Copyright © https://mongoose-os.com

Mongoose OS Forum


Accessing Client Certificate Attributes

Environment: embedded C / C++

I have a secure server-client setup (https / wss) which works great, but the client cert has some additional custom attributes embedded within it (OIDs) which in this case, contains a user access level for certain functions. I've been searching docs and web, but can't seem to find a way to access this additional information. I'm guessing I would want to do this during the MG_EV_WEBSOCKET_HANDSHAKE_DONE event and that the client cert data is contained in mg_connection. To that end I'm using the following routine to retrieve the peer (i.e. client) cert - but combing through it in debug session I just don't see these custom attributes (OIDs).

#include "mongoose.h"           // struct mg_connection and the Mongoose SSL interface
#include "mbedtls/ssl.h"        // mbedtls_ssl_context, mbedtls_ssl_session
#include "mbedtls/x509_crt.h"   // mbedtls_x509_crt

// Return the peer (client) certificate for a connection, or NULL if there is
// no TLS context or the handshake did not produce a client certificate.
struct mbedtls_x509_crt* webServer::getPeerCertificate(struct mg_connection* nc)
{
    // mbedTLS connection context behind the Mongoose SSL interface
    mbedtls_ssl_context* ctx = (mbedtls_ssl_context*) mg_ssl_if_context(nc);
    if (ctx) {
        // session negotiated on this connection; peer_cert is the parsed client chain
        mbedtls_ssl_session* session_in = ctx->session_in;
        if (session_in && session_in->peer_cert) {
            return session_in->peer_cert;
        }
    }
    return NULL;
}

Any clues here would be very much appreciated :)

Comments

  • rojer (Dublin, Ireland)

    currently mongoose does not provide a standard API for accessing client certificate after connection.
    but you may be able to get to the desired state by going to the SSL context.
    which SSL library are you using? mbedtls or openssl?

  • Using mbedtls - hmm - I'll take another look at ssl library functions. Thanks.

  • rojer (Dublin, Ireland)
    edited October 2018

    right. on the mongoose side, nc->ssl_if_data will hold a pointer to this struct which has pointers to configuration and connection context.
    the struct definition is not public, so you'll have to improvise here (wink). it's unlikely that the first two members will change in the future (though no guarantees).
    once you have your hands on the connection context, ctx->session->peer_cert should give you the peer's certificate.
    with the certificate, you can examine its subject field - e.g. call mbedtls_x509_dn_gets on it, etc.
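
Once the certificate is in hand, the custom attribute still has to be pulled out of the subject by its OID. The routine below is an added example, not Mongoose or mbedTLS code: it walks a DER-encoded X.509 Name (the bytes mbedTLS keeps in crt->subject_raw) and returns the value of the attribute selected by dotted OID, rejecting truncated or malformed input. The OID 1.3.6.1.4.1.99999.1 and the sample Name bytes are constructed for the demonstration and stand in for whatever private OID the client certificates actually carry.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* One DER TLV header (short-form length only; an X.509 Name is small enough).
 * Returns a pointer to the content, or NULL if the TLV is truncated. */
static const uint8_t *tlv(const uint8_t *p, const uint8_t *end, uint8_t *tag, size_t *len) {
    if (end - p < 2 || (p[1] & 0x80) || (size_t)(end - p) < 2u + p[1]) return NULL;
    *tag = p[0]; *len = p[1];
    return p + 2;
}

/* Render an encoded OID in dotted form so it can be compared with a policy string. */
static void oid_dotted(const uint8_t *o, size_t n, char *out, size_t cap) {
    uint32_t v = 0; size_t pos = 0; int first = 1;
    for (size_t i = 0; i < n && pos < cap; i++) {
        v = (v << 7) | (o[i] & 0x7f);
        if (o[i] & 0x80) continue;           /* continuation bit: more base-128 digits follow */
        pos += (size_t)(first ? snprintf(out + pos, cap - pos, "%u.%u", v / 40, v % 40)
                              : snprintf(out + pos, cap - pos, ".%u", v));
        first = 0; v = 0;
    }
}

/* Find attribute `want` (dotted OID) in a DER Name (SEQUENCE OF SET OF SEQUENCE { OID, value }).
 * Copies the raw value into out, NUL-terminated, and returns its length; -1 if absent/malformed/too long. */
int name_find_attr(const uint8_t *der, size_t len, const char *want, char *out, size_t cap) {
    uint8_t t; size_t n, m, on, vn; char dotted[64];
    const uint8_t *end = der + len, *p, *q, *rdn_end, *atv, *oid, *val;
    if (!(p = tlv(der, end, &t, &n)) || t != 0x30) return -1;          /* outer SEQUENCE */
    for (end = p + n; p < end; p = rdn_end) {
        if (!(q = tlv(p, end, &t, &n)) || t != 0x31) return -1;        /* one RDN: SET */
        for (rdn_end = q + n; q < rdn_end; q = atv + m) {
            if (!(atv = tlv(q, rdn_end, &t, &m)) || t != 0x30) return -1;   /* AttributeTypeAndValue */
            if (!(oid = tlv(atv, atv + m, &t, &on)) || t != 0x06) return -1;
            if (!(val = tlv(oid + on, atv + m, &t, &vn))) return -1;
            oid_dotted(oid, on, dotted, sizeof dotted);
            if (strcmp(dotted, want) != 0) continue;
            if (vn >= cap) return -1;
            memcpy(out, val, vn); out[vn] = '\0';
            return (int)vn;
        }
    }
    return -1;
}

/* Constructed sample Name: CN=device01 plus a made-up private-arc attribute
 * 1.3.6.1.4.1.99999.1 = "admin" standing in for the access level. */
static const uint8_t SAMPLE_NAME[] = {
    0x30, 0x29, 0x31, 0x11, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x08, 'd','e','v','i','c','e','0','1',
    0x31, 0x14, 0x30, 0x12, 0x06, 0x09, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x86, 0x8D, 0x1F, 0x01, 0x0C, 0x05, 'a','d','m','i','n' };
```

Matching on the raw OID is the reliable route because mbedtls_x509_dn_gets prints unrecognised attribute types as ??=, which is why a custom attribute is easy to miss in a debugger dump of the formatted subject.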

  • Ok - I'm seeing it now. Thanks for the kick in the head - not sure why I thought this would be a Mongoose function - duh.
