Support custom OIDs in *_cert ACLs

This patch allow user_cert and ca_cert ACLs to match arbitrary
stand-alone OIDs (not DN/C/O/CN/L/ST objects or their substrings).
For example, should be able to match certificates that have
1.3.6.1.4.1.1814.3.1.14 OID in the certificate Subject or Issuer field.

Squid configuration would look like this:
 acl User_Cert-TrustedCustomerNum user_cert 1.3.6.1.4.1.1814.3.1.14 1001

This is a Measurement Factory project

diff --git a/src/acl/CertificateData.cc b/src/acl/CertificateData.cc
index f85fe64c97494e93eb3f7cd63fd0e3ddef3cc5f1..b460f07b10a2ae70aa7ddf898bcbf090a7e7f66c 100644 (file)
--- a/src/acl/CertificateData.cc
+++ b/src/acl/CertificateData.cc
@@ -126,8 +126,29 @@ ACLCertificateData::parse()
                     debugs(28, DBG_CRITICAL, "FATAL: An acl must use consistent attributes in all config lines (" << newAttribute << "!=" << attribute << ").");
                     self_destruct();
                 }
-            } else
+            } else {
+                if (strcasecmp(newAttribute, "DN") != 0) {
+                    int nid = OBJ_txt2nid(newAttribute);
+                    if (nid == 0) {
+                        const size_t span = strspn(newAttribute, "0123456789.");
+                        if(newAttribute[span] == '\0') { // looks like a numerical OID
+                            // create a new object based on this attribute
+
+                            // NOTE: Not a [bad] leak: If the same attribute
+                            // has been added before, the OBJ_txt2nid call
+                            // would return a valid nid value.
+                            // TODO: call OBJ_cleanup() on reconfigure?
+                            nid = OBJ_create(newAttribute, newAttribute,  newAttribute);
+                            debugs(28, 7, "New SSL certificate attribute created with name: " << newAttribute << " and nid: " << nid);
+                        }
+                    }
+                    if (nid == 0) {
+                        debugs(28, DBG_CRITICAL, "FATAL: Not valid SSL certificate attribute name or numerical OID: " << newAttribute);
+                        self_destruct();
+                    }
+                }
                 attribute = xstrdup(newAttribute);
+            }
         }
     }
 

diff --git a/src/cf.data.pre b/src/cf.data.pre
index b9a9323d093310e64072dc205084076881a61b4c..5308ee5d97f770fe4a3bf1411680ed8df28aa2e6 100644 (file)
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -1063,11 +1063,11 @@ DOC_START
 
        acl aclname user_cert attribute values...
          # match against attributes in a user SSL certificate
-         # attribute is one of DN/C/O/CN/L/ST [fast]
+         # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
 
        acl aclname ca_cert attribute values...
          # match against attributes a users issuing CA SSL certificate
-         # attribute is one of DN/C/O/CN/L/ST [fast]
+         # attribute is one of DN/C/O/CN/L/ST or a numerical OID  [fast]
 
        acl aclname ext_user username ...
        acl aclname ext_user_regex [-i] pattern ...