Actual fix for issue-23

And related test.

Actual fix for issue-23
4fb22be2 · Andrea Ceccanti · 013bf67e · 4fb22be2 · 4fb22be2 · 4fb22be2
Commit 4fb22be2 authored 5 years ago by Andrea Ceccanti
--- a/src/ngx_http_voms_module.cpp
+++ b/src/ngx_http_voms_module.cpp
@@ -519,7 +519,7 @@ static uint32_t X509_get_extension_flags(X509* x)
 static bool is_ca(X509* cert)
 {
-  return X509_get_extension_flags(cert) & EXFLAG_CA;
+  return X509_check_ca(cert) != 0;
 }
 static bool is_proxy(X509* cert)
@@ -544,11 +544,18 @@ static X509* get_ee_cert(ngx_http_request_t* r)
    // find first non-proxy and non-ca cert
    for (int i = 0; i != sk_X509_num(chain); ++i) {
      auto cert = sk_X509_value(chain, i);
-      if (cert && !is_proxy(cert) && !is_ca(cert)) {
+      if (is_ca(cert)) {
+        break;
+      }
+      if (cert && !is_proxy(cert)) {
        ee_cert = cert;
        break;
      }
    }
+    if (!ee_cert) {
+      ee_cert = SSL_get_peer_certificate(r->connection->ssl->connection);
+    }
  }
  return ee_cert;

--- a/t/certs/9.key.pem
+++ b/t/certs/9.key.pem
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAysba8IaGdu0scSEo5UalpgVgelPjf8VtpEtblH60EWr+mrlb
+ZrRFuOSeOFU4t1lumNdd0QcJkuqFvt5c8gQWVT6p4Vff1ZE8S6fN4BlVbxwE4BoJ
+I3k8SLDhPk5DygKGSf0BXAnz4d1nWdwDSNeFmJADPVV7Em4dqJArFhmuKOqc7dz7
+dcypMjuD1tHAZJXrQyJiStr7n7g1TZuyM/8t//KWPKdzKIsGxfz3Um2u10AMQVlC
+TKGpXofMcvB0kTp+7RdmpcaAyx+EFoaelA59q7zlrHgalDD1xY7FItf65MNaBwIz
+K6E5OZS9eRiNCxneXU1aKZClxW002MUpD89TCwIDAQABAoIBAQCEcGTG+9YPDtEc
+AoBnX0EJsjFVND0+UoBN8joaPrb1OWCZRb8A0XVIUWlVebPVbL/ja6aGw4XpQuuf
+wjQKjcjYXFkwKOi04Gr1LuA0Ide+/hnhFKArXx+UipJS02NLKWL0KB8fMhDr0GOU
+OTKb/Mfw4P58rLv5SZptYdwCTzuE1KwL++ty6+v7qZC9WLjPnQ6zalBW/0rTn87o
+cA866a3qHlw9MJz7C7qqMrXCu9UrWQCeSuTz5mtxt8+mwoGfl8xTKQW+7yR2qOmG
+wLGoyLemgIUxL8xJn9YVTcDVSfVehRUsnPYYsHy7f0RqtJ3NPDcwoxN1BGnO1lY8
+hZHodX3BAoGBAPwicjNq51XBHEQ12h9dD3eC7cIRGjj+0WL5NrmOK/IoJLR6VP1D
+S4e54zMEtP34mxDmzf1E7AqelVnGI5AzfjgVJFpPfAFOsilO3CPx+TnEeWx9HU3q
