On 22.06.2015 10:37, Jan Pazdziora wrote:
> Please find a new patch attached which I hope covers all the
> parts you've outlined, for SSL_CLIENT_SAN_OTHER_msUPN_*.
Thanks. Your implementation assumes that only a single otherName form
(msUPN) needs to be supported, but I would prefer to code it in a
somewhat more extensible way.
Does the attached patch work for you? As a practical way of
demonstrating generic support of otherName forms, I have
added the case of the SRVName otherName form (RFC 4985, for things like
_carddavs._tcp.example.com, exposed via SSL_SERVER_SAN_OTHER_dnsSRV_n).
Kaspar
Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c (revision 1687983)
+++ modules/ssl/ssl_engine_init.c (working copy)
@@ -352,6 +352,11 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_po
init_dh_params();
+ if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) {
+ (void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV",
+ "SRVName otherName form");
+ }
+
return OK;
}
@@ -1902,5 +1907,7 @@ apr_status_t ssl_init_ModuleKill(void *data)
free_dh_params();
+ OBJ_cleanup();
+
return APR_SUCCESS;
}
Index: modules/ssl/ssl_util_ssl.c
===================================================================
--- modules/ssl/ssl_util_ssl.c (revision 1687983)
+++ modules/ssl/ssl_util_ssl.c (working copy)
@@ -252,19 +252,46 @@ char *modssl_X509_NAME_to_string(apr_pool_t *p, X5
return result;
}
+static void parse_otherName_value(apr_pool_t *p, ASN1_TYPE *value,
+ ASN1_OBJECT *oid,
+ apr_array_header_t **entries)
+{
+ const char *str;
+
+ if (!value || !oid || !*entries)
+ return;
+
+ /*
+ * Currently supported otherName forms:
+ * - "msUPN" (1.3.6.1.4.1.311.20.2.3): Microsoft User Principal Name
+ * - "dnsSRV" (1.3.6.1.5.5.7.8.7): SRVName, as specified in RFC 4985
+ */
+ if ((OBJ_obj2nid(oid) == NID_ms_upn) &&
+ (value->type == V_ASN1_UTF8STRING) &&
+ (str = asn1_string_to_utf8(p, value->value.utf8string))) {
+ APR_ARRAY_PUSH(*entries, const char *) = str;
+ } else if ((OBJ_obj2nid(oid) == OBJ_txt2nid("id-on-dnsSRV")) &&
+ (value->type == V_ASN1_IA5STRING) &&
+ (str = asn1_string_to_utf8(p, value->value.ia5string))) {
+ APR_ARRAY_PUSH(*entries, const char *) = str;
+ }
+}
+
/*
* Return an array of subjectAltName entries of type "type". If idx is -1,
* return all entries of the given type, otherwise return an array consisting
* of the n-th occurrence of that type only. Currently supported types:
* GEN_EMAIL (rfc822Name)
* GEN_DNS (dNSName)
+ * GEN_OTHERNAME (see parse_otherName_value for currently supported forms)
*/
-BOOL modssl_X509_getSAN(apr_pool_t *p, X509 *x509, int type, int idx,
- apr_array_header_t **entries)
+BOOL modssl_X509_getSAN(apr_pool_t *p, X509 *x509, int type, ASN1_OBJECT *oid,
+ int idx, apr_array_header_t **entries)
{
STACK_OF(GENERAL_NAME) *names;
- if (!x509 || (type < GEN_OTHERNAME) || (type > GEN_RID) || (idx < -1) ||
+ if (!x509 || (type < GEN_OTHERNAME) || (type == GEN_OTHERNAME && !oid) ||
