>Hi,
>
>I patched ssl_engine_kernel.c to realize an OCSP responder function
>that checks cert status on an LDAP v2 directory.
>
>I am sending my whole patch to ssl_engine_kernel.c; the start of every routine is marked
>with a "Giacob" label. The ldap_hook searches for the certificate in our LDAP
>directory by client e-mail: if the cert is in LDAP it is good, otherwise it is revoked (a first
>simplifying assumption, because we're still working on LDAP).
>
>My next step will be to exchange OCSP requests and responses between two
>Apache servers over an HTTP session: one will be the OCSP client, and the other one
>the OCSP responder.
>Any idea how to set up HTTP-SSL communication between two Apaches?
>
>Thank you in advance
>Giacob
>
>[Attachment: OCSP_responder_patch.rtf, the patched ssl_engine_kernel.c; document author Andrea e Luca Giacobazzi, created 10 May 1999]
>
>#include "mod_ssl.h"
>
>/* Giacob: static declaration data and function for ocsp */
>
>#include <stdlib.h>
>#include <string.h>
>#include <lber.h>
>#include <ldap.h>
>#include "ocsp.h"
>
>typedef struct cert_file_st
>{
>    char *name;
>    int status;
>    int reason;
>    char *time;
>    char *this;
>    char *next;
>} CERT_FILE;
>
>typedef struct response_st
>{
>    CERT_FILE *cert_file;
>    int rsp_status;
>} RESPONSE_FILE;
>
>/* status code -> printable label */
>typedef struct strtbl_st { int t; char *m; } STRTBL;
>
>static OCSP_RESPONSE *ocsp_response_hook(int id, int rsp_status, X509 *xcert, OCSP_CERTID *certid,
>                                         OCSP_CERTSTATUS *ocsp_status, char *this, char *next);
>static OCSP_REQUEST *ocsp_request_hook(X509 *xcert, OCSP_CERTID *certid);
>static RESPONSE_FILE *ocsp_ldap_hook(X509 *xs, char *mail);
>static void get_entry(LDAP *ld, LDAPMessage *entry, RESPONSE_FILE **response);
>static void *ocsp_responder(X509 *xs);
>
>static STRTBL crlReasons[8] = {
>    { OCSP_REVOKED_STATUS_UNSPECIFIED,          "unspecified" },
>    { OCSP_REVOKED_STATUS_KEYCOMPROMISE,        "keyCompromise" },
>    { OCSP_REVOKED_STATUS_CACOMPROMISE,         "cACompromise" },
>    { OCSP_REVOKED_STATUS_AFFILIATIONCHANGED,   "affiliationChanged" },
>    { OCSP_REVOKED_STATUS_SUPERSEDED,           "superseded" },
>    { OCSP_REVOKED_STATUS_CESSATIONOFOPERATION, "cessationOfOperation" },
>    { OCSP_REVOKED_STATUS_CERTIFICATEHOLD,      "certificateHold" },
>    { OCSP_REVOKED_STATUS_REMOVEFROMCRL,        "removeFromCRL" }
>};
>
>static STRTBL respStatus[6] = {
>    { OCSP_RESPONSE_STATUS_SUCCESSFULL,      "successfull" },
>    { OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, "malformedRequest" },
>    { OCSP_RESPONSE_STATUS_INTERNALERROR,    "internalError" },
>    { OCSP_RESPONSE_STATUS_TRYLATER,         "tryLater" },
>    { OCSP_RESPONSE_STATUS_SIGREQUIRED,      "sigRequired" },
>    { OCSP_RESPONSE_STATUS_UNAUTHORIZED,     "unauthorized" }
>};
>
>static STRTBL certStatus[3] = {
>    { V_OCSP_CERTSTATUS_GOOD,    "good" },
>    { V_OCSP_CERTSTATUS_REVOKED, "revoked" },
>    { V_OCSP_CERTSTATUS_UNKNOWN, "unknown" }
>};
>
>static STRTBL respIds[2] = {
>    { V_OCSP_RESPID_NAME, "name" },
>    { V_OCSP_RESPID_KEY,  "key" }
>};
>
>static BIO *bio_err = NULL;
>static int count;                       /* certificate file length */
>static char certificate[8192];          /* certificate to verify in DER (large enough for any realistic cert) */
>static char ocsp_response[50];          /* label of the last OCSP answer, exported to the CGI environment */
>static char *attrs[] = { "mail", "cn", "usercertificate;binary", NULL }; /* attributes to be retrieved */
>
>FILE *fperr;                            /* ocsp debug file pointer */
>
>static const char *ssl_hook_Fixup_vars[] = {
>    "SSL_VERSION_INTERFACE",
>    "SSL_VERSION_LIBRARY",
>    "SSL_PROTOCOL",
>    "SSL_CIPHER",
>    "SSL_CIPHER_EXPORT",
>    "SSL_CIPHER_USEKEYSIZE",
>    "SSL_CIPHER_ALGKEYSIZE",
>    "SSL_CLIENT_M_VERSION",
>    "SSL_CLIENT_M_SERIAL",
>    "SSL_CLIENT_V_START",
>    "SSL_CLIENT_V_END",
>    "SSL_CLIENT_S_DN",
>    "SSL_CLIENT_S_DN_C",
>    "SSL_CLIENT_S_DN_SP",
>    "SSL_CLIENT_S_DN_L",
>    "SSL_CLIENT_S_DN_O",
>    "SSL_CLIENT_S_DN_OU",
>    "SSL_CLIENT_S_DN_CN",
>    "SSL_CLIENT_S_DN_Email",
>    "SSL_CLIENT_I_DN",
>    "SSL_CLIENT_I_DN_C",
>    "SSL_CLIENT_I_DN_SP",
>    "SSL_CLIENT_I_DN_L",
>    "SSL_CLIENT_I_DN_O",
>    "SSL_CLIENT_I_DN_OU",
>    "SSL_CLIENT_I_DN_CN",
>    "SSL_CLIENT_I_DN_Email",
>    "SSL_CLIENT_A_KEY",
>    "SSL_CLIENT_A_SIG",
>    "SSL_OCSP_LDAP_RESPONSE",   /* Giacob: environment var for ocsp (set explicitly in ssl_hook_Fixup) */
>    "SSL_SERVER_M_VERSION",
>    "SSL_SERVER_M_SERIAL",
>    "SSL_SERVER_V_START",
>    "SSL_SERVER_V_END",
>    "SSL_SERVER_S_DN",
>    "SSL_SERVER_S_DN_C",
>    "SSL_SERVER_S_DN_SP",
>    "SSL_SERVER_S_DN_L",
>    "SSL_SERVER_S_DN_O",
>    "SSL_SERVER_S_DN_OU",
>    "SSL_SERVER_S_DN_CN",
>    "SSL_SERVER_S_DN_Email",
>    "SSL_SERVER_I_DN",
>    "SSL_SERVER_I_DN_C",
>    "SSL_SERVER_I_DN_SP",
>    "SSL_SERVER_I_DN_L",
>    "SSL_SERVER_I_DN_O",
>    "SSL_SERVER_I_DN_OU",
>    "SSL_SERVER_I_DN_CN",
>    "SSL_SERVER_I_DN_Email",
>    "SSL_SERVER_A_KEY",
>    "SSL_SERVER_A_SIG",
>    NULL
>};
>
>/* look up the label for a status code in one of the STRTBL tables above:
> * search by code, not by array index (the OCSP status codes are not contiguous) */
>static const char *strtbl_lookup(STRTBL *table, int n, int t)
>{
>    int i;
>    for (i = 0; i < n; i++)
>        if (table[i].t == t)
>            return table[i].m;
>    return "unknown";
>}
>#define TBL_LOOKUP(tbl, t) strtbl_lookup((tbl), (int)(sizeof(tbl) / sizeof((tbl)[0])), (t))
>
>/* Giacob: retrieve cert status from ldap */
>
>static RESPONSE_FILE *ocsp_ldap_hook(X509 *xs, char *mail)
>{
>    RESPONSE_FILE *response;
>    LDAP *ld;
>    LDAPMessage *res, *e;
>    unsigned char *p;
>
>    static char time[15];               /* static: the caller keeps a pointer to it after return */
>    char filtpattern[1024];
>    /* was also: ldap-idd.comune.modena.it:389 */
>    char *ldapservers = "callisto.comune.modena.it:3389";
>    int done, rc;
>
>    /* the caller owns the result: it must be allocated, not left as a dangling pointer */
>    response = (RESPONSE_FILE *)calloc(1, sizeof(RESPONSE_FILE));
>    if (response == NULL)
>        return NULL;
>    response->cert_file = (CERT_FILE *)calloc(1, sizeof(CERT_FILE));
>    if (response->cert_file == NULL) {
>        free(response);
>        return NULL;
>    }
>
>    /* default response: certificate status REVOKED */
>    response->rsp_status = OCSP_RESPONSE_STATUS_SUCCESSFULL;
>    response->cert_file->status = V_OCSP_CERTSTATUS_REVOKED;
>    response->cert_file->reason = OCSP_REVOKED_STATUS_KEYCOMPROMISE;
>    strcpy(time, "19990506120000");
>    response->cert_file->time = time;
>    strcpy(ocsp_response, TBL_LOOKUP(certStatus, V_OCSP_CERTSTATUS_REVOKED));
>
>    /* DER-encode the certificate to verify straight into the static buffer
>     * (no round trip through a predictable file under /tmp) */
>    count = i2d_X509(xs, NULL);
>    if (count <= 0 || count > (int)sizeof(certificate)) {
>        fprintf(fperr, "Certificate to verify does not fit in %d bytes (%d needed).\n",
>                (int)sizeof(certificate), count);
>        fflush(fperr);
>        response->rsp_status = OCSP_RESPONSE_STATUS_INTERNALERROR;
>        response->cert_file->status = V_OCSP_CERTSTATUS_UNKNOWN;
>        strcpy(ocsp_response, TBL_LOOKUP(respStatus, OCSP_RESPONSE_STATUS_INTERNALERROR));
>        return response;
>    }
>    p = (unsigned char *)certificate;
>    i2d_X509(xs, &p);
>
>    fprintf(fperr, "Certificate to verify length in bytes: %d. \n", count);
>    fflush(fperr);
>
>    if ((ld = ldap_init(ldapservers, 0)) == NULL) {
>        fprintf(fperr, "can't initialize ldap support \n");
>        fflush(fperr);
>        response->rsp_status = OCSP_RESPONSE_STATUS_TRYLATER;
>        response->cert_file->status = V_OCSP_CERTSTATUS_UNKNOWN;
>        strcpy(ocsp_response, TBL_LOOKUP(respStatus, OCSP_RESPONSE_STATUS_TRYLATER));
>        return response;
>    }
>    /* LDAPv2 (U-Mich style API): the session options are plain struct fields */
>    ld->ld_options = LDAP_OPT_REFERRALS;
>    ld->ld_sizelimit = 0;
>    ld->ld_timelimit = 0;
>    ld->ld_deref = LDAP_DEREF_ALWAYS;
>
>    /* anonymous simple bind */
>    if ((rc = ldap_bind_s(ld, NULL, NULL, LDAP_AUTH_SIMPLE)) != LDAP_SUCCESS) {
>        fprintf(fperr, "can't bind to LDAP server %s\n", ldap_err2string(rc));
>        fflush(fperr);
>        response->rsp_status = OCSP_RESPONSE_STATUS_INTERNALERROR;
>        response->cert_file->status = V_OCSP_CERTSTATUS_UNKNOWN;
>        strcpy(ocsp_response, TBL_LOOKUP(respStatus, OCSP_RESPONSE_STATUS_INTERNALERROR));
>        ldap_unbind(ld);
>        return response;
>    } else {
>        fprintf(fperr, "bound to LDAP server!!!\n");
>        fflush(fperr);
>    }
>
>    /* build filter for ldap search by e-mail */
>    ldap_build_filter(filtpattern, 1024, "(%a=%v)", NULL, NULL, "mail", mail, NULL);
>
>    /* ldap_search returns -1 only when the request could not be sent;
>     * an empty result set is detected below through the done flag */
>    if (ldap_search(ld, "o=giacob ,c=it", LDAP_SCOPE_SUBTREE, filtpattern, attrs, 0) == -1) {
>        fprintf(fperr, "User %s NOT found in LDAP\n", mail);
>        fflush(fperr);
>        response->rsp_status = OCSP_RESPONSE_STATUS_UNAUTHORIZED;
>        response->cert_file->status = V_OCSP_CERTSTATUS_UNKNOWN;
>        strcpy(ocsp_response, TBL_LOOKUP(respStatus, OCSP_RESPONSE_STATUS_UNAUTHORIZED));
>        ldap_unbind(ld);
>        return response;
>    } else {
>        fprintf(fperr, "user %s found in LDAP\n", mail);
>        fflush(fperr);
>    }
>
>    done = 0;
>
>    /* retrieve results of ldap search: must be just one entry */
>    while ((rc = ldap_result(ld, LDAP_RES_ANY, 0, NULL, &res)) == LDAP_RES_SEARCH_ENTRY) {
>        e = ldap_first_entry(ld, res);
>        get_entry(ld, e, &response);
>        fprintf(fperr, "loop:\n");
>        fflush(fperr);
>        ldap_msgfree(res);
>        done = 1;
>    }
>
>    if (!done) {
>        fprintf(fperr, "Ldap search result not retrieved: %s.\n", ldap_err2string(rc));
>        fflush(fperr);
>        response->rsp_status = OCSP_RESPONSE_STATUS_INTERNALERROR;
>        response->cert_file->status = V_OCSP_CERTSTATUS_UNKNOWN;
>        strcpy(ocsp_response, TBL_LOOKUP(respStatus, OCSP_RESPONSE_STATUS_INTERNALERROR));
>        if (rc > 0)
>            ldap_msgfree(res);
>        ldap_unbind(ld);
>        return response;
>    }
>
>    if (rc > 0)
>        ldap_msgfree(res);              /* the final LDAP_RES_SEARCH_RESULT message */
>    ldap_unbind(ld);
>
>    fprintf(fperr, "Risposta ocsp: %s.\n", ocsp_response);
>    fflush(fperr);
>
>    return response;
>}
>
>static void get_entry(LDAP *ld, LDAPMessage *entry, RESPONSE_FILE **response)
>{
>    char *attribute;
>    char *value;
>    BerElement *ber = NULL;
>    struct berval **bvals;
>    int k;
>
>    /* retrieve attributes of the entry found by ldap search */
>    for (attribute = ldap_first_attribute(ld, entry, &ber); attribute != NULL;
>         attribute = ldap_next_attribute(ld, entry, ber)) {
>        if ((bvals = ldap_get_values_len(ld, entry, attribute)) != NULL) {
>            /* get each attribute value of current entry */
>            for (k = 0; bvals[k] != NULL; k++) {
>                value = bvals[k]->bv_val;
>                if (!strcmp(attribute, "usercertificate;binary")) {
>                    int cert_len = bvals[k]->bv_len;
>                    fprintf(fperr, "Certificato trovato in LDAP lungo %d caratteri:\n", cert_len);
>                    fflush(fperr);
>
>                    /* value, cert_len = current LDAP certificate in DER and its length in bytes */
>                    /* certificate, count = certificate under test */
>                    if (cert_len == count && memcmp(value, certificate, (size_t)cert_len) == 0) {
>                        /* certificate found: the LDAP copy is byte-for-byte identical.
>                         * memcmp replaces a hand-written post-increment loop that accepted a
>                         * certificate differing only in its last byte. */
>                        (*response)->rsp_status = OCSP_RESPONSE_STATUS_SUCCESSFULL;
>                        (*response)->cert_file->status = V_OCSP_CERTSTATUS_GOOD;
>                        strcpy(ocsp_response, TBL_LOOKUP(certStatus, V_OCSP_CERTSTATUS_GOOD));
>                    }
>                } else {
>                    ; /* NULL INSTRUCTION. Nothing on other attributes retrieved: mail, cn
>                       * was: if (!strcmp(attribute, "cn")) strcpy(nome, value);
>                       *      printf("%s=%s\n", attribute, value); */
>                }
>            }
>            ber_bvecfree(bvals);        /* frees array of berval returned from search */
>        }
>    }
>    if (ber != NULL)
>        ber_free(ber, 0);
>    return;
>}
>
>/* Giacob: creating ocsp request on certificate */
>
>static OCSP_REQUEST *ocsp_request_hook(X509 *xcert, OCSP_CERTID *certid)
>{
>    OCSP_REQUEST *req = NULL;
>    X509_NAME *xn = NULL;
>    BIO *bio = NULL;
>    STACK *extns = NULL;
>    FILE *fpocsp;
>
>    xn = X509_get_subject_name(xcert);
>
>    if (!(req = OCSP_request_new(xn, extns))) {
>        fprintf(fperr, "Can't create OCSP request.\n");
>        fflush(fperr);
>        return NULL;
>    } else {
>        fprintf(fperr, "OCSP request created.\n");
>        fflush(fperr);
>    }
>
>    if (OCSP_request_add(req, certid, NULL) == 0) {
>        fprintf(fperr, "Can't put data in OCSP request.\n");
>        fflush(fperr);
>        OCSP_REQUEST_free(req);
>        return NULL;
>    } else {
>        fprintf(fperr, "OCSP request filled with data.\n");
>        fflush(fperr);
>    }
>
>    /* dump the request to the debug log (BIO_NOCLOSE: the FILE is closed by hand) */
>    if ((fpocsp = fopen("/tmp/ocsp-patch.log", "w")) != NULL) {
>        if ((bio = BIO_new(BIO_s_file())) != NULL) {
>            BIO_set_fp(bio, fpocsp, BIO_NOCLOSE);
>            OCSP_REQUEST_print(bio, req);
>            BIO_free(bio);
>        }
>        fflush(fpocsp);
>        fclose(fpocsp);
>    }
>
>    return req;
>}
>
>/* Giacob: creating ocsp response on certificate */
>
>static OCSP_RESPONSE *ocsp_response_hook(int id, int rsp_status, X509 *xcert, OCSP_CERTID *certid,
>                                         OCSP_CERTSTATUS *ocsp_status, char *this, char *next)
>{
>    OCSP_BASICRESP *brsp = NULL;
>    OCSP_RESPONSE *rsp = NULL;
>    BIO *bio;
>    FILE *fpocsp;
>
>    if (!(brsp = OCSP_basic_response_new(id, xcert, NULL))) {
>        fprintf(fperr, "Can't create OCSP basic response.\n");
>        fflush(fperr);
>        return NULL;
>    } else {
>        fprintf(fperr, "OCSP basic response created.\n");
>        fflush(fperr);
>    }
>
>    if (!(OCSP_basic_response_add(brsp, certid, ocsp_status, this, next, NULL))) {
>        fprintf(fperr, "Can't put data in OCSP basic response.\n");
>        fflush(fperr);
>        OCSP_BASICRESP_free(brsp);
>        return NULL;
>    } else {
>        fprintf(fperr, "OCSP basic response filled with data.\n");
>        fflush(fperr);
>    }
>
>    /* the response is still unsigned, so a client has nothing to verify it against;
>     * the signing step is still to do, e.g.
>     * OCSP_basic_response_sign(brsp, EVP_PKEY *key, EVP_MD *dgst, STACK *certs); */
>
>    if (!(rsp = OCSP_response_new(rsp_status, NID_id_pkix_ocsp_basic, i2d_OCSP_BASICRESP, (char *)brsp))) {
>        fprintf(fperr, "Can't create OCSP response.\n");
>        fflush(fperr);
>        OCSP_BASICRESP_free(brsp);
>        return NULL;
>    } else {
>        fprintf(fperr, "OCSP response created.\n");
>        fflush(fperr);
>    }
>
>    /* append the response to the debug log */
>    if ((fpocsp = fopen("/tmp/ocsp-patch.log", "a")) != NULL) {
>        if ((bio = BIO_new(BIO_s_file())) != NULL) {
>            BIO_set_fp(bio, fpocsp, BIO_NOCLOSE);
>            OCSP_RESPONSE_print(bio, rsp);
>            BIO_free(bio);
>        }
>        fflush(fpocsp);
>        fclose(fpocsp);
>    }
>
>    OCSP_BASICRESP_free(brsp);
>
>    return rsp;
>}
>
>/* Giacob: OCSP responder */
>
>static void *ocsp_responder(X509 *xs)
>{
>    OCSP_CERTID *new_cid = NULL;
>    OCSP_REQUEST *new_req = NULL;
>    OCSP_RESPONSE *new_rsp = NULL;
>    OCSP_CERTSTATUS *cert_status = NULL;
>    X509_NAME *xn_subject, *xn_issuer;
>    RESPONSE_FILE *new_response = NULL;
>
>    char name[30], mail[30], time[15], this[15], next[15];
>
>    name[0] = '\0';                     /* stay defined if the subject lacks CN or e-mail */
>    mail[0] = '\0';
>
>    xn_issuer = X509_get_issuer_name(xs);
>    xn_subject = X509_get_subject_name(xs);
>
>    /* fperr is the debug log shared by all the hooks; fall back to stderr if it cannot be opened */
>    fperr = fopen("/tmp/ocsp-err.log", "w");
>    if (fperr == NULL)
>        fperr = stderr;
>
>    /* issuer differs from subject, i.e. an end-entity certificate rather than a self-signed root */
>    if (X509_NAME_cmp(xn_issuer, xn_subject) != 0) {
>        fprintf(fperr, "Subject certificate.\n");
>        X509_print_fp(fperr, xs);
>        fflush(fperr);
>
>        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
>            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE);
>
>        if (!(new_cid = OCSP_cert_id_new(EVP_md5(), X509_get_issuer_name(xs),
>                                         xs->cert_info->key->public_key, X509_get_serialNumber(xs)))) {
>            fprintf(fperr, "Can't create certificate id.\n");
>            fflush(fperr);
>            goto done;
>        } else {
>            fprintf(fperr, "New certificate id created.\n");
>            fflush(fperr);
>        }
>
>        if (!(new_req = ocsp_request_hook(xs, new_cid)))
>            goto done;
>
>        X509_NAME_get_text_by_NID(xn_subject, NID_commonName, name, sizeof(name));
>        X509_NAME_get_text_by_NID(xn_subject, NID_pkcs9_emailAddress, mail, sizeof(mail));
>
>        strcpy(time, "19990501224320");
>        strcpy(this, "19990401224320");
>        strcpy(next, "19990601224320");
>        fprintf(fperr, "Values inside vars: subject name=%s, subject e-mail=%s.\n", name, mail);
>        fflush(fperr);
>
>        if (!(new_response = ocsp_ldap_hook(xs, mail))) {
>            fprintf(fperr, "Can't get status from LDAP directory.\n");
>            fflush(fperr);
>            goto done;
>        } else {
>            fprintf(fperr, "Ldap get status done.\n");
>            fflush(fperr);
>        }
>
>        new_response->cert_file->name = name;
>        new_response->cert_file->time = time;
>        new_response->cert_file->this = this;
>        new_response->cert_file->next = next;
>
>        if (!(cert_status = OCSP_cert_status_new(new_response->cert_file->status,
>                                                 new_response->cert_file->reason, time))) {
>            fprintf(fperr, "Can't create new certificate status.\n");
>            fflush(fperr);
>            goto done;
>        } else {
>            fprintf(fperr, "New certificate status created.\n");
>            fflush(fperr);
>        }
>
>        /* if status = revoked ssl_log(s, SSL_LOG_ERROR, "Certificate Status Verification: Revoked Certificate");
>           ap_ctx_set(conn->client->ctx, "ssl::verify::error",
>                      X509_verify_cert_error_string(X509_V_ERR_CERT_REVOKED));
>           ok = FALSE; */
>
>        new_rsp = ocsp_response_hook(V_OCSP_RESPID_NAME, new_response->rsp_status, xs, new_cid,
>                                     cert_status, this, next);
>
>        if (bio_err)
>            ERR_print_errors(bio_err);
>        ERR_print_errors_fp(stderr);
>    }
>
>done:
>    /* release everything built during this call (the *_free routines of the OCSP ASN.1 types) */
>    if (new_rsp) OCSP_RESPONSE_free(new_rsp);
>    if (cert_status) OCSP_CERTSTATUS_free(cert_status);
>    if (new_req) OCSP_REQUEST_free(new_req);
>    if (new_cid) OCSP_CERTID_free(new_cid);
>    if (new_response) {                 /* allocated by ocsp_ldap_hook */
>        free(new_response->cert_file);
>        free(new_response);
>    }
>    if (bio_err) {
>        BIO_free(bio_err);
>        bio_err = NULL;
>    }
>    fflush(fperr);
>    if (fperr != stderr)
>        fclose(fperr);
>
>    return NULL;
>}
>
>int ssl_hook_Fixup(request_rec *r)
>{
>    SSLSrvConfigRec *sc = mySrvConfig(r->server);
>    SSLDirConfigRec *dc = myDirConfig(r);
>    table *e = r->subprocess_env;
>    char *var;
>    char *val;
>    int i;
>
>    /*
>     * Check to see if SSL is on
>     */
>    if (!sc->bEnabled)
>        return DECLINED;
>    if (ap_ctx_get(r->connection->client->ctx, "ssl") == NULL)
>        return DECLINED;
>
>    /*
>     * Annotate the SSI/CGI environment with standard SSL information
>     */
>    ap_table_set(e, "HTTPS", "on"); /* the HTTPS (=HTTP over SSL) flag! */
>    for (i = 0; ssl_hook_Fixup_vars[i] != NULL; i++) {
>        var = (char *)ssl_hook_Fixup_vars[i];
>        val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);
>        if (!strIsEmpty(val))
>            ap_table_set(e, var, val);
>    }
>
>    /* Giacob: set environment ocsp var */
>    ap_table_set(e, "SSL_OCSP_LDAP_RESPONSE", ocsp_response);
>
>    /*
>     * On-demand bloat up the SSI/CGI environment with certificate data
>     */
>    if (dc->nOptions & SSL_OPT_EXPORTCERTDATA) {
>        val = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_CERT");
>        ap_table_set(e, "SSL_CLIENT_CERT", val);
>        val = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_SERVER_CERT");
>        ap_table_set(e, "SSL_SERVER_CERT", val);
>    }
>
>    /*
>     * On-demand bloat up the SSI/CGI environment with compat variables
>     */
>#ifdef SSL_COMPAT
>    if (dc->nOptions & SSL_OPT_COMPATENVVARS)
>        ssl_compat_variables(r);
>#endif
>
>    return DECLINED;
>}
>
>int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx)
>{
>    SSL *ssl;
>    conn_rec *conn;
>    server_rec *s;
>    request_rec *r;
>    SSLSrvConfigRec *sc;
>    SSLDirConfigRec *dc;
>    X509 *xs;
>    int errnum;
>    int errdepth;
>    char *cp;
>    char *cp2;
>    int depth;
>
>    /*
>     * Get Apache context back through OpenSSL context
>     */
>    ssl = (SSL *)X509_STORE_CTX_get_app_data(ctx);
>    conn = (conn_rec *)SSL_get_app_data(ssl);
>    r = (request_rec *)SSL_get_app_data2(ssl);
>    s = conn->server;
>    sc = mySrvConfig(s);
>    dc = (r != NULL ? myDirConfig(r) : NULL);
>
>    /*
>     * Get verify ingredients
>     */
>    xs = X509_STORE_CTX_get_current_cert(ctx);
>    errnum = X509_STORE_CTX_get_error(ctx);
>    errdepth = X509_STORE_CTX_get_error_depth(ctx);
>
>    /*
>     * Log verification information
>     */
>    cp = X509_NAME_oneline(X509_get_subject_name(xs), NULL, 0);
>    cp2 = X509_NAME_oneline(X509_get_issuer_name(xs), NULL, 0);
>    ssl_log(s, SSL_LOG_TRACE,
>            "Certificate Verification: depth: %d, subject: %s, issuer: %s",
>            errdepth, cp != NULL ? cp : "-unknown-",
>            cp2 != NULL ? cp2 : "-unknown-");
>    if (cp)
>        free(cp);
>    if (cp2)
>        free(cp2);
>
>    /*
>     * Check for optionally acceptable non-verifiable issuer situation
>     */
>    if (   (   errnum == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
>            || errnum == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
>            || errnum == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
>            || errnum == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)
>        && sc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) {
>        ssl_log(s, SSL_LOG_TRACE,
>                "Certificate Verification: Verifiable Issuer is configured as "
>                "optional, therefore we're accepting the certificate");
>        ok = TRUE;
>    }
>
>    /*
>     * If we already know it's not ok, log the real reason
>     */
>    if (!ok) {
>        ssl_log(s, SSL_LOG_ERROR, "Certificate Verification: Error (%d): %s",
>                errnum, X509_verify_cert_error_string(errnum));
>        ap_ctx_set(conn->client->ctx, "ssl::client::dn", NULL);
>        ap_ctx_set(conn->client->ctx, "ssl::verify::error",
>                   X509_verify_cert_error_string(errnum));
>    }
>
>    /*
>     * Finally check the depth of the certificate verification
>     */
>    if (dc != NULL && dc->nVerifyDepth != UNSET)
>        depth = dc->nVerifyDepth;
>    else
>        depth = sc->nVerifyDepth;
>    if (errdepth > depth) {
>        ssl_log(s, SSL_LOG_ERROR,
>                "Certificate Verification: Certificate Chain too long "
>                "(chain has %d certificates, but maximum allowed are only %d)",
>                errdepth, depth);
>        ap_ctx_set(conn->client->ctx, "ssl::verify::error",
>                   X509_verify_cert_error_string(X509_V_ERR_CERT_CHAIN_TOO_LONG));
>        ok = FALSE;
>    }
>
>    /* Giacob: take certificate for ldap_hook
>     * (the LDAP answer is only exported via SSL_OCSP_LDAP_RESPONSE; it does not change ok) */
>    ocsp_responder(xs);
>
>    /*
>     * And finally signal OpenSSL the (perhaps changed) state
>     */
>    return (ok);
>}
>
>______________________________________________________________________
>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>User Support Mailing List [EMAIL PROTECTED]
>Automated List Manager [EMAIL PROTECTED]
YOUR MAIL WAS NOT SENT
There was no subject in your message.
PLEASE ENTER A SUBJECT IN YOUR MESSAGE
Thank-you.
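An added example (not from the post or from mod_ssl) isolating the certificate-comparison loop that get_entry() in the quoted patch uses to decide whether the client certificate is the one stored in LDAP: the post-increment in `*lc++ == *sc++` runs before the loop condition is re-tested, so a certificate that differs only in its final byte still leaves lc == value + cert_len and is reported as found (hence "good"); the memcmp form beside it rejects it. The DER-like sample bytes are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Comparison as written in the patch: after the mismatching byte is compared, lc
 * has already been advanced past it, so when the mismatch sits in the LAST byte
 * the loop exits with lc == value + cert_len and the certificate is accepted. */
int same_cert_patch(const char *value, const char *certificate, int cert_len, int count)
{
    const char *lc;
    const char *sc;
    if (cert_len != count)
        return 0;                       /* length guard from the patch */
    lc = value;
    sc = certificate;
    while (lc < value + cert_len && *lc++ == *sc++)
        ;                               /* NULL INSTRUCTION */
    return lc == value + cert_len;
}

/* Fixed comparison: the lengths must match and every byte must match. */
int same_cert_fixed(const char *value, const char *certificate, int cert_len, int count)
{
    return cert_len == count && memcmp(value, certificate, (size_t)cert_len) == 0;
}

/* Constructed sample: a tiny DER SEQUENCE standing in for a certificate, plus copies
 * that differ in the middle and in the last byte (where the signature bytes would sit). */
static const char SAMPLE[]    = "\x30\x0a\x02\x01\x01\x04\x05hello";
static const char MID_DIFF[]  = "\x30\x0a\x02\x01\x02\x04\x05hello";
static const char LAST_DIFF[] = "\x30\x0a\x02\x01\x01\x04\x05hellp";
#define SAMPLE_LEN 12

/* Runs the sample cases through both comparisons and returns how many of them the
 * patch's loop and the memcmp version disagree on (exactly the last-byte case). */
int count_disagreements(void)
{
    const char *others[3] = { SAMPLE, MID_DIFF, LAST_DIFF };
    int i, bad = 0;
    for (i = 0; i < 3; i++)
        if (same_cert_patch(others[i], SAMPLE, SAMPLE_LEN, SAMPLE_LEN)
            != same_cert_fixed(others[i], SAMPLE, SAMPLE_LEN, SAMPLE_LEN))
            bad++;
    /* a length mismatch is rejected by both versions */
    if (same_cert_patch(SAMPLE, SAMPLE, SAMPLE_LEN - 1, SAMPLE_LEN)
        != same_cert_fixed(SAMPLE, SAMPLE, SAMPLE_LEN - 1, SAMPLE_LEN))
        bad++;
    return bad;
}
```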