extract qcstatement from eidas in nginx


We are working on extracting the qcstatement from an eIDAS certificate which is sent in an incoming request to nginx. I have found that the nginx JavaScript (njs) module is native to nginx and can be used for scripting. Our requirement is that the raw certificate would be in $ssl_client_raw_cert, which should be the input to njs, and it should extract the qcstatement from the certificate and send it back to the request. Can njs handle that part? Or is there an alternative method we should try?

We have installed njs on our system and are analyzing its code features.

There are 1 best solutions below

IMO analysing the qcStatement directly from NGINX could be a little challenging even if you have njs, and I'm not sure if it's worth it. I'd rather pass the raw certificate to the application layer and do the necessary checks there.

Here is how you can extract the client certificate and pass it to your application through a custom header in NGINX (the example below uses OpenResty):

server {
    listen       443 ssl;

    ssl_certificate         /app/server.crt;
    ssl_certificate_key     /app/server.key;
    ssl_verify_client       optional;
    ssl_client_certificate  /app/certificates;  # trusted client CAs

    error_page 495          /ca_error.json;
    location = /ca_error.json {
        root /app;
        internal;
    }

    set_by_lua_block $client_cert {
        -- drop any client-supplied copy of the header before setting our own
        ngx.req.clear_header("X-CLIENT-CERTIFICATE")
        local client_certificate = ngx.var.ssl_client_raw_cert
        -- ngx.log(ngx.STDERR, ngx.var.ssl_client_raw_cert)
        if (client_certificate ~= nil) then
            -- a header value must be a single line, so strip the PEM newlines
            client_certificate = string.gsub(client_certificate, "\n", "")
            ngx.req.set_header("X-CLIENT-CERTIFICATE", client_certificate)
        end
        return client_certificate
    }

    location / {
        proxy_pass http://localhost:8080;
    }
}
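
The application-layer check suggested in the answer above could look like the following. This is an added example for Node.js, not code from the original answer: it takes the `X-CLIENT-CERTIFICATE` header value, walks the DER structure to the qcStatements extension (OID 1.3.6.1.5.5.7.1.3) and returns the statement OIDs. The function names and the sample are assumptions; the sample is a constructed DER skeleton, not a real certificate.

```javascript
const QC_STATEMENTS = "1.3.6.1.5.5.7.1.3"; // id-pe-qcStatements (RFC 3739)
// Read one DER TLV at `off`: returns its tag and the byte range of its value.
function readTlv(buf, off) {
  let len = buf[off + 1], pos = off + 2;
  if (len & 0x80) { // long form: the low 7 bits give the number of length bytes
    const n = len & 0x7f;
    if (n === 0) throw new Error("indefinite length is not DER");
    for (len = 0; pos < off + 2 + n; pos++) len = len * 256 + buf[pos];
  }
  if (!(pos + len <= buf.length)) throw new Error("truncated or malformed DER");
  return { tag: buf[off], start: pos, end: pos + len };
}
// List the TLVs nested directly inside a constructed node.
function children(buf, node) {
  const kids = [];
  for (let p = node.start; p < node.end; p = kids[kids.length - 1].end) kids.push(readTlv(buf, p));
  return kids;
}
// Decode an OBJECT IDENTIFIER value into dotted notation.
function oidToString(buf, node) {
  const arcs = [];
  for (let i = node.start, v = 0; i < node.end; i++) {
    v = v * 128 + (buf[i] & 0x7f);
    if (!(buf[i] & 0x80)) { arcs.push(v); v = 0; }
  }
  const first = Math.min(Math.floor(arcs[0] / 40), 2); // first byte packs two arcs
  return [first, arcs[0] - first * 40, ...arcs.slice(1)].join(".");
}
// Depth-first search for Extension ::= SEQUENCE { extnID, [critical], extnValue }.
function findExtension(buf, node, wanted) {
  if (!(node.tag & 0x20)) return null; // primitive value: nothing nested
  const kids = children(buf, node), last = kids[kids.length - 1];
  if (node.tag === 0x30 && kids.length >= 2 && kids[0].tag === 0x06 &&
      last.tag === 0x04 && oidToString(buf, kids[0]) === wanted) return last;
  for (const kid of kids) { const hit = findExtension(buf, kid, wanted); if (hit) return hit; }
  return null;
}
// `headerValue` is the PEM from X-CLIENT-CERTIFICATE with its newlines already stripped.
function qcStatementIds(headerValue) {
  const der = Buffer.from(headerValue.replace(/-----(BEGIN|END) CERTIFICATE-----|\s/g, ""), "base64");
  const ext = findExtension(der, readTlv(der, 0), QC_STATEMENTS);
  const statements = ext ? children(der, readTlv(der, ext.start)) : []; // SEQUENCE OF QCStatement
  return statements.map((s) => oidToString(der, children(der, s)[0]));
}

// Constructed sample: a DER skeleton carrying only the extension, not a valid certificate.
const tlv = (tag, ...parts) => Buffer.concat([Buffer.from([tag, Buffer.concat(parts).length]), ...parts]);
const oid = (hex) => tlv(0x06, Buffer.from(hex, "hex"));
const qcs = tlv(0x30, tlv(0x30, oid("04008e460101")), tlv(0x30, oid("04008e460104")));
const sampleExt = tlv(0x30, oid("2b06010505070103"), tlv(0x04, qcs));
const cert = tlv(0x30, tlv(0x30, tlv(0xa3, tlv(0x30, sampleExt))));
const SAMPLE_HEADER = "-----BEGIN CERTIFICATE-----" + cert.toString("base64") + "-----END CERTIFICATE-----";
```

`qcStatementIds(SAMPLE_HEADER)` returns the statement OIDs only; any statementInfo still needs its own ASN.1 decoding. The application should accept this header only from the proxy that overwrote it, since chain validation happened at NGINX and not in this code.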