| author | Maxim Dounin <mdounin@mdounin.ru> | 2019-03-09 03:03:56 +0300 |
|---|---|---|
| committer | Maxim Dounin <mdounin@mdounin.ru> | 2019-03-09 03:03:56 +0300 |
| commit | 59c34b67952c2ebee6760ca3115ba19e65060b58 (patch) | |
| tree | d4f29354328019a348fdd48469f9d074c23447ac | |
| parent | 762d98abedd89c834713451cd1ba3d33777c63d9 (diff) | |
SSL: support for parsing PEM certificates from memory.
This makes it possible to provide certificates directly via variables
in ssl_certificate / ssl_certificate_key directives, without using
intermediate files.
| -rw-r--r-- | src/event/ngx_event_openssl.c | 68 |
1 files changed, 43 insertions, 25 deletions
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 0a0afdc5c..bee264c9f 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -611,23 +611,29 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
 X509 *x509, *temp;
 u_long n;
 
- if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, cert)
- != NGX_OK)
- {
- *err = NULL;
- return NULL;
- }
+ if (ngx_strncmp(cert->data, "data:", sizeof("data:") - 1) == 0) {
 
- /*
- * we can't use SSL_CTX_use_certificate_chain_file() as it doesn't
- * allow to access certificate later from SSL_CTX, so we reimplement
- * it here
- */
+ bio = BIO_new_mem_buf(cert->data + sizeof("data:") - 1,
+ cert->len - (sizeof("data:") - 1));
+ if (bio == NULL) {
+ *err = "BIO_new_mem_buf() failed";
+ return NULL;
+ }
 
- bio = BIO_new_file((char *) cert->data, "r");
- if (bio == NULL) {
- *err = "BIO_new_file() failed";
- return NULL;
+ } else {
+
+ if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, cert)
+ != NGX_OK)
+ {
+ *err = NULL;
+ return NULL;
+ }
+
+ bio = BIO_new_file((char *) cert->data, "r");
+ if (bio == NULL) {
+ *err = "BIO_new_file() failed";
+ return NULL;
+ }
 }
 
 /* certificate itself */
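Review bot: The `data:` test in ngx_ssl_load_certificate() compares five bytes of `cert->data` without consulting `cert->len`, so it is only safe while every caller hands in a NUL-terminated string of at least that reach; the commit message suggests values will come from variables, where that is worth confirming. Making the bound explicit costs nothing: `if (cert->len >= sizeof("data:") - 1 && ngx_strncmp(cert->data, "data:", sizeof("data:") - 1) == 0) {`, which also documents that the length passed on cannot wrap below zero. That length is a size_t going into BIO_new_mem_buf()'s int parameter, so an oversized value would be narrowed silently; a range check or a comment stating the expected maximum would help. The same two remarks apply to the ngx_ssl_load_certificate_key() hunk, and the function body continues outside this hunk.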
@@ -743,17 +749,29 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err,
 #endif
 }
 
- if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, key)
- != NGX_OK)
- {
- *err = NULL;
- return NULL;
- }
+ if (ngx_strncmp(key->data, "data:", sizeof("data:") - 1) == 0) {
 
- bio = BIO_new_file((char *) key->data, "r");
- if (bio == NULL) {
- *err = "BIO_new_file() failed";
- return NULL;
+ bio = BIO_new_mem_buf(key->data + sizeof("data:") - 1,
+ key->len - (sizeof("data:") - 1));
+ if (bio == NULL) {
+ *err = "BIO_new_mem_buf() failed";
+ return NULL;
+ }
+
+ } else {
+
+ if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, key)
+ != NGX_OK)
+ {
+ *err = NULL;
+ return NULL;
+ }
+
+ bio = BIO_new_file((char *) key->data, "r");
+ if (bio == NULL) {
+ *err = "BIO_new_file() failed";
+ return NULL;
+ }
 }
 
 if (passwords) { |
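Review bot: In the `data:` branch of ngx_ssl_load_certificate_key(), `key->data` now holds the private key itself rather than a file name, and nothing in the new code tells callers that the string has become sensitive. The callers are outside this hunk; if any of them print `key->data` in the message they log when `*err` is set, a malformed inline key would be written to the error log, so those error paths should be checked. I would add a comment in the branch, `/* key->data is PEM key material here, not a path; callers must not log it */`. BIO_new_mem_buf() reads the supplied buffer in place rather than copying it, so the key bytes also remain wherever the caller allocated them; a note on who is expected to clear or release that memory would be useful.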