+fyFf4vrjJ8RVolTthX3rksBP37zM28QjZQTaZ7Db+n4kBw/gy2YfYZpDAoGBAM3i
+scOr7N5E/7EUARbxn95TLrHG+P4JKo5vSkBTw4kLMG42s9BsEuTBnsFH2c0IL4tH
+VjaEHOAtqZH/rj6RNZEbVRpncECIquIphYoaO+wWMxBkXLRZPalOFX40C4kE0MKV
+Xx97fV7uwTpQv+146C+UxyixRkJPIH+GJrLBTcuZAoGAcfFbLLNmIhHoJUc08LGM
+mNTZf7dc41783z6Cpa6DW6cal1klaWLtEkRGUbsR1ChyY1v6wTdReKccFXr+fV9X
+7h5X1FxRTQH0b8iMoc3rdFi/CvEruhd8Jmf/2qOnSAnvF3RTvIkmQ7SVBuyJcIUS
+VPQiogF3nWPIsTtEkD0kTaMCgYAz+sHqpuNckosDiAtmYYZ9OP8W/ycp6+KEp3BV
+oVBCr0KA8Oqg+kgi3QdZwOwqKaDnRxFrHhu0NZMUOzsgrMSbaA0qZ2cdw+Nwyg7e
+RSb3Fb0EoKdPdKlhgNDI5yt8TtLhS7I4gKbDyhVssFiER59tNA7Y9ZbM2L/Dz2B
+7+/WMQKBgQDQVr4avU3VW1vo2P9UOUI+HAKw/nBVrRafOHqGDSzi+K7X0Rhy5lW6
+5GEwvW8sl3J6GtHAe3nKjztiTM9FzLkvUsMYASeczVJNOLQzsgLVHoSmWttpDUwA
+6PoOMroAOGR1r9WDBi4RwAk4c/2m5Z+l9CCp4wS6zBch140p5FH2tg==
+-----END RSA PRIVATE KEY-----
--- a/t/certs/9.pem
+++ b/t/certs/9.pem
+-----BEGIN CERTIFICATE-----
+MIIDnjCCAoagAwIBAgIBCTANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJJVDEM
+MAoGA1UECgwDSUdJMRAwDgYDVQQDDAdUZXN0IENBMB4XDTEyMDkyNjE1MzkzNFoX
+DTIyMDkyNDE1MzkzNFowKzELMAkGA1UEBhMCSVQxDDAKBgNVBAoTA0lHSTEOMAwG
+A1UEAxMFdGVzdDAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKxtrw
+hoZ27SxxISjlRqWmBWB6U+N/xW2kS1uUfrQRav6auVtmtEW45J44VTi3WW6Y113R
+BwmS6oW+3lzyBBZVPqnhV9/VkTxLp83gGVVvHATgGgkjeTxIsOE+TkPKAoZJ/QFc
+CfPh3WdZ3ANI14WYkAM9VXsSbh2okCsWGa4o6pzt3Pt1zKkyO4PW0cBkletDImJK
+2vufuDVNm7Iz/y3/8pY8p3MoiwbF/PdSba7XQAxBWUJMoaleh8xy8HSROn7tF2al
+xoDLH4QWhp6UDn2rvOWseBqUMPXFjsUi1/rkw1oHAjMroTk5lL15GI0LGd5dTVop
+kKXFbTTYxSkPz1MLAgMBAAGjgcowgccwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU
+fLdB5+jO9LyWN2/VCNYgMa0jvHEwDgYDVR0PAQH/BAQDAgXgMD4GA1UdJQQ3MDUG
+CCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBBggrBgEF
+BQcDBDAfBgNVHSMEGDAWgBSRdzZ7LrRp8yfqt/YIi0ojohFJxjAnBgNVHREEIDAe
+gRxhbmRyZWEuY2VjY2FudGlAY25hZi5pbmZuLml0MA0GCSqGSIb3DQEBBQUAA4IB
+AQANYtWXetheSeVpCfnId9TkKyKTAp8RahNZl4XFrWWn2S9We7ACK/G7u1DebJYx
+d8POo8ClscoXyTO2BzHHZLxauEKIzUv7g2GehI+SckfZdjFyRXjD0+wMGwzX7MDu
