From: Christos Tsantilas <chtsanti@users.sourceforge.net>
Date: Fri, 1 Feb 2013 04:47:04 +0000 (-0700)
Subject: Mimic Key Usage and Basic Constraints
X-Git-Tag: SQUID_3_3_1~17
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=be3eb059de0682026358604114292bcebbc92ed6;p=thirdparty%2Fsquid.git

Mimic Key Usage and Basic Constraints

There are cases where the generated certificates do not mimic enough
properties
and secure connection with the client fails. For example, Squid does not
mimic
Key Usage extensions. Clients using GnuTLS (or similar libraries that
validate
server certificate using those extensions) fail to secure the connection
with
Squid.

This patch add mimicking for the following extensions, which are
considered
as safe to mimic:
    * X509v3 Key Usage
    * X509v3 Extended Key Usage,
    * X509v3 Basic Constraints CA.

We would be happy to add more "safe to mimic" extensions if users
request (and
vouch for) them.

This is a Measurement Factory project
---

diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
index ac94bc165c..9a89187100 100644
--- a/src/ssl/gadgets.cc
+++ b/src/ssl/gadgets.cc
@@ -249,6 +249,31 @@ std::string & Ssl::CertificateProperties::dbKey() const
     return certKey;
 }
 
+// Copy certificate extensions from cert to mimicCert.
+// Currently only extensions which are reported by the users that required are
+// mimicked. More safe to mimic extensions would be added here if users request
+// them.
+static void
+mimicExtensions(Ssl::X509_Pointer & cert, Ssl::X509_Pointer const & mimicCert)
+{
+    static int extensions[]= {
+        NID_key_usage,
+        NID_ext_key_usage,
+        NID_basic_constraints,
+        0
+    };
+
+    int nid;
+    for (int i = 0; (nid = extensions[i]) != 0; ++i) {
+        const int pos = X509_get_ext_by_NID(mimicCert.get(), nid, -1);
+        if (X509_EXTENSION *ext = X509_get_ext(mimicCert.get(), pos))
+            X509_add_ext(cert.get(), ext, -1);
+    }
+
+    // We could also restrict mimicking of the CA extension to CA:FALSE
+    // because Squid does not generate valid fake CA certificates.
+}
+
 static bool buildCertificate(Ssl::X509_Pointer & cert, Ssl::CertificateProperties const &properties)
 {
     // not an Ssl::X509_NAME_Pointer because X509_REQ_get_subject_name()
@@ -320,6 +345,8 @@ static bool buildCertificate(Ssl::X509_Pointer & cert, Ssl::CertificatePropertie
                 X509_set_version(cert.get(), 2);
             }
         }
+
+        mimicExtensions(cert, properties.mimicCert);
     }
 
     return true;