Please find attached a patch that adds to mod_ssl the capability to recognise the
client certificate's X.509 certificatePolicies extension.
This is useful for determining the certificate type from certificates issued
by RFC 2527-compliant PKIs
(i.e. those that do not encode certificate-policy information in the
certificate DN).
It adds the variable SSL_CLIENT_CERTPOL which, as implemented (via hex_to_string()),
contains the hex-encoded DER content octets of the first certificate-policy OID,
not its dotted-decimal form. (If anyone has a way to get this into standard OID
format, please let me know.)
Patrick Patterson
PKI Specialist
SITA/Equant
diff -u mod_ssl-2.7.1-1.3.14/pkg.sslmod/ssl_engine_kernel.c ssl/ssl_engine_kernel.c
--- mod_ssl-2.7.1-1.3.14/pkg.sslmod/ssl_engine_kernel.c Mon Oct 9 11:00:35 2000
+++ ssl/ssl_engine_kernel.c Wed Dec 27 13:19:31 2000
@@ -1239,6 +1239,7 @@
"SSL_SERVER_A_KEY",
"SSL_SERVER_A_SIG",
"SSL_SESSION_ID",
+ "SSL_CLIENT_CERTPOL",
NULL
};
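Review bot: `"SSL_CLIENT_CERTPOL"` is appended after `"SSL_SESSION_ID"` at the tail of the name table rather than next to the other `SSL_CLIENT_*` entries that lie above this hunk; moving it into that group keeps the table readable and makes the absence of a matching `SSL_SERVER_` variant deliberate rather than accidental. If this is the table of variables exported to the CGI environment under StdEnvVars, as the surrounding names suggest, then every request with a client certificate will carry this variable, so its value must never be placeholder or debug text for certificates that lack the extension. The table begins outside the hunk.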
diff -u mod_ssl-2.7.1-1.3.14/pkg.sslmod/ssl_engine_vars.c ssl/ssl_engine_vars.c
--- mod_ssl-2.7.1-1.3.14/pkg.sslmod/ssl_engine_vars.c Mon Oct 9 11:00:35 2000
+++ ssl/ssl_engine_vars.c Wed Dec 27 13:21:50 2000
@@ -321,6 +321,15 @@
if ((xs = SSL_get_certificate(ssl)) != NULL)
result = ssl_var_lookup_ssl_cert(p, xs, var+7);
}
+// Added by Stephen MacDonell
+// 21/12/2000
+// Modified 27/12/200 by Patrick Patterson
+// Changed SSL_get_certificate to SSL_get_peer_certificate
+ else if (strcEQ(var, "SSL_CLIENT_CERTPOL")) {
+ if ((xs = SSL_get_peer_certificate(ssl)) != NULL )
+ result = ssl_var_lookup_ssl_cert(p, xs, var);
+ }
+// End Add/Mod
return result;
}
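Review bot: The new branch at `else if (strcEQ(var, "SSL_CLIENT_CERTPOL"))` compares the full variable name, while the sibling branch two lines above hands `var+7` to ssl_var_lookup_ssl_cert, i.e. `var` here appears to already be the name with its `SSL_` prefix stripped (and a generic `CLIENT_` prefix branch earlier in this function, outside the hunk, would presumably claim `CLIENT_CERTPOL` first). As written the comparison looks like it can never match, so the value would only ever be produced if that earlier branch forwards `CERTPOL` and ssl_var_lookup_ssl_cert recognises the stripped name. If the branch is kept, note that SSL_get_peer_certificate() returns a reference-counted X509 that must be released, unlike SSL_get_certificate() in the branch above: add `X509_free(xs);` after the ssl_var_lookup_ssl_cert call. The enclosing function's start is outside the hunk.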
@@ -385,7 +394,14 @@
else if (strcEQ(var, "CERT")) {
result = ssl_var_lookup_ssl_cert_PEM(p, xs);
}
-
+// Added by Stephen MacDonell
+// 21/12/2000
+// Modified by Patrick Patterson
+// 27/12/2000
+ else if (strcEQ(var, "SSL_CLIENT_CERTPOL")) {
+ result = SSL_X509_certificate_policy(xs);
+ }
+// End Add/Mod
if (result != NULL && resdup)
result = ap_pstrdup(p, result);
return result;
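Review bot: The string returned at `result = SSL_X509_certificate_policy(xs);` is heap memory that this function never releases: it is copied with ap_pstrdup() only when `resdup` is set, and otherwise the raw malloc'd pointer escapes to the caller, so every lookup leaks while the neighbouring branches return pool-managed memory. Copy it into the pool unconditionally and free the original, e.g. `char *pol = SSL_X509_certificate_policy(xs); if (pol != NULL) { result = ap_pstrdup(p, pol); free(pol); }`, which requires the helper to hand back a buffer from a single allocator. The comparison string also differs from the sibling `strcEQ(var, "CERT")`, which matches on the name with its `SSL_CLIENT_`/`SSL_SERVER_` prefix already removed; `"CERTPOL"` looks like the consistent spelling. The enclosing function's start lies outside the hunk.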
diff -u mod_ssl-2.7.1-1.3.14/pkg.sslmod/ssl_util_ssl.c ssl/ssl_util_ssl.c
--- mod_ssl-2.7.1-1.3.14/pkg.sslmod/ssl_util_ssl.c Mon Oct 9 11:00:35 2000
+++ ssl/ssl_util_ssl.c Fri Dec 22 10:54:06 2000
@@ -539,3 +539,57 @@
return str;
}
+// Added by Stephen MacDonell
+// 21/12/2000
+
+char*
+SSL_X509_certificate_policy(X509 *cert)
+{
+ X509_EXTENSION *ext;
+ POLICYINFO *pinfo=NULL;
+ STACK *sk;
+ ASN1_OBJECT *ao;
+ int idx;
+
+ char *temp;
+ unsigned char *data;
+ long length;
+
+ idx = X509_get_ext_by_NID(cert, NID_certificate_policies, 0);
+ temp=(char *)calloc(100,sizeof(char));
+ sprintf(temp, "NOTHING and IDX = %d",idx);
+
+ if (idx >= 0)
+ {
+ sprintf(temp,"IDX FOUND and it is %d",idx);
+ ext = X509_get_ext(cert, idx);
+
+ if (ext != NULL)
+ {
+ strcpy(temp, "FOUND EXT");
+
+ if ((sk = (STACK *)X509V3_EXT_d2i(ext)) != NULL)
+ {
+ pinfo = (POLICYINFO *) malloc(sizeof(POLICYINFO));
+ pinfo = (POLICYINFO *)sk_value(sk, 0);
+ if ( pinfo != NULL)
+ {
+ data = pinfo->policyid->data;
+ length = pinfo->policyid->length;
+ temp = hex_to_string(data, length); //get hex data
+ POLICYINFO_free(pinfo);
+ } else {
+ strncpy(temp,"ERROR Getting Extension Value",29);
+ }
+
+ }
+
+ else
+ strcpy(temp, "NOT FOUND (sk)->data[0]");
+ }
+ else
+ strcpy(temp, "EXT NOT FOUND");
+ }
+ return temp;
+}
+
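Review bot: `X509_get_ext_by_NID(cert, NID_certificate_policies, 0)` passes 0 as lastpos, which makes OpenSSL start the search at extension index 1, so a certificatePolicies extension that happens to be the first extension in the certificate is never found; the initial lastpos must be -1. The fallback strings ("NOTHING and IDX = %d", "FOUND EXT", "EXT NOT FOUND", …) are returned as the value of SSL_CLIENT_CERTPOL, so a certificate without the extension still yields a non-empty variable that can satisfy an SSLRequire or CGI-side check and exposes debug text to scripts; the function should return NULL whenever no OID was decoded. Memory handling is also inconsistent: the malloc'd pinfo is immediately overwritten by sk_value(), POLICYINFO_free() is called on an element still owned by the stack while the stack returned by X509V3_EXT_d2i() is never freed, and the calloc'd temp is lost when hex_to_string() replaces it with its own OPENSSL_malloc'd string. The rewrite below returns one malloc'd dotted-decimal OID (OBJ_obj2txt() with no_name=1, which answers the cover letter's question; i2t_ASN1_OBJECT() is the fallback on builds without it) or NULL, frees the stack with sk_POLICYINFO_pop_free(), and still reports only the first policy — a certificate may carry several, which deserves a follow-up.
```c
char *
SSL_X509_certificate_policy(X509 *cert)
{
    X509_EXTENSION *ext;
    STACK_OF(POLICYINFO) *sk;
    POLICYINFO *pinfo;
    char oid[128];
    char *result = NULL;
    int idx;

    /* lastpos must start at -1; 0 would skip the first extension */
    idx = X509_get_ext_by_NID(cert, NID_certificate_policies, -1);
    if (idx < 0 || (ext = X509_get_ext(cert, idx)) == NULL)
        return NULL;                  /* no certificatePolicies: variable stays unset */
    if ((sk = (STACK_OF(POLICYINFO) *)X509V3_EXT_d2i(ext)) == NULL)
        return NULL;                  /* undecodable extension: treat as absent */

    /* only the first policy is reported; TODO: expose all of them */
    if (sk_POLICYINFO_num(sk) > 0
        && (pinfo = sk_POLICYINFO_value(sk, 0)) != NULL
        && OBJ_obj2txt(oid, sizeof oid, pinfo->policyid, 1) > 0)
        result = strdup(oid);         /* always numeric, e.g. "1.2.3.4"; caller free()s */

    sk_POLICYINFO_pop_free(sk, POLICYINFO_free);  /* frees the elements too */
    return result;
}
```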
diff -u mod_ssl-2.7.1-1.3.14/pkg.sslmod/ssl_util_ssl.h ssl/ssl_util_ssl.h
--- mod_ssl-2.7.1-1.3.14/pkg.sslmod/ssl_util_ssl.h Mon Oct 9 11:00:35 2000
+++ ssl/ssl_util_ssl.h Fri Dec 22 09:19:07 2000
@@ -112,4 +112,7 @@
int SSL_CTX_use_certificate_chain(SSL_CTX *, char *, int, int (*)());
char *SSL_SESSION_id2sz(unsigned char *, int);
+// Added by Stephen MacDonell
+// 21/12/2000
+char *SSL_X509_certificate_policy(X509 *cert);
#endif /* SSL_UTIL_SSL_H */
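Review bot: The new prototype `char *SSL_X509_certificate_policy(X509 *cert);` says nothing about ownership of the returned string or about the not-present case, so the caller in ssl_engine_vars.c cannot tell whether it must free() the result. Add above it `/* First certificatePolicies OID of cert as a malloc'd string; NULL if absent or undecodable. Caller must free(). */` and hold the implementation to that contract — as submitted it returns either a calloc'd buffer or, on success, the string from hex_to_string(), which are released differently. Replacing the `// Added by ...` changelog comment with that contract comment would also match the style of the surrounding declarations.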