+ (type > GEN_RID) || (idx < -1) ||
!(*entries = apr_array_make(p, 0, sizeof(char *)))) {
*entries = NULL;
return FALSE;
@@ -277,33 +304,43 @@ char *modssl_X509_NAME_to_string(apr_pool_t *p, X5
for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
name = sk_GENERAL_NAME_value(names, i);
- if (name->type == type) {
- if ((idx == -1) || (n == idx)) {
- switch (type) {
- case GEN_EMAIL:
- case GEN_DNS:
- utf8str = asn1_string_to_utf8(p, name->d.ia5);
- if (utf8str) {
- APR_ARRAY_PUSH(*entries, const char *) = utf8str;
- }
- break;
- default:
- /*
- * Not implemented right now:
- * GEN_OTHERNAME (otherName)
- * GEN_X400 (x400Address)
- * GEN_DIRNAME (directoryName)
- * GEN_EDIPARTY (ediPartyName)
- * GEN_URI (uniformResourceIdentifier)
- * GEN_IPADD (iPAddress)
- * GEN_RID (registeredID)
- */
- break;
+
+ if (name->type != type)
+ continue;
+
+ switch (type) {
+ case GEN_EMAIL:
+ case GEN_DNS:
+ if (((idx == -1) || (n == idx)) &&
+ (utf8str = asn1_string_to_utf8(p, name->d.ia5))) {
+ APR_ARRAY_PUSH(*entries, const char *) = utf8str;
+ }
+ n++;
+ break;
+ case GEN_OTHERNAME:
+ if (!OBJ_cmp(name->d.otherName->type_id, oid)) {
+ if (((idx == -1) || (n == idx))) {
+ parse_otherName_value(p, name->d.otherName->value,
+ oid, entries);
}
+ n++;
}
- if ((idx != -1) && (n++ > idx))
- break;
+ break;
+ default:
+ /*
+ * Not implemented right now:
+ * GEN_X400 (x400Address)
+ * GEN_DIRNAME (directoryName)
+ * GEN_EDIPARTY (ediPartyName)
+ * GEN_URI (uniformResourceIdentifier)
+ * GEN_IPADD (iPAddress)
+ * GEN_RID (registeredID)
+ */
+ break;
}
+
+ if ((idx != -1) && (n > idx))
+ break;
}
sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
@@ -320,7 +357,7 @@ static BOOL getIDs(apr_pool_t *p, X509 *x509, apr_
/* First, the DNS-IDs (dNSName entries in the subjectAltName extension) */
if (!x509 ||
- (modssl_X509_getSAN(p, x509, GEN_DNS, -1, ids) == FALSE && !*ids)) {
+ (modssl_X509_getSAN(p, x509, GEN_DNS, NULL, -1, ids) == FALSE &&
!*ids)) {
*ids = NULL;
return FALSE;
}
Index: modules/ssl/ssl_engine_vars.c
===================================================================
--- modules/ssl/ssl_engine_vars.c (revision 1687983)
+++ modules/ssl/ssl_engine_vars.c (working copy)
@@ -664,7 +664,9 @@ static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t
static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var)
{
int type, numlen;
+ ASN1_OBJECT *oid = NULL;
apr_array_header_t *entries;
+ BOOL found;
if (strcEQn(var, "Email_", 6)) {
type = GEN_EMAIL;
@@ -674,6 +676,20 @@ static char *ssl_var_lookup_ssl_cert_san(apr_pool_
type = GEN_DNS;
var += 4;
}
+ else if (strcEQn(var, "OTHER_", 6)) {
+ type = GEN_OTHERNAME;
+ var += 6;
+ if (strEQn(var, "msUPN_", 6)) {
+ var += 6;
+ oid = OBJ_txt2obj("msUPN", 0);
+ }
+ else if (strEQn(var, "dnsSRV_", 7)) {
+ var += 7;
+ oid = OBJ_txt2obj("id-on-dnsSRV", 0);
+ }
+ else
+ return NULL;
+ }
else
return NULL;
@@ -682,11 +698,11 @@ static char *ssl_var_lookup_ssl_cert_san(apr_pool_
