MINOR: ssl: add new sample ssl_c_r_dn This patch addresses #1514, adds the ability to fetch DN of the root ca that was in the chain when client certificate was verified during SSL handshake.

commit: df97f472fad4ec7c2621d2e13db837a591742d9e [log] [tgz]
author: Abhijeet Rastogi <abhijeet.1989@gmail.com> Sat May 13 20:04:45 2023 -0700
committer: William Lallemand <wlallemand@haproxy.org> Mon May 15 10:48:05 2023 +0200
tree: cde98f87386beb1f1f3b11769a13015339cc7827
parent: 7f954691634a794019e5f8720b8edb95f9f90258 [diff] [blame]
diff --git a/src/ssl_utils.c b/src/ssl_utils.c
index 836f054..03d4341 100644
--- a/src/ssl_utils.c
+++ b/src/ssl_utils.c

@@ -318,6 +318,33 @@
 }
 
 /*
+ * This function fetches the x509* for the root CA of client certificate
+ * from the verified chain. We use the SSL_get0_verified_chain and get the
+ * last certificate in the x509 stack.
+ *
+ * Returns NULL in case of failure.
+*/
+X509* ssl_sock_get_verified_chain_root(SSL *ssl)
+{
+	STACK_OF(X509) *chain = NULL;
+	X509 *crt = NULL;
+	int i;
+
+	chain = SSL_get0_verified_chain(ssl);
+	if (!chain)
+		return NULL;
+
+	for (i = 0; i < sk_X509_num(chain); i++) {
+		crt = sk_X509_value(chain, i);
+
+		if (X509_check_issued(crt, crt) == X509_V_OK)
+			break;
+	}
+
+	return crt;
+}
+
+/*
  * Take an OpenSSL version in text format and return a numeric openssl version
  * Return 0 if it failed to parse the version
  *
commit	df97f472fad4ec7c2621d2e13db837a591742d9e	[log] [tgz]
author	Abhijeet Rastogi <abhijeet.1989@gmail.com>	Sat May 13 20:04:45 2023 -0700
committer	William Lallemand <wlallemand@haproxy.org>	Mon May 15 10:48:05 2023 +0200
tree	cde98f87386beb1f1f3b11769a13015339cc7827
parent	7f954691634a794019e5f8720b8edb95f9f90258 [diff] [blame]