Dr Stephen Henson writes:
Zhumabekov Yerden wrote:
Let me explain. Imagine some information system which authorizes users by examining their certificates for the existence of some certain OID. If you look through the modssl configuration, you would see that there is no way for Apache to authorize users like that. The only thing modssl proposes is to make use of the OID() directive, which is not useful since, as you said above, the value of this extension can have some complex structure. And if this OID does not have a corresponding NID, using the OID() directive in http-ssl.conf makes no sense at all. Just look through the code and you will understand.
You mean an extension which contains a specific OID as its value?
No, I just want to check if the user certificate
contains extension _using_ its OID.
OID() function (the one implemented in modssl)
can only extract the values of certificate
extension which is familiar to openssl.
For example, let you have some arbitrary
extension and its OID is "1.2.3.4.5". Since
OpenSSL doesn't have this OID listed in its
header files, it will not be able to read
the value of this extension in certificate.
But, if you supply
SSLRequire "some string in my extension" in OID("1.2.3.4.5")
normally, mod_ssl will say "there is no such
extension in certificate, _because_ I cannot
read it" instead of "there is extension of
this OID in certificate, _but_ I cannot read
it".
I just want to have some directive in
configuration file which is useful to
check _if_ the extension of certain OID
is present in user's supplied certificate.
That's simple, but mod_ssl cannot do
that simple check.
Logically speaking, this kind of check looks much easier to understand than the existing syntax proposed by modssl, which makes no sense in many cases, just as you have stated before. I wonder why it's still not implemented in modssl.
The code looks a little unusual to me. The loop could be simplified by use of
X509_get_ext_by_OBJ() and avoid the direct structure access of ext->obj or just
use of X509_EXTENSION_get_object(). The variable oid needs to be freed otherwise
it will leak memory if the object doesn't have a corresponding NID.
Machine parsing human readable text output has the usual disclaimers. You'd
better be *very* sure string tricks can't trip you up.
Thanks for suggestions.
--
Yerden Zhumabekov