Commit 28c01480 authored by Andrea Ceccanti's avatar Andrea Ceccanti

Merge branch 'issue-23' into 'master'

Do not return CA certificates as the EEC

See merge request storm2/ngx_http_voms_module!13
parents ef792a9b 013bf67e
1 merge request!13Do not return CA certificates as the EEC
Pipeline #23534 passed
...@@ -517,6 +517,11 @@ static uint32_t X509_get_extension_flags(X509* x) ...@@ -517,6 +517,11 @@ static uint32_t X509_get_extension_flags(X509* x)
} }
#endif #endif
static bool is_ca(X509* cert)
{
return X509_get_extension_flags(cert) & EXFLAG_CA;
}
static bool is_proxy(X509* cert) static bool is_proxy(X509* cert)
{ {
return X509_get_extension_flags(cert) & EXFLAG_PROXY; return X509_get_extension_flags(cert) & EXFLAG_PROXY;
...@@ -536,10 +541,10 @@ static X509* get_ee_cert(ngx_http_request_t* r) ...@@ -536,10 +541,10 @@ static X509* get_ee_cert(ngx_http_request_t* r)
if (sk_X509_num(chain) == 0) { if (sk_X509_num(chain) == 0) {
ee_cert = SSL_get_peer_certificate(r->connection->ssl->connection); ee_cert = SSL_get_peer_certificate(r->connection->ssl->connection);
} else { } else {
// find first non-proxy // find first non-proxy and non-ca cert
for (int i = 0; i != sk_X509_num(chain); ++i) { for (int i = 0; i != sk_X509_num(chain); ++i) {
auto cert = sk_X509_value(chain, i); auto cert = sk_X509_value(chain, i);
if (cert && !is_proxy(cert)) { if (cert && !is_proxy(cert) && !is_ca(cert)) {
ee_cert = cert; ee_cert = cert;
break; break;
} }
......
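Review bot: `is_ca()` tests only `EXFLAG_CA`, which OpenSSL sets from a basicConstraints extension with CA:TRUE, so a CA certificate that lacks that extension would still pass `!is_ca(cert)` in `get_ee_cert()` and be returned as the EEC. Examples are a self-signed X.509 v1 root, or a legacy CA marked only through keyUsage keyCertSign or the Netscape cert-type extension. `X509_check_ca()` recognises those forms as well, so the helper body could be `return X509_check_ca(cert) != 0;`. A one-line comment on `is_ca()` saying which CA forms it is meant to recognise would make the intent checkable. The body of `get_ee_cert()` continues outside the visible lines, so how a chain holding only proxy and CA certificates is handled cannot be judged from here.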