
Commit fcd0827

shukitchan and Copilot authored
Add support for retrieving cert info in lua plugin (#12683)
* Add support for retrieving cert info in lua plugin
* fix format error
* fix format error
* fix compile error
* Update plugins/lua/ts_lua_client_cert_helpers.h Co-authored-by: Copilot <[email protected]>
* fix error checking
* fix error checking
* fix error checking
* fix error checking
* fix error checking
* Update plugins/lua/ts_lua_client_cert_helpers.h Co-authored-by: Copilot <[email protected]>
* fix error checking
* fix error checking
* fix compile error
---------
Co-authored-by: Copilot <[email protected]>
1 parent 0d52043 commit fcd0827

3 files changed

+1545
-0
lines changed

doc/admin-guide/plugins/lua.en.rst

Lines changed: 347 additions & 0 deletions
@@ -1340,6 +1340,353 @@ Here is an example:
13401340
end
13411341

13421342

1343+
:ref:`TOP <admin-plugins-ts-lua>`
1344+
1345+
ts.client_request.client_cert_get_pem
1346+
-----------------------------------------------
1347+
**syntax:** *ts.client_request.client_cert_get_pem()*
1348+
1349+
**context:** do_remap/do_os_response or do_global_* or later
1350+
1351+
**description**: Get the PEM-encoded client certificate (for mTLS connections).
1352+
1353+
Returns the client certificate in PEM format, or nil if no client certificate is present.
1354+
1355+
Here is an example:
1356+
1357+
::
1358+
1359+
function do_global_read_request()
1360+
pem = ts.client_request.client_cert_get_pem()
1361+
if pem then
1362+
ts.debug('Client cert PEM: ' .. pem)
1363+
end
1364+
end
1365+
1366+
1367+
:ref:`TOP <admin-plugins-ts-lua>`
1368+
1369+
ts.client_request.client_cert_get_subject
1370+
-----------------------------------------------
1371+
**syntax:** *ts.client_request.client_cert_get_subject()*
1372+
1373+
**context:** do_remap/do_os_response or do_global_* or later
1374+
1375+
**description**: Get the subject DN from the client certificate.
1376+
1377+
Returns the subject distinguished name in RFC2253 format, or nil if not available.
1378+
1379+
Here is an example:
1380+
1381+
::
1382+
1383+
function do_global_read_request()
1384+
subject = ts.client_request.client_cert_get_subject()
1385+
if subject then
1386+
ts.debug('Client cert subject: ' .. subject)
1387+
end
1388+
end
1389+
1390+
1391+
:ref:`TOP <admin-plugins-ts-lua>`
1392+
1393+
ts.client_request.client_cert_get_issuer
1394+
-----------------------------------------------
1395+
**syntax:** *ts.client_request.client_cert_get_issuer()*
1396+
1397+
**context:** do_remap/do_os_response or do_global_* or later
1398+
1399+
**description**: Get the issuer DN from the client certificate.
1400+
1401+
Returns the issuer distinguished name in RFC2253 format, or nil if not available.
1402+
1403+
1404+
:ref:`TOP <admin-plugins-ts-lua>`
1405+
1406+
ts.client_request.client_cert_get_serial
1407+
-----------------------------------------------
1408+
**syntax:** *ts.client_request.client_cert_get_serial()*
1409+
1410+
**context:** do_remap/do_os_response or do_global_* or later
1411+
1412+
**description**: Get the serial number from the client certificate.
1413+
1414+
Returns the certificate serial number as a string, or nil if not available.
1415+
1416+
1417+
:ref:`TOP <admin-plugins-ts-lua>`
1418+
1419+
ts.client_request.client_cert_get_signature
1420+
-----------------------------------------------
1421+
**syntax:** *ts.client_request.client_cert_get_signature()*
1422+
1423+
**context:** do_remap/do_os_response or do_global_* or later
1424+
1425+
**description**: Get the signature from the client certificate.
1426+
1427+
Returns the certificate signature as a colon-separated hex string, or nil if not available.
1428+
1429+
1430+
:ref:`TOP <admin-plugins-ts-lua>`
1431+
1432+
ts.client_request.client_cert_get_not_before
1433+
-----------------------------------------------
1434+
**syntax:** *ts.client_request.client_cert_get_not_before()*
1435+
1436+
**context:** do_remap/do_os_response or do_global_* or later
1437+
1438+
**description**: Get the "not before" timestamp from the client certificate.
1439+
1440+
Returns the certificate validity start date/time as a string, or nil if not available.
1441+
1442+
1443+
:ref:`TOP <admin-plugins-ts-lua>`
1444+
1445+
ts.client_request.client_cert_get_not_after
1446+
-----------------------------------------------
1447+
**syntax:** *ts.client_request.client_cert_get_not_after()*
1448+
1449+
**context:** do_remap/do_os_response or do_global_* or later
1450+
1451+
**description**: Get the "not after" timestamp from the client certificate.
1452+
1453+
Returns the certificate validity end date/time as a string, or nil if not available.
1454+
1455+
1456+
:ref:`TOP <admin-plugins-ts-lua>`
1457+
1458+
ts.client_request.client_cert_get_version
1459+
-----------------------------------------------
1460+
**syntax:** *ts.client_request.client_cert_get_version()*
1461+
1462+
**context:** do_remap/do_os_response or do_global_* or later
1463+
1464+
**description**: Get the X.509 version from the client certificate.
1465+
1466+
Returns the certificate version as an integer (typically 2 for v3 certificates), or nil if not available.
1467+
1468+
1469+
:ref:`TOP <admin-plugins-ts-lua>`
1470+
1471+
ts.client_request.client_cert_get_san_dns
1472+
-----------------------------------------------
1473+
**syntax:** *ts.client_request.client_cert_get_san_dns()*
1474+
1475+
**context:** do_remap/do_os_response or do_global_* or later
1476+
1477+
**description**: Get DNS Subject Alternative Names from the client certificate.
1478+
1479+
Returns a Lua table (array) of DNS names, or nil if none are present.
1480+
1481+
Here is an example:
1482+
1483+
::
1484+
1485+
function do_global_read_request()
1486+
dns_names = ts.client_request.client_cert_get_san_dns()
1487+
if dns_names then
1488+
for i, name in ipairs(dns_names) do
1489+
ts.debug('DNS SAN: ' .. name)
1490+
end
1491+
end
1492+
end
1493+
1494+
1495+
:ref:`TOP <admin-plugins-ts-lua>`
1496+
1497+
ts.client_request.client_cert_get_san_ip
1498+
-----------------------------------------------
1499+
**syntax:** *ts.client_request.client_cert_get_san_ip()*
1500+
1501+
**context:** do_remap/do_os_response or do_global_* or later
1502+
1503+
**description**: Get IP address Subject Alternative Names from the client certificate.
1504+
1505+
Returns a Lua table (array) of IP addresses, or nil if none are present.
1506+
1507+
1508+
:ref:`TOP <admin-plugins-ts-lua>`
1509+
1510+
ts.client_request.client_cert_get_san_email
1511+
-----------------------------------------------
1512+
**syntax:** *ts.client_request.client_cert_get_san_email()*
1513+
1514+
**context:** do_remap/do_os_response or do_global_* or later
1515+
1516+
**description**: Get email Subject Alternative Names from the client certificate.
1517+
1518+
Returns a Lua table (array) of email addresses, or nil if none are present.
1519+
1520+
1521+
:ref:`TOP <admin-plugins-ts-lua>`
1522+
1523+
ts.client_request.client_cert_get_san_uri
1524+
-----------------------------------------------
1525+
**syntax:** *ts.client_request.client_cert_get_san_uri()*
1526+
1527+
**context:** do_remap/do_os_response or do_global_* or later
1528+
1529+
**description**: Get URI Subject Alternative Names from the client certificate.
1530+
1531+
Returns a Lua table (array) of URIs, or nil if none are present.
1532+
1533+
1534+
:ref:`TOP <admin-plugins-ts-lua>`
1535+
1536+
ts.client_request.server_cert_get_pem
1537+
-----------------------------------------------
1538+
**syntax:** *ts.client_request.server_cert_get_pem()*
1539+
1540+
**context:** do_remap/do_os_response or do_global_* or later
1541+
1542+
**description**: Get the PEM-encoded server certificate (the certificate ATS presented to the client).
1543+
1544+
Returns the server certificate in PEM format, or nil if not available.
1545+
1546+
1547+
:ref:`TOP <admin-plugins-ts-lua>`
1548+
1549+
ts.client_request.server_cert_get_subject
1550+
-----------------------------------------------
1551+
**syntax:** *ts.client_request.server_cert_get_subject()*
1552+
1553+
**context:** do_remap/do_os_response or do_global_* or later
1554+
1555+
**description**: Get the subject DN from the server certificate.
1556+
1557+
Returns the subject distinguished name in RFC2253 format, or nil if not available.
1558+
1559+
1560+
:ref:`TOP <admin-plugins-ts-lua>`
1561+
1562+
ts.client_request.server_cert_get_issuer
1563+
-----------------------------------------------
1564+
**syntax:** *ts.client_request.server_cert_get_issuer()*
1565+
1566+
**context:** do_remap/do_os_response or do_global_* or later
1567+
1568+
**description**: Get the issuer DN from the server certificate.
1569+
1570+
Returns the issuer distinguished name in RFC2253 format, or nil if not available.
1571+
1572+
1573+
:ref:`TOP <admin-plugins-ts-lua>`
1574+
1575+
ts.client_request.server_cert_get_serial
1576+
-----------------------------------------------
1577+
**syntax:** *ts.client_request.server_cert_get_serial()*
1578+
1579+
**context:** do_remap/do_os_response or do_global_* or later
1580+
1581+
**description**: Get the serial number from the server certificate.
1582+
1583+
Returns the certificate serial number as a string, or nil if not available.
1584+
1585+
1586+
:ref:`TOP <admin-plugins-ts-lua>`
1587+
1588+
ts.client_request.server_cert_get_signature
1589+
-----------------------------------------------
1590+
**syntax:** *ts.client_request.server_cert_get_signature()*
1591+
1592+
**context:** do_remap/do_os_response or do_global_* or later
1593+
1594+
**description**: Get the signature from the server certificate.
1595+
1596+
Returns the certificate signature as a colon-separated hex string, or nil if not available.
1597+
1598+
1599+
:ref:`TOP <admin-plugins-ts-lua>`
1600+
1601+
ts.client_request.server_cert_get_not_before
1602+
-----------------------------------------------
1603+
**syntax:** *ts.client_request.server_cert_get_not_before()*
1604+
1605+
**context:** do_remap/do_os_response or do_global_* or later
1606+
1607+
**description**: Get the "not before" timestamp from the server certificate.
1608+
1609+
Returns the certificate validity start date/time as a string, or nil if not available.
1610+
1611+
1612+
:ref:`TOP <admin-plugins-ts-lua>`
1613+
1614+
ts.client_request.server_cert_get_not_after
1615+
-----------------------------------------------
1616+
**syntax:** *ts.client_request.server_cert_get_not_after()*
1617+
1618+
**context:** do_remap/do_os_response or do_global_* or later
1619+
1620+
**description**: Get the "not after" timestamp from the server certificate.
1621+
1622+
Returns the certificate validity end date/time as a string, or nil if not available.
1623+
1624+
1625+
:ref:`TOP <admin-plugins-ts-lua>`
1626+
1627+
ts.client_request.server_cert_get_version
1628+
-----------------------------------------------
1629+
**syntax:** *ts.client_request.server_cert_get_version()*
1630+
1631+
**context:** do_remap/do_os_response or do_global_* or later
1632+
1633+
**description**: Get the X.509 version from the server certificate.
1634+
1635+
Returns the certificate version as an integer (typically 2 for v3 certificates), or nil if not available.
1636+
1637+
1638+
:ref:`TOP <admin-plugins-ts-lua>`
1639+
1640+
ts.client_request.server_cert_get_san_dns
1641+
-----------------------------------------------
1642+
**syntax:** *ts.client_request.server_cert_get_san_dns()*
1643+
1644+
**context:** do_remap/do_os_response or do_global_* or later
1645+
1646+
**description**: Get DNS Subject Alternative Names from the server certificate.
1647+
1648+
Returns a Lua table (array) of DNS names, or nil if none are present.
1649+
1650+
1651+
:ref:`TOP <admin-plugins-ts-lua>`
1652+
1653+
ts.client_request.server_cert_get_san_ip
1654+
-----------------------------------------------
1655+
**syntax:** *ts.client_request.server_cert_get_san_ip()*
1656+
1657+
**context:** do_remap/do_os_response or do_global_* or later
1658+
1659+
**description**: Get IP address Subject Alternative Names from the server certificate.
1660+
1661+
Returns a Lua table (array) of IP addresses, or nil if none are present.
1662+
1663+
1664+
:ref:`TOP <admin-plugins-ts-lua>`
1665+
1666+
ts.client_request.server_cert_get_san_email
1667+
-----------------------------------------------
1668+
**syntax:** *ts.client_request.server_cert_get_san_email()*
1669+
1670+
**context:** do_remap/do_os_response or do_global_* or later
1671+
1672+
**description**: Get email Subject Alternative Names from the server certificate.
1673+
1674+
Returns a Lua table (array) of email addresses, or nil if none are present.
1675+
1676+
1677+
:ref:`TOP <admin-plugins-ts-lua>`
1678+
1679+
ts.client_request.server_cert_get_san_uri
1680+
-----------------------------------------------
1681+
**syntax:** *ts.client_request.server_cert_get_san_uri()*
1682+
1683+
**context:** do_remap/do_os_response or do_global_* or later
1684+
1685+
**description**: Get URI Subject Alternative Names from the server certificate.
1686+
1687+
Returns a Lua table (array) of URIs, or nil if none are present.
1688+
1689+
13431690
:ref:`TOP <admin-plugins-ts-lua>`
13441691

13451692
ts.client_request.get_pp_info
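
Review bot: The entries for client_cert_get_not_before and client_cert_get_not_after (new lines 1440 and 1453, and the server_cert_* counterparts at 1609 and 1622) say only that the value is returned "as a string" without giving its format or timezone, so a script cannot reliably parse or compare it to check validity; please document the exact format, and likewise state at 1414 and 1583 whether the serial number string is hex or decimal. The text also does not say whether the client_cert_* accessors return data only for a certificate that passed verification or for any certificate the client presented; since scripts are likely to base access decisions on the subject and SAN values, that should be stated explicitly in the descriptions. As a style point, the three examples (1360, 1384, 1486) assign `pem`, `subject` and `dns_names` without `local`, which makes them globals; `local pem = ts.client_request.client_cert_get_pem()` would be the safer pattern to show. The example at 1362 also writes the whole PEM to the debug log, where logging the subject or serial would usually be enough.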
