[rs-commit] r58 - in /mod_ca/trunk: ChangeLog mod_ca_simple.c



Author: minfrin at redwax.eu
Date: Wed Aug 28 23:39:16 2019
New Revision: 58

Log:
Make sure that extensions are added with X509V3_CTX.

Modified:
    mod_ca/trunk/ChangeLog
    mod_ca/trunk/mod_ca_simple.c

Modified: mod_ca/trunk/ChangeLog
==============================================================================
--- mod_ca/trunk/ChangeLog	(original)
+++ mod_ca/trunk/ChangeLog	Wed Aug 28 23:39:16 2019
@@ -1,5 +1,8 @@
 
 Changes with v0.2.0
+
+ *) Make sure that extensions are added with X509V3_CTX.
+    [Graham Leggett]
 
  *) Updates to compile with openssl v1.1.0. [Graham Leggett]
 

Modified: mod_ca/trunk/mod_ca_simple.c
==============================================================================
--- mod_ca/trunk/mod_ca_simple.c	(original)
+++ mod_ca/trunk/mod_ca_simple.c	Wed Aug 28 23:39:16 2019
@@ -63,7 +63,7 @@
     X509_NAME *signer_name;
     EVP_PKEY *key;
     EVP_PKEY_CTX *pkey_ctx;
-    apr_array_header_t *ext;
+    apr_hash_t *ext;
     unsigned char *signer_der;
     unsigned char *signer_chain_der;
     unsigned char *signer_ca_der;
@@ -254,6 +254,7 @@
 int ca_simple_sign(request_rec *r, apr_hash_t *params,
         const unsigned char **buffer, apr_size_t *len)
 {
+	X509V3_CTX ext_ctx;
     X509 *cert = NULL;
     X509_REQ *creq = NULL;
     EVP_PKEY *pktmp = NULL;
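Review bot: The added declaration `X509V3_CTX ext_ctx;` is indented with a tab while the neighbouring declarations use four spaces, and the same tab/space mix recurs in the later added lines of this function and in the config-merge change. `    X509V3_CTX ext_ctx;` with spaces keeps the file's existing style. ca_simple_sign's body continues outside this hunk.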
@@ -261,8 +262,7 @@
     ASN1_INTEGER *sno = NULL;
     ASN1_GENERALIZEDTIME *t = NULL;
     STACK_OF(X509_EXTENSION) *exts;
-    int rv, i;
-    apr_time_t time;
+    apr_hash_index_t *iter;
     PKCS7 *p7;
     const unsigned char *tmp;
     unsigned char *tmp2;
@@ -270,6 +270,8 @@
     X509 *xs, *next;
     STACK_OF(X509) *chain;
     apr_size_t size;
+    apr_time_t time;
+    int rv, i;
 
     ca_config_rec *conf = ap_get_module_config(r->per_dir_config,
             &ca_simple_module);
@@ -326,12 +328,6 @@
 
     }
 
-    for (i = 0; i < conf->ext->nelts; i++) {
-        X509_add_ext(cert,
-                X509_EXTENSION_dup(((X509_EXTENSION **) conf->ext->elts)[i]),
-                -1);
-    }
-
     pktmp = X509_REQ_get_pubkey(creq);
     if (!pktmp) {
         log_message(r, APR_SUCCESS, "request had no public key");
@@ -402,6 +398,30 @@
 
         return HTTP_INTERNAL_SERVER_ERROR;
     }
+
+	X509V3_set_ctx(&ext_ctx, conf->signer, cert, NULL, NULL, 0);
+	for (iter = apr_hash_first(r->pool, conf->ext); iter;
+			iter = apr_hash_next(iter)) {
+		const char *name, *val;
+
+		name = apr_hash_this_key(iter);
+		val = apr_hash_this_val(iter);
+
+		X509_EXTENSION *extension = X509V3_EXT_conf(NULL, &ext_ctx,
+				(char *) name, (char *) val);
+		if (!extension) {
+			log_message(r, APR_SUCCESS,
+					apr_psprintf(r->pool,
+							"extension '%s' could not be set to '%s'", name,
+							val));
+
+			return HTTP_INTERNAL_SERVER_ERROR;
+		}
+		apr_pool_cleanup_register(r->pool, extension, ca_X509_EXTENSION_cleanup,
+				apr_pool_cleanup_null);
+
+		X509_add_ext(cert, extension, -1);
+	}
 
     if (!X509_sign(cert, conf->key, EVP_sha256())) {
         log_message(r, APR_SUCCESS, "could not sign the request");
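Review bot: `X509V3_set_ctx` on the stack-allocated `ext_ctx` fills in issuer, subject, request, CRL and flags but, as far as I recall the OpenSSL API, leaves the `db`/`db_meth` members untouched, so an extension value that refers to a config section (an `@section` reference) would make `X509V3_EXT_conf` read an indeterminate pointer; call `X509V3_set_ctx_nodb(&ext_ctx);` before `X509V3_set_ctx`, as OpenSSL's own apps do. The return value of `X509_add_ext(cert, extension, -1)` is also unchecked, so a failure there would issue a certificate silently missing a configured extension such as basicConstraints or keyUsage — the loop should treat it exactly like the `X509V3_EXT_conf` failure above it. The early `return HTTP_INTERNAL_SERVER_ERROR` inside the loop mirrors the earlier returns in this function; whether `cert` and `creq` are released on that path depends on cleanups registered outside this hunk, which I cannot see. ca_simple_sign begins before and ends after this hunk.

```c
    X509V3_set_ctx_nodb(&ext_ctx);
    X509V3_set_ctx(&ext_ctx, conf->signer, cert, NULL, NULL, 0);
    for (iter = apr_hash_first(r->pool, conf->ext); iter;
            iter = apr_hash_next(iter)) {
        /* … unchanged: fetch name/val, X509V3_EXT_conf, failure log, cleanup registration … */

        if (!X509_add_ext(cert, extension, -1)) {
            log_message(r, APR_SUCCESS,
                    apr_psprintf(r->pool,
                            "extension '%s' could not be added to the certificate",
                            name));

            return HTTP_INTERNAL_SERVER_ERROR;
        }
    }
```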
@@ -786,7 +806,7 @@
     ca_config_rec *conf = apr_pcalloc(p, sizeof(ca_config_rec));
 
     conf->days = DEFAULT_CA_DAYS;
-    conf->ext = apr_array_make(p, 5, sizeof(X509_EXTENSION *));
+    conf->ext = apr_hash_make(p);
 
     return conf;
 }
@@ -847,8 +867,10 @@
             || base->serial_subject_set;
     new->time = (add->time_set == 0) ? base->time : add->time;
     new->time_set = add->time_set || base->time_set;
-    new->ext = (add->ext_set == 0) ? base->ext : add->ext;
-    new->ext_set = add->ext_set || base->ext_set;
+    new->ext =
+            (add->ext_set == 0) ?
+                    base->ext : apr_hash_overlay(p, add->ext, base->ext);
+	new->ext_set = add->ext_set || base->ext_set;
     new->pkey_ctx = (add->pkey_ctx_set == 0) ? base->pkey_ctx : add->pkey_ctx;
     new->pkey_ctx_set = add->pkey_ctx_set || base->pkey_ctx_set;
 
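Review bot: The `apr_hash_overlay(p, add->ext, base->ext)` call relies on APR's argument order (overlay first, base second) so that the more specific scope wins on a name clash, and together with the switch from replacing to merging the inherited extensions this is not obvious to a reader of the merge function; a comment such as `/* merge: extensions of the more specific scope (add) override same-named ones inherited from base */` above the assignment would record it. When `add->ext_set` is 0 the merged config shares `base->ext` rather than copying it, which is only safe as long as nothing mutates the hash after merge — I cannot tell from this hunk whether that holds. The enclosing merge function starts and ends outside the hunk.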
@@ -1075,18 +1097,7 @@
 {
     ca_config_rec *conf = dconf;
 
-    X509_EXTENSION **extension;
-
-    extension = apr_array_push(conf->ext);
-    *extension = X509V3_EXT_conf(NULL, NULL, (char *)name, (char *)val);
-    if (!*extension) {
-        return log_config(cmd,
-                apr_psprintf(cmd->pool,
-                        "CASimpleExtension '%s' could not be set to '%s'", name, val));
-    }
-    apr_pool_cleanup_register(cmd->pool, *extension, ca_X509_EXTENSION_cleanup,
-            apr_pool_cleanup_null);
-
+    apr_hash_set(conf->ext, name, APR_HASH_KEY_STRING, val);
     conf->ext_set = 1;
 
     return NULL;
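Review bot: The directive handler no longer parses the extension value, so a typo in a `CASimpleExtension` line is not reported at configuration load any more but becomes an HTTP 500 on every signing request, explained only by the request-time log line; that shift deserves a comment here, e.g. `/* value is parsed at signing time, when X509V3_set_ctx can supply the subject/issuer certs */`. Because the hash is keyed by the extension name, a second directive for the same name in one scope now silently replaces the first instead of yielding a certificate with duplicate extensions — worth stating in the directive's documentation. `apr_hash_set` stores the `name` pointer rather than a copy, which is fine if `name` lives in `cmd->pool` as directive arguments normally do, but the handler's signature is outside the hunk so I cannot confirm. The enclosing function starts before this hunk.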


