You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Martin Kraemer <ma...@apache.org> on 2005/07/22 09:57:08 UTC

[PATCH] SetenvIf OID("2.16.840.1.113730.1.13") "(.*)" NetscapeComment=$1

Hi everybody,

Based on a discussion with David Reid and Dirk-Willem van Gulik
since yesterday it is possible to allow or deny access
based on the (string) values of arbitrary X509 extension fields in an
SSL certificate, identified by their object oid (OID):

  # Require the user to have a certain NsComment in the cert, or be ASF committer
  SSLRequire "TinyCA Generated Certificate" in Oid("2.16.840.1.113730.1.13") \
        || "committers"                   in Oid("1.3.6.1.4.1.18060.1")

This allows flexible control to extension fields for which there
is no "standard" name (as for the SSL_CLIENT_I_DN_x509 values).

In another discussion with Mads Toftum we talked about how to pass
such an OID information to a backhand program (e.g., a ProxyPass
server) or just to any Apache module that might want to check
access (or do anything else) based on the OID values.

I then came up with the idea of extracting the values of
SSL certificate extensions into environment variables, so that
their value could be used by any module aware of environment
variables, as in:

   SetenvIf Oid("1.3.6.1.4.1.18060.1") "committers" svnaccess=rw
   <Directory /my/repos>
     <LimitExcept GET POST>
       Order deny,allow
       Deny from all
       Allow from env=svnaccess
     </LimitExcept>
   </Directory>

or similar would for instance allow to check the environment
variable $svnaccess for allowing/denying read/write access.

Similarly,
  SetEnvIf OID("2.16.840.1.113730.1.13") "(TinyCA) Generated (Certificate)" Yes_this_certificate_is_from_TinyCA=$1_$2
sets
  Yes_this_certificate_is_from_TinyCA=TinyCA_Certificate

or if you want the var to be set to the oid's value directly, use
  SetenvIf OID("2.16.840.1.113730.1.13") "(.*)" NetscapeComment=$1

Note that it is technically allowed to have multiple instances
of an extension field, all with the same oid. In this case, the
environment variable will be set to the list of all fields, separated
by commas.

Nice things can be done with environment variables, see
  manual/env.html#using
in the docs.

Do you think this is useful?

The [PATCH] uses a cross-module call from mod_setenvif to
mod_ssl (the latter may also be missing: in this case the
variable will never be set). It calls a common function
in the ssl module that returns the list of OID extension
values as an apr array. That same function is also used for
the SSLRequire directive's test.

    Martin