oatpp / oatpp-openssl

OpenSSL adaptor for Oat++ applications

Home Page: https://oatpp.io/

Access to OpenSSL Context

MHaselmaier opened this issue · comments

As far as I'm aware there is currently no way to access the information of the client certificate using oatpp-openssl.
However, it could be easily available if oatpp::openssl::Connection would provide a getter for the OpenSSL context.

Would you be open to adding such a getter?
Users could then e.g. implement an oatpp::web::server::interceptor::RequestInterceptor and dynamic_cast the request->getConnection() to oatpp::openssl::Connection and access the OpenSSL context to retrieve any available information.

@MHaselmaier ,

Please find my comment here - #11 (comment)

Even though #11 is merged - you should consider not using the proposed fix.

Should we somehow provide a way which information is relevant, which then gets added to the requests bundle?
This way only oatpp-openssl has to know about the client certificate but we could access the information in a key-value-pair from everywhere where we have access to the request.

Unfortunately, the connection provider knows nothing about requests.
When the connection provider issues a connection there is no Request object yet created.

We could probably put something to connection properties, however those, at the moment, are capable of storing strings only.

@MHaselmaier ,
can you please provide some more details about the use case?
Why do you want to access the client-cert info exactly at the endpoint?
You should be able to set up client-cert verification via ContextConfigurer.

Yes, I used the ContextConfigurer to enable Client Certificate authentication. However, I would like to access the information of the certificate to use it for e.g. authorization. Meaning giving different certificate holders different access to data / endpoints.

It is possible to use stream::Context::Properties in the connection provider to store needed information, see here - https://github.com/oatpp/oatpp/blob/master/src/oatpp/network/tcp/server/ConnectionProvider.cpp#L358

We have to modify the connection provider so that it will include Client Cert Info in the stream context.

@MHaselmaier

Ok, I'll have a look at it.
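
The authorization use case discussed in this thread, sketched as an added example (not part of the thread, and not oatpp or oatpp-openssl code): a fail-closed check over string-only connection properties that maps a client certificate to the endpoints it may reach. `Props` is a `std::map` stand-in for the real property container, the two property keys are hypothetical, and the request path is assumed to be already normalized.

```cpp
#include <algorithm>
#include <cctype>
#include <map>
#include <string>
#include <vector>

// Stand-in for string-only connection properties (assumption, NOT the oatpp type).
using Props = std::map<std::string, std::string>;

// Hypothetical keys a connection provider could fill in after the TLS handshake.
const std::string kVerified = "tls.client.verified";   // "true" only if chain verification passed
const std::string kFingerprint = "tls.client.sha256";  // hex SHA-256 of the client certificate

// Policy: certificate fingerprint (lowercase hex) -> path prefixes it may reach.
using Policy = std::map<std::string, std::vector<std::string>>;

static std::string lowerHex(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(),
                 [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  return s;
}

// True if `path` equals `prefix` or continues it at a '/' boundary,
// so "/admin" does not also grant "/administrator".
static bool underPrefix(const std::string& path, const std::string& prefix) {
  if (prefix.empty()) return false;
  if (path.compare(0, prefix.size(), prefix) != 0) return false;
  return path.size() == prefix.size() || path[prefix.size()] == '/' || prefix.back() == '/';
}

// Fail closed: missing properties, an unverified chain, a malformed
// fingerprint, or an unknown certificate all result in a denial.
bool authorize(const Props& props, const Policy& policy, const std::string& path) {
  auto v = props.find(kVerified);
  if (v == props.end() || v->second != "true") return false;
  auto f = props.find(kFingerprint);
  if (f == props.end() || f->second.size() != 64) return false;
  auto p = policy.find(lowerHex(f->second));
  if (p == policy.end()) return false;
  return std::any_of(p->second.begin(), p->second.end(),
                     [&](const std::string& pre) { return underPrefix(path, pre); });
}
```

Keying the policy on the certificate fingerprint rather than on a subject field avoids string-matching pitfalls in distinguished names, at the cost of updating the policy whenever a certificate is reissued.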