nghttpx: Add --client-private-key-file and --client-cert-file options

69967aee · Tatsuhiro Tsujikawa · 5bb70664 · 69967aee · 69967aee · 69967aee
Commit 69967aee authored Nov 02, 2013 by Tatsuhiro Tsujikawa
Hide whitespace changes
Inline Side-by-side

Showing with 52 additions and 0 deletions

src/shrpx.cc src/shrpx.cc +21 -0

src/shrpx_config.cc src/shrpx_config.cc +6 -0

src/shrpx_config.h src/shrpx_config.h +4 -0

src/shrpx_ssl.cc src/shrpx_ssl.cc +21 -0

No files found.
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@@ -418,6 +418,8 @@ void fill_default_config()
  mod_config()->npn_list = nullptr;
  mod_config()->verify_client = false;
  mod_config()->verify_client_cacert = nullptr;
+  mod_config()->client_private_key_file = nullptr;
+  mod_config()->client_cert_file = nullptr;
 }
 } // namespace

@@ -600,6 +602,13 @@ void print_help(std::ostream& out)
      << "                       to verify client certificate.\n"
      << "                       The file must be in PEM format. It can\n"
      << "                       contain multiple certificates.\n"
+      << "    --client-private-key-file=<PATH>\n"
+      << "                       Path to file that contains client private\n"
+      << "                       key used in backend client authentication.\n"
+      << "    --client-cert-file=<PATH>\n"
+      << "                       Path to file that contains client\n"
+      << "                       certificate used in backend client\n"
+      << "                       authentication.\n"
      << "\n"
      << "  HTTP/2.0 and SPDY:\n"
      << "    -c, --spdy-max-concurrent-streams=<NUM>\n"
@@ -739,8 +748,11 @@ int main(int argc, char **argv)
      {"npn-list", required_argument, &flag, 38},
      {"verify-client", no_argument, &flag, 39},
      {"verify-client-cacert", required_argument, &flag, 40},
+      {"client-private-key-file", required_argument, &flag, 41},
+      {"client-cert-file", required_argument, &flag, 42},
      {nullptr, 0, nullptr, 0 }
    };
+
    int option_index = 0;
    int c = getopt_long(argc, argv, "DL:b:c:f:hkn:psv", long_options,
                        &option_index);
@@ -951,6 +963,15 @@ int main(int argc, char **argv)
        cmdcfgs.push_back(std::make_pair(SHRPX_OPT_VERIFY_CLIENT_CACERT,
                                         optarg));
        break;
+      case 41:
+        // --client-private-key-file
+        cmdcfgs.push_back(std::make_pair(SHRPX_OPT_CLIENT_PRIVATE_KEY_FILE,
+                                         optarg));
+        break;
+      case 42:
+        // --client-cert-file
+        cmdcfgs.push_back(std::make_pair(SHRPX_OPT_CLIENT_CERT_FILE, optarg));
+        break;
      default:
        break;
      }

--- a/src/shrpx_config.cc
+++ b/src/shrpx_config.cc
@@ -102,6 +102,8 @@ const char SHRPX_OPT_WRITE_BURST[] = "write-burst";
 const char SHRPX_OPT_NPN_LIST[] = "npn-list";
 const char SHRPX_OPT_VERIFY_CLIENT[] = "verify-client";
 const char SHRPX_OPT_VERIFY_CLIENT_CACERT[] = "verify-client-cacert";
+const char SHRPX_OPT_CLIENT_PRIVATE_KEY_FILE[] = "client-private-key-file";
+const char SHRPX_OPT_CLIENT_CERT_FILE[] = "client-cert-file";

 namespace {
 Config *config = nullptr;
@@ -412,6 +414,10 @@ int parse_config(const char *opt, const char *optarg)
    mod_config()->verify_client = util::strieq(optarg, "yes");
  } else if(util::strieq(opt, SHRPX_OPT_VERIFY_CLIENT_CACERT)) {
    set_config_str(&mod_config()->verify_client_cacert, optarg);
+  } else if(util::strieq(opt, SHRPX_OPT_CLIENT_PRIVATE_KEY_FILE)) {
+    set_config_str(&mod_config()->client_private_key_file, optarg);
+  } else if(util::strieq(opt, SHRPX_OPT_CLIENT_CERT_FILE)) {
+    set_config_str(&mod_config()->client_cert_file, optarg);
  } else if(util::strieq(opt, "conf")) {
    LOG(WARNING) << "conf is ignored";
  } else {

--- a/src/shrpx_config.h
+++ b/src/shrpx_config.h
@@ -93,6 +93,8 @@ extern const char SHRPX_OPT_WRITE_BURST[];
 extern const char SHRPX_OPT_NPN_LIST[];
 extern const char SHRPX_OPT_VERIFY_CLIENT[];
 extern const char SHRPX_OPT_VERIFY_CLIENT_CACERT[];
+extern const char SHRPX_OPT_CLIENT_PRIVATE_KEY_FILE[];
+extern const char SHRPX_OPT_CLIENT_CERT_FILE[];

 union sockaddr_union {
  sockaddr sa;
@@ -191,6 +193,8 @@ struct Config {
  // Path to file containing CA certificate solely used for client
  // certificate validation
  char *verify_client_cacert;
+  char *client_private_key_file;
+  char *client_cert_file;
 };

 const Config* get_config();

--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@@ -296,6 +296,27 @@ SSL_CTX* create_ssl_client_context()
    }
  }

+  if(get_config()->client_private_key_file) {
+    if(SSL_CTX_use_PrivateKey_file(ssl_ctx,
+                                   get_config()->client_private_key_file,
+                                   SSL_FILETYPE_PEM) != 1) {
+      LOG(FATAL) << "Could not load client private key from "
+                 << get_config()->client_private_key_file << ": "
+                 << ERR_error_string(ERR_get_error(), nullptr);
+      DIE();
+    }
+  }
+  if(get_config()->client_cert_file) {
+    if(SSL_CTX_use_certificate_chain_file(ssl_ctx,
+                                          get_config()->client_cert_file)
+       != 1) {
+      LOG(FATAL) << "Could not load client certificate from "
+                 << get_config()->client_cert_file << ": "
+                 << ERR_error_string(ERR_get_error(), nullptr);
+      DIE();
+    }
+  }
+
  SSL_CTX_set_next_proto_select_cb(ssl_ctx, select_next_proto_cb, nullptr);
  return ssl_ctx;
 }