[rs-commit] r364 - in /mod_ca/trunk: ChangeLog mod_ca_engine.c mod_ca_simple.c
rs-commit at redwax.eu
Mon May 4 23:48:40 CEST 2020
Author: minfrin at redwax.eu
Date: Mon May 4 23:48:39 2020
New Revision: 364
Log:
Make sure the signer certificate is included as the first
intermediate certificate in the chain for mod_ca_simple and
mod_ca_engine. Clearly log the certificate chain.
Modified:
mod_ca/trunk/ChangeLog
mod_ca/trunk/mod_ca_engine.c
mod_ca/trunk/mod_ca_simple.c
Modified: mod_ca/trunk/ChangeLog
==============================================================================
--- mod_ca/trunk/ChangeLog (original)
+++ mod_ca/trunk/ChangeLog Mon May 4 23:48:39 2020
@@ -1,3 +1,10 @@
+
+Changes with v0.2.3
+
+ *) Make sure the signer certificate is included as the first
+ intermediate certificate in the chain for mod_ca_simple and
+ mod_ca_engine. Clearly log the certificate chain. [Graham
+ Leggett]
Changes with v0.2.2
Modified: mod_ca/trunk/mod_ca_engine.c
==============================================================================
--- mod_ca/trunk/mod_ca_engine.c (original)
+++ mod_ca/trunk/mod_ca_engine.c Mon May 4 23:48:39 2020
@@ -169,6 +169,12 @@
BIO_free(mem);
}
+static apr_status_t ca_BIO_cleanup(void *data)
+{
+ BIO_free((BIO *) data);
+ return APR_SUCCESS;
+}
+
static apr_status_t ca_PKCS7_cleanup(void *data)
{
PKCS7_free((PKCS7 *) data);
@@ -260,6 +266,7 @@
STACK_OF(X509_EXTENSION) *exts;
apr_hash_index_t *iter;
PKCS7 *p7;
+ BIO *audit = NULL;
const unsigned char *tmp;
unsigned char *tmp2;
const unsigned char *end;
@@ -406,8 +413,8 @@
X509V3_set_ctx(&ext_ctx, conf->signer, cert, NULL, NULL, 0);
for (iter = apr_hash_first(r->pool, conf->ext); iter; iter = apr_hash_next(iter)) {
- const void *vname;
- void *vval;
+ const void *vname;
+ void *vval;
const char *name, *val;
apr_hash_this(iter, &vname, NULL, &vval);
@@ -457,6 +464,32 @@
"could not add the signed certificate to the PKCS7 response");
return HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ /* print the subject, if necessary */
+ else if (APLOGrdebug(r)) {
+ audit = BIO_new(BIO_s_mem());
+ apr_pool_cleanup_register(r->pool, audit, ca_BIO_cleanup,
+ apr_pool_cleanup_null);
+ BIO_puts(audit, "[");
+ X509_NAME_print_ex(audit, X509_get_subject_name(cert), 0, XN_FLAG_RFC2253);
+ BIO_puts(audit, "]");
+ }
+
+ /* add the signer certificate */
+ if (X509_NAME_cmp(X509_get_subject_name(conf->signer),
+ X509_get_issuer_name(conf->signer))) {
+ if (!PKCS7_add_certificate(p7, conf->signer)) {
+ log_message(r, APR_SUCCESS,
+ "could not add the signer certificate to the PKCS7 response");
+
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ else if (APLOGrdebug(r)) {
+ BIO_puts(audit, ", [");
+ X509_NAME_print_ex(audit, X509_get_subject_name(conf->signer), 0, XN_FLAG_RFC2253);
+ BIO_puts(audit, "]");
+ }
}
/* add the certificate chain */
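Review bot: `audit = BIO_new(BIO_s_mem());` is never checked for NULL before it is registered with the pool and written to by `BIO_puts` and `X509_NAME_print_ex`; on allocation failure those writes fail and the closing `if (audit)` log is skipped silently, so the record of what was issued is lost with no error. A check such as `if (!audit) { log_message(r, APR_SUCCESS, "could not allocate audit buffer"); return HTTP_INTERNAL_SERVER_ERROR; }` placed right after the allocation matches the error style used for the PKCS7 calls in this hunk. The `else if (APLOGrdebug(r))` after a branch that unconditionally returns can be a plain `if`, which reads more clearly. The same pattern appears in the corresponding hunk of mod_ca_simple.c; the enclosing function starts and ends outside this hunk.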
@@ -492,20 +525,25 @@
sk_X509_push(chain, cert);
}
- xs = cert;
+ xs = conf->signer;
i = chain ? sk_X509_num(chain) : 0;
while (i) {
next = X509_find_by_subject(chain, X509_get_issuer_name(xs));
if (next) {
+ if (!X509_NAME_cmp(X509_get_subject_name(next),
+ X509_get_issuer_name(next))) {
+ break;
+ }
if (!PKCS7_add_certificate(p7, next)) {
log_message(r, APR_SUCCESS,
"could not add a certificate in the chain to the PKCS7 response");
return HTTP_INTERNAL_SERVER_ERROR;
}
- if (!X509_NAME_cmp(X509_get_subject_name(xs),
- X509_get_issuer_name(xs))) {
- break;
+ else if (APLOGrdebug(r)) {
+ BIO_puts(audit, ", [");
+ X509_NAME_print_ex(audit, X509_get_subject_name(next), 0, XN_FLAG_RFC2253);
+ BIO_puts(audit, "]");
}
xs = next;
}
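Review bot: The self-signed test now runs on `next` before it is added, so a self-signed root is deliberately left out of the PKCS7 response, but nothing in the code says so; a comment above the check such as `/* stop at the self-signed root: it is not included in the response */` would keep a later maintainer from "fixing" it. `X509_find_by_subject` selects by subject name alone, so if `chain` holds two certificates with the same subject (a renewed or cross-signed intermediate) the first match is used whether or not its key actually signed `xs`; that limitation is worth stating in the same comment. Loop termination depends on how `i` is updated below the hunk, which is not visible here, and the same change appears in mod_ca_simple.c.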
@@ -532,6 +570,14 @@
"could not DER encode the signed PKCS7");
return HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ if (audit) {
+ unsigned char *buf;
+ int n = BIO_get_mem_data(audit, &buf);
+ ap_log_rerror(APLOG_MARK, APLOG_NOTICE, APR_SUCCESS, r,
+ "mod_ca_engine: Successfully signed certificate and chain: %.*s",
+ n, buf);
}
return OK;
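Review bot: The "Successfully signed certificate and chain" line is emitted at `APLOG_NOTICE`, but `audit` is only ever allocated inside `else if (APLOGrdebug(r))`, so at the log levels a production server normally runs this issuance record never appears at all. Either build `audit` unconditionally so each signed certificate and the chain returned with it are recorded at NOTICE, or log at `APLOG_DEBUG` so the level matches the gate; the former is the more useful choice for a CA, since the issuance log is the record an operator reviews. The same mismatch is in the closing hunk of mod_ca_simple.c.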
Modified: mod_ca/trunk/mod_ca_simple.c
==============================================================================
--- mod_ca/trunk/mod_ca_simple.c (original)
+++ mod_ca/trunk/mod_ca_simple.c Mon May 4 23:48:39 2020
@@ -155,6 +155,12 @@
}
}
+static apr_status_t ca_BIO_cleanup(void *data)
+{
+ BIO_free((BIO *) data);
+ return APR_SUCCESS;
+}
+
static apr_status_t ca_EVP_PKEY_cleanup(void *data)
{
EVP_PKEY_free((EVP_PKEY *) data);
@@ -264,6 +270,7 @@
STACK_OF(X509_EXTENSION) *exts;
apr_hash_index_t *iter;
PKCS7 *p7;
+ BIO *audit = NULL;
const unsigned char *tmp;
unsigned char *tmp2;
const unsigned char *end;
@@ -402,8 +409,8 @@
X509V3_set_ctx(&ext_ctx, conf->signer, cert, NULL, NULL, 0);
for (iter = apr_hash_first(r->pool, conf->ext); iter;
iter = apr_hash_next(iter)) {
- const void *vname;
- void *vval;
+ const void *vname;
+ void *vval;
const char *name, *val;
apr_hash_this(iter, &vname, NULL, &vval);
@@ -456,6 +463,31 @@
return HTTP_INTERNAL_SERVER_ERROR;
}
+ /* print the subject, if necessary */
+ else if (APLOGrdebug(r)) {
+ audit = BIO_new(BIO_s_mem());
+ apr_pool_cleanup_register(r->pool, audit, ca_BIO_cleanup,
+ apr_pool_cleanup_null);
+ BIO_puts(audit, "[");
+ X509_NAME_print_ex(audit, X509_get_subject_name(cert), 0, XN_FLAG_RFC2253);
+ BIO_puts(audit, "]");
+ }
+
+ /* add the signer certificate */
+ if (X509_NAME_cmp(X509_get_subject_name(conf->signer), X509_get_issuer_name(conf->signer))) {
+ if (!PKCS7_add_certificate(p7, conf->signer)) {
+ log_message(r, APR_SUCCESS,
+ "could not add the signer certificate to the PKCS7 response");
+
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ else if (APLOGrdebug(r)) {
+ BIO_puts(audit, ", [");
+ X509_NAME_print_ex(audit, X509_get_subject_name(conf->signer), 0, XN_FLAG_RFC2253);
+ BIO_puts(audit, "]");
+ }
+ }
+
/* add the certificate chain */
tmp = NULL;
size = 0;
@@ -489,20 +521,25 @@
sk_X509_push(chain, cert);
}
- xs = cert;
+ xs = conf->signer;
i = chain ? sk_X509_num(chain) : 0;
while (i) {
next = X509_find_by_subject(chain, X509_get_issuer_name(xs));
if (next) {
+ if (!X509_NAME_cmp(X509_get_subject_name(next),
+ X509_get_issuer_name(next))) {
+ break;
+ }
if (!PKCS7_add_certificate(p7, next)) {
log_message(r, APR_SUCCESS,
"could not add a certificate in the chain to the PKCS7 response");
return HTTP_INTERNAL_SERVER_ERROR;
}
- if (!X509_NAME_cmp(X509_get_subject_name(xs),
- X509_get_issuer_name(xs))) {
- break;
+ else if (APLOGrdebug(r)) {
+ BIO_puts(audit, ", [");
+ X509_NAME_print_ex(audit, X509_get_subject_name(next), 0, XN_FLAG_RFC2253);
+ BIO_puts(audit, "]");
}
xs = next;
}
@@ -529,6 +566,14 @@
"could not DER encode the signed PKCS7");
return HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ if (audit) {
+ unsigned char *buf;
+ int n = BIO_get_mem_data(audit, &buf);
+ ap_log_rerror(APLOG_MARK, APLOG_NOTICE, APR_SUCCESS, r,
+ "mod_ca_simple: Successfully signed certificate and chain: %.*s",
+ n, buf);
}
return OK;