Blob Blame History Raw
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 926e05e..bbe1d20 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -333,6 +333,11 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
     OpenSSL_add_all_algorithms();
     OPENSSL_load_builtin_modules();
 
+    if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) {
+        (void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV",
+                         "SRVName otherName form");
+    }
+
     /*
      * Let us cleanup the ssl library when the module is unloaded
      */
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index eb11a38..27eaa5a 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1156,6 +1156,7 @@ int ssl_hook_Fixup(request_rec *r)
     /* standard SSL environment variables */
     if (dc->nOptions & SSL_OPT_STDENVVARS) {
         modssl_var_extract_dns(env, sslconn->ssl, r->pool);
+        modssl_var_extract_san_entries(env, sslconn->ssl, r->pool);
 
         for (i = 0; ssl_hook_Fixup_vars[i]; i++) {
             var = (char *)ssl_hook_Fixup_vars[i];
diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
index c508fff..2b7c9ba 100644
--- a/modules/ssl/ssl_engine_vars.c
+++ b/modules/ssl/ssl_engine_vars.c
@@ -42,6 +42,7 @@
 static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, request_rec *r, char *var);
 static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, char *var);
 static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *var);
+static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var);
 static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm);
 static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm);
 static char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs);
@@ -509,6 +510,10 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs,
         result = ssl_var_lookup_ssl_cert_dn(p, xsname, var+5);
         resdup = FALSE;
     }
+    else if (strlen(var) > 4 && strcEQn(var, "SAN_", 4)) {
+        result = ssl_var_lookup_ssl_cert_san(p, xs, var+4);
+        resdup = FALSE;
+    }
     else if (strcEQ(var, "A_SIG")) {
         nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm));
         result = apr_pstrdup(p,
@@ -597,6 +602,49 @@ static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *
     return result;
 }
 
+static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var)
+{
+    int type, numlen;
+    const char *onf = NULL;
+    apr_array_header_t *entries;
+
+    if (strcEQn(var, "Email_", 6)) {
+        type = GEN_EMAIL;
+        var += 6;
+    }
+    else if (strcEQn(var, "DNS_", 4)) {
+        type = GEN_DNS;
+        var += 4;
+    }
+    else if (strcEQn(var, "OTHER_", 6)) {
+        type = GEN_OTHERNAME;
+        var += 6;
+        if (strEQn(var, "msUPN_", 6)) {
+            var += 6;
+            onf = "msUPN";
+        }
+        else if (strEQn(var, "dnsSRV_", 7)) {
+            var += 7;
+            onf = "id-on-dnsSRV";
+        }
+        else
+           return NULL;
+    }
+    else
+        return NULL;
+
+    /* sanity check: number must be between 1 and 4 digits */
+    numlen = strspn(var, "0123456789");
+    if ((numlen < 1) || (numlen > 4) || (numlen != strlen(var)))
+        return NULL;
+
+    if (SSL_X509_getSAN(p, xs, type, onf, atoi(var), &entries))
+        /* return the first entry from this 1-element array */
+        return APR_ARRAY_IDX(entries, 0, char *);
+    else
+        return NULL;
+}
+
 static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm)
 {
     char *result;
@@ -890,6 +938,54 @@ void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p)
     }
 }
 
