Oliver Graute wrote:
> On 04/03/16, Rob Crittenden wrote:
>> Oliver Graute wrote:
>>> Hello,
>>>
>>> I am using the following x509v3 extensions in my client certificate.
>>>
>>> [ x509v3 ]
>>> basicConstraints = critical,CA:FALSE
>>> nsCertType = client
>>> keyUsage = digitalSignature,nonRepudiation,keyEncipherment
>>> extendedKeyUsage = clientAuth, serverAuth, emailProtection
>>> keyUsage = critical,digitalSignature
>>> subjectKeyIdentifier = hash
>>> authorityKeyIdentifier = keyid
>>> crlDistributionPoints = crlDistributionPoint0_sect
>>> 1.3.6.1.3.1.1.1 = ASN1:UTF8String:POSEUR
>>>
>>> Is it possible to export these x509v3 extensions with NSSOptions
>>> +StdEnvVars or any other NSSOption?
>>>
>>> Especially I need to export the "1.3.6.1.3.1.1.1 =
>>> ASN1:UTF8String:POSEUR" in my php environment.
>>>
>>> Is it possible to configure or patch mod_nss to achieve this? Where is
>>> the right place to adapt the code for this?
>>
>> It isn't exported today. You have a couple of options:
>>
>> 1. you should have the full cert available in PHP. You could use that to
>> pull out the extensions yourself assuming PHP has the tools needed to
>> parse x509 certs.
>
> yes php has the tools to parse that x509 cert. Openssl_x509_parse() can
> do that job. But then I need to link against openssl, which I want to avoid.
> Is it possible to link mod_php against nss?

I don't know. If PHP has an ASN.1 parser you could parse the cert yourself, though this would probably be fairly painful.

>> 2. tweak nss_engine_vars.c to be able to pull out generic or specific
>> extensions. You'd want to cross-check with mod_ssl to see if there is
>> already a "standard" for how the variables would be named. This would be
>> much harder than #1.
>
> I'll look into it.
>
> Best regards,
>
> Oliver
>
> _______________________________________________
> Mod_nss-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/mod_nss-list
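
The "parse the cert yourself" route from option 1, as an added example that is not code from this thread, from mod_nss or from PHP: a hand-written DER walk that finds one extension by OID without the OpenSSL binding. The names `der_read`, `find_extension`, `tlv` and `POSEUR_OID` and the skeleton input are assumptions made for illustration.

```php
<?php
// Added example: walks DER by hand, no ext/openssl needed.
// 1.3.6.1.3.1.1.1 as DER OID content: arcs 1.3 -> 40*1+3 = 0x2b, later arcs (<128) one byte each.
const POSEUR_OID = "\x2b\x06\x01\x03\x01\x01\x01";

// Read the TLV at $pos; returns [tag, content offset, content length].
function der_read(string $der, int $pos): array {
    if ($pos + 2 > strlen($der)) throw new RuntimeException('truncated DER');
    $tag = ord($der[$pos]);
    $len = ord($der[$pos + 1]);
    $hdr = 2;
    if ($len & 0x80) {                       // long form: low 7 bits count the length bytes
        $n = $len & 0x7f;
        if ($n < 1 || $n > 4 || $pos + 2 + $n > strlen($der)) throw new RuntimeException('bad length');
        for ($len = 0, $i = 0; $i < $n; $i++) $len = ($len << 8) | ord($der[$pos + 2 + $i]);
        $hdr += $n;
    }
    if ($pos + $hdr + $len > strlen($der)) throw new RuntimeException('length overruns buffer');
    return [$tag, $pos + $hdr, $len];
}

// Returns the extnValue contents (still DER-encoded) for $oid, or null if absent.
function find_extension(string $der, string $oid): ?string {
    [, $p] = der_read($der, 0);                          // Certificate SEQUENCE
    [, $p, $len] = der_read($der, $p);                   // tbsCertificate SEQUENCE
    for ($end = $p + $len; $p < $end; $p = $c + $l) {
        [$tag, $c, $l] = der_read($der, $p);
        if ($tag !== 0xA3) continue;                     // skip fields until [3] extensions
        [, $q, $ql] = der_read($der, $c);                // Extensions SEQUENCE
        for ($qend = $q + $ql; $q < $qend; $q = $ec + $el) {
            [, $ec, $el] = der_read($der, $q);           // one Extension
            [$t, $oc, $ol] = der_read($der, $ec);        // extnID
            if ($t !== 0x06 || substr($der, $oc, $ol) !== $oid) continue;
            [$t, $vc, $vl] = der_read($der, $oc + $ol);  // critical BOOLEAN or extnValue
            if ($t === 0x01) [$t, $vc, $vl] = der_read($der, $vc + $vl);
            return $t === 0x04 ? substr($der, $vc, $vl) : null;
        }
    }
    return null;
}

// Constructed sample: a skeleton holding only the fields the walker touches, not a valid certificate.
function tlv(int $tag, string $v): string { return chr($tag) . chr(strlen($v)) . $v; }  // short lengths only
$ext  = tlv(0x30, tlv(0x06, POSEUR_OID) . tlv(0x04, tlv(0x0C, 'POSEUR')));
$cert = tlv(0x30, tlv(0x30, tlv(0x02, "\x01") . tlv(0xA3, tlv(0x30, $ext))));
$raw  = find_extension($cert, POSEUR_OID);
if ($raw === null) exit("extension not present\n");
[$t, $c, $l] = der_read($raw, 0);                        // inner value: UTF8String is tag 0x0C
echo $t === 0x0C ? substr($raw, $c, $l) : 'unexpected type', "\n";
```

For a certificate handed over as PEM, strip the BEGIN/END lines and `base64_decode()` the body before calling `find_extension()`. The extracted value is only as trustworthy as the server's validation of the client certificate chain.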
