Bug 47514 - Personal data and restrictions based on subject directory attributes extension
Summary: Personal data and restrictions based on subject directory attributes extension
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.5-HEAD
Hardware: All All
Importance: P2 enhancement
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: PatchAvailable
Depends on:
Blocks:
 
Reported: 2009-07-12 11:58 UTC by Jordi Marine
Modified: 2009-07-13 06:38 UTC
CC List: 0 users



Attachments
Patch to add basic support for Subject Directory Attributes extension (13.13 KB, patch)
2009-07-12 11:58 UTC, Jordi Marine
Patch to add basic support for Subject Directory Attributes extension (revision 2) (13.34 KB, patch)
2009-07-13 06:38 UTC, Jordi Marine

Description Jordi Marine 2009-07-12 11:58:37 UTC
Created attachment 23961
Patch to add basic support for Subject Directory Attributes extension

Hello everyone.

I think "mod_ssl" doesn't have enough support for the Subject Directory Attributes extension (which may contain personal data). It doesn't generate environment variables for the common attributes, and restrictions seem impossible (the PeerExtList "function" returns a mix of all attribute values with incorrect characters, but doesn't allow selecting one of the attributes of the "SDA").

So, I would like to contribute the attached patch to add basic support for Subject Directory Attributes extension. It generates the following environment variables (when present in peer certificate, and the new "SubjectDirAttrVars" option is enabled in "SSLOptions"):

SSL_CLIENT_EXT_SDA_GENDER
SSL_CLIENT_EXT_SDA_COUNTRYOFRESIDENCE_n
SSL_CLIENT_EXT_SDA_COUNTRYOFCITIZENSHIP_n
SSL_CLIENT_EXT_SDA_PLACEOFBIRTH
SSL_CLIENT_EXT_SDA_DATEOFBIRTH
SSL_CLIENT_EXT_SDA_AGE


It is also possible to add restrictions on the previous variables.
For example:
SSLRequire %{SSL_CLIENT_EXT_SDA_AGE} >= 18

That can be very useful to restrict adult content when using client credentials like the Spanish electronic National Identity Card (DNIe).


The enhancements are only implemented for the OpenSSL toolkit (I don't have the SSL-C toolkit).

But I expect you will find it interesting enough to commit the patch to the Apache server project.

-----
Jordi Marine
<jmarine@dev.java.net>
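To make the attribute handling concrete, the following is an added example in Python; it is not the patch's code (which is C inside mod_ssl) nor anything from httpd. It decodes a constructed Subject Directory Attributes value, builds the SSL_CLIENT_EXT_SDA_* variables listed in the report and applies the age restriction from the SSLRequire line. The attribute OIDs are the ones RFC 3739 assigns under id-pda (1.3.6.1.5.5.7.9). The zero-based `_n` numbering, the reference date passed in for the AGE computation, the deny-on-missing behaviour of `age_at_least`, and the helper names `tlv`, `read_tlv`, `children`, `decode_oid`, `parse_sda`, `sda_env` and `_pda_attr` are all assumptions of this example.

```python
"""Added example (not code from the patch or from httpd): decode an X.509
Subject Directory Attributes extension (RFC 3739, section 3.3.2), derive the
SSL_CLIENT_EXT_SDA_* variables the patch proposes and apply the age check."""
from datetime import date

# Personal-data attribute OIDs under the RFC 3739 id-pda arc 1.3.6.1.5.5.7.9.
PDA_OIDS = {"1.3.6.1.5.5.7.9.1": "DATEOFBIRTH", "1.3.6.1.5.5.7.9.2": "PLACEOFBIRTH",
            "1.3.6.1.5.5.7.9.3": "GENDER", "1.3.6.1.5.5.7.9.4": "COUNTRYOFCITIZENSHIP",
            "1.3.6.1.5.5.7.9.5": "COUNTRYOFRESIDENCE"}
# The patch exposes these with an _n suffix; numbering from 0 is an assumption here.
MULTI_VALUED = {"COUNTRYOFCITIZENSHIP", "COUNTRYOFRESIDENCE"}

def tlv(tag, body):
    """DER tag-length-value; long-form length is produced when needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(buf):             # never trust a length from the wire
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """(tag, value) for each element of a constructed value."""
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value

def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_sda(ext_value):
    """SEQUENCE OF Attribute { type OID, values SET OF AttributeValue } -> name: [values].
    Values are decoded as UTF-8 (covers PrintableString, UTF8String, GeneralizedTime)."""
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("SubjectDirectoryAttributes must be a SEQUENCE")
    attrs = {}
    for atag, attr in children(seq):
        (otag, oid), (stag, values) = list(children(attr))
        if (atag, otag, stag) != (0x30, 0x06, 0x31):
            raise ValueError("malformed Attribute")
        name = PDA_OIDS.get(decode_oid(oid))
        if name:                             # attributes outside id-pda are ignored
            attrs[name] = [v.decode("utf-8") for _, v in children(values)]
    return attrs

def sda_env(attrs, today_iso):
    """Build the SSL_CLIENT_EXT_SDA_* variables; AGE comes from DATEOFBIRTH
    (GeneralizedTime YYYYMMDDhhmmssZ) against today_iso, passed in for reproducibility."""
    env = {}
    for name, values in attrs.items():
        if name in MULTI_VALUED:
            for i, v in enumerate(values):
                env[f"SSL_CLIENT_EXT_SDA_{name}_{i}"] = v
        elif values:
            env[f"SSL_CLIENT_EXT_SDA_{name}"] = values[0]
    dob = env.get("SSL_CLIENT_EXT_SDA_DATEOFBIRTH")
    if dob:
        born = date(int(dob[:4]), int(dob[4:6]), int(dob[6:8]))
        today = date.fromisoformat(today_iso)
        age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
        env["SSL_CLIENT_EXT_SDA_AGE"] = str(age)
    return env

def age_at_least(env, minimum):
    """Semantics of `SSLRequire %{SSL_CLIENT_EXT_SDA_AGE} >= 18`: absent or malformed denies."""
    try:
        return int(env["SSL_CLIENT_EXT_SDA_AGE"]) >= minimum
    except (KeyError, ValueError):
        return False

def _pda_attr(arc, *vals):
    # Attribute for id-pda arc number `arc` (OID body 2B 06 01 05 05 07 09 <arc>).
    oid = tlv(0x06, b"\x2b\x06\x01\x05\x05\x07\x09" + bytes([arc]))
    return tlv(0x30, oid + tlv(0x31, b"".join(vals)))

# Constructed sample extension value; it is not taken from any real certificate.
SAMPLE_SDA = tlv(0x30, b"".join([
    _pda_attr(1, tlv(0x18, b"19900712120000Z")),          # dateOfBirth
    _pda_attr(2, tlv(0x0C, "Barcelona".encode())),         # placeOfBirth
    _pda_attr(3, tlv(0x13, b"M")),                         # gender
    _pda_attr(4, tlv(0x13, b"ES")),                        # countryOfCitizenship
    _pda_attr(5, tlv(0x13, b"ES") + tlv(0x13, b"FR")),     # countryOfResidence
]))
```

Running `sda_env(parse_sda(SAMPLE_SDA), "2009-07-13")` yields, among others, SSL_CLIENT_EXT_SDA_AGE=19, SSL_CLIENT_EXT_SDA_COUNTRYOFRESIDENCE_0=ES and SSL_CLIENT_EXT_SDA_COUNTRYOFRESIDENCE_1=FR, so `age_at_least(env, 18)` is true; with a reference date of 2008-07-11 the age is 17 and the check fails. Two practitioner caveats carry over to the real server: the variables only mean something when the client certificate was actually verified (SSLVerifyClient require) against a CA you trust to attest those personal attributes, and a certificate without the extension must be denied rather than silently passing the SSLRequire expression.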
Comment 1 Jordi Marine 2009-07-13 06:38:56 UTC
Created attachment 23967
Patch to add basic support for Subject Directory Attributes extension (revision 2)

The first patch didn't free the peer certificate memory when generating the new environment variables for the "SubjectDirAttrVars" option but the "Subject Directory Attributes" extension was not present in the client certificate. The second patch also includes the proposed enhancement and fixes this memory issue.