+static void extract_san_array(apr_table_t *t, const char *pfx,
+                              apr_array_header_t *entries, apr_pool_t *p)
+{
+    int i;
+
+    for (i = 0; i < entries->nelts; i++) {
+        const char *key = apr_psprintf(p, "%s_%d", pfx, i);
+        apr_table_setn(t, key, APR_ARRAY_IDX(entries, i, const char *));
+    }
+}
+
+void modssl_var_extract_san_entries(apr_table_t *t, SSL *ssl, apr_pool_t *p)
+{
+    X509 *xs;
+    apr_array_header_t *entries;
+
+    /* subjectAltName entries of the server certificate */
+    xs = SSL_get_certificate(ssl);
+    if (xs) {
+        if (SSL_X509_getSAN(p, xs, GEN_EMAIL, NULL, -1, &entries)) {
+            extract_san_array(t, "SSL_SERVER_SAN_Email", entries, p);
+        }
+        if (SSL_X509_getSAN(p, xs, GEN_DNS, NULL, -1, &entries)) {
+            extract_san_array(t, "SSL_SERVER_SAN_DNS", entries, p);
+        }
+        if (SSL_X509_getSAN(p, xs, GEN_OTHERNAME, "id-on-dnsSRV", -1,
+                               &entries)) {
+            extract_san_array(t, "SSL_SERVER_SAN_OTHER_dnsSRV", entries, p);
+        }
+        /* no need to free xs (refcount does not increase) */
+    }
+
+    /* subjectAltName entries of the client certificate */
+    xs = SSL_get_peer_certificate(ssl);
+    if (xs) {
+        if (SSL_X509_getSAN(p, xs, GEN_EMAIL, NULL, -1, &entries)) {
+            extract_san_array(t, "SSL_CLIENT_SAN_Email", entries, p);
+        }
+        if (SSL_X509_getSAN(p, xs, GEN_DNS, NULL, -1, &entries)) {
+            extract_san_array(t, "SSL_CLIENT_SAN_DNS", entries, p);
+        }
+        if (SSL_X509_getSAN(p, xs, GEN_OTHERNAME, "msUPN", -1, &entries)) {
+            extract_san_array(t, "SSL_CLIENT_SAN_OTHER_msUPN", entries, p);
+        }
+        X509_free(xs);
+    }
+}
+
 /* For an extension type which OpenSSL does not recognize, attempt to
  * parse the extension type as a primitive string.  This will fail for
  * any structured extension type per the docs.  Returns non-zero on
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index a5ede6e..80e1e8e 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -974,6 +974,10 @@ void         ssl_var_log_config_register(apr_pool_t *p);
  * allocating from 'p': */
 void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p);
 
+/* Extract SSL_*_SAN_* variables (subjectAltName entries) into table 't'
+ * from SSL object 'ssl', allocating from 'p'. */
+void modssl_var_extract_san_entries(apr_table_t *t, SSL *ssl, apr_pool_t *p);
+
 #ifndef OPENSSL_NO_OCSP
 /* Perform OCSP validation of the current cert in the given context.
  * Returns non-zero on success or zero on failure.  On failure, the
diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c
index 588ceba..09a9877 100644
--- a/modules/ssl/ssl_util_ssl.c
+++ b/modules/ssl/ssl_util_ssl.c
@@ -236,22 +236,32 @@ BOOL SSL_X509_getBC(X509 *cert, int *ca, int *pathlen)
     return TRUE;
 }
 
-/* convert a NAME_ENTRY to UTF8 string */
-char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne)
+/* convert an ASN.1 string to a UTF-8 string (escaping control characters) */
+char *SSL_ASN1_STRING_to_utf8(apr_pool_t *p, ASN1_STRING *asn1str)
 {
     char *result = NULL;
-    BIO* bio;
+    BIO *bio;
     int len;
 
     if ((bio = BIO_new(BIO_s_mem())) == NULL)
         return NULL;
-    ASN1_STRING_print_ex(bio, X509_NAME_ENTRY_get_data(xsne),
-                         ASN1_STRFLGS_ESC_CTRL|ASN1_STRFLGS_UTF8_CONVERT);
+
+    ASN1_STRING_print_ex(bio, asn1str, ASN1_STRFLGS_ESC_CTRL|
+                                       ASN1_STRFLGS_UTF8_CONVERT);
     len = BIO_pending(bio);
-    result = apr_palloc(p, len+1);
-    len = BIO_read(bio, result, len);
-    result[len] = NUL;
+    if (len > 0) {
+        result = apr_palloc(p, len+1);
+        len = BIO_read(bio, result, len);
+        result[len] = NUL;
+    }
     BIO_free(bio);
+    return result;
+}
+
+/* convert a NAME_ENTRY to UTF8 string */
+char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne)
+{
+    char *result = SSL_ASN1_STRING_to_utf8(p, X509_NAME_ENTRY_get_data(xsne));
     ap_xlate_proto_from_ascii(result, len);
     return result;
 }
@@ -288,51 +298,123 @@ char *SSL_X509_NAME_to_string(apr_pool_t *p, X509_NAME *dn, int maxlen)
     return result;
 }
 
