From: Christos Tsantilas Date: Tue, 2 Jun 2015 12:04:00 +0000 (+0300) Subject: support custom OIDs in *_cert ACLs X-Git-Tag: merge-candidate-3-v1~96 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2927ae41ff3bc0f21201e951e6c1afa5c06555e2;p=thirdparty%2Fsquid.git support custom OIDs in *_cert ACLs This patch allow user_cert and ca_cert ACLs to match arbitrary stand-alone OIDs (not DN/C/O/CN/L/ST objects or their substrings). For example, should be able to match certificates that have 1.3.6.1.4.1.1814.3.1.14 OID in the certificate Subject or Issuer field. Squid configuration would look like this: acl User_Cert-TrustedCustomerNum user_cert 1.3.6.1.4.1.1814.3.1.14 1001 This is a Measurement Factory project
---
diff --git a/src/acl/CertificateData.cc b/src/acl/CertificateData.cc
index 8afa166806..fa70f276dd 100644
--- a/src/acl/CertificateData.cc
+++ b/src/acl/CertificateData.cc
@@ -127,8 +127,29 @@ ACLCertificateData::parse()
                 debugs(28, DBG_CRITICAL, "FATAL: An acl must use consistent attributes in all config lines (" << newAttribute << "!=" << attribute << ").");
                 self_destruct();
             }
-        } else
+        } else {
+            if (strcasecmp(newAttribute, "DN") != 0) {
+                int nid = OBJ_txt2nid(newAttribute);
+                if (nid == 0) {
+                    const size_t span = strspn(newAttribute, "0123456789.");
+                    if(newAttribute[span] == '\0') { // looks like a numerical OID
+                        // create a new object based on this attribute
+
+                        // NOTE: Not a [bad] leak: If the same attribute
+                        // has been added before, the OBJ_txt2nid call
+                        // would return a valid nid value.
+                        // TODO: call OBJ_cleanup() on reconfigure?
+                        nid = OBJ_create(newAttribute, newAttribute, newAttribute);
+                        debugs(28, 7, "New SSL certificate attribute created with name: " << newAttribute << " and nid: " << nid);
+                    }
+                }
+                if (nid == 0) {
+                    debugs(28, DBG_CRITICAL, "FATAL: Not valid SSL certificate attribute name or numerical OID: " << newAttribute);
+                    self_destruct();
+                }
+            }
             attribute = xstrdup(newAttribute);
+        }
     }
 }
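Review bot: The `strspn` test in the new `else` branch only checks the character set, so malformed dotted strings such as `1..2`, `.` or an empty attribute still reach `OBJ_create`; they are rejected only because `OBJ_create` re-parses the OID and returns 0, which the second `if (nid == 0)` turns into the FATAL — safe, but the first check reads as the validator, so I would add `// OBJ_create() re-parses the OID; malformed dotted strings fail there and hit the FATAL check below` above the `OBJ_create` call. `OBJ_txt2nid` also accepts, as far as I know, every short and long object name OpenSSL registers (`emailAddress`, `serialNumber`, `2.5.4.3`, …), which is wider than the `DN/C/O/CN/L/ST` set the cf.data.pre text documents; whether the matching side handles each of those names is outside this hunk, so either document that any OpenSSL object name is accepted or restrict the non-numeric path to the documented names. Minor: the FATAL text should read `"FATAL: Not a valid SSL certificate attribute name or numerical OID: "`, and `if(newAttribute[span]` lacks the space before `(` that the rest of the hunk uses. `ACLCertificateData::parse()` begins before the hunk.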
diff --git a/src/cf.data.pre b/src/cf.data.pre
index c797a1115d..07713be530 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -1128,11 +1128,11 @@ DOC_START
 	acl aclname user_cert attribute values...
 	  # match against attributes in a user SSL certificate
-	  # attribute is one of DN/C/O/CN/L/ST [fast]
+	  # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
 	acl aclname ca_cert attribute values...
 	  # match against attributes a users issuing CA SSL certificate
-	  # attribute is one of DN/C/O/CN/L/ST [fast]
+	  # attribute is one of DN/C/O/CN/L/ST or a numerical OID [fast]
 	acl aclname ext_user username ...
 	acl aclname ext_user_regex [-i] pattern ...