From 8f63d38e993e74a4d811438aca9f6c8e69dea479 Mon Sep 17 00:00:00 2001
From: sarmurug
Date: Tue, 29 Mar 2022 18:24:44 +0530
Subject: tls: Support for client certificate-key pair

Type: improvement

Signed-off-by: sarmurug
Change-Id: Ibbfe827b9c4c603a6fe7cc49970a46bd683194ce
---
 src/plugins/tlsopenssl/tls_openssl.c | 50 ++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

(limited to 'src/plugins/tlsopenssl')

diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index 74b8142a68d..740ba059e77 100644
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -627,6 +627,52 @@ openssl_ctx_read (tls_ctx_t *ctx, session_t *ts)
   return openssl_ctx_read_dtls (ctx, ts);
 }
 
+static int
+openssl_set_ckpair (SSL *ssl_connection, u32 ckpair_index)
+{
+  app_cert_key_pair_t *ckpair;
+  BIO *cert_bio;
+  EVP_PKEY *pkey;
+  X509 *srvcert;
+
+  ckpair = app_cert_key_pair_get_if_valid (ckpair_index);
+  if (!ckpair)
+    return -1;
+
+  if (!ckpair->cert || !ckpair->key)
+    {
+      TLS_DBG (1, "tls cert and/or key not configured");
+      return -1;
+    }
+  /*
+   * Set the key and cert
+   */
+  cert_bio = BIO_new (BIO_s_mem ());
+  BIO_write (cert_bio, ckpair->cert, vec_len (ckpair->cert));
+  srvcert = PEM_read_bio_X509 (cert_bio, NULL, NULL, NULL);
+  if (!srvcert)
+    {
+      clib_warning ("unable to parse certificate");
+      return -1;
+    }
+  SSL_use_certificate (ssl_connection, srvcert);
+  BIO_free (cert_bio);
+
+  cert_bio = BIO_new (BIO_s_mem ());
+  BIO_write (cert_bio, ckpair->key, vec_len (ckpair->key));
+  pkey = PEM_read_bio_PrivateKey (cert_bio, NULL, NULL, NULL);
+  if (!pkey)
+    {
+      clib_warning ("unable to parse pkey");
+      return -1;
+    }
+  SSL_use_PrivateKey (ssl_connection, pkey);
+  BIO_free (cert_bio);
+  TLS_DBG (1, "TLS client using ckpair index: %d", ckpair_index);
+
+  return 0;
+}
+
 static int
 openssl_ctx_init_client (tls_ctx_t * ctx)
 {
@@ -694,6 +740,10 @@ openssl_ctx_init_client (tls_ctx_t * ctx)
       TLS_DBG (1, "Couldn't set hostname");
       return -1;
     }
+  if (openssl_set_ckpair (oc->ssl, ctx->ckpair_index))
+    {
+      TLS_DBG (1, "Couldn't set client certificate-key pair");
+    }
 
   /*
    * 2. Do the first steps in the handshake.
-- 
cgit 1.2.3-korg
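Review bot: A failure of openssl_set_ckpair is reduced to a level-1 debug message and the handshake proceeds without a client certificate, so a pair the application did configure but that fails to parse, or whose key does not match the certificate, silently yields an unauthenticated client. Unless "no client certificate" is the intended meaning of an unresolvable ctx->ckpair_index (inferred — the field's initialisation is outside this hunk), the added block should distinguish "not configured", for which the call can be skipped, from "configured but unusable", which should fail the connection with `return -1;` and be recorded with `clib_warning` rather than TLS_DBG so operators see it. The enclosing openssl_ctx_init_client begins and ends outside the hunk.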