httpd-dev mailing list archives

From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: svn commit: r1160863 - in /httpd/httpd/trunk: docs/manual/mod/ modules/ssl/
Date Sat, 03 Sep 2011 06:06:06 GMT
> Author: druggeri
> Date: Tue Aug 23 19:35:07 2011
> New Revision: 1160863
> 
> URL: http://svn.apache.org/viewvc?rev=1160863&view=rev
> Log:
> Add SSLProxyMachineCertificateChainFile directive and documentation for bug 50812

Sorry for being late with my comments...


> +        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
> +                     "client certificate %i has loaded %i "
> +                     "intermediary signers ", n, len);
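Review bot: the second format string in this ap_log_error() call ends with a trailing blank (`"intermediary signers "`), so the logged message carries a dangling space after the last word; drop the space before the closing quote.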

Nit: could you replace "intermediary" by "intermediate" in all log
messages and comments? The former isn't really an X.509/PKIX term. (In
the above message, I suggest saying "intermediate CA certificates".)


> Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c?rev=1160863&r1=1160862&r2=1160863&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c Tue Aug 23 19:35:07 2011
> @@ -434,6 +434,45 @@ BOOL SSL_X509_INFO_load_path(apr_pool_t 
>      return ok;
>  }
>  
> +/*
> + * Construct a stack of X509_INFO containing only certificates
> + * that have signed the provided certificate or are an intermediary
> + * signer of the certificate
> +*/
> +int SSL_X509_INFO_create_chain(const X509 *x509,
> +                             STACK_OF(X509_INFO) *ca_certs,
> +                             STACK_OF(X509_INFO) *chain)
> +{
> +    int can_proceed=1;
> +    int len=0;
> +    int i;
> +    X509 *certificate = (X509 *)x509;
> +    X509_INFO *info;
> +    X509_NAME *cert_issuer_name, *ca_name, *ca_issuer_name;
> +
> +    while (can_proceed) {
> +        can_proceed = 0;
> +        cert_issuer_name = X509_get_issuer_name(certificate);
> +
> +        for (i = 0; i < sk_X509_INFO_num(ca_certs); i++) {
> +            info = sk_X509_INFO_value(ca_certs, i);
> +            ca_name = X509_get_subject_name(info->x509);
> +            ca_issuer_name = X509_get_issuer_name(info->x509);
> +
> +            if (X509_NAME_cmp(cert_issuer_name, ca_name) == 0) {
> +                /* Check for a self-signed cert (no issuer) */
> +                can_proceed=X509_NAME_cmp(ca_name, ca_issuer_name) == 0 ? 0 : 1;
> +                len++;
> +                certificate = info->x509;
> +                sk_X509_INFO_unshift(chain, info);
> +                break;
> +            }
> +        }
> +    }
> +
> +    return len;
> +}
> +
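Review bot: the `while (can_proceed)` loop in SSL_X509_INFO_create_chain has no bound, so a ca_certs set whose issuer names form a cycle without ever reaching a self-signed certificate never terminates and keeps unshifting the same X509_INFO entries onto chain; bound the walk to sk_X509_INFO_num(ca_certs) iterations or stop once an entry is already on chain. Matching solely on `X509_NAME_cmp(cert_issuer_name, ca_name) == 0` also picks the first entry whose subject happens to carry the right name, whether or not that key signed the certificate; X509_check_issued() is the more robust test. Two smaller points: the cast `X509 *certificate = (X509 *)x509;` discards the const promised in the prototype (drop const from the parameter or keep a separate non-const cursor), and the comment "self-signed cert (no issuer)" is misleading, since a self-signed certificate does have an issuer, equal to its own subject.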

I think it's preferable to let OpenSSL build the chain (instead of
doing it ourselves). There's no readily available function for this,
unfortunately, but could you try something along the lines in OpenSSL's
s3_both.c:ssl3_output_cert_chain()? See

  http://cvs.openssl.org/chngview?cn=18326

I.e., use X509_verify_cert(), ignore its result, but grab the chain from
the X509_STORE_CTX afterwards. (And when you're done, it's probably
wise to call ERR_clear_error, see http://cvs.openssl.org/chngview?cn=19472).

Kaspar
