Ok found the problem; turns out that if openssl does not have the
extension hardcoded in its objects.c (from objects.txt in crypto/objects;
compiled by an objects.pl perl script) then X509V3_EXT_print() does not do
anything sensible with that string unless the flag
X509V3_EXT_PARSE_UNKNOWN or X509V3_EXT_DUMP_UNKNOWN is passed. (And Martin's
code does then sensibly ignore it.)
But once you pass either of these flags it then yields a string which is
not properly terminated - hence making it possible for a bad cert to
segfault the server. Plus the format is in any case not usable for any proper
access control.
So that perhaps means that this OID thing requires the re-use of an existing
extension (like id-aca, role, etc.) known to the locally installed version
of openssl, or adding to our code some ability, like a DER format string, to
handle arbitrary string extraction from the extension fields.
Dw.
PS: plus right now it seems that ssl_expr_parse.* and ssl_expr_scan.* -
which are generated from the lex/yacc files - are under svn control.
Index: ssl_expr_eval.c
===================================================================
--- ssl_expr_eval.c (revision 226665)
+++ ssl_expr_eval.c (working copy)
@@ -229,7 +229,25 @@
/* Loop over all extensions, extract the desired oids */
for (j = 0; j < count; j++) {
X509_EXTENSION *ext = X509_get_ext(xs, j);
+#if 1
+ {
+ char buff[16*1024];
+ BUF_MEM *buf;
+ BIO *bio = BIO_new(BIO_s_mem());
+ OBJ_obj2txt(buff, sizeof(buff), ext->object, 0);
+ if (X509V3_EXT_print(bio, ext, /* X509V3_EXT_ERROR_UNKNOWN
*/ X509V3_EXT_PARSE_UNKNOWN /* X509V3_EXT_DUMP_UNKNOWN */, 0) == 1) {
+ BIO_get_mem_ptr(bio, &buf);
+
+ /* XXX for some reason the PARSE_UNK do not have a
trailing \0 */
+ buf->data[ buf->length -1 ] = 0;
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0,
r->server, "Extension '%s': %s", buff,buf->data);
+ };
+ BIO_vfree(bio);
+
+ };
+#endif
if (OBJ_cmp(ext->object, oid) == 0) {
BIO *bio = BIO_new(BIO_s_mem());
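Review bot: the terminator fix in this hunk, `buf->data[ buf->length -1 ] = 0;`, overwrites the last byte of the printed extension text instead of appending a NUL, and when `buf->length` is 0 it writes to index -1, before the start of the buffer. A memory BIO's data is not NUL-terminated by design, so either append one explicitly with `BIO_write(bio, "", 1)` before calling `BIO_get_mem_ptr`, or keep the length and log with `"Extension '%s': %.*s"` passing `(int)buf->length` and `buf->data`. The block is also wrapped in `#if 1`, keeps a 16 KB `buff[]` on the stack inside the per-extension loop, and has stray `};` after two closing braces, which reads as debugging scaffolding rather than something meant for commit; and `ext->object` could go through `X509_EXTENSION_get_object(ext)` instead of reaching into the struct.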
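The mail suggests handling "arbitrary string extraction from the extension fields" directly, since X509V3_EXT_print() output is neither terminated nor usable for access control. The following is an added example, not code from the mail or from mod_ssl: a small bounds-checked DER string extractor written without any OpenSSL dependency. It assumes its input is the raw extnValue bytes of an extension (what the contents of X509_EXTENSION_get_data() hold), accepts only UTF8String, PrintableString and IA5String, and returns a freshly allocated NUL-terminated copy or NULL for anything malformed, so a bad cert yields a rejected match rather than an overrun. The sample byte strings are constructed for the demo and come from no real certificate.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* DER universal tags for the string types a policy/role extension might carry. */
enum { DER_UTF8STRING = 0x0C, DER_PRINTABLESTRING = 0x13, DER_IA5STRING = 0x16 };

/* Parse the DER length field at buf[pos]. Returns 0 on success and writes the
 * decoded length plus the number of bytes the length field itself occupies.
 * Rejects indefinite form (0x80), lengths wider than size_t, and truncation. */
static int der_read_length(const unsigned char *buf, size_t len, size_t pos,
                           size_t *out_len, size_t *consumed)
{
    if (pos >= len) return -1;
    unsigned char b = buf[pos];
    if (b < 0x80) { *out_len = b; *consumed = 1; return 0; }   /* short form */
    size_t n = b & 0x7F;
    if (n == 0 || n > sizeof(size_t)) return -1;   /* indefinite form or too wide */
    if (len - pos - 1 < n) return -1;               /* length bytes cut off */
    size_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | buf[pos + 1 + i];
    *out_len = v;
    *consumed = 1 + n;
    return 0;
}

/* Extract a single DER string TLV from an extension's value bytes into a
 * NUL-terminated C string. Returns NULL unless the bytes are exactly one
 * well-formed string of an accepted type with no embedded NUL. Caller frees. */
char *der_extension_string(const unsigned char *val, size_t val_len)
{
    if (val == NULL || val_len < 2) return NULL;
    unsigned char tag = val[0];
    if (tag != DER_UTF8STRING && tag != DER_PRINTABLESTRING && tag != DER_IA5STRING)
        return NULL;
    size_t slen, hdr;
    if (der_read_length(val, val_len, 1, &slen, &hdr) != 0) return NULL;
    size_t content = 1 + hdr;                        /* offset of the string bytes */
    if (slen > val_len - content) return NULL;       /* claims more bytes than present */
    if (slen != val_len - content) return NULL;      /* trailing garbage after the TLV */
    /* An embedded NUL would silently truncate any later strcmp against a policy. */
    if (memchr(val + content, '\0', slen) != NULL) return NULL;
    char *out = malloc(slen + 1);
    if (out == NULL) return NULL;
    memcpy(out, val + content, slen);
    out[slen] = '\0';                                /* always terminated */
    return out;
}

/* Access-control style check: does the extension carry exactly this role? */
int extension_matches_role(const unsigned char *val, size_t val_len, const char *role)
{
    char *s = der_extension_string(val, val_len);
    if (s == NULL) return 0;                         /* malformed => no match */
    int ok = strcmp(s, role) == 0;
    free(s);
    return ok;
}

/* Constructed samples for the demo (hypothetical, not from any real cert). */
static const unsigned char SAMPLE_UTF8_ADMIN[]   = { 0x0C, 0x05, 'a', 'd', 'm', 'i', 'n' };
static const unsigned char SAMPLE_IA5_LONGLEN[]  = { 0x16, 0x81, 0x03, 'a', 'b', 'c' };
static const unsigned char SAMPLE_TRUNCATED[]    = { 0x0C, 0x20, 'a', 'd', 'm', 'i', 'n' };
static const unsigned char SAMPLE_EMBEDDED_NUL[] = { 0x0C, 0x03, 'a', 0x00, 'b' };
static const unsigned char SAMPLE_OCTET_STRING[] = { 0x04, 0x01, 'a' };

int main(void)
{
    printf("utf8 admin  : %d\n", extension_matches_role(SAMPLE_UTF8_ADMIN, sizeof SAMPLE_UTF8_ADMIN, "admin"));
    printf("ia5 longlen : %d\n", extension_matches_role(SAMPLE_IA5_LONGLEN, sizeof SAMPLE_IA5_LONGLEN, "abc"));
    printf("truncated   : %d\n", extension_matches_role(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, "admin"));
    printf("embedded nul: %d\n", extension_matches_role(SAMPLE_EMBEDDED_NUL, sizeof SAMPLE_EMBEDDED_NUL, "a"));
    printf("octet string: %d\n", extension_matches_role(SAMPLE_OCTET_STRING, sizeof SAMPLE_OCTET_STRING, "a"));
    return 0;
}
```

The point of the length checks is that the extension value is attacker-supplied: a length byte that claims more content than the cert carries is the exact shape of input that turns an unterminated buffer into a crash, so the extractor fails closed instead of trusting it. Adding further string types or an OCTET STRING wrapper is a matter of extending the tag check, since the length parsing is shared.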