httpd-dev mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Re: Thinking something like this for mod_auth_svn
Date Mon, 01 Aug 2005 13:42:51 GMT

David, Martin,

The code below may be of help while testing the CA code.

It simply extracts any OID listed in the config - and when not
recognized/in the hardcoded set of OpenSSL it will still convert it
provided that it is one of the 4 simple string types (not 7). Apart from
those 4 we may want to allow a sequence of strings.

I am intentionally -not- setting any of the flags on X509V3_EXT_print() as
otherwise a bogus ASN1 string in a client cert may trigger that segfault.

Ultimately I guess this needs to be farmed out to openssl.

Dw.


Index: ssl_expr_eval.c
===================================================================
--- ssl_expr_eval.c     (revision 226665)
+++ ssl_expr_eval.c     (working copy)
@@ -199,7 +199,6 @@
 }

 #define NUM_OID_ELTS 8 /* start with 8 oid slots, resize when needed */
-
 apr_array_header_t *ssl_extlist_by_oid(request_rec *r, const char *oidstr)
 {
     int count = 0, j;
@@ -229,7 +228,28 @@
     /* Loop over all extensions, extract the desired oids */
     for (j = 0; j < count; j++) {
         X509_EXTENSION *ext = X509_get_ext(xs, j);
+#if 0
+       {
+               char buff[16*1024];
+                BUF_MEM *buf;
+               BIO *bio = BIO_new(BIO_s_mem());
+               OBJ_obj2txt(buff, sizeof(buff), ext->object, 0);

+               if (X509V3_EXT_print(bio, ext, /* X509V3_EXT_ERROR_UNKNOWN */ X509V3_EXT_PARSE_UNKNOWN
/*  X509V3_EXT_DUMP_UNKNOWN */, 0) == 1) {
+                       BIO_get_mem_ptr(bio, &buf);
+
+                       /* XXX for some reason the PARSE_UNK do not have a trailing \0 */
+                       buf->data[ buf->length -1 ] = 0;
+
+                       ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "Extension
'%s': %s", buff,buf->data);
+               };
+               BIO_vfree(bio);
+
+       };
+#endif
+/* XXX not the most efficient way of doing this - we propably want to cache
+ *     the strings extracted for repeated lookups on new oidstr's.
+ */
         if (OBJ_cmp(ext->object, oid) == 0) {
             BIO *bio = BIO_new(BIO_s_mem());

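Review bot: the `#if 0` debug block should not go in as-is: `buf->data[buf->length - 1] = 0` overwrites the last byte of the printed output rather than terminating it, and indexes `data[-1]` when the memory BIO is empty; `BIO_new()` is not checked for NULL before it is handed to `X509V3_EXT_print()`; and `char buff[16*1024]` puts 16 KiB on the stack of a per-request path. It also passes `X509V3_EXT_PARSE_UNKNOWN`, which the cover note says is intentionally avoided. Suggest dropping the block from the committed change (or fixing it before it is ever enabled) and correcting "propably" in the new comment below it.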
@@ -238,9 +258,24 @@
                 char **new = apr_array_push(val_array);

                 BIO_get_mem_ptr(bio, &buf);
-
                 *new = apr_pstrdup(r->pool, buf->data);
-            }
+               ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+                       "X509v3 extension %s == '%s' found.", oidstr, *new);
+            } else
+           /* The above X509V3_EXT_print() only captures OID's which are a) hardcoded in
openssl its objects.txt
+             * file, b) referenced in the asn1 parsing and c) listed as valid in the 509v3
extension code. Below
+            * we simply also accept any fields which have a normalish string in them.
+             */
+           if (ext->value->data[0] == V_ASN1_IA5STRING ||
+               ext->value->data[0] == V_ASN1_T61STRING ||
+               ext->value->data[0] == V_ASN1_PRINTABLESTRING ||
+               ext->value->data[0] == V_ASN1_UTF8STRING)
+           {
+               char **new = apr_array_push(val_array);
+                *new = apr_pstrmemdup(r->pool, &(ext->value->data[2]), ext->value->data[1]);
+               ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+                       "Raw X509v3 extension %s == <%s> found in client certificate",
oidstr, *new);
+           }

             BIO_vfree(bio);
         }
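Review bot: the raw-string fallback (`ext->value->data[0]` / `data[1]` / `&data[2]`) trusts the DER length byte without any bounds check. `ext->value` is an ASN1_OCTET_STRING with its own `length`, and the code never verifies `length >= 2` nor that `2 + data[1] <= length`, so a client certificate carrying a short or truncated extension value makes `apr_pstrmemdup` copy past the end of the buffer. `data[1]` is also only the length when it is below 0x80; a long-form length (0x81, 0x82, ...) is misread as 129 or more bytes and hits the same over-read. Suggest decoding with `d2i_ASN1_TYPE()` over `ext->value->data` / `ext->value->length`, checking `->type` against the four `V_ASN1_*STRING` values and copying `ASN1_STRING_length()` bytes from `ASN1_STRING_data()`, or at minimum validating the length against `ext->value->length` before the `apr_pstrmemdup`. Two smaller points: the existing `apr_pstrdup(r->pool, buf->data)` relies on the memory BIO contents being NUL-terminated, which your own XXX comment in the previous hunk says is not guaranteed, so `apr_pstrmemdup(r->pool, buf->data, buf->length)` is safer there too; and `} else` followed by a block comment and an unbraced `if` reads as a dangling branch, so brace the else.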


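The patch above pulls the string payload out of an extension value by reading `data[0]` as the tag, `data[1]` as the length and `&data[2]` as the start. The following is an added example, not part of Dirk-Willem's patch and not httpd or OpenSSL code, showing the same extraction done with the checks a DER decoder needs: it verifies the tag is one of the four universal string types the mail lists (the `TAG_*` constants here carry the same values as OpenSSL's `V_ASN1_*` tags), handles both short-form and long-form lengths, and rejects values that are truncated or not strings. It does not link against OpenSSL; the function and constant names, and the sample byte strings, are constructed for this example.

```c
/* Added example: bounds-checked extraction of a DER-encoded ASN.1 string payload,
 * as found in an X509v3 extension value. Not from the patch or from httpd/OpenSSL. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Universal ASN.1 tag numbers; same values as OpenSSL's V_ASN1_* constants. */
#define TAG_UTF8STRING       12
#define TAG_PRINTABLESTRING  19
#define TAG_T61STRING        20
#define TAG_IA5STRING        22

enum der_status {
    DER_OK = 0,
    DER_TRUNCATED,      /* not enough bytes for the header or the payload */
    DER_NOT_STRING,     /* tag is not one of the four accepted string types */
    DER_BAD_LENGTH      /* indefinite or oversized long-form length */
};

/* Parse one primitive TLV in in[0..in_len). On success *out/*out_len describe
 * the payload, which is guaranteed to lie inside the input buffer. */
enum der_status der_extract_string(const uint8_t *in, size_t in_len,
                                   const uint8_t **out, size_t *out_len)
{
    size_t pos = 0, len = 0;
    uint8_t tag;

    if (in_len < 2)                      /* need at least tag + one length octet */
        return DER_TRUNCATED;

    tag = in[pos++];
    /* Universal class and primitive form only: class bits 8-7 and constructed bit 6 clear. */
    if ((tag & 0xE0) != 0x00)
        return DER_NOT_STRING;
    switch (tag & 0x1F) {
    case TAG_UTF8STRING: case TAG_PRINTABLESTRING:
    case TAG_T61STRING:  case TAG_IA5STRING:
        break;
    default:
        return DER_NOT_STRING;
    }

    /* Length: short form (< 0x80) or long form (0x81..0x84 followed by that many octets). */
    if (in[pos] < 0x80) {
        len = in[pos++];
    } else {
        size_t n = in[pos++] & 0x7F;
        if (n == 0 || n > 4)             /* 0x80 = indefinite (not DER); > 4 octets rejected */
            return DER_BAD_LENGTH;
        if (in_len - pos < n)
            return DER_TRUNCATED;
        while (n--)
            len = (len << 8) | in[pos++];
    }

    if (in_len - pos < len)              /* payload must fit inside the extension value */
        return DER_TRUNCATED;

    *out = in + pos;
    *out_len = len;
    return DER_OK;
}

/* Constructed sample extension values (not taken from any real certificate). */
static const uint8_t sample_short[] = { 0x16, 0x05, 'h', 'e', 'l', 'l', 'o' }; /* IA5String "hello" */
static const uint8_t sample_trunc[] = { 0x13, 0x05, 'a', 'b' };                /* claims 5 bytes, has 2 */
static const uint8_t sample_octet[] = { 0x04, 0x01, 0x00 };                    /* OCTET STRING, not a string type */
static const uint8_t sample_indef[] = { 0x16, 0x80 };                          /* indefinite length */

/* Writes a UTF8String of 128 'a' with a long-form length into buf (131 bytes); returns its size. */
size_t build_long_sample(uint8_t *buf, size_t cap)
{
    if (cap < 131)
        return 0;
    buf[0] = 0x0C; buf[1] = 0x81; buf[2] = 0x80;   /* UTF8String, length 0x81 0x80 = 128 */
    memset(buf + 3, 'a', 128);
    return 131;
}

/* Runs the samples through the parser; returns how many behaved as expected (5). */
int run_samples(void)
{
    uint8_t longbuf[131];
    const uint8_t *p;
    size_t n, total = build_long_sample(longbuf, sizeof longbuf);
    int ok = 0;

    if (der_extract_string(sample_short, sizeof sample_short, &p, &n) == DER_OK
        && n == 5 && memcmp(p, "hello", 5) == 0) ok++;
    if (der_extract_string(longbuf, total, &p, &n) == DER_OK && n == 128 && p == longbuf + 3) ok++;
    if (der_extract_string(sample_trunc, sizeof sample_trunc, &p, &n) == DER_TRUNCATED) ok++;
    if (der_extract_string(sample_octet, sizeof sample_octet, &p, &n) == DER_NOT_STRING) ok++;
    if (der_extract_string(sample_indef, sizeof sample_indef, &p, &n) == DER_BAD_LENGTH) ok++;
    return ok;
}

int main(void)
{
    const uint8_t *p; size_t n;
    if (der_extract_string(sample_short, sizeof sample_short, &p, &n) == DER_OK)
        printf("IA5String payload: %.*s\n", (int)n, (const char *)p);
    printf("%d of 5 samples handled as expected\n", run_samples());
    return 0;
}
```

The truncated sample is the case the patch does not guard against: its length byte says five bytes but only two follow, and the parser returns `DER_TRUNCATED` instead of reading past the buffer. Inside httpd the same checks are obtained for free by letting OpenSSL decode `ext->value` with `d2i_ASN1_TYPE()` and reading the result through `ASN1_STRING_length()` / `ASN1_STRING_data()`.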