From: Jim Jagielski Date: Thu, 5 Mar 2015 14:51:37 +0000 (+0000) Subject: Merge r1661258 from trunk: X-Git-Tag: 2.4.13~365 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f1972f05a6681751473fa4e42cf1f0d206a54a9c;p=thirdparty%2Fapache%2Fhttpd.git Merge r1661258 from trunk: mod_ssl: Add the SSL_CLIENT_CERT_RFC4523_CEA variable, which provides a combination of certificate serialNumber and issuer as defined by CertificateExactMatch in RFC4523. Submitted by: minfrin Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1664363 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index d51dd939874..223e36f1677 100644 --- a/CHANGES +++ b/CHANGES @@ -11,6 +11,10 @@ Changes with Apache 2.4.13 responding to a websockets PING but instead invoking the specified script. PR57524. [Edward Lu ] + *) mod_ssl: Add the SSL_CLIENT_CERT_RFC4523_CEA variable, which provides + a combination of certificate serialNumber and issuer as defined by + CertificateExactMatch in RFC4523. [Graham Leggett] + *) ab: Add missing longest request (100%) to CSV export. [Marcin Fabrykowski ] diff --git a/STATUS b/STATUS index fc416beb9b0..94450a74480 100644 --- a/STATUS +++ b/STATUS @@ -106,13 +106,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_ssl: Add the SSL_CLIENT_CERT_RFC4523_CEA variable, which provides - a combination of certificate serialNumber and issuer as defined by - CertificateExactMatch in RFC4523. - trunk patch: http://svn.apache.org/r1661258 - 2.4.x patch: trunk works - +1: minfrin, ylavic, jim - *) mpm_event: Clear and restore sbh in notify_suspend() and notify_resume() respectively. This merges a missing fix from r1545736 (sbh = NULL before notify_suspend() for write completion, near line 1068 in 2.4.12) which was 
diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml index b8cb63fc039..e697645b931 100644 --- a/docs/manual/mod/mod_ssl.xml +++ b/docs/manual/mod/mod_ssl.xml @@ -84,6 +84,7 @@ compatibility variables.

SSL_CLIENT_A_KEY string Algorithm used for the public key of client's certificate SSL_CLIENT_CERT string PEM-encoded client certificate SSL_CLIENT_CERT_CHAIN_n string PEM-encoded certificates in client certificate chain +SSL_CLIENT_CERT_RFC4523_CEA string Serial number and issuer of the certificate. The format matches that of the CertificateExactAssertion in RFC4523 SSL_CLIENT_VERIFY string NONE, SUCCESS, GENEROUS or FAILED:reason SSL_SERVER_M_VERSION string The version of the server certificate SSL_SERVER_M_SERIAL string The serial of the server certificate diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 7911b2629ba..0c22984c289 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -1123,6 +1123,7 @@ static const char *ssl_hook_Fixup_vars[] = { "SSL_CLIENT_I_DN", "SSL_CLIENT_A_KEY", "SSL_CLIENT_A_SIG", + "SSL_CLIENT_CERT_RFC4523_CEA", "SSL_SERVER_M_VERSION", "SSL_SERVER_M_SERIAL", "SSL_SERVER_V_START", diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c index 695bc14b148..31359af79b8 100644 --- a/modules/ssl/ssl_engine_vars.c +++ b/modules/ssl/ssl_engine_vars.c @@ -46,6 +46,7 @@ static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm); static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm); static char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs); static char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, char *var); +static char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl); static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs); static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c); static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var); 
@@ -364,6 +365,9 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, request_rec *r, sk = SSL_get_peer_cert_chain(ssl); result = ssl_var_lookup_ssl_cert_chain(p, sk, var+18); } + else if (ssl != NULL && strcEQ(var, "CLIENT_CERT_RFC4523_CEA")) { + result = ssl_var_lookup_ssl_cert_rfc4523_cea(p, ssl); + } else if (ssl != NULL && strcEQ(var, "CLIENT_VERIFY")) { result = ssl_var_lookup_ssl_cert_verify(p, c); } @@ -679,6 +683,37 @@ static char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, ch return result; } +static char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl) +{ + char *result; + X509 *xs; + + ASN1_INTEGER *serialNumber; + + if (!(xs = SSL_get_peer_certificate(ssl))) { + return NULL; + } + + result = NULL; + + serialNumber = X509_get_serialNumber(xs); + if (serialNumber) { + X509_NAME *issuer = X509_get_issuer_name(xs); + if (issuer) { + BIGNUM *bn = ASN1_INTEGER_to_BN(serialNumber, NULL); + char *decimal = BN_bn2dec(bn); + result = apr_pstrcat(p, "{ serialNumber ", decimal, + ", issuer rdnSequence:\"", + SSL_X509_NAME_to_string(p, issuer, 0), "\" }", NULL); + OPENSSL_free(decimal); + BN_free(bn); + } + } + + X509_free(xs); + return result; +} + static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs) { char *result;
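Review bot: In ssl_var_lookup_ssl_cert_rfc4523_cea the result of ASN1_INTEGER_to_BN is used unchecked: if it returns NULL (allocation failure, or a serial it cannot convert) BN_bn2dec(bn) dereferences a null pointer, and if BN_bn2dec itself returns NULL the NULL `decimal` terminates apr_pstrcat's argument list early, so the variable silently becomes `{ serialNumber ` with no issuer at all. Because this value is meant to be matched exactly against a directory entry, a truncated assertion is worse than none; both failures should collapse to `result = NULL`, as the function already does for a missing peer certificate. SSL_X509_NAME_to_string is outside this hunk; if it can return NULL the same truncation applies, and if its output can contain a double quote the `rdnSequence:"…"` quoting is broken, so its contract is worth confirming here as well. A note on the function, such as `/* RFC 4523 CertificateExactAssertion: serial in decimal, issuer as a quoted DN string; NULL if either cannot be produced */`, would also make the intended format explicit.
```c
static char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl)
/* … unchanged: peer certificate and serialNumber/issuer retrieval … */
        if (issuer) {
            BIGNUM *bn = ASN1_INTEGER_to_BN(serialNumber, NULL);
            /* BN_bn2dec() must not see a NULL BIGNUM, and a NULL decimal
             * would end apr_pstrcat()'s list early, emitting a partial CEA. */
            char *decimal = bn ? BN_bn2dec(bn) : NULL;
            if (decimal) {
                result = apr_pstrcat(p, "{ serialNumber ", decimal,
                                     ", issuer rdnSequence:\"",
                                     SSL_X509_NAME_to_string(p, issuer, 0),
                                     "\" }", NULL);
                OPENSSL_free(decimal);
            }
            BN_free(bn); /* BN_free(NULL) is a no-op */
        }
/* … unchanged: X509_free(xs) and return … */
```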