From minf...@apache.org
Subject svn commit: r1661258 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_ssl.xml modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_engine_vars.c
Date Sat, 21 Feb 2015 00:33:34 GMT
Author: minfrin
Date: Sat Feb 21 00:33:34 2015
New Revision: 1661258

URL: http://svn.apache.org/r1661258
Log:
mod_ssl: Add the SSL_CLIENT_CERT_RFC4523_CEA variable, which provides
a combination of certificate serialNumber and issuer as defined by
CertificateExactMatch in RFC4523.

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
    httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1661258&r1=1661257&r2=1661258&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sat Feb 21 00:33:34 2015
@@ -6,6 +6,10 @@ Changes with Apache 2.5.0
      calls r:wsupgrade() can cause a child process crash. 
      [Edward Lu <Chaosed0 gmail.com>]
 
+  *) mod_ssl: Add the SSL_CLIENT_CERT_RFC4523_CEA variable, which provides
+     a combination of certificate serialNumber and issuer as defined by
+     CertificateExactMatch in RFC4523. [Graham Leggett]
+
   *) suexec: Filter out the HTTP_PROXY environment variable because it is
      treated as alias for http_proxy by some programs. [Stefan Fritsch]
 

Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=1661258&r1=1661257&r2=1661258&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Sat Feb 21 00:33:34 2015
@@ -86,6 +86,7 @@ compatibility variables.</p>
 <tr><td><code>SSL_CLIENT_A_KEY</code></td>              <td>string</td>
   <td>Algorithm used for the public key of client's certificate</td></tr>
 <tr><td><code>SSL_CLIENT_CERT</code></td>               <td>string</td>
   <td>PEM-encoded client certificate</td></tr>
 <tr><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td>
<td>string</td>    <td>PEM-encoded certificates in client certificate chain</td></tr>
+<tr><td><code>SSL_CLIENT_CERT_RFC4523_CEA</code></td>   <td>string</td>
   <td>Serial number and issuer of the certificate. The format matches that of the CertificateExactAssertion
in RFC4523</td></tr>
 <tr><td><code>SSL_CLIENT_VERIFY</code></td>             <td>string</td>
   <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS</code>
or <code>FAILED:</code><em>reason</em></td></tr>
 <tr><td><code>SSL_SERVER_M_VERSION</code></td>          <td>string</td>
   <td>The version of the server certificate</td></tr>
 <tr><td><code>SSL_SERVER_M_SERIAL</code></td>           <td>string</td>
   <td>The serial of the server certificate</td></tr>

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1661258&r1=1661257&r2=1661258&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Sat Feb 21 00:33:34 2015
@@ -1136,6 +1136,7 @@ static const char *ssl_hook_Fixup_vars[]
     "SSL_CLIENT_I_DN",
     "SSL_CLIENT_A_KEY",
     "SSL_CLIENT_A_SIG",
+    "SSL_CLIENT_CERT_RFC4523_CEA",
     "SSL_SERVER_M_VERSION",
     "SSL_SERVER_M_SERIAL",
     "SSL_SERVER_V_START",

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c?rev=1661258&r1=1661257&r2=1661258&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c Sat Feb 21 00:33:34 2015
@@ -47,6 +47,7 @@ static char *ssl_var_lookup_ssl_cert_val
 static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm);
 static char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs);
 static char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, char *var);
+static char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl);
 static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs);
 static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c);
 static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var);
@@ -435,6 +436,9 @@ static char *ssl_var_lookup_ssl(apr_pool
         sk = SSL_get_peer_cert_chain(ssl);
         result = ssl_var_lookup_ssl_cert_chain(p, sk, var+18);
     }
+    else if (ssl != NULL && strcEQ(var, "CLIENT_CERT_RFC4523_CEA")) {
+        result = ssl_var_lookup_ssl_cert_rfc4523_cea(p, ssl);
+    }
     else if (ssl != NULL && strcEQ(var, "CLIENT_VERIFY")) {
         result = ssl_var_lookup_ssl_cert_verify(p, c);
     }
@@ -782,6 +786,37 @@ static char *ssl_var_lookup_ssl_cert_cha
     return result;
 }
 
+static char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl)
+{
+    char *result;
+    X509 *xs;
+
+    ASN1_INTEGER *serialNumber;
+
+    if (!(xs = SSL_get_peer_certificate(ssl))) {
+        return NULL;
+    }
+
+    result = NULL;
+
+    serialNumber = X509_get_serialNumber(xs);
+    if (serialNumber) {
+        X509_NAME *issuer = X509_get_issuer_name(xs);
+        if (issuer) {
+            BIGNUM *bn = ASN1_INTEGER_to_BN(serialNumber, NULL);
+            char *decimal = BN_bn2dec(bn);
+            result = apr_pstrcat(p, "{ serialNumber ", decimal,
+                    ", issuer rdnSequence:\"",
+                    SSL_X509_NAME_to_string(p, issuer, 0), "\" }", NULL);
+            OPENSSL_free(decimal);
+            BN_free(bn);
+        }
+    }
+
+    X509_free(xs);
+    return result;
+}
+
 static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs)
 {
     char *result;
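Review bot: In the new ssl_var_lookup_ssl_cert_rfc4523_cea, the return values of `ASN1_INTEGER_to_BN` and `BN_bn2dec` are never checked; both can return NULL on allocation failure, and because NULL is also the terminator of apr_pstrcat's argument list, a NULL `decimal` silently yields the truncated string `{ serialNumber ` as the variable value instead of an error. `BN_bn2dec(NULL)` would additionally dereference a null pointer. Guarding both calls keeps the function's existing contract (NULL when the value cannot be produced) and avoids handing a malformed assertion to whatever consumes the variable. If SSL_X509_NAME_to_string can also return NULL — I can't tell from this hunk — the same truncation applies to the issuer part and it is worth checking its result before the concatenation as well.
```c
        if (issuer) {
            BIGNUM *bn = ASN1_INTEGER_to_BN(serialNumber, NULL);
            char *decimal = bn ? BN_bn2dec(bn) : NULL;
            /* NULL here would terminate the apr_pstrcat argument list
             * early and produce a truncated value; fail instead. */
            if (decimal) {
                result = apr_pstrcat(p, "{ serialNumber ", decimal,
                        ", issuer rdnSequence:\"",
                        SSL_X509_NAME_to_string(p, issuer, 0), "\" }", NULL);
                OPENSSL_free(decimal);
            }
            BN_free(bn);
        }
        /* … unchanged: X509_free(xs); return result; … */
```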