-/* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a certificate */
-BOOL SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids)
+static void parse_otherName_value(apr_pool_t *p, ASN1_TYPE *value,
+                                  const char *onf, apr_array_header_t **entries)
+{
+    const char *str;
+    int nid = onf ? OBJ_txt2nid(onf) : NID_undef;
+
+    if (!value || (nid == NID_undef) || !*entries)
+       return;
+
+    /* 
+     * Currently supported otherName forms (values for "onf"):
+     * "msUPN" (1.3.6.1.4.1.311.20.2.3): Microsoft User Principal Name
+     * "id-on-dnsSRV" (1.3.6.1.5.5.7.8.7): SRVName, as specified in RFC 4985
+     */
+    if ((nid == NID_ms_upn) && (value->type == V_ASN1_UTF8STRING) &&
+        (str = SSL_ASN1_STRING_to_utf8(p, value->value.utf8string))) {
+        APR_ARRAY_PUSH(*entries, const char *) = str;
+    } else if (strEQ(onf, "id-on-dnsSRV") &&
+               (value->type == V_ASN1_IA5STRING) &&
+               (str = SSL_ASN1_STRING_to_utf8(p, value->value.ia5string))) {
+        APR_ARRAY_PUSH(*entries, const char *) = str;
+    }
+}
+
+/* 
+ * Return an array of subjectAltName entries of type "type". If idx is -1,
+ * return all entries of the given type, otherwise return an array consisting
+ * of the n-th occurrence of that type only. Currently supported types:
+ * GEN_EMAIL (rfc822Name)
+ * GEN_DNS (dNSName)
+ * GEN_OTHERNAME (requires the otherName form ["onf"] argument to be supplied,
+ *                see parse_otherName_value for the currently supported forms)
+ */
+BOOL SSL_X509_getSAN(apr_pool_t *p, X509 *x509, int type, const char *onf,
+                     int idx, apr_array_header_t **entries)
 {
     STACK_OF(GENERAL_NAME) *names;
-    BIO *bio;
-    X509_NAME *subj;
-    char **cpp;
-    int i, n;
+    int nid = onf ? OBJ_txt2nid(onf) : NID_undef;
 
-    if (!x509 || !(*ids = apr_array_make(p, 0, sizeof(char *)))) {
-        *ids = NULL;
+    if (!x509 || (type < GEN_OTHERNAME) ||
+        ((type == GEN_OTHERNAME) && (nid == NID_undef)) ||
+        (type > GEN_RID) || (idx < -1) ||
+        !(*entries = apr_array_make(p, 0, sizeof(char *)))) {
+        *entries = NULL;
         return FALSE;
     }
 
-    /* First, the DNS-IDs (dNSName entries in the subjectAltName extension) */
-    if ((names = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL)) &&
-        (bio = BIO_new(BIO_s_mem()))) {
+    if ((names = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL))) {
+        int i, n = 0;
         GENERAL_NAME *name;
+        const char *utf8str;
 
