net: populate raw TNetTlsContext.PeerCert on OpenSSL

synopse · Jan 17, 2025 · 5580fa7 · 5580fa7
1 parent aee236d
commit 5580fa7
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 4 deletions.
diff --git a/src/lib/mormot.lib.openssl11.pas b/src/lib/mormot.lib.openssl11.pas
@@ -10289,6 +10289,7 @@ function AfterConnectionPeerVerify(
   c := _PeerVerify;
   c.fContext.PeerIssuer := peer.IssuerName;
   c.fContext.PeerSubject := peer.SubjectName;
+  c.fContext.PeerCert := peer;
   try
     result := ord(c.fContext.OnEachPeerVerify(
       c.fSocket, c.fContext, wasok <> 0, c.fSsl, peer));
@@ -10384,6 +10385,7 @@ procedure TOpenSslNetTls.AfterConnection(Socket: TNetSocket;
   Context.PeerIssuer := '';
   Context.PeerSubject := '';
   Context.PeerInfo := '';
+  Context.PeerCert := nil;
   Context.LastError := '';
   // prepare TLS connection properties
   fCtx := SSL_CTX_new(TLS_client_method);
@@ -10430,6 +10432,7 @@ procedure TOpenSslNetTls.AfterConnection(Socket: TNetSocket;
         // writeln(fPeer.SetUsage([kuCodeSign, kuDigitalSignature, kuTlsServer, kuTlsClient]));
         Context.PeerIssuer := fPeer.IssuerName;
         Context.PeerSubject := fPeer.SubjectName;
+        Context.PeerCert := fPeer;
         if Context.WithPeerInfo or
            (not Context.IgnoreCertificateErrors and
             not fSsl.IsVerified(@Context.LastError)) then

diff --git a/src/mormot.commit.inc b/src/mormot.commit.inc
@@ -1 +1 @@
-'2.3.9414'
+'2.3.9415'
diff --git a/src/net/mormot.net.sock.pas b/src/net/mormot.net.sock.pas
@@ -775,7 +775,7 @@ procedure RegisterKnownHost(const HostName, Ip4: RawUtf8);
   // - wasok=true if the TLS library did validate the incoming certificate
   // - should process the supplied peer information, and return true to continue
   // and accept the connection, or false to abort the connection
-  // - Context.PeerIssuer and PeerSubject have been properly populated from Peer
+  // - Context.PeerIssuer, PeerSubject and PeerCert have been properly populated
   // - TLS and Peer are opaque structures, typically OpenSSL PSSL and PX509 pointers
   TOnNetTlsEachPeerVerify = function(Socket: TNetSocket; Context: PNetTlsContext;
     wasok: boolean; TLS, Peer: pointer): boolean of object;
@@ -901,8 +901,7 @@   TNetTlsContext = record
     // - only populated if WithPeerInfo was set to true, or an error occurred
     PeerInfo: RawUtf8;
     /// output: full detailed raw information about the connected Peer
-    // - is a PWinCertInfo from mormot.lib.sspi on SChannel
-    // - not used on OpenSSL
+    // - is a PX509 on OpenSSL, or a PWinCertInfo from mormot.lib.sspi on SChannel
     PeerCert: pointer;
     /// output: low-level details about the last error at TLS level
     // - typically one X509_V_ERR_* integer constant