+SL3CG2aWsYpkBnj6BMlr0P3kZEMqV5t2+2Tj0+aXppBPVwzJwRhnrSJiO5WIZAZf
+49YhMn61sQIrepvhrKEUR4XVorH2Bj8ek1/iLlgcmFMBOds+PrehSRR8Gn0IjlEg
+C68EY6KPE+FKySuS7Ur7lTAjNdddfdAgKV6hJyST6/dx8ymIkb8nxCPnxCcT2I2N
+vDxcPMc/wmnMa+smNal0sJ6m
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDgDCCAmigAwIBAgIJAMzDwAv7o5VUMA0GCSqGSIb3DQEBBQUAMC0xCzAJBgNV
+BAYTAklUMQwwCgYDVQQKDANJR0kxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMTIwOTI2
+MTUwMDU0WhcNMjIwOTI0MTUwMDU0WjAtMQswCQYDVQQGEwJJVDEMMAoGA1UECgwD
+SUdJMRAwDgYDVQQDDAdUZXN0IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA9u4Fgtj7YpMRql3NAasEUmP6Byv/CH+dPZNzSxfNCMOPqARLBWS/2Ora
+m5cRpoBByT0LpjDCFBJhLrBKvCvmWOTfS1jYsQwSpC/5scButthlcNOhLKQSZblS
+8Pa7HoFS4zQFwCwWOYbOLF+FblYRgSY30WMi361giydeV8iei8KNH2FIoDyo9kjV
+gYQKp76LFv7urGhc5sHA+HWq7+AfyivtZC+a55Rw6EHXOQ+vih5TPXa1t5RL7IkY
+4U7Ld5ExptBIDx0UkSihYexAY4RGXVUaq535dGtJQ8/NYMrJ5NMGt2X0bRszArnE
+EKc/qdAcgcalgoiaZtVkq45eXADXzwIDAQABo4GiMIGfMB0GA1UdDgQWBBSRdzZ7
+LrRp8yfqt/YIi0ojohFJxjBdBgNVHSMEVjBUgBSRdzZ7LrRp8yfqt/YIi0ojohFJ
+xqExpC8wLTELMAkGA1UEBhMCSVQxDDAKBgNVBAoMA0lHSTEQMA4GA1UEAwwHVGVz
+dCBDQYIJAMzDwAv7o5VUMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEG
+MA0GCSqGSIb3DQEBBQUAA4IBAQB379cvZmfCLvGdoGbW+6ppDNy3pT9hqYmZAlfV
+FGZSEaTKjGCbPuErUNC6+7zhij5CmMtMRhccI3JswjPHPQGm12jiEC492J6Avj/x
+PL8vcBRofe4whXefDVgUw8G1nkQYr2BF0jzeiN72ToISGMbt/q94QV70lYCo/Tog
+UQQ6F+XhztffxQyRgsUXhR4qq1D4h7UifqfQGBzknS23RMLQUdKXG4MhTLMVmxJC
+uY9Oi0It3hk9Qtn0nlZ7rvo5weJGxuRBbZ85Nvw2tIhH7G2osc6zqmHTmUAR4FXb
+l8/ElwGVrURMMuJLDbISVXjBNFuVOS2BdlyEe4x5kfQAWITZ
+-----END CERTIFICATE-----
--- a/t/certs/README.md
+++ b/t/certs/README.md
@@ -13,6 +13,7 @@ Proxy certificates are generated using [VOMS client 3.3.1](http://italiangrid.gi
 * 7.pem: long-lived proxy (3 delegations), without VOMS attributes;
 * 8.pem: long-lived proxy (3 delegations), without VOMS attributes, plus CA
   certificate included in the chain;
+ * 9.pem: EEC plus CA certificate included in the chain.
