---- [email protected] wrote: 
> 
> ---- Ben Noordhuis <[email protected]> wrote: 
> > On Sun, Jun 17, 2012 at 9:46 PM,  <[email protected]> wrote:
> > > Hi,
> > >
> > > I am starting to look into implementing an Apache module that can use 
> > > information from an incoming request, including several headers and the 
> > > subject string from a client certificate to do authentication.
> > >
> > > I've been looking at the source for mod_auth_certificate, from 
> > > https://modules.apache.org/, as a starting point.
> > >
> > > However, it looks like the way that mod_auth_certificate works is that it 
> > > requires that there's an SSLUserName directive to put the client 
> > > certificate DN into the Apache REMOTE_USER attribute, whereas I need the 
> > > entire PEM for the client cert to do authentication that I'm trying to do.
> > >
> > > So I was wondering if it's possible for a module to access the 
> > > SSL_CLIENT_S_DN and SSL_CLIENT_CERT environment variables, and if so, how?
> > 
> > They should be set in r->subprocess_env provided `SSLOptions
> > +StdEnvVars +ExportCertData` is set in the server or per-directory
> > config.
> > 
> > > Also, as mentioned my module would need to access several HTTP headers 
> > > that are in the incoming requests.  How can it do that?
> > 
> > Look them up with `apr_table_get(r->headers_in, "X-Header-Name")`.
> 
> 
> Ben,
> 
> Thanks.  I'll give those a try.  We already have the SSLOptions set as you 
> mentioned, so assuming that I can figure out the coding (it's been a long 
> time since I've done C/C++), that should work :)...
> 
> Jim


Hi,

I haven't actually tried your suggestion yet, but, re. the SSL variables, I was 
looking at mod_headers.c, and in there, there are two separate functions:

static const char *header_request_env_var(request_rec *r, char *a)
{
    const char *s = apr_table_get(r->subprocess_env,a);

    if (s)
        return unwrap_header(r->pool, s);
    else
        return "(null)";
}

static const char *header_request_ssl_var(request_rec *r, char *name)
{
    if (header_ssl_lookup) {
        const char *val = header_ssl_lookup(r->pool, r->server,
                                            r->connection, r, name);
        if (val && val[0])
            return unwrap_header(r->pool, val);
        else
            return "(null)";
    }
    else {
        return "(null)";
    }
}

So, it seems like the method to get the SSL variables is different than the 
other environment variables?

Or, does setting SSLOptions the way that you suggested cause the SSL variables 
to also exist in apr_table_get(r->subprocess_env, xxxx)?

Jim
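
Added example, not part of the original thread or of mod_headers: whichever of the two lookup paths discussed above a module uses, the value it gets back for SSL_CLIENT_CERT should be checked before authentication relies on it. The helper names (`value_absent`, `looks_like_pem_cert`, `select_client_cert`) and the sample value are assumptions made for illustration; the caller is assumed to pass in the strings each lookup path returned.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

/* Constructed sample value, not a real certificate. */
static const char SAMPLE_PEM[] =
    PEM_BEGIN "\nQ09OU1RSVUNURUQ=\n" PEM_END "\n";

/* Absent: NULL, empty (the val[0] test in header_request_ssl_var), or
 * the "(null)" placeholder string that the mod_headers helpers return. */
static int value_absent(const char *v)
{
    return v == NULL || v[0] == '\0' || strcmp(v, "(null)") == 0;
}

/* One PEM block: BEGIN first, non-empty body, END, then only whitespace. */
static int looks_like_pem_cert(const char *v)
{
    const char *p, *end;
    if (strncmp(v, PEM_BEGIN, strlen(PEM_BEGIN)) != 0)
        return 0;
    p = v + strlen(PEM_BEGIN);
    if ((end = strstr(p, PEM_END)) == NULL)
        return 0;
    while (p < end && isspace((unsigned char)*p))
        p++;
    if (p == end)
        return 0;                       /* empty body */
    for (p = end + strlen(PEM_END); *p; p++)
        if (!isspace((unsigned char)*p))
            return 0;                   /* trailing data */
    return 1;
}

/* Hypothetical helper: the first non-absent lookup result wins and must
 * be a PEM block; otherwise return NULL so the caller denies access. */
const char *select_client_cert(const char *from_ssl_lookup, const char *from_env)
{
    const char *v = value_absent(from_ssl_lookup) ? from_env : from_ssl_lookup;
    return (value_absent(v) || !looks_like_pem_cert(v)) ? NULL : v;
}

int main(void)
{
    puts(select_client_cert("", SAMPLE_PEM) ? "usable" : "deny");
    return 0;
}
```

The check only confirms that a value is present and framed as a single PEM block; it does not parse or verify the certificate itself.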
