[rs-commit] r41 - in /mod_csr/trunk: ChangeLog mod_csr.c



Author: minfrin at redwax.eu
Date: Fri Apr 19 01:00:35 2019
New Revision: 41

Log:
Add support for the expression API, and remove the obsolete 
CGI options.

Modified:
    mod_csr/trunk/ChangeLog
    mod_csr/trunk/mod_csr.c

Modified: mod_csr/trunk/ChangeLog
==============================================================================
--- mod_csr/trunk/ChangeLog	(original)
+++ mod_csr/trunk/ChangeLog	Fri Apr 19 01:00:35 2019
@@ -1,5 +1,8 @@
 
 Changes with v0.2.0
 
+ *) Add support for the expression API, and remove the obsolete
+    CGI options. [Graham Leggett]
+
  *) Initial import of mod_csr. [Graham Leggett]
 

Modified: mod_csr/trunk/mod_csr.c
==============================================================================
--- mod_csr/trunk/mod_csr.c	(original)
+++ mod_csr/trunk/mod_csr.c	Fri Apr 19 01:00:35 2019
@@ -38,6 +38,7 @@
 #include "http_protocol.h"
 #include "http_request.h"
 #include "util_script.h"
+#include "ap_expr.h"
 
 #include "mod_ca.h"
 
@@ -51,10 +52,10 @@
 typedef struct
 {
     const char *name; /* raw name of the object, NULL matches all */
+    const ap_expr_info_t *expr; /* if present, expression to be assigned to each name */
     int nid; /* name element from the request */
-    const char *cgi; /* if present, take the value from the subprocess environment */
-    const char *value; /* if present, use the absolute value */
     int limit; /* if present, take up to the limit number of names */
+//    int index; /* the index of a potentially multivalued value, -1 for all */
 } name_rec;
 
 typedef struct
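Review bot: The commented-out member `//    int index; /* the index of a potentially multivalued value, -1 for all */` added to name_rec is dead code that will go stale next to the live fields; either delete it or replace it with a plain `/* TODO: index into a multivalued result, -1 for all */` comment. With `cgi` and `value` gone, `expr` is now the only per-name source of a value, so its field comment could state the other case explicitly, e.g. `/* expression giving the value; NULL when the name is presumably copied from the request */`, hedged because the request-copy path is not part of this diff.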
@@ -200,7 +201,7 @@
     return NULL;
 }
 
-static const char *set_subject_cgi(cmd_parms *cmd, void *dconf,
+static const char *set_subject_set(cmd_parms *cmd, void *dconf,
         const char *arg1, const char *arg2)
 {
     csr_config_rec *conf = dconf;
@@ -213,26 +214,16 @@
                 "Argument '%s' must be a valid subject identifier recognised by openssl",
                 arg1);
     }
-    name->cgi = arg2;
-    conf->subject_set = 1;
-
-    return NULL;
-}
-
-static const char *set_subject_set(cmd_parms *cmd, void *dconf,
-        const char *arg1, const char *arg2)
-{
-    csr_config_rec *conf = dconf;
-    name_rec *name = apr_array_push(conf->subject);
-
-    name->name = arg1;
-    name->nid = OBJ_txt2nid(arg1);
-    if (name->nid == NID_undef) {
-        return apr_psprintf(cmd->pool,
-                "Argument '%s' must be a valid subject identifier recognised by openssl",
-                arg1);
-    }
-    name->value = arg2;
+    else {
+		const char *expr_err = NULL;
+		name->expr = ap_expr_parse_cmd(cmd, arg2, AP_EXPR_FLAG_STRING_RESULT,
+				&expr_err, NULL);
+		if (expr_err) {
+			return apr_pstrcat(cmd->temp_pool, "Cannot parse expression '",
+					arg2, "': ", expr_err, NULL);
+		}
+	}
+
     conf->subject_set = 1;
 
     return NULL;
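Review bot: The `else {` that wraps the new expression parsing is redundant, since the preceding `if (name->nid == NID_undef)` branch returns, and its body is tab-indented while the rest of the function uses four spaces; drop the `else` and outdent the block so the two argument checks read as a flat sequence of guards. The same shape recurs in set_subjectaltname_set (hunk @@ -326,26 +317,16 @@), and the tab indentation also appears in the log_message calls of the subject and subjectAltName loops later in the diff. Since arg2 is now an expression rather than a literal, the `CsrSubjectSet` and `CsrSubjectAltNameSet` help strings in the directive table, which still say "attribute and value", should be updated to say the value is an expression evaluated per request. set_subject_set's signature is in the preceding hunk and its closing brace follows this one.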
@@ -313,7 +304,7 @@
     return NULL;
 }
 
-static const char *set_subjectaltname_cgi(cmd_parms *cmd, void *dconf,
+static const char *set_subjectaltname_set(cmd_parms *cmd, void *dconf,
         const char *arg1, const char *arg2)
 {
     csr_config_rec *conf = dconf;
@@ -326,26 +317,16 @@
                 "Argument '%s' was not one of otherName, rfc822Name, dNSName, x400Address, directoryName, ediPartyName, uniformResourceIdentifier, iPAddress or registeredID",
                 arg1);
     }
-    name->cgi = arg2;
-    conf->subjectaltname_set = 1;
-
-    return NULL;
-}
-
-static const char *set_subjectaltname_set(cmd_parms *cmd, void *dconf,
-        const char *arg1, const char *arg2)
-{
-    csr_config_rec *conf = dconf;
-    name_rec *name = apr_array_push(conf->subjectaltname);
-
-    name->name = arg1;
-    name->nid = type_from_subjectaltname(arg1);
-    if (name->nid < 0) {
-        return apr_psprintf(cmd->pool,
-                "Argument '%s' was not one of otherName, rfc822Name, dNSName, x400Address, directoryName, ediPartyName, uniformResourceIdentifier, iPAddress or registeredID",
-                arg1);
-    }
-    name->value = arg2;
+    else {
+		const char *expr_err = NULL;
+		name->expr = ap_expr_parse_cmd(cmd, arg2, AP_EXPR_FLAG_STRING_RESULT,
+				&expr_err, NULL);
+		if (expr_err) {
+			return apr_pstrcat(cmd->temp_pool, "Cannot parse expression '",
+					arg2, "': ", expr_err, NULL);
+		}
+	}
+
     conf->subjectaltname_set = 1;
 
     return NULL;
@@ -386,18 +367,12 @@
                         AP_INIT_TAKE12("CsrSubjectRequest",
                                 set_subject_request, NULL, RSRC_CONF | ACCESS_CONF,
                                 "Specify fields in the certificate request subject that will be copied over to the certificate, with optional limit to the number of fields that may appear."),
-                        AP_INIT_TAKE2("CsrSubjectCGI",
-                                set_subject_cgi, NULL, RSRC_CONF | ACCESS_CONF,
-                                "Specify CGI variables in the request that will be included in the certificate subject. DN attribute name first, then CGI variable."),
                         AP_INIT_TAKE2("CsrSubjectSet",
                                 set_subject_set, NULL, RSRC_CONF | ACCESS_CONF,
                                 "Specify subject attribute and value that will be included in the certificate."),
                         AP_INIT_TAKE12("CsrSubjectAltNameRequest",
                                 set_subjectaltname_request, NULL, RSRC_CONF | ACCESS_CONF,
                                 "Specify fields in the certificate request subjectAltName that will be copied over to the certificate, with optional limit to the number of fields that may appear."),
-                        AP_INIT_TAKE2("CsrSubjectAltNameCGI",
-                                set_subjectaltname_cgi, NULL, RSRC_CONF | ACCESS_CONF,
-                                "Specify CGI variables in the request that will be included in the certificate subjectAltName. DN attribute name first, then CGI variable."),
                         AP_INIT_TAKE2("CsrSubjectAltNameSet",
                                 set_subjectaltname_set, NULL, RSRC_CONF | ACCESS_CONF,
                                 "Specify subjectAltName attribute and value that will be included in the certificate."),
@@ -556,40 +531,25 @@
     for (i = 0; i < conf->subject->nelts; i++) {
         name_rec *name = ((name_rec *) conf->subject->elts) + i;
 
-        if (name->cgi) {
-            const char *val = (const char *) apr_table_get(r->subprocess_env,
-                    name->cgi);
-            if (!val) {
+        if (name->expr) {
+            const char *err = NULL;
+            const char *arg = ap_expr_str_exec(r, name->expr, &err);
+            if (err || !arg) {
                 log_message(r, APR_SUCCESS,
                         apr_psprintf(r->pool,
-                                "CGI name '%s' was not found, and could not be added to the certificate subject as '%s'.",
-                                name->cgi, name->name));
+                                "Expression for '%s' could not be executed, and could not be added to the certificate subject: %s",
+                                name->name, err));
 
                 return HTTP_INTERNAL_SERVER_ERROR;
             }
-            if (val) {
-                if (!X509_NAME_add_entry_by_NID(subject, name->nid,
-                        MBSTRING_UTF8, (unsigned char *) val, -1, -1, 0)) {
-                    log_message(r, APR_SUCCESS,
-                            apr_psprintf(r->pool,
-                                    "CGI name '%s' with value '%s' could not be added to the certificate subject as '%s'.",
-                                    name->cgi, val, name->name));
-
-                    return HTTP_INTERNAL_SERVER_ERROR;
-                }
-            }
-
-        }
-
-        else if (name->value) {
-            if (!X509_NAME_add_entry_by_NID(subject, name->nid, MBSTRING_UTF8,
-                    (unsigned char *) name->value, -1, -1, 0)) {
-                log_message(r, APR_SUCCESS,
-                        apr_psprintf(r->pool,
-                                "The value '%s' could not be added to the certificate subject as '%s'.",
-                                name->value, name->name));
-
-                return HTTP_INTERNAL_SERVER_ERROR;
+            if (!X509_NAME_add_entry_by_NID(subject, name->nid,
+                        MBSTRING_UTF8, (unsigned char *) arg, -1, -1, 0)) {
+            	log_message(r, APR_SUCCESS,
+            			apr_psprintf(r->pool,
+            					"Expression with value '%s' could not be added to the certificate subject as '%s'.",
+								arg, name->name));
+
+            	return HTTP_INTERNAL_SERVER_ERROR;
             }
         }
 
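Review bot: The guard `if (err || !arg)` no longer rejects an empty result: the removed CGI path failed when the variable was absent, but ap_expr_str_exec, as far as I recall, evaluates an unset variable such as `%{REMOTE_USER}` to "" without setting err, so an empty string now reaches X509_NAME_add_entry_by_NID. OpenSSL will probably reject it for attributes with a minimum length, but the log line then reports the value as '' rather than the real cause, and when `arg` is NULL without `err` the `%s` in the failure message receives a NULL pointer. Change the guard to `if (err || !arg || !*arg) {` and format the reason with `err ? err : "empty result"`. The subjectAltName loop in hunk @@ -668,43 +628,24 @@ has the same gap, and there a2i_GENERAL_NAME may accept an empty value for some name types, so a SAN built from an unset attribute could end up in the issued certificate. The enclosing function starts and ends outside this hunk.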
@@ -668,43 +628,24 @@
     for (i = 0; i < conf->subjectaltname->nelts; i++) {
         name_rec *name = ((name_rec *) conf->subjectaltname->elts) + i;
 
-        if (name->cgi) {
-            char *val = (char *) apr_table_get(r->subprocess_env, name->cgi);
-            if (!val) {
+        if (name->expr) {
+            const char *err = NULL;
+            const char *arg = ap_expr_str_exec(r, name->expr, &err);
+            if (err || !arg) {
                 log_message(r, APR_SUCCESS,
                         apr_psprintf(r->pool,
-                                "CGI name '%s' was not found, and could not be added to the certificate subjectAltName as '%s'.",
-                                name->cgi, name->name));
+                                "Expression for '%s' could not be executed, and could not be added to the certificate subjectAltName: %s",
+                                name->name, err));
 
                 return HTTP_INTERNAL_SERVER_ERROR;
             }
-            if (val) {
-                GENERAL_NAME *gen = a2i_GENERAL_NAME(NULL, NULL, NULL,
-                        name->nid, val, 0);
-                if (!gen) {
-                    log_message(r, APR_SUCCESS,
-                            apr_psprintf(r->pool,
-                                    "CGI name '%s' with value '%s' could not be added to the certificate subjectAltName as '%s'.",
-                                    name->cgi, val, name->name));
-
-                    return HTTP_INTERNAL_SERVER_ERROR;
-                }
-                if (!sans) {
-                    sans = GENERAL_NAMES_new();
-                }
-                sk_GENERAL_NAME_push(sans, gen);
-            }
-
-        }
-
-        else if (name->value) {
             GENERAL_NAME *gen = a2i_GENERAL_NAME(NULL, NULL, NULL, name->nid,
-                    (char *) name->value, 0);
+                    (char *) arg, 0);
             if (!gen) {
-                log_message(r, APR_SUCCESS,
-                        apr_psprintf(r->pool,
-                                "Value '%s' could not be added to the certificate subjectAltName as '%s'.",
-                                name->value, name->name));
+            	log_message(r, APR_SUCCESS,
+            			apr_psprintf(r->pool,
+            					"Expression with value '%s' could not be added to the certificate subjectAltName as '%s'.",
+								arg, name->name));
 
                 return HTTP_INTERNAL_SERVER_ERROR;
             }


