SSL: $ssl_peer_sigalg

The variable contains the signature algorithm the remote peer used for signing messages during the handshake and at the local side, we can use it to verify the peer's signature.
2025-06-11 12:22:41 +08:00 · 2025-02-25 18:30:10 +08:00 · 2025-02-25 18:30:10 +08:00 · f9035f9c5e
commit f9035f9c5e
parent 99631ab772
4 changed files with 42 additions and 0 deletions
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@ -5881,6 +5881,40 @@ ngx_ssl_get_sigalg(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 }


+ngx_int_t
+ngx_ssl_get_peer_sigalg(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+    int         nid;
+    int         rc;
+    const char *sn;
+
+    rc = SSL_get_peer_signature_type_nid(c->ssl->connection, &nid);
+
+    if (rc && nid != NID_undef) {
+        sn = OBJ_nid2sn(nid);
+        if (sn == NULL) {
+            s->len = sizeof("0x0000") - 1;
+
+            s->data = ngx_pnalloc(pool, s->len);
+            if (s->data == NULL) {
+                return NGX_ERROR;
+            }
+
+            ngx_sprintf(s->data, "0x%04xd", nid & 0xffff);
+
+            return NGX_OK;
+        }
+
+        s->len = ngx_strlen(sn);
+        s->data = (u_char *) sn;
+        return NGX_OK;
+    }
+
+    s->len = 0;
+    return NGX_OK;
+}
+
+
 static time_t
 ngx_ssl_parse_time(
 #if OPENSSL_VERSION_NUMBER > 0x10100000L
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@ -337,6 +337,8 @@ ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
 ngx_int_t ngx_ssl_get_sigalg(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
+ngx_int_t ngx_ssl_get_peer_sigalg(ngx_connection_t *c, ngx_pool_t *pool,
+    ngx_str_t *s);


 ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@ -411,6 +411,9 @@ static ngx_http_variable_t  ngx_http_ssl_vars[] = {
    { ngx_string("ssl_sigalg"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_sigalg, NGX_HTTP_VAR_CHANGEABLE, 0 },

+    { ngx_string("ssl_peer_sigalg"), NULL, ngx_http_ssl_variable,
+      (uintptr_t) ngx_ssl_get_peer_sigalg, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
      ngx_http_null_variable
 };

--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@ -400,6 +400,9 @@ static ngx_stream_variable_t  ngx_stream_ssl_vars[] = {
    { ngx_string("ssl_sigalg"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_sigalg, NGX_STREAM_VAR_CHANGEABLE, 0 },

+    { ngx_string("ssl_peer_sigalg"), NULL, ngx_stream_ssl_variable,
+      (uintptr_t) ngx_ssl_get_peer_sigalg, NGX_STREAM_VAR_CHANGEABLE, 0 },
+
      ngx_stream_null_variable
 };