svn commit: r1772999 - in /serf/branches/ocsp-verification: BRANCH-README buckets/ssl_buckets.c serf_bucket_types.h

Tue, 06 Dec 2016 16:27:07 -0800 

Author: brane
Date: Wed Dec  7 00:26:39 2016
New Revision: 1772999

URL: http://svn.apache.org/viewvc?rev=1772999&view=rev
Log:
On the ocsp-verification branch:
Retrieve the list of OCSP responder URIs from a certificate.

* BRANCH-README
  (serf_ssl_cert_certificate): Adjust doc to match actual semantics.

* serf_bucket_types.h
  (serf_ssl_cert_certificate): Update docstring.
* buckets/ssl_buckets.c
  (get_ocsp_responders): New helper function.
  (serf_ssl_cert_certificate): Also return an array OCSP responder URIs.

Modified:
    serf/branches/ocsp-verification/BRANCH-README
    serf/branches/ocsp-verification/buckets/ssl_buckets.c
    serf/branches/ocsp-verification/serf_bucket_types.h

Modified: serf/branches/ocsp-verification/BRANCH-README
URL: 
http://svn.apache.org/viewvc/serf/branches/ocsp-verification/BRANCH-README?rev=1772999&r1=1772998&r2=1772999&view=diff
==============================================================================
--- serf/branches/ocsp-verification/BRANCH-README (original)
+++ serf/branches/ocsp-verification/BRANCH-README Wed Dec  7 00:26:39 2016
@@ -14,10 +14,9 @@ These are the proposed changes:
 
 1. serf_ssl_cert_certificate()
 
-   Extract the OCSP responder URL from the certificate's x509v3
-   extension field authorityInfoAccess:OCSP;URI and, if it is
-   present, insert it into the returned hash table with key
-   "ocsp.uri".
+   Extract the OCSP responder locations from the certificate's x509v3
+   extension field authorityInfoAccess:OCSP;URI and, if it is present,
+   insert the array into the returned hash table with key "OCSP".
 
 2. serf_ssl_cert_import()
 

Modified: serf/branches/ocsp-verification/buckets/ssl_buckets.c
URL: 
http://svn.apache.org/viewvc/serf/branches/ocsp-verification/buckets/ssl_buckets.c?rev=1772999&r1=1772998&r2=1772999&view=diff
==============================================================================
--- serf/branches/ocsp-verification/buckets/ssl_buckets.c (original)
+++ serf/branches/ocsp-verification/buckets/ssl_buckets.c Wed Dec  7 00:26:39 
2016
@@ -733,6 +733,42 @@ get_subject_alt_names(apr_array_header_t
     return APR_SUCCESS;
 }
 
+
+static apr_status_t
+get_ocsp_responders(apr_array_header_t **ocsp_arr, X509 *ssl_cert,
+                    apr_pool_t *pool)
+{
+    /* assert: (ocsp_arr && pool) */
+
+    if (ocsp_arr) {
+        STACK_OF(OPENSSL_STRING) *uris;
+
+        *ocsp_arr = NULL;
+        uris = X509_get1_ocsp(ssl_cert);
+        if (uris) {
+            int uris_count = sk_OPENSSL_STRING_num(uris);
+            int uri_idx;
+
+            *ocsp_arr = apr_array_make(pool, uris_count, sizeof(char*));
+
+            for (uri_idx = 0; uri_idx < uris_count; ++uri_idx) {
+                OPENSSL_STRING uri = sk_OPENSSL_STRING_value(uris, uri_idx);
+                if (uri) {
+                    char *p = apr_pstrdup(pool, uri);
+
+                    if (p) {
+                        APR_ARRAY_PUSH(*ocsp_arr, char*) = p;
+                    }
+                }
+            }
+        }
+        X509_email_free(uris);
+    }
+
+    return APR_SUCCESS;
+}
+
+
 static apr_status_t validate_cert_hostname(X509 *server_cert, apr_pool_t *pool)
 {
     char buf[1024];
@@ -2268,6 +2304,7 @@ apr_hash_t *serf_ssl_cert_certificate(
     unsigned char md[EVP_MAX_MD_SIZE];
     BIO *bio;
     apr_array_header_t *san_arr;
+    apr_array_header_t *ocsp_arr;
 
     /* sha1 fingerprint */
     if (X509_digest(cert->ssl_cert, EVP_sha1(), md, &md_size)) {
@@ -2316,6 +2353,10 @@ apr_hash_t *serf_ssl_cert_certificate(
     if (!get_subject_alt_names(&san_arr, cert->ssl_cert, EscapeNulAndCopy, 
pool))
       apr_hash_set(tgt, "subjectAltName", APR_HASH_KEY_STRING, san_arr);
 
+    /* Get authorityAccessInfo.OCSP */
+    if (!get_ocsp_responders(&ocsp_arr, cert->ssl_cert, pool))
+      apr_hash_set(tgt, "OCSP", APR_HASH_KEY_STRING, ocsp_arr);
+
     return tgt;
 }
 

Modified: serf/branches/ocsp-verification/serf_bucket_types.h
URL: 
http://svn.apache.org/viewvc/serf/branches/ocsp-verification/serf_bucket_types.h?rev=1772999&r1=1772998&r2=1772999&view=diff
==============================================================================
--- serf/branches/ocsp-verification/serf_bucket_types.h (original)
+++ serf/branches/ocsp-verification/serf_bucket_types.h Wed Dec  7 00:26:39 2016
@@ -701,8 +701,9 @@ apr_hash_t *serf_ssl_cert_subject(
     apr_pool_t *pool);
 
 /**
- * Extract the fields of the certificate in a table with keys (sha1, notBefore,
- * notAfter, subjectAltName). The returned table will be allocated in @a pool.
+ * Extract the fields of the certificate in a table with keys
+ *   (sha1, notBefore, notAfter, subjectAltName, OCSP).
+ * The returned table will be allocated in @a pool.
  */
 apr_hash_t *serf_ssl_cert_certificate(
     const serf_ssl_certificate_t *cert,

Reply via email to