oatpp / oatpp-openssl

OpenSSL adaptor for Oat++ applications
https://oatpp.io/
Apache License 2.0

Access to OpenSSL Context #10

Open MHaselmaier opened 2 years ago

MHaselmaier commented 2 years ago

As far as I'm aware there is currently no way to access the information of the client certificate using oatpp-openssl. However, it could easily be made available if oatpp::openssl::Connection provided a getter for the OpenSSL context.

Would you be open to adding such a getter? Users could then e.g. implement an oatpp::web::server::interceptor::RequestInterceptor, dynamic_cast the request->getConnection() to oatpp::openssl::Connection and access the OpenSSL context to retrieve any available information.

lganzzzo commented 2 years ago

@MHaselmaier ,

Please find my comment here - https://github.com/oatpp/oatpp-openssl/pull/11#issuecomment-999151343

lganzzzo commented 2 years ago

Even though #11 is merged - you should consider not using the proposed fix.

MHaselmaier commented 2 years ago

Should we somehow provide a way to specify which information is relevant, which then gets added to the request's bundle? This way only oatpp-openssl has to know about the client certificate, but we could access the information as key-value pairs from everywhere we have access to the request.

lganzzzo commented 2 years ago

Unfortunately, the connection provider knows nothing about requests. When the connection provider issues a connection, there is no Request object created yet.

We could probably put something to connection properties, however those, at the moment, are capable of storing strings only.

@MHaselmaier , can you please provide some more details about the use case? Why do you want to access the client-cert info exactly at the endpoint? You should be able to set up client-cert verification via ContextConfigurer.

MHaselmaier commented 2 years ago

Yes, I used the ContextConfigurer to enable client certificate authentication. However, I would like to access the information of the certificate to use it for e.g. authorization, meaning giving different certificate holders different access to data / endpoints.

lganzzzo commented 2 years ago

It is possible to use stream::Context::Properties in the connection provider to store the needed information; see here - https://github.com/oatpp/oatpp/blob/master/src/oatpp/network/tcp/server/ConnectionProvider.cpp#L358

We have to modify the connection provider so that it will include Client Cert Info in the stream context.

@MHaselmaier

MHaselmaier commented 2 years ago

Ok, I'll have a look at it.