authorGarrett D'Amore <garrett@damore.org>2025-10-05 16:51:15 -0700
committerGarrett D'Amore <garrett@damore.org>2025-10-05 20:56:39 -0700
commit06d6d80f8c92ef1d3bd7c00c919e10a411183cb3 (patch)
treeedf8d4cff9b2f595ccd9e3cb4db3cf31eb13bc02 /src/core
parentd1bd64c8251171ac8e1d4e71ab8726c2a64fd55a (diff)
fixes #2173 New TLS cert API - replaces the properties for CN and ALTNAMES.
This will replace the NNG_OPT_TLS_PEER_ALTNAMES and NNG_OPT_TLS_PEER_CN properties, and gives a bit more access to the certificate, as well as direct access to the raw DER form, which should allow use in other APIs.
Diffstat (limited to 'src/core')
-rw-r--r--src/core/defs.h2
-rw-r--r--src/core/pipe.c9
-rw-r--r--src/core/pipe.h3
-rw-r--r--src/core/sockfd.h2
-rw-r--r--src/core/stream.c20
-rw-r--r--src/core/stream.h1
-rw-r--r--src/core/tcp.h2
7 files changed, 31 insertions, 8 deletions
diff --git a/src/core/defs.h b/src/core/defs.h
index 64a43a04..23c17d8b 100644
--- a/src/core/defs.h
+++ b/src/core/defs.h
@@ -14,7 +14,7 @@
#include <stdbool.h>
#include <stdint.h>
-#include <nng/nng.h>
+#include "nng/nng.h"
// C compilers may get unhappy when named arguments are not used. While
// there are things like __attribute__((unused)) which are arguably
diff --git a/src/core/pipe.c b/src/core/pipe.c
index bfc272b3..db2c4d41 100644
--- a/src/core/pipe.c
+++ b/src/core/pipe.c
@@ -430,3 +430,12 @@ nni_pipe_peer_addr(nni_pipe *p, char buf[NNG_MAXADDRSTRLEN])
nng_str_sockaddr(&sa, buf, NNG_MAXADDRSTRLEN);
return (buf);
}
+
+nng_err
+nni_pipe_peer_cert(nni_pipe *p, nng_tls_cert **certp)
+{
+ if (p->p_tran_ops.p_peer_cert == NULL) {
+ return (NNG_ENOTSUP);
+ }
+ return (p->p_tran_ops.p_peer_cert(p->p_tran_data, certp));
+}
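Review bot: On the `NNG_ENOTSUP` path in `nni_pipe_peer_cert` the out-parameter `*certp` is left untouched, so a caller that declares `nng_tls_cert *cert;` without initializing it and mishandles the return code could go on to use or free an indeterminate pointer. Since the result feeds peer-identity decisions, I would fail closed by adding `*certp = NULL;` before `return (NNG_ENOTSUP);`. The same applies to `nng_stream_peer_cert` in src/core/stream.c, which is public API. Whether the transport callbacks clear `*certp` on their own error paths is not visible in this diff and is worth checking as well.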
diff --git a/src/core/pipe.h b/src/core/pipe.h
index b9a13a68..4ed61660 100644
--- a/src/core/pipe.h
+++ b/src/core/pipe.h
@@ -39,6 +39,9 @@ extern uint16_t nni_pipe_peer(nni_pipe *);
extern nng_err nni_pipe_getopt(
nni_pipe *, const char *, void *, size_t *, nni_opt_type);
+// nni_pipe_peer_cert obtains the peer TLS certificate, if available.
+extern nng_err nni_pipe_peer_cert(nni_pipe *, nng_tls_cert **);
+
// nni_pipe_find finds a pipe given its ID. It places a hold on the
// pipe, which must be released by the caller when it is done.
extern nng_err nni_pipe_find(nni_pipe **, uint32_t);
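Review bot: The comment on `nni_pipe_peer_cert` does not say who owns the returned `nng_tls_cert`, how long it stays valid relative to the pipe, or what is returned when no certificate is available. From pipe.c in this commit the unsupported case returns `NNG_ENOTSUP`; ownership is not visible from here, so I would confirm it and then extend the comment, e.g. `// Returns NNG_ENOTSUP if the transport has no peer certificate; on success the caller owns *certp and must free it.` It would also help to state whether a returned certificate implies the peer was actually verified, since callers moving off the CN and ALTNAMES properties will probably base authorization on its contents.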
diff --git a/src/core/sockfd.h b/src/core/sockfd.h
index 8985c009..3b39ee60 100644
--- a/src/core/sockfd.h
+++ b/src/core/sockfd.h
@@ -10,7 +10,7 @@
#ifndef CORE_FDC_H
#define CORE_FDC_H
-#include "core/nng_impl.h"
+#include "nng/nng.h"
// the nni_sfd_conn struct is provided by platform code to wrap
// an arbitrary byte stream file descriptor (UNIX) or handle (Windows)
diff --git a/src/core/stream.c b/src/core/stream.c
index e0da3582..61a8a3ba 100644
--- a/src/core/stream.c
+++ b/src/core/stream.c
@@ -12,12 +12,13 @@
#include <string.h>
-#include "core/nng_impl.h"
+#include "nng_impl.h"
-#include "core/sockfd.h"
-#include "core/tcp.h"
-#include "supplemental/tls/tls_api.h"
-#include "supplemental/websocket/websocket.h"
+#include "sockfd.h"
+#include "tcp.h"
+
+#include "../supplemental/tls/tls_api.h"
+#include "../supplemental/websocket/websocket.h"
static struct {
const char *scheme;
@@ -385,6 +386,15 @@ nng_stream_get_addr(nng_stream *s, const char *n, nng_sockaddr *v)
}
nng_err
+nng_stream_peer_cert(nng_stream *s, nng_tls_cert **certp)
+{
+ if (s->s_peer_cert == NULL) {
+ return (NNG_ENOTSUP);
+ }
+ return (s->s_peer_cert(s, certp));
+}
+
+nng_err
nng_stream_dialer_get_int(nng_stream_dialer *d, const char *n, int *v)
{
return (nni_stream_dialer_get(d, n, v, NULL, NNI_TYPE_INT32));
diff --git a/src/core/stream.h b/src/core/stream.h
index 83c121cd..a9a17ec1 100644
--- a/src/core/stream.h
+++ b/src/core/stream.h
@@ -50,6 +50,7 @@ struct nng_stream {
void (*s_send)(void *, nng_aio *);
nng_err (*s_get)(void *, const char *, void *, size_t *, nni_type);
nng_err (*s_set)(void *, const char *, const void *, size_t, nni_type);
+ nng_err (*s_peer_cert)(void *, nng_tls_cert **);
};
// Dialer implementation. Stream dialers create streams.
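Review bot: The new `s_peer_cert` member is only safe to compare against NULL in `nng_stream_peer_cert` if every `nng_stream` is zero-allocated or every stream implementation assigns the field. The struct definition begins outside this hunk and the stream implementations are outside this diff (limited to src/core), so that cannot be confirmed from here. A stream that leaves the member uninitialized would make the public call jump through an indeterminate function pointer. I would document the member with `// optional; NULL when the stream has no peer certificate` and check that each stream constructor either zeroes the struct or sets it explicitly.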
diff --git a/src/core/tcp.h b/src/core/tcp.h
index cc41dfac..58cac45a 100644
--- a/src/core/tcp.h
+++ b/src/core/tcp.h
@@ -10,7 +10,7 @@
#ifndef CORE_TCP_H
#define CORE_TCP_H
-#include "core/nng_impl.h"
+#include "nng/nng.h"
// These are interfaces we use for TCP internally. These are not exposed
// to the public API.