From David Reid <da...@jetnet.co.uk>
Subject Re: [PATCH] get a pointer to the raw cert from mod_ssl
Date Mon, 14 Feb 2005 17:51:50 GMT
Joe Orton wrote:
> Here's an alternative implementation: does it work for you?

This looks good to me and seems to work as required.

Care to commit it?

david

> 
> Index: ssl_private.h
> ===================================================================
> --- ssl_private.h	(revision 153210)
> +++ ssl_private.h	(working copy)
> @@ -641,6 +641,9 @@
>  /*  Variables  */
>  void         ssl_var_register(void);
>  char        *ssl_var_lookup(apr_pool_t *, server_rec *, conn_rec *, request_rec *, char
*);
> +
> +const char  *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer, const char *oid);
> +
>  void         ssl_var_log_config_register(apr_pool_t *p);
>  
>  #define APR_SHM_MAXSIZE (64 * 1024 * 1024)
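Review bot: The new prototype names its last parameter `oid` while the definition in ssl_engine_vars.c and the optional-function declaration in mod_ssl.h both call it `oidnum`; since the header is what callers read, the names should agree so it is clear the argument is the dotted numeric form rather than an ASN1_OBJECT. Suggested line: `const char  *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer, const char *oidnum);`. A one-line comment on the prototype pointing at the fuller description in mod_ssl.h would also help, e.g. `/* Look up a certificate X.509v3 extension by numeric OID; see mod_ssl.h. */`.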
> Index: ssl_engine_vars.c
> ===================================================================
> --- ssl_engine_vars.c	(revision 153210)
> +++ ssl_engine_vars.c	(working copy)
> @@ -61,6 +61,7 @@
>  {
>      APR_REGISTER_OPTIONAL_FN(ssl_is_https);
>      APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
> +    APR_REGISTER_OPTIONAL_FN(ssl_ext_lookup);
>      return;
>  }
>  
> @@ -655,6 +656,58 @@
>      return result;
>  }
>  
> +const char *ssl_ext_lookup(apr_pool_t *p, conn_rec *c, int peer,
> +                           const char *oidnum)
> +{
> +    SSLConnRec *sslconn = myConnConfig(c);
> +    SSL *ssl = sslconn->ssl;
> +    X509 *xs = NULL;
> +    ASN1_OBJECT *oid;
> +    int count = 0, j;
> +    char *result = NULL;
> +    
> +    oid = OBJ_txt2obj(oidnum, 1);
> +    if (!oid) {
> +        ERR_clear_error();
> +        return NULL;
> +    }
> +    
> +    xs = peer ? SSL_get_peer_certificate(ssl) : SSL_get_certificate(ssl);
> +    if (xs == NULL) {
> +        return NULL;
> +    }
> +    
> +    count = X509_get_ext_count(xs);
> +
> +    for (j = 0; j < count; j++) {
> +        X509_EXTENSION *ext = X509_get_ext(xs, j);
> +
> +        if (OBJ_cmp(ext->object, oid) == 0) {
> +            BIO *bio = BIO_new(BIO_s_mem());
> +            BUF_MEM *buf;
> +
> +            if (X509V3_EXT_print(bio, ext, 0, 0) != 1) {
> +                ERR_clear_error();
> +                BIO_vfree(bio);
> +                return NULL;
> +            }
> +            
> +            BIO_get_mem_ptr(bio, &buf);
> +            result = apr_pstrmemdup(p, buf->data, buf->length);
> +            BIO_vfree(bio);
> +            break;
> +        }
> +    }
> +
> +    if (peer) {
> +        /* only SSL_get_peer_certificate raises the refcount */
> +        X509_free(xs);
> +    }
> +
> +    return result;
> +}
> +
> +
>  /*  _________________________________________________________________
>  **
>  **  SSL Extension to mod_log_config
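Review bot: `SSL *ssl = sslconn->ssl;` at the top of ssl_ext_lookup() dereferences `sslconn` without a check; this is exported as an optional function to other modules, so it can be called on a connection that is not SSL at all, where myConnConfig() presumably yields NULL (and `sslconn->ssl` may itself be NULL before the handshake). Add `if (!sslconn || !sslconn->ssl) return NULL;` before taking `ssl`. The `return NULL;` in the X509V3_EXT_print() failure branch also bypasses the trailing `if (peer) X509_free(xs);`, leaking the reference SSL_get_peer_certificate() took on the client certificate; replacing it with `break;` yields the same NULL result (`result` is still NULL) and falls through to the free. BIO_new() is likewise unchecked and can return NULL under memory pressure. Separately, the value comes from whatever certificate the client presented, so it is only as trustworthy as the vhost's client-verification settings; that caveat belongs in the header documentation.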
> Index: mod_ssl.h
> ===================================================================
> --- mod_ssl.h	(revision 153210)
> +++ mod_ssl.h	(working copy)
> @@ -27,6 +27,16 @@
>                           conn_rec *, request_rec *,
>                           char *));
>  
> +/* The ssl_ext_lookup() optional function retrieves the value of a SSL
> + * certificate X.509 extension.  The client certificate is used if
> + * peer is non-zero; the server certificate is used otherwise.  The
> + * oidnum parameter specifies the numeric OID (e.g. "1.2.3.4") of the
> + * desired extension.  The string value of the extension is returned,
> + * or NULL on error. */
> +APR_DECLARE_OPTIONAL_FN(const char *, ssl_ext_lookup,
> +                        (apr_pool_t *p, conn_rec *c, int peer,
> +                         const char *oidnum));
> +
>  /* An optional function which returns non-zero if the given connection
>   * is using SSL/TLS. */
>  APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
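Review bot: The comment above ssl_ext_lookup() should tell callers what trusting a `peer` lookup implies: the implementation reads the certificate the client presented, so the returned extension text is attacker-supplied data unless the vhost actually verifies client certificates, and a module making authorization decisions on it must require that. It should also state that NULL is returned both on error and when no certificate or no such extension is available, so callers cannot distinguish the two, and that the string is OpenSSL's X509V3_EXT_print() rendering, whose format depends on the extension type. Suggested addition to the comment: `The value is taken from the certificate the peer presented and is only trustworthy where client certificates are verified (SSLVerifyClient require); NULL is also returned when no certificate or no matching extension is present.`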

