
From David Reid <da...@jetnet.co.uk>
Subject Re: [PATCH] get a pointer to the raw cert from mod_ssl
Date Fri, 11 Feb 2005 16:44:26 GMT
Joe Orton wrote:

>Here's an alternative implementation: does it work for you?
>
>  
>
I'll try it out tomorrow as time won't permit me to look at it today.

Looks good though.

david

>Index: ssl_private.h
>===================================================================
>--- ssl_private.h	(revision 153210)
>+++ ssl_private.h	(working copy)
>@@ -641,6 +641,9 @@
> /*  Variables  */
> void         ssl_var_register(void);
> char        *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char
*);
>+
>+const char  *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer, const char *oid);
>+
> void         ssl_var_log_config_register(apr_pool_t *p);
> 
> #define APR_SHM_MAXSIZE (64 * 1024 * 1024)
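Review bot: The added prototype names the last parameter `oid`, while the definition in ssl_engine_vars.c and the documented declaration in mod_ssl.h both call it `oidnum`; keeping the names aligned avoids confusing a reader who grep's the header, since `oid` is also the name of the ASN1_OBJECT local inside the function. Suggest `const char  *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer, const char *oidnum);`.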
>Index: ssl_engine_vars.c
>===================================================================
>--- ssl_engine_vars.c	(revision 153210)
>+++ ssl_engine_vars.c	(working copy)
>@@ -61,6 +61,7 @@
> {
>     APR_REGISTER_OPTIONAL_FN(ssl_is_https);
>     APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
>+    APR_REGISTER_OPTIONAL_FN(ssl_ext_lookup);
>     return;
> }
> 
>@@ -655,6 +656,58 @@
>     return result;
> }
> 
>+const char *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer,
>+                           const char *oidnum)
>+{
>+    SSLConnRec *sslconn = myConnConfig(c);
>+    SSL *ssl = sslconn->ssl;
>+    X509 *xs = NULL;
>+    ASN1_OBJECT *oid;
>+    int count = 0, j;
>+    char *result = NULL;
>+    
>+    oid = OBJ_txt2obj(oidnum, 1);
>+    if (!oid) {
>+        ERR_clear_error();
>+        return NULL;
>+    }
>+    
>+    xs = peer ? SSL_get_peer_certificate(ssl) : SSL_get_certificate(ssl);
>+    if (xs == NULL) {
>+        return NULL;
>+    }
>+    
>+    count = X509_get_ext_count(xs);
>+
>+    for (j = 0; j < count; j++) {
>+        X509_EXTENSION *ext = X509_get_ext(xs, j);
>+
>+        if (OBJ_cmp(ext->object, oid) == 0) {
>+            BIO *bio = BIO_new(BIO_s_mem());
>+            BUF_MEM *buf;
>+
>+            if (X509V3_EXT_print(bio, ext, 0, 0) != 1) {
>+                ERR_clear_error();
>+                BIO_vfree(bio);
>+                return NULL;
>+            }
>+            
>+            BIO_get_mem_ptr(bio, &buf);
>+            result = apr_pstrmemdup(p, buf->data, buf->length);
>+            BIO_vfree(bio);
>+            break;
>+        }
>+    }
>+
>+    if (peer) {
>+        /* only SSL_get_peer_certificate raises the refcount */
>+        X509_free(xs);
>+    }
>+
>+    return result;
>+}
>+
>+
> /*  _________________________________________________________________
> **
> **  SSL Extension to mod_log_config
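Review bot: The `return NULL` inside the loop when X509V3_EXT_print() fails bypasses the `X509_free(xs)` at the end of the function, so with `peer` set the reference taken by SSL_get_peer_certificate() leaks. The ASN1_OBJECT returned by OBJ_txt2obj() is never released on any path either (it is heap-allocated whenever the OID is not in OpenSSL's built-in table, which is the common case for a caller-supplied numeric OID), and BIO_new() is used without a NULL check. `sslconn` and `sslconn->ssl` are also dereferenced unconditionally; because this is exported as an optional function any module can call it on a connection where mod_ssl is not active, and I would expect myConnConfig() to yield NULL there. A single cleanup path fixes all of these:
```c
const char *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer,
                           const char *oidnum)
{
    SSLConnRec *sslconn = myConnConfig(c);
    X509 *xs = NULL;
    ASN1_OBJECT *oid;
    int count, j;
    char *result = NULL;

    /* Not an SSL connection (or no SSL object yet): nothing to look up. */
    if (!sslconn || !sslconn->ssl) {
        return NULL;
    }

    oid = OBJ_txt2obj(oidnum, 1);
    if (!oid) {
        ERR_clear_error();
        return NULL;
    }

    xs = peer ? SSL_get_peer_certificate(sslconn->ssl)
              : SSL_get_certificate(sslconn->ssl);
    if (xs == NULL) {
        goto out;
    }

    count = X509_get_ext_count(xs);

    for (j = 0; j < count; j++) {
        X509_EXTENSION *ext = X509_get_ext(xs, j);

        if (OBJ_cmp(ext->object, oid) == 0) {
            BIO *bio = BIO_new(BIO_s_mem());
            BUF_MEM *buf;

            if (bio == NULL) {
                break;
            }

            if (X509V3_EXT_print(bio, ext, 0, 0) != 1) {
                ERR_clear_error();
                BIO_vfree(bio);
                break;          /* fall through to cleanup, not return */
            }

            /* … unchanged: BIO_get_mem_ptr / apr_pstrmemdup / BIO_vfree … */
            break;
        }
    }

out:
    if (peer && xs) {
        /* only SSL_get_peer_certificate raises the refcount */
        X509_free(xs);
    }
    /* no-op for objects from the built-in table, frees the dynamic ones */
    ASN1_OBJECT_free(oid);

    return result;
}
```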
>Index: mod_ssl.h
>===================================================================
>--- mod_ssl.h	(revision 153210)
>+++ mod_ssl.h	(working copy)
>@@ -27,6 +27,16 @@
>                          conn_rec *, request_rec *,
>                          char *));
> 
>+/* The ssl_ext_lookup() optional function retrieves the value of a SSL
>+ * certificate X.509 extension.  The client certificate is used if
>+ * peer is non-zero; the server certificate is used otherwise.  The
>+ * oidnum parameter specifies the numeric OID (e.g. "1.2.3.4") of the
>+ * desired extension.  The string value of the extension is returned,
>+ * or NULL on error. */
>+APR_DECLARE_OPTIONAL_FN(const char *, ssl_ext_lookup,
>+                        (apr_pool_t *p, conn_rec *c, int peer,
>+                         const char *oidnum));
>+
> /* An optional function which returns non-zero if the given connection
>  * is using SSL/TLS. */
> APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
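Review bot: The new comment says the value is returned "or NULL on error", but the implementation in ssl_engine_vars.c also returns NULL when no certificate is available (for `peer`, when the client presented none) and when the certificate simply has no extension with that OID, so a caller cannot tell absence from failure and should not treat NULL as a fault. Suggest ending the comment with `* desired extension.  The string value of the extension is returned, or NULL if no certificate is available, the extension is absent, or an error occurred. */`. It would also help to state that the returned string is allocated from `p` and lives as long as that pool.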
>  
>

