From 013bf67e7a99aae26bdbcf4f4ee63b2ca7fcaf3c Mon Sep 17 00:00:00 2001
From: Andrea Ceccanti <andrea.ceccanti@gmail.com>
Date: Fri, 2 Aug 2019 12:11:27 +0200
Subject: [PATCH] do not return a ca certificate as the client eec

When the client certificate chain contains a CA certificate, the
ngx_http_voms_module may return that CA certificate as the end-entity
certificate (EEC) instead of the actual end-entity certificate.

This fix should resolve that issue.

Issue: https://baltig.infn.it/storm2/ngx_http_voms_module/issues/23
---
 src/ngx_http_voms_module.cpp | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/ngx_http_voms_module.cpp b/src/ngx_http_voms_module.cpp
index 465fa96..a22e374 100644
--- a/src/ngx_http_voms_module.cpp
+++ b/src/ngx_http_voms_module.cpp
@@ -517,6 +517,11 @@ static uint32_t X509_get_extension_flags(X509* x)
 }
 #endif
 
+static bool is_ca(X509* cert)
+{
+  return X509_get_extension_flags(cert) & EXFLAG_CA;
+}
+
 static bool is_proxy(X509* cert)
 {
   return X509_get_extension_flags(cert) & EXFLAG_PROXY;
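Review bot: The new is_ca helper carries no comment on what it actually tests, and as far as I recall OpenSSL sets EXFLAG_CA from the basicConstraints extension only, so a CA certificate that lacks basicConstraints (for example an old X.509v1 root) would not be recognised by this check and could still be picked as the EEC by the caller; if such CAs can legitimately appear in a client chain here, that case should be handled or at least documented. I would add above the function `// True when OpenSSL flagged the certificate as a CA (EXFLAG_CA, i.e. basicConstraints cA=TRUE); CA certs without basicConstraints are not detected.` The closing brace of is_proxy lies outside the hunk.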
@@ -536,10 +541,10 @@ static X509* get_ee_cert(ngx_http_request_t* r)
   if (sk_X509_num(chain) == 0) {
     ee_cert = SSL_get_peer_certificate(r->connection->ssl->connection);
   } else {
-    // find first non-proxy
+    // find first non-proxy and non-ca cert
     for (int i = 0; i != sk_X509_num(chain); ++i) {
       auto cert = sk_X509_value(chain, i);
-      if (cert && !is_proxy(cert)) {
+      if (cert && !is_proxy(cert) && !is_ca(cert)) {
         ee_cert = cert;
         break;
       }
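Review bot: With the added `!is_ca(cert)` condition the loop can now finish without assigning ee_cert at all — for instance when the client presents its EEC directly and the chain holds only the CA certificate that this fix skips — whereas before the CA was (wrongly) returned, so callers may now get whatever ee_cert was initialised to earlier in get_ee_cert, outside this hunk. Since the zero-length-chain branch already treats the peer certificate as the EEC, the natural completion is to fall back to it after the loop when nothing matched, e.g. `if (ee_cert == nullptr) { auto peer = SSL_get_peer_certificate(r->connection->ssl->connection); if (peer && !is_proxy(peer) && !is_ca(peer)) ee_cert = peer; }`, and to make sure every caller tolerates a null result. Note that SSL_get_peer_certificate returns a reference the caller owns while sk_X509_value does not, so whichever path fills ee_cert, the ownership has to be handled consistently by the code after the hunk; the rest of get_ee_cert is not visible here.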
-- 
GitLab