feat(ssl): add function to get upstream ssl certificate

FTI-6676

Signed-off-by: Walker Zhao <[email protected]>

Author: findns94

lualib/resty/kong/tls.lua

@@ -35,6 +35,7 @@ local errmsg = base.get_errmsg_ptr()
 local FFI_OK = base.FFI_OK
 base.allows_subsystem('http', 'stream')
 
+local kong_lua_kong_ffi_get_full_upstream_certificate
 local kong_lua_kong_ffi_get_full_client_certificate_chain
 local kong_lua_kong_ffi_disable_session_reuse
 local kong_lua_kong_ffi_set_upstream_client_cert_and_key
@@ -49,6 +50,8 @@ if subsystem == "http" then
     typedef struct ssl_st SSL;
     typedef struct ngx_http_lua_socket_tcp_upstream_s ngx_http_lua_socket_tcp_upstream_t;
 
+    int ngx_http_lua_kong_ffi_get_full_upstream_certificate(
+        ngx_http_request_t *r, char *buf, size_t *buf_len);
     int ngx_http_lua_kong_ffi_get_full_client_certificate_chain(
         ngx_http_request_t *r, char *buf, size_t *buf_len);
     const char *ngx_http_lua_kong_ffi_disable_session_reuse(ngx_http_request_t *r);
@@ -67,6 +70,7 @@ if subsystem == "http" then
     int ngx_http_lua_ffi_disable_http2_alpn(ngx_http_request_t *r, char **err);
     ]])
 
+    kong_lua_kong_ffi_get_full_upstream_certificate = C.ngx_http_lua_kong_ffi_get_full_upstream_certificate
     kong_lua_kong_ffi_get_full_client_certificate_chain = C.ngx_http_lua_kong_ffi_get_full_client_certificate_chain
     kong_lua_kong_ffi_disable_session_reuse = C.ngx_http_lua_kong_ffi_disable_session_reuse
     kong_lua_kong_ffi_set_upstream_client_cert_and_key = C.ngx_http_lua_kong_ffi_set_upstream_client_cert_and_key
@@ -98,6 +102,9 @@ elseif subsystem == 'stream' then
         void **ssl_conn);
     ]])
 
+    kong_lua_kong_ffi_get_full_upstream_certificate = function()
+        error("API not available for the current subsystem")
+    end
     kong_lua_kong_ffi_get_full_client_certificate_chain = C.ngx_stream_lua_kong_ffi_get_full_client_certificate_chain
     kong_lua_kong_ffi_disable_session_reuse = C.ngx_stream_lua_kong_ffi_disable_session_reuse
     kong_lua_kong_ffi_set_upstream_client_cert_and_key = C.ngx_stream_lua_kong_ffi_set_upstream_client_cert_and_key
@@ -174,6 +181,42 @@ function _M.get_request_ssl_pointer()
 end
 
 
+function _M.get_full_upstream_certificate()
+    local r = get_request()
+
+    size_ptr[0] = DEFAULT_CERT_CHAIN_SIZE
+
+::again::
+
+    local buf = get_string_buf(size_ptr[0])
+
+    local ret = kong_lua_kong_ffi_get_full_upstream_certificate(
+        r, buf, size_ptr)
+    if ret == NGX_OK then
+        return ffi_string(buf, size_ptr[0])
+    end
+
+    if ret == NGX_ERROR then
+        return nil, "error while obtaining client certificate chain"
+    end
+
+    if ret == NGX_ABORT then
+        return nil,
+                "connection is not TLS or TLS support for Nginx not enabled"
+    end
+
+    if ret == NGX_DECLINED then
+        return nil
+    end
+
+    if ret == NGX_AGAIN then
+        goto again
+    end
+
+    error("unknown return code: " .. tostring(ret))
+end
+
+
 do
     local ALLOWED_PHASES = {
         ['rewrite'] = true,

src/ngx_http_lua_kong_ssl.c

@@ -36,6 +36,30 @@ ngx_http_lua_kong_ffi_disable_session_reuse(ngx_http_request_t *r)
 }
 
 
+int
+ngx_http_lua_kong_ffi_get_full_upstream_certificate(ngx_http_request_t *r,
+    char *buf, size_t *buf_len)
+{
+#if (NGX_SSL)
+    ngx_http_upstream_t *u = r->upstream;
+    if (u == NULL) {
+        return NGX_ABORT;
+    }
+    ngx_peer_connection_t *peer = &(u->peer);
+    if (peer == NULL) {
+        return NGX_ABORT;
+    }
+    ngx_connection_t *c = peer->connection;
+    if (c == NULL) {
+        return NGX_ABORT;
+    }
+    return ngx_lua_kong_ssl_get_full_upstream_certificate(c, buf, buf_len);
+#else
+    return NGX_ABORT;
+#endif
+}
+
+
 int
 ngx_http_lua_kong_ffi_get_full_client_certificate_chain(ngx_http_request_t *r,
     char *buf, size_t *buf_len)

src/ssl/ngx_lua_kong_ssl.c

@@ -127,6 +127,68 @@ ngx_lua_kong_ssl_disable_session_reuse(ngx_connection_t *c)
 }
 
 
+int
+ngx_lua_kong_ssl_get_full_upstream_certificate(ngx_connection_t *c,
+    char *buf, size_t *buf_len)
+{
+    ngx_ssl_conn_t      *sc;
+    STACK_OF(X509)      *chain;
+    X509                *cert;
+    int                  i, n;
+    size_t               len;
+    BIO                 *bio;
+    int                  ret;
+    
+    if (c->ssl == NULL) {
+        return NGX_ABORT;
+    }
+
+    cert = SSL_get_peer_certificate(c->ssl->connection);
+    if (cert == NULL) {
+        /* client did not present a certificate or server did not request it */
+        return NGX_DECLINED;
+    }
+
+    bio = BIO_new(BIO_s_mem());
+    if (bio == NULL) {
+        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed");
+
+        X509_free(cert);
+        ret = NGX_ERROR;
+        goto done;
+    }
+
+    if (PEM_write_bio_X509(bio, cert) == 0) {
+        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "PEM_write_bio_X509() failed");
+
+        X509_free(cert);
+        ret = NGX_ERROR;
+        goto done;
+    }
+
+    X509_free(cert);
+
+    len = BIO_pending(bio);
+    if (len > *buf_len) {
+        *buf_len = len;
+
+        ret = NGX_AGAIN;
+        goto done;
+    }
+
+    BIO_read(bio, buf, len);
+    *buf_len = len;
+
+    ret = NGX_OK;
+
+done:
+
+    BIO_free(bio);
+
+    return ret;
+}
+
+
 int
 ngx_lua_kong_ssl_get_full_client_certificate_chain(ngx_connection_t *c,
     char *buf, size_t *buf_len)

src/ssl/ngx_lua_kong_ssl.h

@@ -33,6 +33,8 @@ ngx_int_t ngx_lua_kong_ssl_init(ngx_conf_t *cf);
 const char *ngx_lua_kong_ssl_disable_session_reuse(ngx_connection_t *c);
 int ngx_lua_kong_ssl_get_full_client_certificate_chain(ngx_connection_t *c,
     char *buf, size_t *buf_len);
+int ngx_lua_kong_ssl_get_full_upstream_certificate(ngx_connection_t *c,
+    char *buf, size_t *buf_len);
 
 void ngx_lua_kong_ssl_set_upstream_ssl(ngx_lua_kong_ssl_ctx_t *ctx, ngx_connection_t *c);
 void ngx_lua_kong_ssl_cleanup(ngx_lua_kong_ssl_ctx_t *ctx);