Bug 47514

Summary: Personal data and restrictions based on subject directory attributes extension
Product: Apache httpd-2
Reporter: Jordi Marine <jmarine>
Component: mod_ssl
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW
Severity: enhancement
Keywords: PatchAvailable
Priority: P2
Version: 2.5-HEAD
Target Milestone: ---
Hardware: All
OS: All
Attachments:
  Patch to add basic support for Subject Directory Attributes extension
  Patch to add basic support for Subject Directory Attributes extension (revision 2)

Description Jordi Marine 2009-07-12 11:58:37 UTC
Created attachment 23961
Patch to add basic support for Subject Directory Attributes extension

Hello everyone.

I think "mod_ssl" doesn't have enough support for the Subject Directory Attributes extension (which may contain personal data). It doesn't generate environment variables for the common attributes, and restrictions seem impossible (the PeerExtList "function" returns a mix of all attribute values with incorrect characters, but doesn't allow selecting one of the attributes of the "SDA").

So, I would like to contribute the attached patch to add basic support for the Subject Directory Attributes extension. It generates the following environment variables (when present in the peer certificate, and the new "SubjectDirAttrVars" option is enabled in "SSLOptions"):

SSL_CLIENT_EXT_SDA_GENDER
SSL_CLIENT_EXT_SDA_COUNTRYOFRESIDENCE_n
SSL_CLIENT_EXT_SDA_COUNTRYOFCITIZENSHIP_n
SSL_CLIENT_EXT_SDA_PLACEOFBIRTH
SSL_CLIENT_EXT_SDA_DATEOFBIRTH
SSL_CLIENT_EXT_SDA_AGE


It is also possible to add restrictions on the previous variables.
For example:
SSLRequire %{SSL_CLIENT_EXT_SDA_AGE} >= 18

That can be very useful for restricting adult content when using client credentials like the Spanish electronic National Identity Card (DNIe).


The enhancements are only implemented for the OpenSSL toolkit (I don't have the SSL-C toolkit).

But I expect you will find it interesting enough to commit the patch to the Apache server project.

-----
Jordi Marine
<jmarine@dev.java.net>
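As an added example (not part of the report, and not the patch's code): a pure-Python decoder for the SubjectDirectoryAttributes extension value defined in RFC 3739, producing the SSL_CLIENT_EXT_SDA_* names proposed above, deriving AGE from dateOfBirth as of a given date, and applying a fail-closed version of the `SSLRequire %{SSL_CLIENT_EXT_SDA_AGE} >= 18` check. The attribute OIDs are those of RFC 3739 section 3.2.2; the sample extension bytes are constructed here, and the 0-based `_n` suffix, `REPORT_DATE`, and the helper names are assumptions of this example.

```python
"""SubjectDirectoryAttributes (RFC 3739) -> SSL_CLIENT_EXT_SDA_* variables.
Added example for this report, not the patch's code; pure Python, no extra modules."""
from datetime import date

# Personal-data attribute OIDs from RFC 3739 section 3.2.2 (id-pda arc).
PDA_OIDS = {
    "1.3.6.1.5.5.7.9.1": "DATEOFBIRTH",
    "1.3.6.1.5.5.7.9.2": "PLACEOFBIRTH",
    "1.3.6.1.5.5.7.9.3": "GENDER",
    "1.3.6.1.5.5.7.9.4": "COUNTRYOFCITIZENSHIP",
    "1.3.6.1.5.5.7.9.5": "COUNTRYOFRESIDENCE",
}
MULTI_VALUED = {"COUNTRYOFCITIZENSHIP", "COUNTRYOFRESIDENCE"}  # exported as NAME_n; 0-based is an assumption
REPORT_DATE = date(2009, 7, 12)  # "today" for the age computation, so results are reproducible

# Minimal DER encoder, used only to build the constructed sample below (short-form lengths suffice).
def tlv(tag, body):
    assert len(body) < 0x80, "sample encoder only handles short-form lengths"
    return bytes([tag, len(body)]) + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def attribute(dotted, *values):
    # Attribute ::= SEQUENCE { type OBJECT IDENTIFIER, values SET OF AttributeValue }
    return tlv(0x30, der_oid(dotted) + tlv(0x31, b"".join(values)))

# Constructed sample extension value; not taken from a real certificate.
SAMPLE_SDA = tlv(0x30, b"".join([
    attribute("1.3.6.1.5.5.7.9.1", tlv(0x18, b"19900512000000Z")),  # GeneralizedTime
    attribute("1.3.6.1.5.5.7.9.2", tlv(0x0C, "Girona".encode())),   # UTF8String
    attribute("1.3.6.1.5.5.7.9.3", tlv(0x13, b"F")),                # PrintableString
    attribute("1.3.6.1.5.5.7.9.4", tlv(0x13, b"ES"), tlv(0x13, b"FR")),  # SET OF, already in DER order
]))

def _read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _decode_value(tag, body):
    if tag in (0x0C, 0x13, 0x16, 0x18):     # UTF8String, PrintableString, IA5String, GeneralizedTime
        return body.decode("utf-8")
    return body.hex()                       # other types: export raw hex rather than guess

def age_from_generalized_time(gt, today):
    born = date(int(gt[0:4]), int(gt[4:6]), int(gt[6:8]))
    years = today.year - born.year
    if (today.month, today.day) < (born.month, born.day):
        years -= 1                          # birthday not yet reached this year
    return years

def sda_env_vars(ext_value, today):
    env = {}
    _, seq, _ = _read_tlv(ext_value, 0)     # SubjectDirectoryAttributes ::= SEQUENCE OF Attribute
    pos = 0
    while pos < len(seq):
        _, attr, pos = _read_tlv(seq, pos)
        _, oid_body, p = _read_tlv(attr, 0)
        name = PDA_OIDS.get(_decode_oid(oid_body))
        if name is None:
            continue                        # unknown attribute type: not exported
        _, set_body, _ = _read_tlv(attr, p)
        values, vp = [], 0
        while vp < len(set_body):
            tag, body, vp = _read_tlv(set_body, vp)
            values.append(_decode_value(tag, body))
        if name in MULTI_VALUED:            # one variable per value: NAME_0, NAME_1, ...
            env.update({f"SSL_CLIENT_EXT_SDA_{name}_{i}": v for i, v in enumerate(values)})
        elif values:
            env[f"SSL_CLIENT_EXT_SDA_{name}"] = values[0]
    dob = env.get("SSL_CLIENT_EXT_SDA_DATEOFBIRTH")
    if dob:
        env["SSL_CLIENT_EXT_SDA_AGE"] = str(age_from_generalized_time(dob, today))
    return env

def age_check(env, minimum):
    """Fail-closed equivalent of `SSLRequire %{SSL_CLIENT_EXT_SDA_AGE} >= minimum`."""
    age = env.get("SSL_CLIENT_EXT_SDA_AGE")
    return age is not None and int(age) >= minimum

def sample_env():
    return sda_env_vars(SAMPLE_SDA, REPORT_DATE)
```

Two points worth keeping in mind when using variables like these for access control: they are only as trustworthy as the CA that issued the client certificate, since mod_ssl exports them after chain verification and the server does nothing else to validate their content; and the check should deny when the attribute is absent, as `age_check` does, so a certificate without the extension never passes an age restriction.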
Comment 1 Jordi Marine 2009-07-13 06:38:56 UTC
Created attachment 23967
Patch to add basic support for Subject Directory Attributes extension (revision 2)

The first patch didn't free the peer certificate memory when generating the new environment variables for the "SubjectDirAttrVars" option while the "Subject Directory Attributes" extension was not present in the client certificate. The second patch also includes the proposed enhancement, and fixes this memory issue.