 To obtain such certificates the following command is used:

--- a/t/eec_cert.t
+++ b/t/eec_cert.t
@@ -55,3 +55,110 @@ GET /
 	vDxcPMc/wmnMa+smNal0sJ6m
 	-----END CERTIFICATE-----
 --- error_code: 200
+=== TEST 2: EEC
+--- main_config
+    env X509_VOMS_DIR=t/vomsdir;
+    env X509_CERT_DIR=t/trust-anchors;
+--- http_config
+    server {
+        error_log logs/error.log debug;
+        listen 8443 ssl;
+        ssl_certificate ../../certs/nginx_voms_example.cert.pem;
+        ssl_certificate_key ../../certs/nginx_voms_example.key.pem;
+        ssl_client_certificate ../../trust-anchors/igi-test-ca.pem;
+        ssl_verify_depth 10;
+        ssl_verify_client on;
+	location = / {
+            default_type text/plain;
+            echo $ssl_client_ee_cert;
+        }
+    }
+--- config
+    location = / {
+        error_log logs/error-proxy.log debug;
+        proxy_pass https://localhost:8443/;
+        proxy_ssl_certificate ../../certs/test0.cert.pem;
+        proxy_ssl_certificate_key ../../certs/9.key.pem;
+    }
+--- request
+GET / 
+--- response_body
+-----BEGIN CERTIFICATE-----
+	MIIDnjCCAoagAwIBAgIBCTANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJJVDEM
+	MAoGA1UECgwDSUdJMRAwDgYDVQQDDAdUZXN0IENBMB4XDTEyMDkyNjE1MzkzNFoX
+	DTIyMDkyNDE1MzkzNFowKzELMAkGA1UEBhMCSVQxDDAKBgNVBAoTA0lHSTEOMAwG
+	A1UEAxMFdGVzdDAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKxtrw
+	hoZ27SxxISjlRqWmBWB6U+N/xW2kS1uUfrQRav6auVtmtEW45J44VTi3WW6Y113R
+	BwmS6oW+3lzyBBZVPqnhV9/VkTxLp83gGVVvHATgGgkjeTxIsOE+TkPKAoZJ/QFc
+	CfPh3WdZ3ANI14WYkAM9VXsSbh2okCsWGa4o6pzt3Pt1zKkyO4PW0cBkletDImJK
+	2vufuDVNm7Iz/y3/8pY8p3MoiwbF/PdSba7XQAxBWUJMoaleh8xy8HSROn7tF2al
+	xoDLH4QWhp6UDn2rvOWseBqUMPXFjsUi1/rkw1oHAjMroTk5lL15GI0LGd5dTVop
+	kKXFbTTYxSkPz1MLAgMBAAGjgcowgccwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU
+	fLdB5+jO9LyWN2/VCNYgMa0jvHEwDgYDVR0PAQH/BAQDAgXgMD4GA1UdJQQ3MDUG
+	CCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBBggrBgEF
+	BQcDBDAfBgNVHSMEGDAWgBSRdzZ7LrRp8yfqt/YIi0ojohFJxjAnBgNVHREEIDAe
+	gRxhbmRyZWEuY2VjY2FudGlAY25hZi5pbmZuLml0MA0GCSqGSIb3DQEBBQUAA4IB
+	AQANYtWXetheSeVpCfnId9TkKyKTAp8RahNZl4XFrWWn2S9We7ACK/G7u1DebJYx
+	d8POo8ClscoXyTO2BzHHZLxauEKIzUv7g2GehI+SckfZdjFyRXjD0+wMGwzX7MDu
+	SL3CG2aWsYpkBnj6BMlr0P3kZEMqV5t2+2Tj0+aXppBPVwzJwRhnrSJiO5WIZAZf
+	49YhMn61sQIrepvhrKEUR4XVorH2Bj8ek1/iLlgcmFMBOds+PrehSRR8Gn0IjlEg
+	C68EY6KPE+FKySuS7Ur7lTAjNdddfdAgKV6hJyST6/dx8ymIkb8nxCPnxCcT2I2N