if ((numlen < 1) || (numlen > 4) || (numlen != strlen(var)))
return NULL;
- if (modssl_X509_getSAN(p, xs, type, atoi(var), &entries))
- /* return the first entry from this 1-element array */
- return APR_ARRAY_IDX(entries, 0, char *);
- else
- return NULL;
+ found = modssl_X509_getSAN(p, xs, type, oid, atoi(var), &entries);
+ if (oid)
+ ASN1_OBJECT_free(oid);
+ /* return the first entry from this 1-element array */
+ return found ? APR_ARRAY_IDX(entries, 0, char *) : NULL;
}
static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm)
@@ -1027,29 +1043,40 @@ static void extract_san_array(apr_table_t *t, cons
void modssl_var_extract_san_entries(apr_table_t *t, SSL *ssl, apr_pool_t *p)
{
X509 *xs;
+ ASN1_OBJECT *oid = NULL;
apr_array_header_t *entries;
/* subjectAltName entries of the server certificate */
xs = SSL_get_certificate(ssl);
if (xs) {
- if (modssl_X509_getSAN(p, xs, GEN_EMAIL, -1, &entries)) {
+ if (modssl_X509_getSAN(p, xs, GEN_EMAIL, NULL, -1, &entries)) {
extract_san_array(t, "SSL_SERVER_SAN_Email", entries, p);
}
- if (modssl_X509_getSAN(p, xs, GEN_DNS, -1, &entries)) {
+ if (modssl_X509_getSAN(p, xs, GEN_DNS, NULL, -1, &entries)) {
extract_san_array(t, "SSL_SERVER_SAN_DNS", entries, p);
}
+ if ((oid = OBJ_txt2obj("id-on-dnsSRV", 0)) &&
+ modssl_X509_getSAN(p, xs, GEN_OTHERNAME, oid, -1, &entries)) {
+ extract_san_array(t, "SSL_SERVER_SAN_OTHER_dnsSRV", entries, p);
+ ASN1_OBJECT_free(oid);
+ }
/* no need to free xs (refcount does not increase) */
}
/* subjectAltName entries of the client certificate */
xs = SSL_get_peer_certificate(ssl);
if (xs) {
- if (modssl_X509_getSAN(p, xs, GEN_EMAIL, -1, &entries)) {
+ if (modssl_X509_getSAN(p, xs, GEN_EMAIL, NULL, -1, &entries)) {
extract_san_array(t, "SSL_CLIENT_SAN_Email", entries, p);
}
- if (modssl_X509_getSAN(p, xs, GEN_DNS, -1, &entries)) {
+ if (modssl_X509_getSAN(p, xs, GEN_DNS, NULL, -1, &entries)) {
extract_san_array(t, "SSL_CLIENT_SAN_DNS", entries, p);
}
+ if ((oid = OBJ_txt2obj("msUPN", 0)) &&
+ modssl_X509_getSAN(p, xs, GEN_OTHERNAME, oid, -1, &entries)) {
+ extract_san_array(t, "SSL_CLIENT_SAN_OTHER_msUPN", entries, p);
+ ASN1_OBJECT_free(oid);
+ }
X509_free(xs);
}
}
Index: modules/ssl/ssl_util_ssl.h
===================================================================
--- modules/ssl/ssl_util_ssl.h (revision 1687983)
+++ modules/ssl/ssl_util_ssl.h (working copy)
@@ -65,7 +65,7 @@ int modssl_smart_shutdown(SSL *ssl);
BOOL modssl_X509_getBC(X509 *, int *, int *);
char *modssl_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY
*xsne);
char *modssl_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int);
-BOOL modssl_X509_getSAN(apr_pool_t *, X509 *, int, int,
apr_array_header_t **);
+BOOL modssl_X509_getSAN(apr_pool_t *, X509 *, int, ASN1_OBJECT *, int,
apr_array_header_t **);
BOOL modssl_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL,
server_rec *);
char *modssl_SSL_SESSION_id2sz(unsigned char *, int, char *, int);
