From Joe Orton <jor...@redhat.com>
Subject Re: [PATCH] get a pointer to the raw cert from mod_ssl
Date Thu, 10 Feb 2005 14:59:22 GMT
Here's an alternative implementation: does it work for you?

Index: ssl_private.h
===================================================================
--- ssl_private.h	(revision 153210)
+++ ssl_private.h	(working copy)
@@ -641,6 +641,9 @@
 /*  Variables  */
 void         ssl_var_register(void);
 char        *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char *);
+
+const char  *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer, const char *oid);
+
 void         ssl_var_log_config_register(apr_pool_t *p);
 
 #define APR_SHM_MAXSIZE (64 * 1024 * 1024)
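Review bot: The new prototype names its last parameter `oid` while the definition in ssl_engine_vars.c and the public declaration in mod_ssl.h both call it `oidnum`, so the private header is the one place that does not convey that a dotted-numeric OID string is expected. Keep the name consistent: `const char  *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer, const char *oidnum);`.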
Index: ssl_engine_vars.c
===================================================================
--- ssl_engine_vars.c	(revision 153210)
+++ ssl_engine_vars.c	(working copy)
@@ -61,6 +61,7 @@
 {
     APR_REGISTER_OPTIONAL_FN(ssl_is_https);
     APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
+    APR_REGISTER_OPTIONAL_FN(ssl_ext_lookup);
     return;
 }
 
@@ -655,6 +656,58 @@
     return result;
 }
 
+const char *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer,
+                           const char *oidnum)
+{
+    SSLConnRec *sslconn = myConnConfig(c);
+    SSL *ssl = sslconn->ssl;
+    X509 *xs = NULL;
+    ASN1_OBJECT *oid;
+    int count = 0, j;
+    char *result = NULL;
+    
+    oid = OBJ_txt2obj(oidnum, 1);
+    if (!oid) {
+        ERR_clear_error();
+        return NULL;
+    }
+    
+    xs = peer ? SSL_get_peer_certificate(ssl) : SSL_get_certificate(ssl);
+    if (xs == NULL) {
+        return NULL;
+    }
+    
+    count = X509_get_ext_count(xs);
+
+    for (j = 0; j < count; j++) {
+        X509_EXTENSION *ext = X509_get_ext(xs, j);
+
+        if (OBJ_cmp(ext->object, oid) == 0) {
+            BIO *bio = BIO_new(BIO_s_mem());
+            BUF_MEM *buf;
+
+            if (X509V3_EXT_print(bio, ext, 0, 0) != 1) {
+                ERR_clear_error();
+                BIO_vfree(bio);
+                return NULL;
+            }
+            
+            BIO_get_mem_ptr(bio, &buf);
+            result = apr_pstrmemdup(p, buf->data, buf->length);
+            BIO_vfree(bio);
+            break;
+        }
+    }
+
+    if (peer) {
+        /* only SSL_get_peer_certificate raises the refcount */
+        X509_free(xs);
+    }
+
+    return result;
+}
+
+
 /*  _________________________________________________________________
 **
 **  SSL Extension to mod_log_config
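Review bot: `myConnConfig(c)` is dereferenced unconditionally at the top of ssl_ext_lookup, yet the function is exported as an optional function that any module may call on a connection that is not SSL-enabled, where the per-connection config (or its `ssl` member) is NULL and this crashes; guard with `if (!sslconn || !sslconn->ssl || !oidnum) return NULL;` before reading `sslconn->ssl`. The early `return NULL` in the `X509V3_EXT_print` failure path also skips the `X509_free(xs)` at the end of the function, leaking a reference to the peer certificate whenever `peer` is non-zero, and `BIO_new` can return NULL under memory pressure, so the failure path should fall through to the common cleanup instead. Note as well that the value comes from whatever certificate the peer presented; nothing here consults `SSL_get_verify_result`, so callers should not treat the string as authenticated unless the connection's client-verification mode guarantees it, which is worth a comment above the function. The rewritten guard and loop body are below; the rest of the function is unchanged.
```c
    SSLConnRec *sslconn = myConnConfig(c);
    SSL *ssl;
    /* … unchanged: remaining locals … */

    /* Optional-function callers may pass a non-SSL connection: no
     * per-connection config or no SSL object means nothing to look up. */
    if (!sslconn || !sslconn->ssl || !oidnum) {
        return NULL;
    }
    ssl = sslconn->ssl;

    /* … unchanged: OBJ_txt2obj, certificate fetch, X509_get_ext_count … */

    for (j = 0; j < count; j++) {
        X509_EXTENSION *ext = X509_get_ext(xs, j);

        if (OBJ_cmp(ext->object, oid) == 0) {
            BIO *bio = BIO_new(BIO_s_mem());
            BUF_MEM *buf;

            /* On any failure fall through to the common cleanup so the
             * peer certificate reference is still released below. */
            if (bio && X509V3_EXT_print(bio, ext, 0, 0) == 1) {
                BIO_get_mem_ptr(bio, &buf);
                result = apr_pstrmemdup(p, buf->data, buf->length);
            }
            else {
                ERR_clear_error();
            }
            BIO_vfree(bio); /* BIO_free tolerates a NULL argument */
            break;
        }
    }

    /* … unchanged: X509_free(xs) for the peer certificate, return result … */
```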
Index: mod_ssl.h
===================================================================
--- mod_ssl.h	(revision 153210)
+++ mod_ssl.h	(working copy)
@@ -27,6 +27,16 @@
                          conn_rec *, request_rec *,
                          char *));
 
+/* The ssl_ext_lookup() optional function retrieves the value of a SSL
+ * certificate X.509 extension.  The client certificate is used if
+ * peer is non-zero; the server certificate is used otherwise.  The
+ * oidnum parameter specifies the numeric OID (e.g. "1.2.3.4") of the
+ * desired extension.  The string value of the extension is returned,
+ * or NULL on error. */
+APR_DECLARE_OPTIONAL_FN(const char *, ssl_ext_lookup,
+                        (apr_pool_t *p, conn_rec *c, int peer,
+                         const char *oidnum));
+
 /* An optional function which returns non-zero if the given connection
  * is using SSL/TLS. */
 APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
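Review bot: The new comment says NULL is returned "on error", but in the implementation NULL is also the answer when the extension is simply absent, when no certificate is available for the requested side (for instance no client certificate was presented), or when printing the extension fails, so callers cannot distinguish "not present" from failure and the text should say so. It should also state that the string is allocated from `p` and that its form is OpenSSL's printed representation of the extension (via `X509V3_EXT_print`), which may vary between OpenSSL versions and comes from a peer-supplied certificate whose verification status this function does not check. Because the implementation calls `OBJ_txt2obj(oidnum, 1)`, only the dotted-numeric OID form is accepted and short names such as `subjectAltName` are rejected; the example `"1.2.3.4"` hints at this but the text should be explicit. Suggested addition to the comment: `Only the dotted-numeric OID form is accepted. The returned string is allocated from p and is OpenSSL's printed form of the extension value; NULL is returned when no certificate is available, the extension is not present, or printing fails. The value is not a statement about whether the certificate was verified.`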
