[rs-commit] r44 - in /mod_spkac/trunk: ChangeLog mod_spkac.c
Fri Apr 19 20:10:47 CEST 2019
Author: minfrin at redwax.eu
Date: Fri Apr 19 20:10:46 2019
New Revision: 44
Log:
Add support for the expression API, and remove the obsolete
CGI options.
Modified:
mod_spkac/trunk/ChangeLog
mod_spkac/trunk/mod_spkac.c
Modified: mod_spkac/trunk/ChangeLog
==============================================================================
--- mod_spkac/trunk/ChangeLog (original)
+++ mod_spkac/trunk/ChangeLog Fri Apr 19 20:10:46 2019
@@ -1,5 +1,8 @@
Changes with v0.2.0
+
+ *) Add support for the expression API, and remove the obsolete
+ CGI options. [Graham Leggett]
*) Work around OpenSSL regression https://github.com/openssl/openssl/issues/8553
[Graham Leggett]
Modified: mod_spkac/trunk/mod_spkac.c
==============================================================================
--- mod_spkac/trunk/mod_spkac.c (original)
+++ mod_spkac/trunk/mod_spkac.c Fri Apr 19 20:10:46 2019
@@ -40,6 +40,7 @@
#include "http_protocol.h"
#include "http_request.h"
#include "util_script.h"
+#include "ap_expr.h"
#include "mod_ca.h"
@@ -61,9 +62,8 @@
typedef struct
{
const char *name; /* raw name of the object, NULL matches all */
+ const ap_expr_info_t *expr; /* if present, expression to be assigned to each name */
int nid; /* name element from the request */
- const char *cgi; /* if present, take the value from the subprocess environment */
- const char *value; /* if present, use the absolute value */
int limit; /* if present, take up to the limit number of names */
} name_rec;
@@ -185,7 +185,7 @@
return NULL;
}
-static const char *set_subject_cgi(cmd_parms *cmd, void *dconf,
+static const char *set_subject_set(cmd_parms *cmd, void *dconf,
const char *arg1, const char *arg2)
{
spkac_config_rec *conf = dconf;
@@ -198,26 +198,16 @@
"Argument '%s' must be a valid subject identifier recognised by openssl",
arg1);
}
- name->cgi = arg2;
- conf->subject_set = 1;
-
- return NULL;
-}
-
-static const char *set_subject_set(cmd_parms *cmd, void *dconf,
- const char *arg1, const char *arg2)
-{
- spkac_config_rec *conf = dconf;
- name_rec *name = apr_array_push(conf->subject);
-
- name->name = arg1;
- name->nid = OBJ_txt2nid(arg1);
- if (name->nid == NID_undef) {
- return apr_psprintf(cmd->pool,
- "Argument '%s' must be a valid subject identifier recognised by openssl",
- arg1);
- }
- name->value = arg2;
+ else {
+ const char *expr_err = NULL;
+ name->expr = ap_expr_parse_cmd(cmd, arg2, AP_EXPR_FLAG_STRING_RESULT,
+ &expr_err, NULL);
+ if (expr_err) {
+ return apr_pstrcat(cmd->temp_pool, "Cannot parse expression '",
+ arg2, "': ", expr_err, NULL);
+ }
+ }
+
conf->subject_set = 1;
return NULL;
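Review bot: The `else {` wrapping the new expression-parsing code is redundant, because the `if (name->nid == NID_undef)` branch just above it returns; the parse could sit at function level, which drops one indentation step and reads as a plain validate-then-parse sequence. The new error message is built in `cmd->temp_pool` while the NID error a few lines earlier uses `cmd->pool`; both strings only live until the config parser reports them, so either pool works, but using one consistently within the handler would be tidier. Since `ap_expr_parse_cmd` returns NULL on failure and `expr_err` is checked, `name->expr` is only ever non-NULL once a valid expression is stored, which is what the runtime `if (name->expr)` check relies on; a one-line comment such as `/* expr is NULL only when parsing failed, in which case we return the error */` would make that contract explicit. The same redundant `else` and pool mismatch appear in the set_subjectaltname_set hunk below. set_subject_set's head (and the NID check the `else` pairs with) lies partly outside this hunk.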
@@ -293,7 +283,7 @@
return NULL;
}
-static const char *set_subjectaltname_cgi(cmd_parms *cmd, void *dconf,
+static const char *set_subjectaltname_set(cmd_parms *cmd, void *dconf,
const char *arg1, const char *arg2)
{
spkac_config_rec *conf = dconf;
@@ -306,26 +296,16 @@
"Argument '%s' was not one of otherName, rfc822Name, dNSName, x400Address, directoryName, ediPartyName, uniformResourceIdentifier, iPAddress or registeredID",
arg1);
}
- name->cgi = arg2;
- conf->subjectaltname_set = 1;
-
- return NULL;
-}
-
-static const char *set_subjectaltname_set(cmd_parms *cmd, void *dconf,
- const char *arg1, const char *arg2)
-{
- spkac_config_rec *conf = dconf;
- name_rec *name = apr_array_push(conf->subjectaltname);
-
- name->name = arg1;
- name->nid = type_from_subjectaltname(arg1);
- if (name->nid < 0) {
- return apr_psprintf(cmd->pool,
- "Argument '%s' was not one of otherName, rfc822Name, dNSName, x400Address, directoryName, ediPartyName, uniformResourceIdentifier, iPAddress or registeredID",
- arg1);
- }
- name->value = arg2;
+ else {
+ const char *expr_err = NULL;
+ name->expr = ap_expr_parse_cmd(cmd, arg2, AP_EXPR_FLAG_STRING_RESULT,
+ &expr_err, NULL);
+ if (expr_err) {
+ return apr_pstrcat(cmd->temp_pool, "Cannot parse expression '",
+ arg2, "': ", expr_err, NULL);
+ }
+ }
+
conf->subjectaltname_set = 1;
return NULL;
@@ -345,18 +325,12 @@
AP_INIT_TAKE12("SpkacSubjectRequest",
set_subject_request, NULL, RSRC_CONF | ACCESS_CONF,
"Specify fields in the request that will be included in the certificate. DN attribute name first, then optionally request variable if not the same."),
- AP_INIT_TAKE2("SpkacSubjectCGI",
- set_subject_cgi, NULL, RSRC_CONF | ACCESS_CONF,
- "Specify CGI variables in the request that will be included in the certificate. DN attribute name first, then CGI variable."),
AP_INIT_TAKE2("SpkacSubjectSet",
set_subject_set, NULL, RSRC_CONF | ACCESS_CONF,
"Specify DN attribute and value that will be included in the certificate."),
AP_INIT_TAKE12("SpkacSubjectAltNameRequest",
set_subjectaltname_request, NULL, RSRC_CONF | ACCESS_CONF,
"Specify fields in the certificate request subjectAltName that will be copied over to the certificate, with optional limit to the number of fields that may appear."),
- AP_INIT_TAKE2("SpkacSubjectAltNameCGI",
- set_subjectaltname_cgi, NULL, RSRC_CONF | ACCESS_CONF,
- "Specify CGI variables in the request that will be included in the certificate subjectAltName. DN attribute name first, then CGI variable."),
AP_INIT_TAKE2("SpkacSubjectAltNameSet",
set_subjectaltname_set, NULL, RSRC_CONF | ACCESS_CONF,
"Specify subjectAltName attribute and value that will be included in the certificate."),
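Review bot: The help strings for `SpkacSubjectSet` and `SpkacSubjectAltNameSet` still describe the second argument as a fixed "value", but after this commit it is parsed with `ap_expr_parse_cmd` and evaluated per request, so an administrator reading the directive list cannot tell that expression syntax is accepted. Suggest `"Specify DN attribute and an expression whose string result will be included in the certificate."` for the first and `"Specify subjectAltName attribute and an expression whose string result will be included in the certificate."` for the second. If the expression can reference request-supplied data, the documentation for these directives is also the place to say that such data ends up in the issued certificate unvalidated, so the expression should be chosen to draw on values the server has already authenticated.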
@@ -486,40 +460,25 @@
for (i = 0; i < conf->subject->nelts; i++) {
name_rec *name = ((name_rec *) conf->subject->elts) + i;
- if (name->cgi) {
- const char *val = (const char *) apr_table_get(r->subprocess_env,
- name->cgi);
- if (!val) {
+ if (name->expr) {
+ const char *err = NULL;
+ const char *arg = ap_expr_str_exec(r, name->expr, &err);
+ if (err || !arg) {
log_message(r, APR_SUCCESS,
apr_psprintf(r->pool,
- "CGI name '%s' was not found, and could not be added to the certificate subject as '%s'.",
- name->cgi, name->name));
+ "Expression for '%s' could not be executed, and could not be added to the certificate subject: %s",
+ name->name, err));
return HTTP_INTERNAL_SERVER_ERROR;
}
- if (val) {
- if (!X509_NAME_add_entry_by_NID(subject, name->nid,
- MBSTRING_UTF8, (unsigned char *) val, -1, -1, 0)) {
- log_message(r, APR_SUCCESS,
- apr_psprintf(r->pool,
- "CGI name '%s' with value '%s' could not be added to the certificate subject as '%s'.",
- name->cgi, val, name->name));
-
- return HTTP_INTERNAL_SERVER_ERROR;
- }
- }
-
- }
-
- else if (name->value) {
- if (!X509_NAME_add_entry_by_NID(subject, name->nid, MBSTRING_UTF8,
- (unsigned char *) name->value, -1, -1, 0)) {
- log_message(r, APR_SUCCESS,
- apr_psprintf(r->pool,
- "The value '%s' could not be added to the certificate subject as '%s'.",
- name->value, name->name));
-
- return HTTP_INTERNAL_SERVER_ERROR;
+ if (!X509_NAME_add_entry_by_NID(subject, name->nid,
+ MBSTRING_UTF8, (unsigned char *) arg, -1, -1, 0)) {
+ log_message(r, APR_SUCCESS,
+ apr_psprintf(r->pool,
+ "Expression with value '%s' could not be added to the certificate subject as '%s'.",
+ arg, name->name));
+
+ return HTTP_INTERNAL_SERVER_ERROR;
}
}
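Review bot: The error branch `if (err || !arg)` formats `err` with `%s`, but when the branch is entered through `!arg` alone `err` is still NULL; APR's formatter appears to print "(null)" rather than crash, yet the log line then carries no useful reason. Passing `err ? err : "expression returned no value"` as the last argument to `apr_psprintf` keeps the message meaningful in both cases. Note also that an empty-string result is not caught by `!arg` and goes straight to `X509_NAME_add_entry_by_NID`; whether that yields an empty RDN or an OpenSSL failure depends on the attribute's length constraints, so an explicit `if (!*arg)` check with its own message would make that outcome deterministic rather than surfacing as the generic "could not be added" error. The same NULL-`err` formatting appears in the subjectAltName hunk below. The enclosing request handler starts and ends outside this hunk.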
@@ -598,43 +557,24 @@
for (i = 0; i < conf->subjectaltname->nelts; i++) {
name_rec *name = ((name_rec *) conf->subjectaltname->elts) + i;
- if (name->cgi) {
- char *val = (char *) apr_table_get(r->subprocess_env, name->cgi);
- if (!val) {
+ if (name->expr) {
+ const char *err = NULL;
+ const char *arg = ap_expr_str_exec(r, name->expr, &err);
+ if (err || !arg) {
log_message(r, APR_SUCCESS,
apr_psprintf(r->pool,
- "CGI name '%s' was not found, and could not be added to the certificate subjectAltName as '%s'.",
- name->cgi, name->name));
+ "Expression for '%s' could not be executed, and could not be added to the certificate subjectAltName: %s",
+ name->name, err));
return HTTP_INTERNAL_SERVER_ERROR;
}
- if (val) {
- GENERAL_NAME *gen = a2i_GENERAL_NAME(NULL, NULL, NULL,
- name->nid, val, 0);
- if (!gen) {
- log_message(r, APR_SUCCESS,
- apr_psprintf(r->pool,
- "CGI name '%s' with value '%s' could not be added to the certificate subjectAltName as '%s'.",
- name->cgi, val, name->name));
-
- return HTTP_INTERNAL_SERVER_ERROR;
- }
- if (!sans) {
- sans = GENERAL_NAMES_new();
- }
- sk_GENERAL_NAME_push(sans, gen);
- }
-
- }
-
- else if (name->value) {
GENERAL_NAME *gen = a2i_GENERAL_NAME(NULL, NULL, NULL, name->nid,
- (char *) name->value, 0);
+ (char *) arg, 0);
if (!gen) {
- log_message(r, APR_SUCCESS,
- apr_psprintf(r->pool,
- "Value '%s' could not be added to the certificate subjectAltName as '%s'.",
- name->value, name->name));
+ log_message(r, APR_SUCCESS,
+ apr_psprintf(r->pool,
+ "Expression with value '%s' could not be added to the certificate subjectAltName as '%s'.",
+ arg, name->name));
return HTTP_INTERNAL_SERVER_ERROR;
}