[rs-commit] r563 - in /mod_csr/trunk: ChangeLog mod_csr.c
rs-commit at redwax.eu
rs-commit at redwax.eu
Sun Mar 15 10:56:25 CET 2026
Author: minfrin at redwax.eu
Date: Sun Mar 15 10:56:24 2026
New Revision: 563
Log:
Use CA_POP_CSR and CA_POP_CHALLENGE to pass the proof of
possession.
Modified:
mod_csr/trunk/ChangeLog
mod_csr/trunk/mod_csr.c
Modified: mod_csr/trunk/ChangeLog
==============================================================================
--- mod_csr/trunk/ChangeLog (original)
+++ mod_csr/trunk/ChangeLog Sun Mar 15 10:56:24 2026
@@ -1,6 +1,8 @@
Changes with v1.0.0
+ *) Use CA_POP_CSR and CA_POP_CHALLENGE to pass the proof of
+ possession. [Graham Leggett]
Changes with v0.2.5
Modified: mod_csr/trunk/mod_csr.c
==============================================================================
--- mod_csr/trunk/mod_csr.c (original)
+++ mod_csr/trunk/mod_csr.c Sun Mar 15 10:56:24 2026
@@ -501,10 +501,28 @@
return APR_SUCCESS;
}
+static apr_status_t csr_X509_ATTRIBUTE_cleanup(void *data)
+{
+ X509_ATTRIBUTE_free((X509_ATTRIBUTE *) data);
+ return APR_SUCCESS;
+}
+
static apr_status_t csr_X509_REQ_cleanup(void *data)
{
X509_REQ_free((X509_REQ *) data);
return APR_SUCCESS;
+}
+
+static ca_asn1_t *make_X509_ATTRIBUTE(apr_pool_t *pool, X509_ATTRIBUTE *attr)
+{
+ ca_asn1_t *buf = apr_palloc(pool, sizeof(ca_asn1_t));
+ unsigned char *tmp;
+
+ buf->len = i2d_X509_ATTRIBUTE(attr, NULL);
+ buf->val = tmp = apr_palloc(pool, buf->len);
+ i2d_X509_ATTRIBUTE(attr, &tmp);
+
+ return buf;
}
static ca_asn1_t *make_X509_NAME(apr_pool_t *pool, X509_NAME *name)
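Review bot: In make_X509_ATTRIBUTE the return value of `i2d_X509_ATTRIBUTE(attr, NULL)` is stored into `buf->len` and passed straight to apr_palloc, but i2d_* returns a negative value on encoding failure, and the second `i2d_X509_ATTRIBUTE(attr, &tmp)` is likewise unchecked, so a failed encode yields a bogus length and a buffer whose contents were never written. A guard such as `int len = i2d_X509_ATTRIBUTE(attr, NULL); if (len < 0) { return NULL; }` before the allocation, with the caller treating NULL as an error, would avoid handing an uninitialised DER blob to the CA backend; note that apr_hash_set with a NULL value removes the key rather than storing it, so the caller must check before the hash insert. The neighbouring make_X509_NAME appears to follow the same pattern and would presumably benefit from the same check, though its body is outside this hunk.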
@@ -907,10 +925,6 @@
return HTTP_BAD_REQUEST;
}
- X509_REQ_set_pubkey(creq, pktmp);
-
- /* sign the X509_REQ with a dummy signature to work around serialisation bugs in openssl */
- X509_REQ_sign(creq, pknull, mdnull);
/* extract the param_challenge, if present */
idx = X509_REQ_get_attr_by_NID(req, OBJ_sn2nid("challengePassword"), -1);
@@ -934,10 +948,34 @@
make_X509_NAME(r->pool, subject));
}
+ X509_REQ_set_pubkey(creq, pktmp);
+
+ /* sign the X509_REQ with a dummy signature to work around serialisation bugs in openssl */
+ X509_REQ_sign(creq, pknull, mdnull);
+
/* handle the proof of possession */
if (req) {
- apr_hash_set(params, "popCertificateSignRequest", APR_HASH_KEY_STRING,
+ apr_hash_set(params, CA_POP_CSR, APR_HASH_KEY_STRING,
make_X509_REQ(r->pool, req));
+ }
+ if (challenge) {
+
+ X509_ATTRIBUTE *popchallenge =
+ X509_ATTRIBUTE_create_by_txt(NULL, "challengePassword",
+ MBSTRING_UTF8, challenge, challenge_size);
+
+ if (!popchallenge) {
+ log_message(r, APR_SUCCESS,
+ "could not create the challenge");
+
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ apr_pool_cleanup_register(r->pool, popchallenge, csr_X509_ATTRIBUTE_cleanup,
+ apr_pool_cleanup_null);
+
+ apr_hash_set(params, CA_POP_CHALLENGE, APR_HASH_KEY_STRING,
+ make_X509_ATTRIBUTE(r->pool, popchallenge));
}
/* write out the certificate */
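Review bot: The failure branch after `X509_ATTRIBUTE_create_by_txt` answers HTTP_INTERNAL_SERVER_ERROR and logs with `APR_SUCCESS`, which discards the OpenSSL error queue that explains why the attribute could not be built; since the challenge value appears to originate from the client (the preceding hunk extracts the challengePassword attribute from the incoming request), a string OpenSSL rejects as an invalid DirectoryString is more likely a malformed client value than a server fault. Consider logging `ERR_get_error()` (or ERR_error_string) alongside the message and returning HTTP_BAD_REQUEST when the rejection is attributable to the supplied challenge, keeping 500 for genuine allocation failures if the two can be told apart. The enclosing handler starts before and continues after this hunk, so the exact provenance of `challenge` and `challenge_size` should be confirmed against the earlier code.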
@@ -1090,7 +1128,7 @@
EVP_PKEY_free(pknull);
pknull = NULL;
- ERR_free_strings();
+ ERR_free_strings();
EVP_cleanup();
return APR_SUCCESS;
}
@@ -1143,7 +1181,7 @@
#ifdef HAS_OPENSSL_PR10563_WORK_AROUND
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
- "Workaround for OpenSSL/#10563 active; which manipulates openssl-private internals.");
+ "Workaround for OpenSSL/#10563 active; which manipulates openssl-private internals.");
#endif
}