+	vDxcPMc/wmnMa+smNal0sJ6m
+	-----END CERTIFICATE-----
+--- error_code: 200
+=== TEST 2: chain containing CA certificates
+--- main_config
+    env X509_VOMS_DIR=t/vomsdir;
+    env X509_CERT_DIR=t/trust-anchors;
+--- http_config
+    server {
+        error_log logs/error.log debug;
+        listen 8443 ssl;
+        ssl_certificate ../../certs/nginx_voms_example.cert.pem;
+        ssl_certificate_key ../../certs/nginx_voms_example.key.pem;
+        ssl_client_certificate ../../trust-anchors/igi-test-ca.pem;
+        ssl_verify_depth 10;
+        ssl_verify_client on;
+	location = / {
+            default_type text/plain;
+            echo $ssl_client_ee_cert;
+        }
+    }
+--- config
+    location = / {
+        error_log logs/error-proxy.log debug;
+        proxy_pass https://localhost:8443/;
+        proxy_ssl_certificate ../../certs/9.pem;
+        proxy_ssl_certificate_key ../../certs/9.key.pem;
+    }
+--- request
+GET / 
+--- response_body
+-----BEGIN CERTIFICATE-----
+	MIIDnjCCAoagAwIBAgIBCTANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJJVDEM
+	MAoGA1UECgwDSUdJMRAwDgYDVQQDDAdUZXN0IENBMB4XDTEyMDkyNjE1MzkzNFoX
+	DTIyMDkyNDE1MzkzNFowKzELMAkGA1UEBhMCSVQxDDAKBgNVBAoTA0lHSTEOMAwG
+	A1UEAxMFdGVzdDAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKxtrw
+	hoZ27SxxISjlRqWmBWB6U+N/xW2kS1uUfrQRav6auVtmtEW45J44VTi3WW6Y113R
+	BwmS6oW+3lzyBBZVPqnhV9/VkTxLp83gGVVvHATgGgkjeTxIsOE+TkPKAoZJ/QFc
+	CfPh3WdZ3ANI14WYkAM9VXsSbh2okCsWGa4o6pzt3Pt1zKkyO4PW0cBkletDImJK
+	2vufuDVNm7Iz/y3/8pY8p3MoiwbF/PdSba7XQAxBWUJMoaleh8xy8HSROn7tF2al
+	xoDLH4QWhp6UDn2rvOWseBqUMPXFjsUi1/rkw1oHAjMroTk5lL15GI0LGd5dTVop
+	kKXFbTTYxSkPz1MLAgMBAAGjgcowgccwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU
+	fLdB5+jO9LyWN2/VCNYgMa0jvHEwDgYDVR0PAQH/BAQDAgXgMD4GA1UdJQQ3MDUG
+	CCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBBggrBgEF
+	BQcDBDAfBgNVHSMEGDAWgBSRdzZ7LrRp8yfqt/YIi0ojohFJxjAnBgNVHREEIDAe
+	gRxhbmRyZWEuY2VjY2FudGlAY25hZi5pbmZuLml0MA0GCSqGSIb3DQEBBQUAA4IB
+	AQANYtWXetheSeVpCfnId9TkKyKTAp8RahNZl4XFrWWn2S9We7ACK/G7u1DebJYx
+	d8POo8ClscoXyTO2BzHHZLxauEKIzUv7g2GehI+SckfZdjFyRXjD0+wMGwzX7MDu
+	SL3CG2aWsYpkBnj6BMlr0P3kZEMqV5t2+2Tj0+aXppBPVwzJwRhnrSJiO5WIZAZf
+	49YhMn61sQIrepvhrKEUR4XVorH2Bj8ek1/iLlgcmFMBOds+PrehSRR8Gn0IjlEg
+	C68EY6KPE+FKySuS7Ur7lTAjNdddfdAgKV6hJyST6/dx8ymIkb8nxCPnxCcT2I2N
+	vDxcPMc/wmnMa+smNal0sJ6m
+	-----END CERTIFICATE-----
+--- error_code: 200
