On 04/03/16, Rob Crittenden wrote:
> Oliver Graute wrote:
> > Hello,
> >
> > I'm using the following x509v3 extensions in my client certificate.
> >
> > [ x509v3 ]
> > basicConstraints = critical,CA:FALSE
> > nsCertType = client
> > keyUsage = digitalSignature,nonRepudiation,keyEncipherment
> > extendedKeyUsage = clientAuth, serverAuth, emailProtection
> > keyUsage = critical,digitalSignature
> > subjectKeyIdentifier = hash
> > authorityKeyIdentifier = keyid
> > crlDistributionPoints = crlDistributionPoint0_sect
> > 1.3.6.1.3.1.1.1 = ASN1:UTF8String:POSEUR
> >
> > Is it possible to export these x509v3 extensions with NSSOptions
> > +StdEnvVars or any other NSSOption?
> >
> > Especially I need to export the "1.3.6.1.3.1.1.1 =
> > ASN1:UTF8String:POSEUR" in my php environment.
> >
> > Is it possible to configure or patch mod_nss to achieve this? Where is
> > the right place to adapt the code for this?
>
> It isn't exported today. You have a couple of options:
>
> 1. you should have the full cert available in PHP. You could use that to
> pull out the extensions yourself assuming PHP has the tools needed to
> parse x509 certs.

Yes, PHP has the tools to parse that x509 cert. openssl_x509_parse() can do
that job. But then I need to link against openssl, which I want to avoid. Is
it possible to link mod_php against nss?

> 2. tweak nss_engine_vars.c to be able to pull out generic or specific
> extensions. You'd want to cross-check with mod_ssl to see if there is
> already a "standard" for how the variables would be named. This would be
> much harder than #1.

I'll look into it.

Best regards,

Oliver

_______________________________________________
Mod_nss-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/mod_nss-list
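
Option 1 from the thread, done without linking PHP against OpenSSL, as an added example that is not from the thread or from mod_nss: a pure-PHP DER walk that pulls the 1.3.6.1.3.1.1.1 extension out of a certificate. It assumes the client certificate reaches PHP as PEM in an exported variable (for example SSL_CLIENT_CERT) and has been base64-decoded to DER; the function names are hypothetical and the sample bytes are a constructed skeleton, not a real certificate.

```php
<?php
// Read one TLV at $pos, return [tag, value], advance $pos past it.
function der_read(string $der, int &$pos): array {
    if ($pos + 2 > strlen($der)) throw new RuntimeException('truncated DER');
    $tag = ord($der[$pos++]);
    $len = ord($der[$pos++]);
    if ($len & 0x80) {                            // long-form length
        $n = $len & 0x7f;
        if ($n < 1 || $n > 3 || $pos + $n > strlen($der)) throw new RuntimeException('bad length');
        for ($len = 0; $n > 0; $n--) $len = ($len << 8) | ord($der[$pos++]);
    }
    if ($pos + $len > strlen($der)) throw new RuntimeException('truncated DER');
    $pos += $len;
    return [$tag, (string) substr($der, $pos - $len, $len)];
}
function der_children(string $der): array {
    for ($out = [], $pos = 0; $pos < strlen($der);) $out[] = der_read($der, $pos);
    return $out;
}
function oid_to_string(string $b): string {
    $arcs = []; $v = 0;
    foreach (str_split($b) as $c) {               // base-128, high bit = more bytes follow
        $v = ($v << 7) | (ord($c) & 0x7f);
        if (!(ord($c) & 0x80)) { $arcs[] = $v; $v = 0; }
    }
    $first = (int) array_shift($arcs);            // first sub-identifier packs two arcs
    $top = min(intdiv($first, 40), 2);
    return implode('.', array_merge([$top, $first - 40 * $top], $arcs));
}
// Return the raw extnValue (contents of the OCTET STRING) for $oid, or null.
function find_extension(string $certDer, string $oid): ?string {
    $p = 0; [, $cert] = der_read($certDer, $p);   // Certificate
    $p = 0; [, $tbs]  = der_read($cert, $p);      // tbsCertificate
    foreach (der_children($tbs) as [$tag, $val]) {
        if ($tag !== 0xA3) continue;              // [3] EXPLICIT Extensions
        $p = 0; [, $exts] = der_read($val, $p);
        foreach (der_children($exts) as [, $ext]) {
            $f = der_children($ext);              // OID, optional critical BOOLEAN, OCTET STRING
            if ($f && oid_to_string($f[0][1]) === $oid) return end($f)[1];
        }
    }
    return null;
}

// Constructed skeleton (not a valid certificate): only the nesting find_extension() walks.
$der = hex2bin('301b3019a3173015301306072b0601030101010408' . '0c06504f53455552');
$p = 0; [$tag, $text] = der_read((string) find_extension($der, '1.3.6.1.3.1.1.1'), $p);
if ($tag !== 0x0C) throw new RuntimeException('expected UTF8String');
echo $text, PHP_EOL;
```

The extracted value is only as trustworthy as the server's client-certificate verification, so read it only on requests where the certificate was required and validated, and treat the string as untrusted input when displaying or storing it.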