         for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {
             name = sk_GENERAL_NAME_value(names, i);
-            if (name->type == GEN_DNS) {
-                ASN1_STRING_print_ex(bio, name->d.ia5, ASN1_STRFLGS_ESC_CTRL|
-                                     ASN1_STRFLGS_UTF8_CONVERT);
-                n = BIO_pending(bio);
-                if (n > 0) {
-                    cpp = (char **)apr_array_push(*ids);
-                    *cpp = apr_palloc(p, n+1);
-                    n = BIO_read(bio, *cpp, n);
-                    (*cpp)[n] = NUL;
+
+            if (name->type != type)
+                continue;
+
+            switch (type) {
+            case GEN_EMAIL:
+            case GEN_DNS:
+                if (((idx == -1) || (n == idx)) &&
+                    (utf8str = SSL_ASN1_STRING_to_utf8(p, name->d.ia5))) {
+                    APR_ARRAY_PUSH(*entries, const char *) = utf8str;
+                }
+                n++;
+                break;
+            case GEN_OTHERNAME:
+                if (OBJ_obj2nid(name->d.otherName->type_id) == nid) {
+                    if (((idx == -1) || (n == idx))) {
+                        parse_otherName_value(p, name->d.otherName->value,
+                                              onf, entries);
+                    }
+                    n++;
                 }
+                break;
+            default:
+                /*
+                 * Not implemented right now:
+                 * GEN_X400 (x400Address)
+                 * GEN_DIRNAME (directoryName)
+                 * GEN_EDIPARTY (ediPartyName)
+                 * GEN_URI (uniformResourceIdentifier)
+                 * GEN_IPADD (iPAddress)
+                 * GEN_RID (registeredID)
+                 */
+                break;
             }
+
+            if ((idx != -1) && (n > idx))
+               break;
         }
-        BIO_free(bio);
-    }
 
-    if (names)
         sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
+    }
+
+    return apr_is_empty_array(*entries) ? FALSE : TRUE;
+}
+
+/* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a certificate */
+BOOL SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids)
+{
+    X509_NAME *subj;
+    int i = -1;
+
+    /* First, the DNS-IDs (dNSName entries in the subjectAltName extension) */
+    if (!x509 ||
+        (SSL_X509_getSAN(p, x509, GEN_DNS, NULL, -1, ids) == FALSE && !*ids)) {
+        *ids = NULL;
+        return FALSE;
+    }
 
     /* Second, the CN-IDs (commonName attributes in the subject DN) */
     subj = X509_get_subject_name(x509);
-    i = -1;
     while ((i = X509_NAME_get_index_by_NID(subj, NID_commonName, i)) != -1) {
-        cpp = (char **)apr_array_push(*ids);
-        *cpp = SSL_X509_NAME_ENTRY_to_string(p, X509_NAME_get_entry(subj, i));
+        APR_ARRAY_PUSH(*ids, const char *) = 
+            SSL_X509_NAME_ENTRY_to_string(p, X509_NAME_get_entry(subj, i));
     }
 
     return apr_is_empty_array(*ids) ? FALSE : TRUE;
diff --git a/modules/ssl/ssl_util_ssl.h b/modules/ssl/ssl_util_ssl.h
index 4b882db..be07ab7 100644
--- a/modules/ssl/ssl_util_ssl.h
+++ b/modules/ssl/ssl_util_ssl.h
@@ -65,8 +65,10 @@ EVP_PKEY   *SSL_read_PrivateKey(char *, EVP_PKEY **, pem_password_cb *, void *);
 int         SSL_smart_shutdown(SSL *ssl);
 BOOL        SSL_X509_isSGC(X509 *);
 BOOL        SSL_X509_getBC(X509 *, int *, int *);
+char       *SSL_ASN1_STRING_to_utf8(apr_pool_t *, ASN1_STRING *);
 char       *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne);
 char       *SSL_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int);
+BOOL        SSL_X509_getSAN(apr_pool_t *, X509 *, int, const char *, int, apr_array_header_t **);
 BOOL        SSL_X509_getIDs(apr_pool_t *, X509 *, apr_array_header_t **);
 BOOL        SSL_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *);
 BOOL        SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);