www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-07 04:02:58 +03:00
Code Activity

Add support for extracting the msUPN and dnsSRV forms

Browse Source 
of subjectAltName entries of type "otherName" into
SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment
variables. Addresses PR 58020.

* docs/manual/mod/mod_ssl.xml: add SSL_*_SAN_OTHER_*_n entries to the
  environment variables table

* modules/ssl/ssl_engine_vars.c: add support for retrieving the
  SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n variables

* modules/ssl/ssl_util_ssl.c: add parse_otherName_value, which
  currently recognizes the "msUPN" (1.3.6.1.4.1.311.20.2.3) and
  "id-on-dnsSRV" (1.3.6.1.5.5.7.8.7) otherName forms, and
  adapt modssl_X509_getSAN to take an optional otherName form
  argument for the GEN_OTHERNAME case

* modules/ssl/ssl_util_ssl.h: adapt modssl_X509_getSAN prototype

* modules/ssl/mod_ssl.c: register the id-on-dnsSRV otherName form
  OID (1.3.6.1.5.5.7.8.7) in OpenSSL's objects table


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1693792 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Kaspar Brand
2015-08-02 07:30:45 +00:00
parent addb6fac9a
commit 73dbf35961
6 changed files with 112 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
modules/ssl/ssl_engine_vars.c
View File

@@ -664,6 +664,7 @@ static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *
static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var)
{
int type, numlen;
const char *onf = NULL;
apr_array_header_t *entries;
if (strcEQn(var, "Email_", 6)) {
@@ -674,6 +675,20 @@ static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var)
type = GEN_DNS;
var += 4;
}
else if (strcEQn(var, "OTHER_", 6)) {
type = GEN_OTHERNAME;
var += 6;
if (strEQn(var, "msUPN_", 6)) {
var += 6;
onf = "msUPN";
}
else if (strEQn(var, "dnsSRV_", 7)) {
var += 7;
onf = "id-on-dnsSRV";
}
else
return NULL;
}
else
return NULL;
@@ -682,11 +697,11 @@ static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var)
if ((numlen < 1) || (numlen > 4) || (numlen != strlen(var)))
return NULL;
if (modssl_X509_getSAN(p, xs, type, atoi(var), &entries))
/* return the first entry from this 1-element array */
return APR_ARRAY_IDX(entries, 0, char *);
if (modssl_X509_getSAN(p, xs, type, onf, atoi(var), &entries))
/* return the first entry from this 1-element array */
return APR_ARRAY_IDX(entries, 0, char *);
else
return NULL;
return NULL;
}
static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm)
@@ -1032,24 +1047,31 @@ void modssl_var_extract_san_entries(apr_table_t *t, SSL *ssl, apr_pool_t *p)
/* subjectAltName entries of the server certificate */
xs = SSL_get_certificate(ssl);
if (xs) {
if (modssl_X509_getSAN(p, xs, GEN_EMAIL, -1, &entries)) {
if (modssl_X509_getSAN(p, xs, GEN_EMAIL, NULL, -1, &entries)) {
extract_san_array(t, "SSL_SERVER_SAN_Email", entries, p);
}
if (modssl_X509_getSAN(p, xs, GEN_DNS, -1, &entries)) {
if (modssl_X509_getSAN(p, xs, GEN_DNS, NULL, -1, &entries)) {
extract_san_array(t, "SSL_SERVER_SAN_DNS", entries, p);
}
if (modssl_X509_getSAN(p, xs, GEN_OTHERNAME, "id-on-dnsSRV", -1,
&entries)) {
extract_san_array(t, "SSL_SERVER_SAN_OTHER_dnsSRV", entries, p);
}
/* no need to free xs (refcount does not increase) */
}
/* subjectAltName entries of the client certificate */
xs = SSL_get_peer_certificate(ssl);
if (xs) {
if (modssl_X509_getSAN(p, xs, GEN_EMAIL, -1, &entries)) {
if (modssl_X509_getSAN(p, xs, GEN_EMAIL, NULL, -1, &entries)) {
extract_san_array(t, "SSL_CLIENT_SAN_Email", entries, p);
}
if (modssl_X509_getSAN(p, xs, GEN_DNS, -1, &entries)) {
if (modssl_X509_getSAN(p, xs, GEN_DNS, NULL, -1, &entries)) {
extract_san_array(t, "SSL_CLIENT_SAN_DNS", entries, p);
}
if (modssl_X509_getSAN(p, xs, GEN_OTHERNAME, "msUPN", -1, &entries)) {
extract_san_array(t, "SSL_CLIENT_SAN_OTHER_msUPN", entries, p);
}
X509_free(xs);
}
}