On Tue, Aug 02, 2005 at 12:00:24PM +0100, Joe Orton wrote:
> On Fri, Jul 22, 2005 at 02:24:50PM +0200, Sander Striker wrote:
> > Joe Orton wrote:
> > >On Fri, Jul 22, 2005 at 12:11:56PM -0000, Martin Kraemer wrote:
> > >
> > >>Author: martin
> > >>Date: Fri Jul 22 05:11:55 2005
> > >>New Revision: 220307
> > >>
> > >>URL: http://svn.apache.org/viewcvs?rev=220307&view=rev
> > >>Log:
> > >>Allow extraction of the values of SSL certificate extensions into
> > >>environment variables, so that their value can be used by any
> > >>module that is aware of environment variables, as in:
> > >
> > >
> > >So what is the point in posting patches for review if you don't actually
> > >wait for anyone to review them before committing?
> >
> > That would be my fault. We're here at ApacheCon and when Martin said
> > he posted to the list first I asked him why he didn't commit to trunk
> > directly, since that is C-T-R. It's a reasonable smallish patch, with
> > little impact on existing functionality; hence the nudge.
>
> C-T-R is a good way to accumulate a codebase full of unfinished changes
> if the R bit is ignored by the committer. Ping Martin.
>
> http://mail-archives.apache.org/mod_mbox/httpd-dev/200507.mbox/%3c20050722101207.GB17365@redhat.com%3e
> http://mail-archives.apache.org/mod_mbox/httpd-dev/200507.mbox/%3c20050722110229.GA20303@redhat.com%3e
> http://mail-archives.apache.org/mod_mbox/httpd-dev/200507.mbox/%3c20050722121821.GB19040@redhat.com%3e

Oops, sorry. Thanks for pinging.

>> 1) this is a pretty specific way to code it. Is there no way to make
>> it more general so that OID() is just a function like file() and can be
>> used e.g. in regex matches too?

The problem with the OID() "function" is that where file() (or
another file()-like function) returns a single value, what OID() stands
for is an "array of zero or more values". But there is no syntax to
deal with arrays in place of expressions.

I tried to implement it as a function first, but noticed that it would
break when an OID was specified more than once. In the ASF scenario,
the intention is to add multiple extensions with this OID, each one
containing as value a group name of which the client is a member.

Because of the pre-existing syntax " in {value,value}", and because
"{value,value}" is effectively an array, I chose to implement the
OID() "function" as a special case of the " in" operator.

Do you have a good idea how to use a function-like syntax, and still
maintain the "is an array" property?

>> 2) you must always check in the regenerated generated scanner source
>> along with changes to the lex file.

My bad, sorry for missing that. Committed right now.

>> 3) oid() is a terrible name for this; it's simply the type of the
>> parameter. It would be like calling malloc() "size()". The function
>> expands (conceptually) to the values of an extension in the peer's
>> certificate, identified by OID; so call it peerext() or something
>> meaningful like that.

Good point - Thanks a lot -- that is a *very* good idea, and (if nobody
objects) I'd want to follow this suggestion. I had been a little
unhappy with OID() myself. peerext() is especially good because it
also documents where the certificate came from.

>> > SetEnvIf OID("2.16.840.1.113730.1.13") "(.*) Generated (Certificate)" ca=$1
>>
>> -1 on the naming since OID is completely entirely meaningless in this
>> context.

In the context of mod_setenvif, I'd even use "SSLPeerExt()" because it
makes it clear that we are dealing with an SSL-related thing.
Patch <> attached.

In <> there is a patch which changes OID() to SSLPeerExt() for mod_ssl.

   Martin
--
| Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-48332 | 81730 Munich, Germany