support custom OIDs in *_cert ACLs

This patch allow user_cert and ca_cert ACLs to match arbitrary stand-alone OIDs
(not DN/C/O/CN/L/ST objects or their substrings). For example, should be able to
match certificates that have 1.3.6.1.4.1.1814.3.1.14 OID in the certificate
Subject or Issuer field. Squid configuration would look like this:

 acl User_Cert-TrustedCustomerNum user_cert 1.3.6.1.4.1.1814.3.1.14 1001

This is a Measurement Factory project

diff --git a/src/acl/CertificateData.cc b/src/acl/CertificateData.cc
index 8afa1668067d9810bfcef06defa3fbbe00f15593..fa70f276dd6acb5e942c867057b2f38a26c2e28a 100644 (file)
--- a/src/acl/CertificateData.cc
+++ b/src/acl/CertificateData.cc
@@ -127,8 +127,29 @@ ACLCertificateData::parse()
                     debugs(28, DBG_CRITICAL, "FATAL: An acl must use consistent attributes in all config lines (" << newAttribute << "!=" << attribute << ").");
                     self_destruct();
                 }
-            } else
+            } else {
+                if (strcasecmp(newAttribute, "DN") != 0) {
+                    int nid = OBJ_txt2nid(newAttribute);
+                    if (nid == 0) {
+                         const size_t span = strspn(newAttribute, "0123456789.");
+                         if(newAttribute[span] == '\0') { // looks like a numerical OID
+                             // create a new object based on this attribute
+
+                             // NOTE: Not a [bad] leak: If the same attribute
+                             // has been added before, the OBJ_txt2nid call
+                             // would return a valid nid value.
+                             // TODO: call OBJ_cleanup() on reconfigure?
+                             nid = OBJ_create(newAttribute, newAttribute,  newAttribute);
+                             debugs(28, 7, "New SSL certificate attribute created with name: " << newAttribute << " and nid: " << nid);
+                         }
+                    }
+                    if (nid == 0) {
+                        debugs(28, DBG_CRITICAL, "FATAL: Not valid SSL certificate attribute name or numerical OID: " << newAttribute);
+                        self_destruct();
+                    }
+                }
                 attribute = xstrdup(newAttribute);
+            }
         }
     }
 

diff --git a/src/cf.data.pre b/src/cf.data.pre
index c797a1115dc376b01d1bb4264e0728278a3721d0..07713be530655811e19477c021fe20fd494b0d70 100644 (file)
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -1128,11 +1128,11 @@ DOC_START
 
        acl aclname user_cert attribute values...
          # match against attributes in a user SSL certificate
-         # attribute is one of DN/C/O/CN/L/ST [fast]
+         # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
 
        acl aclname ca_cert attribute values...
          # match against attributes a users issuing CA SSL certificate
-         # attribute is one of DN/C/O/CN/L/ST [fast]
+         # attribute is one of DN/C/O/CN/L/ST or a numerical OID  [fast]
 
        acl aclname ext_user username ...
        acl aclname ext_user_regex [-i] pattern ...