Index: modules/ssl/ssl_engine_vars.c
===================================================================
--- modules/ssl/ssl_engine_vars.c (revision 1634639)
+++ modules/ssl/ssl_engine_vars.c (working copy)
@@ -46,6 +46,7 @@
static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm);
static char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs);
static char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, char *var);
+static char *ssl_var_lookup_ssl_cert_subjects(apr_pool_t *p, SSL *ssl);
static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs);
static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c);
static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var);
@@ -434,6 +435,9 @@
sk = SSL_get_peer_cert_chain(ssl);
result = ssl_var_lookup_ssl_cert_chain(p, sk, var+18);
}
+ else if (ssl != NULL && strcEQ(var, "CLIENT_CERT_SUBJECTS")) {
+ result = ssl_var_lookup_ssl_cert_subjects(p, ssl);
+ }
else if (ssl != NULL && strcEQ(var, "CLIENT_VERIFY")) {
result = ssl_var_lookup_ssl_cert_verify(p, c);
}
@@ -749,6 +753,95 @@
return result;
}
+static int add_subject(apr_pool_t *p, BIO *bio, X509_NAME *subjects,
+ X509_NAME *subject, unsigned long flags)
+{
+ int len;
+ unsigned char *buffer;
+
+ X509_NAME_print_ex(bio, subject, 0, flags);
+
+ len = BIO_pending(bio);
+ buffer = apr_palloc(p, len + 1);
+ len = BIO_read(bio, buffer, len);
+ buffer[len] = 0;
+
+ X509_NAME_add_entry_by_txt(subjects, "name", MBSTRING_UTF8, buffer, len,
+ -1, 1);
+
+ return OK;
+}
+
+static char *ssl_var_lookup_ssl_cert_subjects(apr_pool_t *p, SSL *ssl)
+{
+ char *result;
+ X509 *xs, *next;
+ int n, found = 0;
+ BIO* bio;
+ unsigned long flags = XN_FLAG_RFC2253;
+
+ X509_NAME *subjects;
+ X509_STORE_CTX cert_store_ctx;
+
+ if (!(bio = BIO_new(BIO_s_mem()))) {
+ return NULL;
+ }
+
+ if (!(subjects = X509_NAME_new())) {
+ BIO_free(bio);
+ return NULL;
+ }
+
+ if (!(xs = SSL_get_peer_certificate(ssl))) {
+ BIO_free(bio);
+ X509_NAME_free(subjects);
+ return NULL;
+ }
+ X509_STORE_CTX_init(&cert_store_ctx,
+ SSL_CTX_get_cert_store(SSL_get_SSL_CTX(ssl)), xs,
+ SSL_get_peer_cert_chain(ssl));
+
+ add_subject(p, bio, subjects, X509_get_subject_name(xs), flags);
+
+ while(1) {
+ X509_STORE_CTX_get1_issuer(&next, &cert_store_ctx, xs);
+ if (next) {
+ add_subject(p, bio, subjects, X509_get_subject_name(next),
+ flags);
+ if (!X509_NAME_cmp(X509_get_subject_name(next),
+ X509_get_issuer_name(next))) {
+ found = 1;
+ break;
+ }
+ xs = next;
+ }
+ else {
+ break;
+ }
+ }
+
+ X509_NAME_print_ex(bio, subjects, 0, flags);
+
+ result = NULL;
+
+ n = BIO_pending(bio);
+ if (n > 0) {
+ result = apr_palloc(p, n+1);
+ n = BIO_read(bio, result, n);
+ result[n] = NUL;
+ }
+ BIO_free(bio);
+ X509_NAME_free(subjects);
+ X509_free(xs);
+ X509_STORE_CTX_cleanup(&cert_store_ctx);
+
+ if (!found) {
+ return NULL;
+ }
+
+ return result;
+}
+
static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs)
{
char *result;
Index: docs/manual/mod/mod_ssl.xml
===================================================================
--- docs/manual/mod/mod_ssl.xml (revision 1634639)
+++ docs/manual/mod/mod_ssl.xml (working copy)
@@ -84,6 +84,7 @@
SSL_CLIENT_A_KEY | string | Algorithm used for the public key of client's certificate |
SSL_CLIENT_CERT | string | PEM-encoded client certificate |
SSL_CLIENT_CERT_CHAIN_n | string | PEM-encoded certificates in client certificate chain |
+SSL_CLIENT_CERT_SUBJECTS | string | Subject DNs of the client certificate chain as a multivalued list of names (name=subject1,name=subject2,...) |
SSL_CLIENT_VERIFY | string | NONE, SUCCESS, GENEROUS or FAILED:reason |
SSL_SERVER_M_VERSION | string | The version of the server certificate |
SSL_SERVER_M_SERIAL | string | The serial of the server certificate |