--- a/t/eec_chain.t
+++ b/t/eec_chain.t
+use Test::Nginx::Socket 'no_plan';
+run_tests();
+__DATA__
+=== TEST 1: EEC chain containing CA certificate
+--- main_config
+    env X509_VOMS_DIR=t/vomsdir;
+    env X509_CERT_DIR=t/trust-anchors;
+--- http_config
+    server {
+        error_log logs/error.log debug;
+        listen 8443 ssl;
+        ssl_certificate ../../certs/nginx_voms_example.cert.pem;
+        ssl_certificate_key ../../certs/nginx_voms_example.key.pem;
+        ssl_client_certificate ../../trust-anchors/igi-test-ca.pem;
+        ssl_verify_depth 10;
+        ssl_verify_client on;
+	location = / {
+            default_type text/plain;
+            echo $ssl_client_ee_cert;
+        }
+    }
+--- config
+    location = / {
+        error_log logs/error-proxy.log debug;
+        proxy_pass https://localhost:8443/;
+        proxy_ssl_certificate ../../certs/9.pem;
+        proxy_ssl_certificate_key ../../certs/9.key.pem;
+    }
+--- request
+GET / 
+--- response_body
+-----BEGIN CERTIFICATE-----
+	MIIDnjCCAoagAwIBAgIBCTANBgkqhkiG9w0BAQUFADAtMQswCQYDVQQGEwJJVDEM
+	MAoGA1UECgwDSUdJMRAwDgYDVQQDDAdUZXN0IENBMB4XDTEyMDkyNjE1MzkzNFoX
+	DTIyMDkyNDE1MzkzNFowKzELMAkGA1UEBhMCSVQxDDAKBgNVBAoTA0lHSTEOMAwG
+	A1UEAxMFdGVzdDAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKxtrw
+	hoZ27SxxISjlRqWmBWB6U+N/xW2kS1uUfrQRav6auVtmtEW45J44VTi3WW6Y113R
+	BwmS6oW+3lzyBBZVPqnhV9/VkTxLp83gGVVvHATgGgkjeTxIsOE+TkPKAoZJ/QFc
+	CfPh3WdZ3ANI14WYkAM9VXsSbh2okCsWGa4o6pzt3Pt1zKkyO4PW0cBkletDImJK
+	2vufuDVNm7Iz/y3/8pY8p3MoiwbF/PdSba7XQAxBWUJMoaleh8xy8HSROn7tF2al
+	xoDLH4QWhp6UDn2rvOWseBqUMPXFjsUi1/rkw1oHAjMroTk5lL15GI0LGd5dTVop
+	kKXFbTTYxSkPz1MLAgMBAAGjgcowgccwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU
+	fLdB5+jO9LyWN2/VCNYgMa0jvHEwDgYDVR0PAQH/BAQDAgXgMD4GA1UdJQQ3MDUG
+	CCsGAQUFBwMBBggrBgEFBQcDAgYKKwYBBAGCNwoDAwYJYIZIAYb4QgQBBggrBgEF
+	BQcDBDAfBgNVHSMEGDAWgBSRdzZ7LrRp8yfqt/YIi0ojohFJxjAnBgNVHREEIDAe
+	gRxhbmRyZWEuY2VjY2FudGlAY25hZi5pbmZuLml0MA0GCSqGSIb3DQEBBQUAA4IB
+	AQANYtWXetheSeVpCfnId9TkKyKTAp8RahNZl4XFrWWn2S9We7ACK/G7u1DebJYx
+	d8POo8ClscoXyTO2BzHHZLxauEKIzUv7g2GehI+SckfZdjFyRXjD0+wMGwzX7MDu
+	SL3CG2aWsYpkBnj6BMlr0P3kZEMqV5t2+2Tj0+aXppBPVwzJwRhnrSJiO5WIZAZf
+	49YhMn61sQIrepvhrKEUR4XVorH2Bj8ek1/iLlgcmFMBOds+PrehSRR8Gn0IjlEg
+	C68EY6KPE+FKySuS7Ur7lTAjNdddfdAgKV6hJyST6/dx8ymIkb8nxCPnxCcT2I2N
+	vDxcPMc/wmnMa+smNal0sJ6m
+	-----END CERTIFICATE-----
+--- error_code: 200