From 29dfc49c4ea4d3b5717cdf5327984a90361d8fb7 Mon Sep 17 00:00:00 2001 From: Maxim Dounin Date: Sat, 9 Mar 2019 03:03:56 +0300 Subject: [PATCH] SSL: support for parsing PEM certificates from memory. This makes it possible to provide certificates directly via variables in ssl_certificate / ssl_certificate_key directives, without using intermediate files. --- src/event/ngx_event_openssl.c | 68 ++++++++++++++++++++++------------- 1 file changed, 43 insertions(+), 25 deletions(-) diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c index 0a0afdc5c..bee264c9f 100644 --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -611,23 +611,29 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, X509 *x509, *temp; u_long n; - if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, cert) - != NGX_OK) - { - *err = NULL; - return NULL; - } + if (ngx_strncmp(cert->data, "data:", sizeof("data:") - 1) == 0) { - /* - * we can't use SSL_CTX_use_certificate_chain_file() as it doesn't - * allow to access certificate later from SSL_CTX, so we reimplement - * it here - */ + bio = BIO_new_mem_buf(cert->data + sizeof("data:") - 1, + cert->len - (sizeof("data:") - 1)); + if (bio == NULL) { + *err = "BIO_new_mem_buf() failed"; + return NULL; + } - bio = BIO_new_file((char *) cert->data, "r"); - if (bio == NULL) { - *err = "BIO_new_file() failed"; - return NULL; + } else { + + if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, cert) + != NGX_OK) + { + *err = NULL; + return NULL; + } + + bio = BIO_new_file((char *) cert->data, "r"); + if (bio == NULL) { + *err = "BIO_new_file() failed"; + return NULL; + } } /* certificate itself */ 
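Review bot: The prefix test `ngx_strncmp(cert->data, "data:", sizeof("data:") - 1)` runs before anything looks at `cert->len`, and the following `cert->len - (sizeof("data:") - 1)` is unsigned arithmetic passed as the `int` length of `BIO_new_mem_buf()`; since the commit message says the value may now come from a variable, I would not rely on it being NUL-terminated or at least five bytes long, and for a shorter unterminated value the compare reads past the string and the length wraps. A guard on the condition closes both: `if (cert->len >= sizeof("data:") - 1 && ngx_strncmp(cert->data, "data:", sizeof("data:") - 1) == 0) {`. The hunk also drops the comment explaining why `SSL_CTX_use_certificate_chain_file()` is not used even though that hand-rolled chain loading still follows; I would restore it above `/* certificate itself */`. ngx_ssl_load_certificate's body continues past the hunk.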
@@ -743,17 +749,29 @@ ngx_ssl_load_certificate_key(ngx_pool_t *pool, char **err, #endif } - if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, key) - != NGX_OK) - { - *err = NULL; - return NULL; - } + if (ngx_strncmp(key->data, "data:", sizeof("data:") - 1) == 0) { - bio = BIO_new_file((char *) key->data, "r"); - if (bio == NULL) { - *err = "BIO_new_file() failed"; - return NULL; + bio = BIO_new_mem_buf(key->data + sizeof("data:") - 1, + key->len - (sizeof("data:") - 1)); + if (bio == NULL) { + *err = "BIO_new_mem_buf() failed"; + return NULL; + } + + } else { + + if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, key) + != NGX_OK) + { + *err = NULL; + return NULL; + } + + bio = BIO_new_file((char *) key->data, "r"); + if (bio == NULL) { + *err = "BIO_new_file() failed"; + return NULL; + } } if (passwords) {
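Review bot: In the `data:` branch the PEM private key is `key->data` itself: `BIO_new_mem_buf()` wraps the caller's buffer read-only rather than copying it (per the OpenSSL documentation), so the key bytes remain in pool memory after parsing and nothing in this hunk clears them, and the same `key->data` is presumably what the callers print next to `*err` when loading fails (not visible here), which would write a malformed secret key verbatim to the error log. I would add above the branch `/* key material is referenced in place: it stays in key->data after parsing and must not be logged for "data:" keys */` and have the error reporting elide the value when it starts with `data:`. The prefix test here also lacks a `key->len >= sizeof("data:") - 1` guard before `ngx_strncmp()`, so the same short/unterminated-value concern as in the certificate loader applies. ngx_ssl_load_certificate_key starts before the hunk and continues after it.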