MINOR: ssl: add ssl_sock_get_cert_sig function

ssl_sock_get_cert_sig can be used to report cert signature short name
to log and ppv2 (RSA-SHA256).

diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
index 91456e2204e35237b5219d259a4b16855e39a1ea..d43ad69e7b479e45d0ee7634dea634c10df23d24 100644 (file)
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h
@@ -50,6 +50,7 @@ void ssl_sock_free_srv_ctx(struct server *srv);
 void ssl_sock_free_all_ctx(struct bind_conf *bind_conf);
 int ssl_sock_load_ca(struct bind_conf *bind_conf);
 void ssl_sock_free_ca(struct bind_conf *bind_conf);
+const char *ssl_sock_get_cert_sig(struct connection *conn);
 const char *ssl_sock_get_cipher_name(struct connection *conn);
 const char *ssl_sock_get_proto_version(struct connection *conn);
 void ssl_sock_set_servername(struct connection *conn, const char *hostname);

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 555c7c4eca96326a99959e646a5fd9ae6fa7ca3f..0e39d10e6dabdca06c145c790d4b33307fed7190 100644 (file)
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5768,6 +5768,21 @@ int ssl_sock_get_pkey_algo(struct connection *conn, struct chunk *out)
        return 1;
 }
 
+/* used for ppv2 cert signature (can be used for logging) */
+const char *ssl_sock_get_cert_sig(struct connection *conn)
+{
+       __OPENSSL_110_CONST__ ASN1_OBJECT *algorithm;
+       X509 *crt;
+
+       if (!ssl_sock_is_ssl(conn))
+               return NULL;
+       crt = SSL_get_certificate(conn->xprt_ctx);
+       if (!crt)
+               return NULL;
+       X509_ALGOR_get0(&algorithm, NULL, NULL, X509_get0_tbs_sigalg(crt));
+       return OBJ_nid2sn(OBJ_obj2nid(algorithm));
+}
+
 /* used for logging/ppv2, may be changed for a sample fetch later */
 const char *ssl_sock_get_cipher_name(struct connection *conn)
 {