Zhumabekov Yerden wrote:
>
> Let me explain. Imagine some information system, which authorizes users
> by examining their certificates for existence of some certain OID. If you
> look through modssl configuration, you would see that there is no way for
> apache to authorize users like that.
>
> The only thing modssl proposes is to make use of OID() directive, which
> is not useful since, as you said above, the value of this extension can
> have some complex structure. And if this OID does not have corresponding
> NID, using the OID() directive in http-ssl.conf makes no sense at all.
> Just look through the code and you will understand.
>

You mean an extension which contains a specific OID as its value?

> Logically speaking, this kind of check looks much easier to understand
> than the existing syntax proposed by modssl which makes no sense in many
> cases, just as you have stated before. I wonder why it's still not
> implemented in modssl.

The code looks a little unusual to me. The loop could be simplified by use of X509_get_ext_by_OBJ() and avoid the direct structure access of ext->obj, or just use X509_EXTENSION_get_object(). The variable oid needs to be freed, otherwise it will leak memory if the object doesn't have a corresponding NID.

Machine parsing human-readable text output has the usual disclaimers. You'd better be *very* sure string tricks can't trip you up.

Steve.
--
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org
