How to access client certificate PEM and incoming request headers in a module?
Hi,

I am starting to look into implementing an Apache module that can use information from an incoming request, including several headers and the subject string from a client certificate to do authentication.

I've been looking at the source for mod_auth_certificate, from https://modules.apache.org/, as a starting point.

However, it looks like the way that mod_auth_certificate works is that it requires that there's an SSLUserName directive to put the client certificate DN into the Apache REMOTE_USER attribute, whereas I need the entire PEM for the client cert to do authentication that I'm trying to do.

So I was wondering if it's possible for a module to access the SSL_CLIENT_S_DN and SSL_CLIENT_CERT environment variables, and if so, how?

Also, as mentioned my module would need to access several HTTP headers that are in the incoming requests. How can it do that?

Thanks,
Jim
Re: How to access client certificate PEM and incoming request headers in a module?
On Sun, Jun 17, 2012 at 9:46 PM, oh...@cox.net wrote:
> Hi,
>
> I am starting to look into implementing an Apache module that can use information from an incoming request, including several headers and the subject string from a client certificate to do authentication.
>
> I've been looking at the source for mod_auth_certificate, from https://modules.apache.org/, as a starting point.
>
> However, it looks like the way that mod_auth_certificate works is that it requires that there's an SSLUserName directive to put the client certificate DN into the Apache REMOTE_USER attribute, whereas I need the entire PEM for the client cert to do authentication that I'm trying to do.
>
> So I was wondering if it's possible for a module to access the SSL_CLIENT_S_DN and SSL_CLIENT_CERT environment variables, and if so, how?

They should be set in r->subprocess_env provided `SSLOptions +StdEnvVars +ExportCertData` is set in the server or per-directory config.

> Also, as mentioned my module would need to access several HTTP headers that are in the incoming requests. How can it do that?

Look them up with `apr_table_get(r->headers_in, "X-Header-Name")`.
Re: How to access client certificate PEM and incoming request headers in a module?
Ben Noordhuis <i...@bnoordhuis.nl> wrote:
> On Sun, Jun 17, 2012 at 9:46 PM, oh...@cox.net wrote:
>> Hi,
>>
>> I am starting to look into implementing an Apache module that can use information from an incoming request, including several headers and the subject string from a client certificate to do authentication.
>>
>> I've been looking at the source for mod_auth_certificate, from https://modules.apache.org/, as a starting point.
>>
>> However, it looks like the way that mod_auth_certificate works is that it requires that there's an SSLUserName directive to put the client certificate DN into the Apache REMOTE_USER attribute, whereas I need the entire PEM for the client cert to do authentication that I'm trying to do.
>>
>> So I was wondering if it's possible for a module to access the SSL_CLIENT_S_DN and SSL_CLIENT_CERT environment variables, and if so, how?
>
> They should be set in r->subprocess_env provided `SSLOptions +StdEnvVars +ExportCertData` is set in the server or per-directory config.
>
>> Also, as mentioned my module would need to access several HTTP headers that are in the incoming requests. How can it do that?
>
> Look them up with `apr_table_get(r->headers_in, "X-Header-Name")`.

Ben,

Thanks. I'll give those a try. We already have the SSLOptions set as you mentioned, so assuming that I can figure out the coding (it's been a long time since I've done C/C++), that should work :)...

Jim
Re: How to access client certificate PEM and incoming request headers in a module?
oh...@cox.net wrote:
> Ben Noordhuis <i...@bnoordhuis.nl> wrote:
>> On Sun, Jun 17, 2012 at 9:46 PM, oh...@cox.net wrote:
>>> Hi,
>>>
>>> I am starting to look into implementing an Apache module that can use information from an incoming request, including several headers and the subject string from a client certificate to do authentication.
>>>
>>> I've been looking at the source for mod_auth_certificate, from https://modules.apache.org/, as a starting point.
>>>
>>> However, it looks like the way that mod_auth_certificate works is that it requires that there's an SSLUserName directive to put the client certificate DN into the Apache REMOTE_USER attribute, whereas I need the entire PEM for the client cert to do authentication that I'm trying to do.
>>>
>>> So I was wondering if it's possible for a module to access the SSL_CLIENT_S_DN and SSL_CLIENT_CERT environment variables, and if so, how?
>>
>> They should be set in r->subprocess_env provided `SSLOptions +StdEnvVars +ExportCertData` is set in the server or per-directory config.
>>
>>> Also, as mentioned my module would need to access several HTTP headers that are in the incoming requests. How can it do that?
>>
>> Look them up with `apr_table_get(r->headers_in, "X-Header-Name")`.
>
> Ben,
>
> Thanks. I'll give those a try. We already have the SSLOptions set as you mentioned, so assuming that I can figure out the coding (it's been a long time since I've done C/C++), that should work :)...
>
> Jim

Hi,

I haven't actually tried your suggestion yet, but, re. the SSL variables, I was looking at mod_headers.c, and in there, there are two separate functions:

```c
static const char *header_request_env_var(request_rec *r, char *a)
{
    const char *s = apr_table_get(r->subprocess_env, a);

    if (s)
        return unwrap_header(r->pool, s);
    else
        return "(null)";
}

static const char *header_request_ssl_var(request_rec *r, char *name)
{
    if (header_ssl_lookup) {
        const char *val = header_ssl_lookup(r->pool, r->server,
                                            r->connection, r, name);
        if (val && val[0])
            return unwrap_header(r->pool, val);
        else
            return "(null)";
    }
    else {
        return "(null)";
    }
}
```

So, it seems like the method to get the SSL variables is different than the other environment variables? Or, does setting SSLOptions the way that you suggested cause the SSL variable to also exist in apr_table_get(r->subprocess_env, )?

Jim
Re: How to access client certificate PEM and incoming request headers in a module?
On Mon, Jun 18, 2012 at 5:45 AM, oh...@cox.net wrote:
> I haven't actually tried your suggestion yet, but, re. the SSL variables, I was looking at mod_headers.c, and in there, there are two separate functions:
>
> ```c
> static const char *header_request_env_var(request_rec *r, char *a)
> {
>     const char *s = apr_table_get(r->subprocess_env, a);
>
>     if (s)
>         return unwrap_header(r->pool, s);
>     else
>         return "(null)";
> }
>
> static const char *header_request_ssl_var(request_rec *r, char *name)
> {
>     if (header_ssl_lookup) {
>         const char *val = header_ssl_lookup(r->pool, r->server,
>                                             r->connection, r, name);
>         if (val && val[0])
>             return unwrap_header(r->pool, val);
>         else
>             return "(null)";
>     }
>     else {
>         return "(null)";
>     }
> }
> ```
>
> So, it seems like the method to get the SSL variables is different than the other environment variables? Or, does setting SSLOptions the way that you suggested cause the SSL variable to also exist in apr_table_get(r->subprocess_env, )?

Oh, I forgot about that. It's the ssl_var_lookup optional function, that might even work without having to tweak SSLOptions.
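
The two lookup paths discussed in this thread, combined into one fail-closed routine, as an added example that is not code from either poster or from Apache httpd. So that it builds without the httpd/APR headers, `req`, `tbl_get()` and `ssl_lookup_fn` are hypothetical stand-ins for `request_rec`, `apr_table_get()` and the `ssl_var_lookup` optional function; `authn_inputs()`, `no_cert()` and the sample data are constructed for illustration.

```c
#include <string.h>
#include <strings.h>

/* Stand-ins (assumptions) to build without httpd/APR headers: req ~ request_rec,
 * tbl_get() ~ apr_table_get(), ssl_lookup_fn ~ the ssl_var_lookup optional function. */
typedef struct { const char *key, *val; } kv;
typedef struct { const kv *headers_in, *subprocess_env; } req;
typedef const char *(*ssl_lookup_fn)(const req *r, const char *name);

/* Case-insensitive key lookup like apr_table_get(); key == NULL ends a table. */
static const char *tbl_get(const kv *t, const char *key)
{
    for (; t && t->key; t++)
        if (strcasecmp(t->key, key) == 0) return t->val;
    return NULL;
}

/* Use the optional function when it is available, else the exported
 * environment; "" counts as unset, like the val && val[0] test in mod_headers. */
static const char *ssl_var(const req *r, ssl_lookup_fn f, const char *name)
{
    const char *v = f ? f(r, name) : tbl_get(r->subprocess_env, name);
    return (v && v[0]) ? v : NULL;
}

/* Gather the authentication inputs; -1 (fail closed) if any is missing or the
 * certificate is not PEM. The header is client-supplied, the SSL values are not. */
static int authn_inputs(const req *r, ssl_lookup_fn f, const char *hdr_name,
                        const char **pem, const char **dn, const char **hdr)
{
    static const char begin[] = "-----BEGIN CERTIFICATE-----";
    *pem = ssl_var(r, f, "SSL_CLIENT_CERT");
    *dn  = ssl_var(r, f, "SSL_CLIENT_S_DN");
    *hdr = tbl_get(r->headers_in, hdr_name);
    if (!*pem || strncmp(*pem, begin, sizeof begin - 1) != 0) return -1;
    return (*dn && *hdr) ? 0 : -1;
}

/* Constructed sample data, not a real request or certificate. */
static const kv sample_hdrs[] = { {"X-Header-Name", "abc"}, {NULL, NULL} };
static const kv sample_env[] = { {"SSL_CLIENT_S_DN", "CN=jim,O=Example"},
    {"SSL_CLIENT_CERT", "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n"}, {NULL, NULL} };
static const char *no_cert(const req *r, const char *n) { (void)r; (void)n; return ""; }
int main(void)
{
    req r = { sample_hdrs, sample_env }, bare = { sample_hdrs, NULL };
    const char *pem, *dn, *hdr;
    return !(authn_inputs(&r, NULL, "x-header-name", &pem, &dn, &hdr) == 0 &&
             authn_inputs(&bare, no_cert, "X-Header-Name", &pem, &dn, &hdr) == -1);
}
```

In a real module the same logic would call `apr_table_get(r->subprocess_env, ...)`, `apr_table_get(r->headers_in, ...)` and the `ssl_var_lookup` function with the argument order shown in the mod_headers.c excerpt above.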