David, Martin,
The code below may be of help while testing the CA code.
It simply extracts any OID listed in the config - and when not
recognized/in the hardcoded set of OpenSSL it will still convert it
provided that it is one of the 4 simple string types (not 7). Apart from
those 4 we may want to allow a sequence of strings.
I am intentionally -not- setting any of the flags on X509V3_EXT_print() as
otherwise a bogus ASN1 string in a client cert may trigger that segfault.
Ultimately I guess this needs to be farmed out to openssl.
Dw.
Index: ssl_expr_eval.c
===================================================================
--- ssl_expr_eval.c (revision 226665)
+++ ssl_expr_eval.c (working copy)
@@ -199,7 +199,6 @@
}
#define NUM_OID_ELTS 8 /* start with 8 oid slots, resize when needed */
-
apr_array_header_t *ssl_extlist_by_oid(request_rec *r, const char *oidstr)
{
int count = 0, j;
@@ -229,7 +228,28 @@
/* Loop over all extensions, extract the desired oids */
for (j = 0; j < count; j++) {
X509_EXTENSION *ext = X509_get_ext(xs, j);
+#if 0
+ {
+ char buff[16*1024];
+ BUF_MEM *buf;
+ BIO *bio = BIO_new(BIO_s_mem());
+ OBJ_obj2txt(buff, sizeof(buff), ext->object, 0);
+ if (X509V3_EXT_print(bio, ext, /* X509V3_EXT_ERROR_UNKNOWN */
X509V3_EXT_PARSE_UNKNOWN /* X509V3_EXT_DUMP_UNKNOWN */, 0) == 1) {
+ BIO_get_mem_ptr(bio, &buf);
+
+ /* XXX for some reason the PARSE_UNK do not have a
trailing \0 */
+ buf->data[ buf->length -1 ] = 0;
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"Extension '%s': %s", buff,buf->data);
+ };
+ BIO_vfree(bio);
+
+ };
+#endif
+/* XXX not the most efficient way of doing this - we propably want to cache
+ * the strings extracted for repeated lookups on new oidstr's.
+ */
if (OBJ_cmp(ext->object, oid) == 0) {
BIO *bio = BIO_new(BIO_s_mem());
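Review bot: The `#if 0` block added ahead of the OBJ_cmp() is dead debug code and should be dropped rather than committed: the cover letter states that X509V3_EXT_print() is deliberately called without flags because a bogus ASN1 string in a client certificate can trigger a segfault, yet the disabled block passes `X509V3_EXT_PARSE_UNKNOWN`, so anyone re-enabling it for debugging reintroduces exactly that crash on attacker-supplied input. Inside that block `buf->data[ buf->length -1 ] = 0;` writes before the buffer when the BIO is empty, and `char buff[16*1024]` is a large stack buffer declared inside the per-extension loop. If a debug dump is wanted, log only the OID text from OBJ_obj2txt() and guard the terminator write with `if (buf->length > 0)`. The new `/* XXX not the most efficient ... */` comment is placed at column 0 inside the loop body and has a typo (`propably`); indent it with the surrounding code and fix the spelling. The loop body it annotates continues into the next hunk.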
@@ -238,9 +258,24 @@
char **new = apr_array_push(val_array);
BIO_get_mem_ptr(bio, &buf);
-
*new = apr_pstrdup(r->pool, buf->data);
- }
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+ "X509v3 extension %s == '%s' found.", oidstr, *new);
+ } else
+ /* The above X509V3_EXT_print() only captures OID's which are a)
hardcoded in openssl its objects.txt
+ * file, b) referenced in the asn1 parsing and c) listed as valid
in the 509v3 extension code. Below
+ * we simply also accept any fields which have a normalish string
in them.
+ */
+ if (ext->value->data[0] == V_ASN1_IA5STRING ||
+ ext->value->data[0] == V_ASN1_T61STRING ||
+ ext->value->data[0] == V_ASN1_PRINTABLESTRING ||
+ ext->value->data[0] == V_ASN1_UTF8STRING)
+ {
+ char **new = apr_array_push(val_array);
+ *new = apr_pstrmemdup(r->pool, &(ext->value->data[2]),
ext->value->data[1]);
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+ "Raw X509v3 extension %s == <%s> found in client
certificate", oidstr, *new);
+ }
BIO_vfree(bio);
}