#
-# $Id: cf.data.pre,v 1.384 2005/03/18 17:12:34 hno Exp $
+# $Id: cf.data.pre,v 1.385 2005/03/18 17:17:51 hno Exp $
#
#
# SQUID Web Proxy Cache http://www.squid-cache.org/
%MYADDR Squid interface address
%MYPORT Squid http_port number
%USER_CERT SSL User certificate in PEM format
+ %USER_CERTCHAIN SSL User certificate chain in PEM format
%USER_CERT_xx SSL User certificate subject attribute xx
%USER_CA_xx SSL User certificate issuer attribute xx
%{Header} HTTP request header
/*
- * $Id: external_acl.cc,v 1.59 2005/03/18 16:51:22 hno Exp $
+ * $Id: external_acl.cc,v 1.60 2005/03/18 17:17:51 hno Exp $
*
* DEBUG: section 82 External ACL
* AUTHOR: Henrik Nordstrom, MARA Systems AB
EXT_ACL_USER_CERT,
EXT_ACL_CA_CERT,
EXT_ACL_USER_CERT_RAW,
+ EXT_ACL_USER_CERTCHAIN_RAW,
#endif
EXT_ACL_EXT_USER,
EXT_ACL_END
else if (strcmp(token, "%USER_CERT") == 0)
format->type = EXT_ACL_USER_CERT_RAW;
+ else if (strcmp(token, "%USER_CERTCHAIN") == 0)
+ format->type = EXT_ACL_USER_CERTCHAIN_RAW;
else if (strncmp(token, "%USER_CERT_", 11)) {
format->type = _external_acl_format::EXT_ACL_USER_CERT;
format->header = xstrdup(token + 11);
storeAppendPrintf(sentry, " %%USER_CERT");
break;
+ case _external_acl_format::EXT_ACL_USER_CERTCHAIN_RAW:
+ storeAppendPrintf(sentry, " %%USER_CERTCHAIN");
+ break;
+
case _external_acl_format::EXT_ACL_USER_CERT:
storeAppendPrintf(sentry, " %%USER_CERT_%s", format->header);
break;
break;
+ case _external_acl_format::EXT_ACL_USER_CERTCHAIN_RAW:
+
+ if (ch->conn().getRaw()) {
+ SSL *ssl = fd_table[ch->conn()->fd].ssl;
+
+ if (ssl)
+ str = sslGetUserCertificateChainPEM(ssl);
+ }
+
+ break;
+
case _external_acl_format::EXT_ACL_USER_CERT:
if (ch->conn().getRaw()) {
/*
- * $Id: ssl_support.cc,v 1.29 2005/03/18 17:12:34 hno Exp $
+ * $Id: ssl_support.cc,v 1.30 2005/03/18 17:17:51 hno Exp $
*
* AUTHOR: Benno Rice
* DEBUG: section 83 SSL accelerator support
return str;
}
+
+const char *
+sslGetUserCertificateChainPEM(SSL *ssl)
+{
+ STACK_OF(X509) *chain;
+ BIO *mem;
+ static char *str = NULL;
+ char *ptr;
+ long len;
+ int i;
+
+ safe_free(str);
+
+ if (!ssl)
+ return NULL;
+
+ chain = SSL_get_peer_cert_chain(ssl);
+
+ if (!chain)
+ return sslGetUserCertificatePEM(ssl);
+
+ mem = BIO_new(BIO_s_mem());
+
+ for (i = 0; i < sk_X509_num(chain); i++) {
+ X509 *cert = sk_X509_value(chain, i);
+ PEM_write_bio_X509(mem, cert);
+ }
+
+ len = BIO_get_mem_data(mem, &ptr);
+
+ str = (char *)xmalloc(len + 1);
+ memcpy(str, ptr, len);
+ str[len] = '\0';
+
+ BIO_free(mem);
+
+ return str;
+}
/*
- * $Id: ssl_support.h,v 1.11 2005/03/18 17:12:34 hno Exp $
+ * $Id: ssl_support.h,v 1.12 2005/03/18 17:17:51 hno Exp $
*
* AUTHOR: Benno Rice
*
SSLGETATTRIBUTE sslGetUserAttribute;
SSLGETATTRIBUTE sslGetCAAttribute;
const char *sslGetUserCertificatePEM(SSL *ssl);
+const char *sslGetUserCertificateChainPEM(SSL *ssl);
#endif /* SQUID_SSL_SUPPORT_H */
projects / thirdparty / squid.git / commitdiff
