author | Simon MacMullen <simon@rabbitmq.com> | 2012-02-20 12:32:58 +0000 |
---|---|---|
committer | Simon MacMullen <simon@rabbitmq.com> | 2012-02-20 12:32:58 +0000 |
commit | 5336bdec39927c578fa84b7ba854610a323be5f3 (patch) | |
tree | ed44fc54f8227934479cd182022d14fd1976fa3e | |
parent | 17d941035a6cd790a00b47eacf558311bda74c0f (diff) | |
Move code from rabbitmq-auth-mechanism-ssl onto the broker
-rw-r--r-- | src/rabbit_ssl.erl | 39 |
1 files changed, 38 insertions, 1 deletions
diff --git a/src/rabbit_ssl.erl b/src/rabbit_ssl.erl
index 3025d981..8877d8f2 100644
--- a/src/rabbit_ssl.erl
+++ b/src/rabbit_ssl.erl
@@ -21,7 +21,7 @@
 -include_lib("public_key/include/public_key.hrl").
 -export([peer_cert_issuer/1, peer_cert_subject/1, peer_cert_validity/1]).
--export([peer_cert_subject_items/2]).
+-export([peer_cert_subject_items/2, peer_cert_auth_name/2]).
 %%--------------------------------------------------------------------------
@@ -37,6 +37,10 @@
 -spec(peer_cert_subject_items/2 :: (certificate(), tuple()) -> [string()] | 'not_found').
+-spec(peer_cert_auth_name/2 ::
+        ('distinguished_name' | 'common_name', certificate()) ->
+                    binary() | 'not_found' | 'unsafe').
+
 -endif.
 %%--------------------------------------------------------------------------
@@ -76,6 +80,39 @@ peer_cert_validity(Cert) ->
 format_asn1_value(End)])
 end, Cert).
+%% For a given mode, extract a username from the certificate
+peer_cert_auth_name(distinguished_name, Cert) ->
+    case auth_config_sane() of
+        true -> iolist_to_binary(peer_cert_subject(Cert));
+        false -> unsafe
+    end;
+
+peer_cert_auth_name(common_name, Cert) ->
+    %% If there is more than one CN then we join them with "," in a
+    %% vaguely DN-like way. But this is more just so we do something
+    %% more intelligent than crashing, if you actually want to escape
+    %% things properly etc, use DN mode.
+    case auth_config_sane() of
+        true -> case peer_cert_subject_items(Cert, ?'id-at-commonName') of
+                    not_found -> not_found;
+                    CNs -> list_to_binary(string:join(CNs, ","))
+                end;
+        false -> unsafe
+    end.
+
+auth_config_sane() ->
+    {ok, Opts} = application:get_env(rabbit, ssl_options),
+    case {proplists:get_value(fail_if_no_peer_cert, Opts),
+          proplists:get_value(verify, Opts)} of
+        {true, verify_peer} ->
+            true;
+        {F, V} ->
+            rabbit_log:warning("SSL certificate authentication disabled, "
+                               "fail_if_no_peer_cert=~p; "
+                               "verify=~p~n", [F, V]),
+            false
+    end.
+
 %%--------------------------------------------------------------------------
 cert_info(F, Cert) ->
|
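Review bot: In the common_name clause, `list_to_binary(string:join(CNs, ","))` raises badarg as soon as any CN string contains a code point above 255, so a peer certificate with a non-Latin-1 CN would crash the authenticating process instead of yielding a name or not_found; `unicode:characters_to_binary(string:join(CNs, ","))` covers both cases, and the distinguished_name branch's `iolist_to_binary/1` has the same limit. Whether such strings can actually reach this point depends on what peer_cert_subject_items/2 and peer_cert_subject/1 produce, which is outside the hunk, so confirm their output format before changing it. Separately, auth_config_sane/0 calls rabbit_log:warning on every invocation, i.e. once per authentication attempt while the listener is misconfigured, which is likely noisier than intended; logging once at startup or rate-limiting would keep the signal. Since the function is a predicate, `is_auth_config_sane/0` would also match the usual naming convention.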