| author | Steve Powell <steve@rabbitmq.com> | 2012-02-23 15:26:15 +0000 |
|---|---|---|
| committer | Steve Powell <steve@rabbitmq.com> | 2012-02-23 15:26:15 +0000 |
| commit | 122fbb80c5c56980966860d6eeec4fdd6b2abdee (patch) | |
| tree | 3f3db9ba9d4d28ace988864342056ea711b2d0b3 /src | |
| parent | 2725b8ce01c2636ac6fbfe375d1c936653363d8e (diff) | |
| parent | 399867cfd72dd67f0aa3e49964fd82826ebc15b6 (diff) | |
| download | rabbitmq-server-git-122fbb80c5c56980966860d6eeec4fdd6b2abdee.tar.gz | |
Merge bug24182 into default
Diffstat (limited to 'src')
| -rw-r--r-- | src/rabbit_ssl.erl | 41 |
1 files changed, 40 insertions, 1 deletions
diff --git a/src/rabbit_ssl.erl b/src/rabbit_ssl.erl
index 3025d981d4..22ff555ff0 100644
--- a/src/rabbit_ssl.erl
+++ b/src/rabbit_ssl.erl
@@ -21,7 +21,7 @@
 -include_lib("public_key/include/public_key.hrl").
 -export([peer_cert_issuer/1, peer_cert_subject/1, peer_cert_validity/1]).
--export([peer_cert_subject_items/2]).
+-export([peer_cert_subject_items/2, peer_cert_auth_name/1]).
 %%--------------------------------------------------------------------------
@@ -36,6 +36,8 @@
 -spec(peer_cert_validity/1 :: (certificate()) -> string()).
 -spec(peer_cert_subject_items/2 :: (certificate(), tuple()) -> [string()] | 'not_found').
+-spec(peer_cert_auth_name/1 ::
+ (certificate()) -> binary() | 'not_found' | 'unsafe').
 -endif.
@@ -76,6 +78,43 @@ peer_cert_validity(Cert) ->
 format_asn1_value(End)])
 end, Cert).
+%% Extract a username from the certificate
+peer_cert_auth_name(Cert) ->
+ {ok, Mode} = application:get_env(rabbit, ssl_cert_login_from),
+ peer_cert_auth_name(Mode, Cert).
+peer_cert_auth_name(distinguished_name, Cert) ->
+ case auth_config_sane() of
+ true -> iolist_to_binary(peer_cert_subject(Cert));
+ false -> unsafe
+ end;
+peer_cert_auth_name(common_name, Cert) ->
+ %% If there is more than one CN then we join them with "," in a
+ %% vaguely DN-like way. But this is more just so we do something
+ %% more intelligent than crashing, if you actually want to escape
+ %% things properly etc, use DN mode.
+ case auth_config_sane() of
+ true -> case peer_cert_subject_items(Cert, ?'id-at-commonName') of
+ not_found -> not_found;
+ CNs -> list_to_binary(string:join(CNs, ","))
+ end;
+ false -> unsafe
+ end.
+auth_config_sane() ->
+ {ok, Opts} = application:get_env(rabbit, ssl_options),
+ case {proplists:get_value(fail_if_no_peer_cert, Opts),
+ proplists:get_value(verify, Opts)} of
+ {true, verify_peer} ->
+ true;
+ {F, V} ->
+ rabbit_log:warning("SSL certificate authentication disabled, "
+ "fail_if_no_peer_cert=~p; "
+ "verify=~p~n", [F, V]),
+ false
+ end.
 %%--------------------------------------------------------------------------
 cert_info(F, Cert) -> |
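Review bot: `auth_config_sane/0` declares the listener safe when `verify` is `verify_peer` and `fail_if_no_peer_cert` is `true`, but it ignores a `verify_fun` entry in the same `ssl_options` proplist, and a permissive `verify_fun` (one that answers `{valid, State}` to `{bad_cert, _}` events) makes `verify_peer` accept any presented chain, so the name extracted here would be trusted without a real CA check. Unless custom verify funs are an explicitly supported deployment, the check should treat a configured `verify_fun` as unsafe as well, or at minimum surface it in the warning; a version of the function with that third condition follows. Separately, both `list_to_binary(string:join(CNs, ","))` and `iolist_to_binary(peer_cert_subject(Cert))` raise `badarg` if the decoded subject contains code points above 255 (a UTF8String or BMPString CN) — whether that can happen depends on how `peer_cert_subject_items/2` and `format_asn1_value` decode the attribute values, which are outside this hunk, but `unicode:characters_to_binary/1` would be the safe conversion in both modes. Note also that the warning is emitted on every call of `auth_config_sane/0`, which looks like once per certificate login attempt, so a misconfigured listener will log it repeatedly rather than once at startup.
```erlang
auth_config_sane() ->
    {ok, Opts} = application:get_env(rabbit, ssl_options),
    case {proplists:get_value(fail_if_no_peer_cert, Opts),
          proplists:get_value(verify, Opts),
          proplists:is_defined(verify_fun, Opts)} of
        {true, verify_peer, false} ->
            true;
        {F, V, VF} ->
            rabbit_log:warning("SSL certificate authentication disabled, "
                               "fail_if_no_peer_cert=~p; verify=~p; "
                               "custom verify_fun=~p~n", [F, V, VF]),
            false
    end.
```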
