On Wed, Feb 02, 2005 at 09:08:02PM +0000, David Reid wrote:
> William A. Rowe, Jr. wrote:
> >At 04:17 AM 2/2/2005, David Reid wrote:
> >
> >>Basically this allows us to gain access to the actual cert structure.
> >
> >
> >Agreed that raw cert isn't that useful, and somewhat frightens
> >me in the environment table. The PEM or DER formats would be
> >generally useful. Unpacking the extended X509 attributes
> >might be even more useful.
> >
> >Bill
> >
> >
> This is the patch that provides me with the functionality I need. It's
> generalised to a high degree and provides an easy way to get access to
> extension data. It keeps the details hidden within mod_ssl where they
> belong.

This is better but still:

casting the extension value to an ASN1_STRING is cheating: it is *not* a
string. The value can be converted to a real well-defined NUL-terminated
string by printing it through a memory bio.

The interface to "only return if value matches given value" is weird and
inflexible; it would be cleaner to either pass in an index integer and
return the Nth extension with the given OID; or to pass in an apr_array_t
and return *all* matching extension values.

It would be much simpler to just OBJ_txt2obj the passed-in oid and OBJ_cmp
that rather than jumping through hoops to always compare oids as strings.

I can hack up a revised patch to do all this if you like.

joe
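
Added example (not part of the original thread, and not mod_ssl or OpenSSL code): the lookup shape suggested in the reply above, taking an index and returning the Nth extension with a given OID, with the OID text parsed once and compared in encoded form, the approach of OBJ_txt2obj followed by OBJ_cmp. struct ext, oid_encode, ext_lookup and the sample data are hypothetical stand-ins so the block builds without OpenSSL; arcs are assumed to fit in unsigned long.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for one parsed extension (not an OpenSSL type). */
struct ext { const unsigned char *oid; size_t oid_len; const char *value; };

/* Constructed sample list; 1.2.3.4 is a made-up OID that appears twice. */
static const unsigned char OID_BC[] = {0x55, 0x1d, 0x13}; /* 2.5.29.19 */
static const unsigned char OID_X[] = {0x2a, 0x03, 0x04};  /* 1.2.3.4 */
static const struct ext SAMPLE[] = {
    {OID_X, 3, "first"}, {OID_BC, 3, "CA:FALSE"}, {OID_X, 3, "second"} };

/* Dotted-decimal OID text to DER content bytes; returns 0 if malformed. */
static size_t oid_encode(const char *txt, unsigned char *out, size_t cap)
{
    unsigned long arc[16], v;
    unsigned char tmp[10];
    size_t n = 0, len = 0, i, k;
    char *end;

    do {
        if (n == 16 || *txt < '0' || *txt > '9') return 0;
        arc[n++] = strtoul(txt, &end, 10);
        txt = end + 1;
    } while (*end == '.');
    if (*end != '\0' || n < 2 || arc[0] > 2 || (arc[0] < 2 && arc[1] > 39))
        return 0;
    arc[1] += 40 * arc[0];       /* first two arcs share one subidentifier */
    for (i = 1; i < n; i++) {    /* base-128, high bit = more bytes follow */
        for (v = arc[i], k = 0; v || !k; v >>= 7)
            tmp[k++] = (unsigned char)(v & 0x7f);
        while (k--) {
            if (len == cap) return 0;
            out[len++] = (unsigned char)(tmp[k] | (k ? 0x80 : 0));
        }
    }
    return len;
}

/* Value of the idx-th (0-based) extension whose OID equals oid_txt, or NULL. */
static const char *ext_lookup(const struct ext *exts, size_t count,
                              const char *oid_txt, size_t idx)
{
    unsigned char want[64];
    size_t i, want_len = oid_encode(oid_txt, want, sizeof want);
    if (want_len == 0) return NULL;  /* reject bad OID text before the scan */
    for (i = 0; i < count; i++)
        if (exts[i].oid_len == want_len &&
            memcmp(exts[i].oid, want, want_len) == 0 && idx-- == 0)
            return exts[i].value;
    return NULL;
}
```

Malformed OID text is rejected once, before the scan, so a bad configuration value fails closed instead of silently matching nothing or something unintended.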
