[rs-commit] r24 - in /mod_scep/trunk: ChangeLog mod_scep.c
rs-commit at redwax.eu
rs-commit at redwax.eu
Sun Mar 31 00:01:16 CET 2019
Author: minfrin at redwax.eu
Date: Sun Mar 31 00:01:15 2019
New Revision: 24
Log:
PKIOperation request bodies are no longer application/x-pki-message,
be specific about application/x-www-form-urlencoded when we parse
the form. Clarify the error messages returned by PKIOperation to
indicate the operation being performed.
Modified:
mod_scep/trunk/ChangeLog
mod_scep/trunk/mod_scep.c
Modified: mod_scep/trunk/ChangeLog
==============================================================================
--- mod_scep/trunk/ChangeLog (original)
+++ mod_scep/trunk/ChangeLog Sun Mar 31 00:01:15 2019
@@ -1,5 +1,10 @@
Changes with v0.2.0
+
+ *) PKIOperation request bodies are no longer application/x-pki-message,
+ be specific about application/x-www-form-urlencoded when we parse
+ the form. Clarify the error messages returned by PKIOperation to
+ indicate the operation being performed. [Graham Leggett]
*) Honour CFLAGS during build. [Graham Leggett]
Modified: mod_scep/trunk/mod_scep.c
==============================================================================
--- mod_scep/trunk/mod_scep.c (original)
+++ mod_scep/trunk/mod_scep.c Sun Mar 31 00:01:15 2019
@@ -2444,8 +2444,8 @@
* PKIOperation
*
* Two options:
- * - Incoming MIME type is application/x-pki-message, body is a PKCS7 binary message
* - "message" was specified, un-base64 encode it, and contents is a PKCS7 binary message
+ * - Incoming MIME type is not application/x-www-form-urlencoded, body is a PKCS7 binary message
*/
static int get_pki_operation(request_rec *r, scep_config_rec *conf,
const char *message, const char *ct)
@@ -2459,58 +2459,7 @@
scep_t *scep;
BIO *outbio;
- if (ct && !strcmp(ct, "application/x-pki-message")) {
- int seen_eos = 0;
- BIO *b = BIO_new(BIO_s_mem());
- apr_pool_cleanup_register(r->pool, b, scep_BIO_cleanup,
- apr_pool_cleanup_null);
- apr_bucket_brigade *bb = apr_brigade_create(r->pool,
- r->connection->bucket_alloc);
-
- do {
- apr_bucket *bucket = NULL, *last = NULL;
-
- int rv = ap_get_brigade(r->input_filters, bb, AP_MODE_READBYTES,
- APR_BLOCK_READ, HUGE_STRING_LEN);
- if (rv != APR_SUCCESS) {
- apr_brigade_destroy(bb);
- return (rv == AP_FILTER_ERROR) ? rv : HTTP_BAD_REQUEST;
- }
-
- for (bucket = APR_BRIGADE_FIRST(bb);
- bucket != APR_BRIGADE_SENTINEL(bb); last = bucket, bucket =
- APR_BUCKET_NEXT(bucket)) {
- const char *data;
- apr_size_t len;
-
- if (last) {
- apr_bucket_delete(last);
- }
- if (APR_BUCKET_IS_EOS(bucket)) {
- seen_eos = 1;
- break;
- }
- if (bucket->length == 0) {
- continue;
- }
-
- rv = apr_bucket_read(bucket, &data, &len, APR_BLOCK_READ);
- if (rv != APR_SUCCESS) {
- apr_brigade_destroy(bb);
- return HTTP_BAD_REQUEST;
- }
- BIO_write(b, data, len);
-
- }
-
- apr_brigade_cleanup(bb);
- } while (!seen_eos);
-
- p7 = d2i_PKCS7_bio(b, NULL);
- apr_pool_cleanup_register(r->pool, p7, scep_PKCS7_cleanup,
- apr_pool_cleanup_null);
- }
- else if (message) {
+ if (message) {
unsigned char *buffer;
char *str;
int len;
@@ -2528,21 +2477,72 @@
memset(buffer, 0, len);
BIO_free(b);
}
+ else if (ct && strcmp(ct, "application/x-www-form-urlencoded")) {
+ int seen_eos = 0;
+ BIO *b = BIO_new(BIO_s_mem());
+ apr_pool_cleanup_register(r->pool, b, scep_BIO_cleanup,
+ apr_pool_cleanup_null);
+ apr_bucket_brigade *bb = apr_brigade_create(r->pool,
+ r->connection->bucket_alloc);
+
+ do {
+ apr_bucket *bucket = NULL, *last = NULL;
+
+ int rv = ap_get_brigade(r->input_filters, bb, AP_MODE_READBYTES,
+ APR_BLOCK_READ, HUGE_STRING_LEN);
+ if (rv != APR_SUCCESS) {
+ apr_brigade_destroy(bb);
+ return (rv == AP_FILTER_ERROR) ? rv : HTTP_BAD_REQUEST;
+ }
+
+ for (bucket = APR_BRIGADE_FIRST(bb);
+ bucket != APR_BRIGADE_SENTINEL(bb); last = bucket, bucket =
+ APR_BUCKET_NEXT(bucket)) {
+ const char *data;
+ apr_size_t len;
+
+ if (last) {
+ apr_bucket_delete(last);
+ }
+ if (APR_BUCKET_IS_EOS(bucket)) {
+ seen_eos = 1;
+ break;
+ }
+ if (bucket->length == 0) {
+ continue;
+ }
+
+ rv = apr_bucket_read(bucket, &data, &len, APR_BLOCK_READ);
+ if (rv != APR_SUCCESS) {
+ apr_brigade_destroy(bb);
+ return HTTP_BAD_REQUEST;
+ }
+ BIO_write(b, data, len);
+
+ }
+
+ apr_brigade_cleanup(bb);
+ } while (!seen_eos);
+
+ p7 = d2i_PKCS7_bio(b, NULL);
+ apr_pool_cleanup_register(r->pool, p7, scep_PKCS7_cleanup,
+ apr_pool_cleanup_null);
+ }
else {
log_message(r, APR_SUCCESS,
- "No content-type of 'application/x-pki-message' specified, or no 'message' parameter");
+ "PKIOperation failed: No content body, and no 'message' parameter");
goto err_bad_request;
}
if (!p7) {
- log_message(r, APR_SUCCESS, "PKCS7 message could not be read");
+ log_message(r, APR_SUCCESS, "PKIOperation failed: PKCS7 message could not be read");
goto err_bad_request;
}
if (!PKCS7_type_is_signed(p7)) {
- log_message(r, APR_SUCCESS, "PKCS7 message was not signed");
+ log_message(r, APR_SUCCESS, "PKIOperation failed: PKCS7 message was not signed");
goto err_bad_request;
}
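Review bot: The raw-body branch introduced at `else if (ct && strcmp(ct, "application/x-www-form-urlencoded"))` copies the entire request body into the memory BIO `b` without any size check, whereas the form path on the other side of this function is bounded by `conf->size`; since every non-form Content-Type now reaches this loop, a large POST is buffered in full unless LimitRequestBody happens to be configured. Keeping a running byte total inside the read loop and rejecting once it passes a limit (reusing `conf->size` if that is indeed the byte budget handed to ap_parse_form_data) closes the gap. Separately, `apr_pool_cleanup_register(r->pool, p7, scep_PKCS7_cleanup, ...)` is executed even when `d2i_PKCS7_bio` returned NULL, an outcome the `if (!p7)` check below shows is reachable; unless scep_PKCS7_cleanup is known to tolerate a NULL argument (not visible here), guard the registration with `if (p7)`. The enclosing get_pki_operation starts before this hunk and continues past it.
```c
        int seen_eos = 0;
        apr_size_t total = 0;   /* bytes buffered into b so far */
        /* … unchanged: BIO/brigade setup and ap_get_brigade loop head … */
                rv = apr_bucket_read(bucket, &data, &len, APR_BLOCK_READ);
                if (rv != APR_SUCCESS) {
                    apr_brigade_destroy(bb);
                    return HTTP_BAD_REQUEST;
                }
                total += len;
                if (total > conf->size) {   /* assumes conf->size is a byte limit — confirm */
                    apr_brigade_destroy(bb);
                    return HTTP_REQUEST_ENTITY_TOO_LARGE;
                }
                BIO_write(b, data, len);
        /* … unchanged: apr_brigade_cleanup / seen_eos loop tail … */
        p7 = d2i_PKCS7_bio(b, NULL);
        if (p7) {
            apr_pool_cleanup_register(r->pool, p7, scep_PKCS7_cleanup,
                    apr_pool_cleanup_null);
        }
```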
@@ -2552,12 +2552,12 @@
*/
sinfo = PKCS7_get_signer_info(p7);
if (!sinfo) {
- log_message(r, APR_SUCCESS, "no signer info was found");
+ log_message(r, APR_SUCCESS, "PKIOperation failed: no signer info was found");
goto err_bad_request;
}
if (sk_PKCS7_SIGNER_INFO_num(sinfo) != 1) {
- log_message(r, APR_SUCCESS, "more than one signer was found");
+ log_message(r, APR_SUCCESS, "PKIOperation failed: more than one signer was found");
goto err_bad_request;
}
@@ -2573,7 +2573,7 @@
BIO *b = PKCS7_dataInit(p7, NULL);
if (!b) {
log_message(r, APR_SUCCESS,
- "enveloped PKCS7 could not be extracted (bio could not be created)");
+ "PKIOperation failed: enveloped PKCS7 could not be extracted (bio could not be created)");
BIO_free(b);
goto err_bad_request;
@@ -2581,7 +2581,7 @@
p7e = d2i_PKCS7_bio(b, NULL);
if (!p7e) {
log_message(r, APR_SUCCESS,
- "enveloped PKCS7 could not be extracted (bio could not be read)");
+ "PKIOperation failed: enveloped PKCS7 could not be extracted (bio could not be read)");
BIO_free(b);
goto err_bad_request;
@@ -2591,7 +2591,7 @@
apr_pool_cleanup_null);
}
if (PKCS7_signatureVerify(b, p7, si, x509) <= 0) {
- log_message(r, APR_SUCCESS, "signature verification failed");
+ log_message(r, APR_SUCCESS, "PKIOperation failed: signature verification failed");
BIO_free(b);
goto err_bad_request;
@@ -2605,7 +2605,7 @@
*/
sattrs = PKCS7_get_signed_attributes(si);
if ((sattrs == NULL) || (sk_X509_ATTRIBUTE_num(sattrs) == 0)) {
- log_message(r, APR_SUCCESS, "unable to get signed attributes");
+ log_message(r, APR_SUCCESS, "PKIOperation failed: unable to get signed attributes");
goto err_bad_request;
}
scep = parse_scep_attributes(r, sattrs);
@@ -2616,7 +2616,7 @@
*/
outbio = BIO_new(BIO_s_mem());
if (!PKCS7_decrypt(p7e, conf->key, conf->signer, outbio, 0)) {
- log_message(r, APR_SUCCESS, "unable to decrypt PKCS7 envelope");
+ log_message(r, APR_SUCCESS, "PKIOperation failed: unable to decrypt PKCS7 envelope");
goto err_bad_request;
}
@@ -2627,7 +2627,7 @@
case SCEP_MESSAGETYPE_PKCSREQ: {
X509_REQ *req = d2i_X509_REQ_bio(outbio, NULL);
if (!req) {
- log_message(r, APR_SUCCESS, "unable to parse certificate request");
+ log_message(r, APR_SUCCESS, "PKIOperation failed: unable to parse certificate request");
goto err_bad_request;
}
else {
@@ -2637,7 +2637,7 @@
return scep_messagetype_pkcsreq(r, req, scep);
}
case SCEP_MESSAGETYPE_CERTREP: {
- log_message(r, APR_SUCCESS, "message type CertRep unexpected");
+ log_message(r, APR_SUCCESS, "PKIOperation failed: message type CertRep unexpected");
goto err_bad_request;
break;
}
@@ -2645,7 +2645,7 @@
PKCS7_ISSUER_AND_SUBJECT *ias = d2i_PKCS7_ISSUER_AND_SUBJECT_bio(outbio,
NULL);
if (!ias) {
- log_message(r, APR_SUCCESS, "unable to parse issuer and subject");
+ log_message(r, APR_SUCCESS, "PKIOperation failed: unable to parse issuer and subject");
goto err_bad_request;
}
else {
@@ -2659,7 +2659,7 @@
PKCS7_ISSUER_AND_SERIAL *ias = d2i_PKCS7_ISSUER_AND_SERIAL_bio(outbio,
NULL);
if (!ias) {
- log_message(r, APR_SUCCESS, "unable to parse issuer and serial");
+ log_message(r, APR_SUCCESS, "PKIOperation failed: unable to parse issuer and serial");
goto err_bad_request;
}
else {
@@ -2673,7 +2673,10 @@
return scep_messagetype_getcrl(r, scep);
}
default: {
- log_message(r, APR_SUCCESS, "message type was not recognised");
+ log_message(r, APR_SUCCESS,
+ apr_psprintf(r->pool,
+ "PKIOperation failed: message type %d was not recognised",
+ scep->messageType));
goto err_bad_request;
}
}
@@ -2849,9 +2852,9 @@
operation = apr_table_get(args, "operation");
message = apr_table_get(args, "message");
- /* if anything other than application/x-pki-message, try parse the form */
+ /* if application/x-www-form-urlencoded, try parse the form */
ct = apr_table_get(r->headers_in, "Content-Type");
- if (!ct || strcmp("application/x-pki-message", ct)) {
+ if (ct && !strcmp("application/x-www-form-urlencoded", ct)) {
rv = ap_parse_form_data(r, NULL, &pairs, -1, conf->size);
if (rv != OK) {
return rv;
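Review bot: The new test `if (ct && !strcmp("application/x-www-form-urlencoded", ct))` is an exact, case-sensitive comparison, so a Content-Type carrying a parameter such as `application/x-www-form-urlencoded; charset=UTF-8` skips form parsing here, and the matching strcmp in get_pki_operation then treats that body as a raw PKCS7 message, which fails with the misleading "PKCS7 message could not be read". Both call sites should share one helper, e.g. `static int is_form_urlencoded(const char *ct)` that compares the media type with `strncasecmp` up to the first `;`, so the two decisions cannot drift apart; ap_parse_form_data itself may already be that lenient, but its check is not visible here. Relatedly, the `else` branch message in the earlier hunk, "No content body, and no 'message' parameter", is also reached for a form-urlencoded POST that did have a body but lacked a `message` field, so "No PKCS7 body and no 'message' parameter" would describe the condition more accurately. The enclosing handler continues outside this hunk.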