_set_der_certificate =
@@ -159,6 +167,7 @@ elseif subsystem == 'stream' then
     ngx_lua_ffi_set_priv_key = C.ngx_stream_lua_ffi_set_priv_key
     ngx_lua_ffi_free_cert = C.ngx_stream_lua_ffi_free_cert
     ngx_lua_ffi_free_priv_key = C.ngx_stream_lua_ffi_free_priv_key
+    ngx_lua_ffi_ssl_verify_client = C.ngx_stream_lua_ffi_ssl_verify_client
 end
 
 
@@ -380,6 +389,21 @@ function _M.set_priv_key(priv_key)
 end
 
 
+function _M.verify_client(depth, ca_certs)
+    local r = get_request()
+    if not r then
+        error("no request found")
+    end
+
+    local rc = ngx_lua_ffi_ssl_verify_client(r, depth, ca_certs, errmsg)
+    if rc == FFI_OK then
+        return true
+    end
+
+    return nil, ffi_str(errmsg[0])
+end
+
+
 do
     _M.SSL3_VERSION = 0x0300
     _M.TLS1_VERSION = 0x0301
diff --git a/lib/ngx/ssl.md b/lib/ngx/ssl.md
@@ -475,6 +475,28 @@ This function was first added in version `0.1.7`.
 
 [Back to TOC](#table-of-contents)
 
+verify_client
+------------
+**syntax:** *ok, err = ssl.verify_client(depth, ca_certs)*
+
+**context:** *ssl_certificate_by_lua&#42;*
+
+Requires a client certificate during TLS handshake.
+
+The `depth` is the verification depth in the client certificates chain.
+
+The `ca_certs` is the CA certificate chain opaque pointer returned by the
+[parse_pem_cert](#parse_pem_cert) function for the current SSL connection.
+
+Returns `true` on success, or a `nil` value and a string describing the error otherwise.
+
+Note that TLS is not terminated when verification fails. You need to examine Nginx variable `$ssl_client_verify`
+later to determine next steps.
+
+This function was first added in version `0.1.18`.
+
+[Back to TOC](#table-of-contents)
+
 Community
 =========
 
