[rs-commit] r436 - in /mod_scep/trunk: README mod_scep.c
rs-commit at redwax.eu
rs-commit at redwax.eu
Thu Oct 19 19:15:09 CEST 2023
Author: dirkx at redwax.eu
Date: Thu Oct 19 19:15:08 2023
New Revision: 436
Log:
Slightly richer constraint setup
Modified:
mod_scep/trunk/README
mod_scep/trunk/mod_scep.c
Modified: mod_scep/trunk/README
==============================================================================
--- mod_scep/trunk/README (original)
+++ mod_scep/trunk/README Thu Oct 19 19:15:08 2023
@@ -1,3 +1,11 @@
+<<<<<<< .mine
+# AA basic configuration for SCEP issuing.
+#
+# 0. Set up some directories; The directory cert needs to be server writable.
+#
+# mkdir ca ra cert
+# chown www:www cert
+#
# AA basic configuration for SCEP issuing.
#
# 0. Set up some directories; The directory cert needs to be server writable.
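Review bot: The first added line `<<<<<<< .mine` is a leftover merge-conflict marker, and the seven lines after it duplicate the heading that already starts at the old line 1 of the file, so this hunk should be reduced to the original heading with the marker and the duplicate block removed. As committed, anyone copying the top of the README into their notes gets the marker pasted in with it.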
@@ -18,22 +26,12 @@
# -out ra/ra-cert.pem \
# -extfile config.cnf -extensions ra
#
-
# 2. Load the right modules into httpd.conf
#
-# (Mac/Linux style)
-LoadModule ca_module lib/apache2/modules/mod_ca.so
-LoadModule scep_module lib/apache2/modules/mod_scep.so
-LoadModule ca_simple_module lib/apache2/modules/mod_ca_simple.so
-LoadModule ca_disk_module lib/apache2/modules/mod_ca_disk.so
-
-OR use
-
-# (*BSD/Debian style)
-LoadModule ca_module libexec/apache24/mod_ca.so
-LoadModule scep_module libexec/apache24/mod_scep.so
-LoadModule ca_simple_module libexec/apache24/mod_ca_simple.so
-LoadModule ca_disk_module libexec/apache24/mod_ca_disk.so
+LoadModule ca_module libexec/apache24/mod_ca.so
+LoadModule scep_module libexec/apache24/mod_scep.so
+LoadModule ca_simple_module libexec/apache24/mod_ca_simple.so
+LoadModule ca_disk_module libexec/apache24/mod_ca_disk.so
# Configure a URL (in this case - /scep). We're not setting any
# access restricitons - anyone can ask for anything.
@@ -51,7 +49,38 @@
CASimpleKey /opt/local/etc/pki/ca/ca-key.pem
CASimpleSerialRandom on
CASimpleTime on
- CADiskCertificateSignRequestPath /opt/local/etc/pki/issued_certs/
- CADiskCertificateByTransactionPath /opt/local/etc/pki/issued_certs/
+ CADiskCertificateSignRequestPath /opt/local/etc/pki/certs/
+ CADiskCertificateByTransactionPath /opt/local/etc/pki/certs/
</Location>
+Add below to above blocka more elaborate setup that limits/constraints things a bit more:
+
+<Location /scep>
+ LogLevel Debug
+
+ ScepSubjectRequest O
+ ScepSubjectRequest countryName
+ ScepSubjectRequest stateOrProvinceName
+ ScepSubjectRequest commonName
+ ScepSubjectSet OU "Test Certificate"
+ ScepSubjectSet O "My company"
+ ScepSubjectSet L "Town"
+ ScepSubjectSet C "EU"
+ #
+ # Allow up to 20 of any type
+ ScepSubjectAltNameRequest * 20
+ ScepSubjectRequest * 20
+ #
+ CASimpleExtension basicConstraints CA:FALSE
+ CASimpleExtension keyUsage critical,nonRepudiation,digitalSignature,keyEncipherment
+
+ # clientAuth - Indicates that a certificate can be used as a Secure Sockets Layer (SSL) client certificate
+ # emailProtection - Indicates that a certificate can be used for protecting email (signing, encryption, key agreement)
+ # ipsecUser - IPSEC User Certificate
+ # secureShellClient - id-kp-secureShellClient (indicates that the key can be used for a Secure Shell client)
+ #
+ CASimpleExtension extendedKeyUsage OID:1.3.6.1.5.5.7.3.21,OID:1.3.6.1.5.5.7.3.7,OID:1.3.6.1.5.5.7.3.4,OID:1.3.6.1.5.5.7.3.2
+
+ CASimpleExtension subjectKeyIdentifier hash
+ CASimpleExtension authorityKeyIdentifier keyid,issuer
+
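Review bot: The `<Location /scep>` that opens this example is never closed, while the introducing sentence says the settings are to be added to the block above; either append `</Location>` or drop the opening line and present the directives as additions to the earlier block. The example also sets `LogLevel Debug`, and with the mod_scep.c change in this same revision the full certificate request, apparently including any attributes the client sent, is written to the error log at that level, so the README should say that debug logging is for troubleshooting only. Minor wording: `blocka more elaborate` should read `block a more elaborate`.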
Modified: mod_scep/trunk/mod_scep.c
==============================================================================
--- mod_scep/trunk/mod_scep.c (original)
+++ mod_scep/trunk/mod_scep.c Thu Oct 19 19:15:08 2023
@@ -63,6 +63,7 @@
#define DEFAULT_FRESHNESS 2
#define DEFAULT_FRESHNESS_MAX 3600*24
+#define DN_UNLIMITED (-1)
module AP_MODULE_DECLARE_DATA scep_module;
@@ -457,6 +458,18 @@
scep_config_rec *conf = dconf;
name_rec *name = apr_array_push(conf->subject);
+ if (arg2) {
+ char *end;
+ name->limit = (int) apr_strtoi64(arg2, &end, 10);
+ if (*end || name->limit < 1) {
+ return apr_psprintf(cmd->pool,
+ "Argument '%s' must be a positive integer", arg2);
+ }
+ }
+ else {
+ name->limit = 1;
+ }
+
if (strcmp(arg1, "*")) {
name->name = arg1;
name->nid = OBJ_txt2nid(arg1);
@@ -465,19 +478,10 @@
"Argument '%s' must be a valid subject identifier recognised by openssl",
arg1);
}
- }
-
- if (arg2) {
- char *end;
- name->limit = (int) apr_strtoi64(arg2, &end, 10);
- if (*end || name->limit < 1) {
- return apr_psprintf(cmd->pool,
- "Argument '%s' must be a positive integer", arg2);
- }
- }
- else {
- name->limit = 1;
- }
+ } else {
+ name->nid = DN_UNLIMITED;
+ if (!name->limit) name->limit = DN_UNLIMITED;
+ };
conf->subject_set = 1;
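Review bot: `if (!name->limit) name->limit = DN_UNLIMITED;` in the new wildcard branch can never fire, because the block moved to the top of the handler has already set `name->limit` to the parsed count or to 1 before `arg1` is examined, so a bare `ScepSubjectRequest *` ends up limited to a single attribute. If a wildcard without a count is meant to be unlimited, make the default depend on the argument instead: `if (!arg2) name->limit = DN_UNLIMITED;`. The same dead check appears in the ScepSubjectAltNameRequest hunk below, right after `name->nid = DN_UNLIMITED; /* wildcard */`. The `};` closing the else branch carries a stray empty statement; `}` is enough. The enclosing handler starts before this hunk.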
@@ -557,6 +561,18 @@
scep_config_rec *conf = dconf;
name_rec *name = apr_array_push(conf->subjectaltname);
+ if (arg2) {
+ char *end;
+ name->limit = (int) apr_strtoi64(arg2, &end, 10);
+ if (*end || name->limit < 1) {
+ return apr_psprintf(cmd->pool,
+ "Argument '%s' must be a positive integer", arg2);
+ }
+ }
+ else {
+ name->limit = 1;
+ }
+
if (strcmp(arg1, "*")) {
name->name = arg1;
name->nid = type_from_subjectaltname(arg1);
@@ -567,19 +583,8 @@
}
}
else {
- name->nid = -1;
- }
-
- if (arg2) {
- char *end;
- name->limit = (int) apr_strtoi64(arg2, &end, 10);
- if (*end || name->limit < 1) {
- return apr_psprintf(cmd->pool,
- "Argument '%s' must be a positive integer", arg2);
- }
- }
- else {
- name->limit = 1;
+ name->nid = DN_UNLIMITED; /* wildcard */
+ if (!name->limit) name->limit = DN_UNLIMITED;
}
conf->subjectaltname_set = 1;
@@ -762,6 +767,25 @@
}
}
+static void log_request(request_rec *r, X509_REQ *req, const char * msg)
+{
+ BIO * debug = BIO_new(BIO_s_mem());
+ char buf[HUGE_STRING_LEN];
+ int len;
+
+ apr_pool_cleanup_register(r->pool, debug, scep_BIO_cleanup,
+ apr_pool_cleanup_null);
+
+ X509_REQ_print_ex(debug, req, 0, XN_FLAG_ONELINE);
+ while ((len = BIO_gets(debug, buf, sizeof(buf))) > 0) {
+ /* Remove any LF/CR - as the logging subsystem will do this */
+ while(len && (buf[len-1] == '\n' || buf[len-1] == '\r'))
+ len --;
+ ap_log_rerror(
+ APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, "%s: %.*s", msg, len, buf);
+ }
+}
+
static void make_sender_nonce(request_rec *r, scep_t *rscep)
{
rscep->senderNonceLength = 16;
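Review bot: `X509_REQ_print_ex(debug, req, 0, XN_FLAG_ONELINE)` passes the name flag in the cflag position (the parameter order is `bp, x, nmflags, cflag`), so `XN_FLAG_ONELINE` has no effect and, more importantly, the request's attribute section is printed as well — an SCEP enrolment request can carry a challengePassword attribute, which this helper would then copy into the error log whenever debug logging is enabled. Suggested call: `X509_REQ_print_ex(debug, req, XN_FLAG_ONELINE, X509_FLAG_NO_ATTRIBUTES);`. `BIO_new(BIO_s_mem())` can also return NULL; the function should return early in that case instead of registering and printing through a null BIO. Since both call sites added later in this commit guard with `APLOGrdebug(r)`, moving that test into log_request would let the callers drop it.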
@@ -1758,8 +1782,8 @@
X509_NAME_ENTRY *tne = X509_NAME_get_entry(reqsubject, j);
int nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(tne));
- if (!name->nid || name->nid == nid) {
- if (count <= 0) {
+ if (name->nid == DN_UNLIMITED || name->nid == nid) {
+ if (name->limit != DN_UNLIMITED && count <= 0) {
log_message(r, APR_SUCCESS,
apr_psprintf(r->pool,
"Subject name '%s' cannot be inserted into certificate more than %d times.",
@@ -1797,6 +1821,8 @@
&scep_module);
exts = X509_REQ_get_extensions(req);
+ // test XXX X509_REQ_add_extensions(creq, exts);
+
if (exts) {
int idx = -1;
gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, &idx);
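Review bot: The added `// test XXX X509_REQ_add_extensions(creq, exts);` is commented-out experimental code and should not be committed; if the experiment is still wanted, track it elsewhere and drop the line. If it were ever enabled as written it would copy the client's requested extensions unfiltered into the request that is later handed to `ap_run_ca_sign`, bypassing the per-name checks the SubjectAltName loop below performs on `gens`, so any future version needs to select extensions explicitly rather than copy `exts` wholesale. The enclosing function starts before this hunk.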
@@ -1837,8 +1863,8 @@
for (j = 0; gens && j < sk_GENERAL_NAME_num(gens); j++) {
GENERAL_NAME *gen = sk_GENERAL_NAME_value(gens, j);
- if (!name->nid || name->nid == gen->type) {
- if (count <= 0) {
+ if (name->nid == DN_UNLIMITED || name->nid == gen->type) {
+ if (name->limit != DN_UNLIMITED && count <= 0) {
log_message(r, APR_SUCCESS,
apr_psprintf(r->pool,
"SubjectAltName element '%s' cannot be inserted into certificate more than %d times.",
@@ -1889,17 +1915,8 @@
apr_hash_t *params = apr_hash_make(r->pool);
/* print the request, if necessary */
- if (APLOGrdebug(r)) {
- int len;
- debug = BIO_new(BIO_s_mem());
- apr_pool_cleanup_register(r->pool, debug, scep_BIO_cleanup,
- apr_pool_cleanup_null);
- X509_REQ_print_ex(debug, req, 0, XN_FLAG_ONELINE);
- while ((len = BIO_gets(debug, buf, sizeof(buf))) > 0) {
- ap_log_rerror(
- APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, r, "Certificate Request: %.*s", len, buf);
- }
- }
+ if (APLOGrdebug(r))
+ log_request(r, req, "Certificate Request");
/**
* Create a CSR for signing.
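Review bot: With the inline block replaced by `log_request(r, req, "Certificate Request")`, the `debug` and `buf` locals the removed lines assigned are presumably still declared further up in this function; if nothing else uses them they are now unused and should be removed. The single-statement `if (APLOGrdebug(r))` is unbraced here and again at the `Request to Sign` call in the next hunk; either brace both or move the `APLOGrdebug(r)` test into log_request so the callers become unconditional. The enclosing function starts and ends outside this hunk.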
@@ -2026,6 +2043,9 @@
return rv;
}
+ if (APLOGrdebug(r))
+ log_request(r, creq, "Request to Sign");
+
/* do the signing */
rv = ap_run_ca_sign(r, params, &buffer, &len);
if (rv == DECLINED) {
@@ -2053,6 +2073,7 @@
return HTTP_BAD_REQUEST;
}
+
apr_pool_cleanup_register(r->pool, certs, scep_PKCS7_cleanup,
apr_pool_cleanup_null);