Remove SSLPKCS7CertificateFile support:

author Kaspar Brand <kbrand@apache.org>

Sat, 23 Nov 2013 13:03:25 +0000 (13:03 +0000)

committer Kaspar Brand <kbrand@apache.org>

Sat, 23 Nov 2013 13:03:25 +0000 (13:03 +0000)
author Kaspar Brand <kbrand@apache.org>
Sat, 23 Nov 2013 13:03:25 +0000 (13:03 +0000)
committer Kaspar Brand <kbrand@apache.org>
Sat, 23 Nov 2013 13:03:25 +0000 (13:03 +0000)
diff --git a/docs/STATUS b/docs/STATUS

index 4da6e6ca0a89b5ceec49c50912ee8e3d8cddf24e..bcaa0f875a2fb1a5828af9a6f101a44aebacb7ea 100644 (file)
--- a/docs/STATUS
+++ b/docs/STATUS
@@ -9,9 +9,6 @@ http://httpd.apache.org/docs-project/docsformat.html
  To Do List
  =======================
  
-- The following directives of modules included in 2.4.x are not documented:
-  SSLPKCS7CertificateFile (mod_ssl)
-
  - Update the http://httpd.apache.org/docs-project/docsformat.html
    document to be useful. In particular:
      - Document the translation process.
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c

index d699d2ecab0eeb00613cb10e18f015014bc8266b..98896c6f5fe3f994d7ff6b19b472df9524e196bf 100644 (file)
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -96,9 +96,6 @@ static const command_rec ssl_config_cmds[] = {
      SSL_CMD_SRV(CertificateChainFile, TAKE1,
                  "SSL Server CA Certificate Chain file "
                  "('/path/to/file' - PEM encoded)")
-    SSL_CMD_SRV(PKCS7CertificateFile, TAKE1,
-                "PKCS#7 file containing server certificate and chain"
-                " certificates ('/path/to/file' - PEM encoded)")
  #ifdef HAVE_TLS_SESSION_TICKETS
      SSL_CMD_SRV(SessionTicketKeyFile, TAKE1,
                  "TLS session ticket encryption/decryption key file (RFC 5077) "
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c

index 0870786e528dd308b31cbb4faee2ba7b4dbd28da..a1e050efdb472c8ca7dfb91cdac9ebbc2ffa2982 100644 (file)
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -116,7 +116,6 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
      mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
      mctx->pphrase_dialog_path = NULL;
  
-    mctx->pkcs7               = NULL;
      mctx->cert_chain          = NULL;
  
      mctx->crl_path            = NULL;
@@ -839,22 +838,6 @@ const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *cmd,
      return NULL;
  }
  
-const char *ssl_cmd_SSLPKCS7CertificateFile(cmd_parms *cmd,
-                                            void *dcfg,
-                                            const char *arg)
-{
-    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
-    const char *err;
-
-    if ((err = ssl_cmd_check_file(cmd, &arg))) {
-        return err;
-    }
-
-    sc->server->pkcs7 = arg;
-
-    return NULL;
-}
-
  #ifdef HAVE_TLS_SESSION_TICKETS
  const char *ssl_cmd_SSLSessionTicketKeyFile(cmd_parms *cmd,
                                              void *dcfg,
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c

index 0008a326604699771d8dec76b222a8631d33e878..c3ceb2e7a9ce82e3b5dd15fc920f9da0a0cd488e 100644 (file)
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -308,7 +308,7 @@ static apr_status_t ssl_init_server_check(server_rec *s,
       * check for important parameters and the
       * possibility that the user forgot to set them.
       */
-    if (!mctx->pks->cert_files[0] && !mctx->pkcs7) {
+    if (!mctx->pks->cert_files[0]) {
          ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01891)
                  "No SSL Certificate set [hint: SSLCertificateFile]");
          return ssl_die(s);
@@ -780,29 +780,6 @@ static apr_status_t ssl_init_ctx_crl(server_rec *s,
      return APR_SUCCESS;
  }
  
-static apr_status_t ssl_init_ctx_pkcs7_cert_chain(server_rec *s,
-                                                  modssl_ctx_t *mctx)
-{
-    STACK_OF(X509) *certs = ssl_read_pkcs7(s, mctx->pkcs7);
-    int n;
-    STACK_OF(X509) *extra_certs = NULL;
-
-    if (!certs)
-        return APR_EGENERAL;
-
-#ifdef OPENSSL_NO_SSL_INTERN
-    SSL_CTX_get_extra_chain_certs(mctx->ssl_ctx, &extra_certs);
-#else
-    extra_certs = mctx->ssl_ctx->extra_certs;
-#endif
-
-    if (!extra_certs)
-        for (n = 1; n < sk_X509_num(certs); ++n)
-             SSL_CTX_add_extra_chain_cert(mctx->ssl_ctx, sk_X509_value(certs, n));
-
-    return APR_SUCCESS;
-}
-
  static apr_status_t ssl_init_ctx_cert_chain(server_rec *s,
                                              apr_pool_t *p,
                                              apr_pool_t *ptemp,
@@ -812,10 +789,6 @@ static apr_status_t ssl_init_ctx_cert_chain(server_rec *s,
      int i, n;
      const char *chain = mctx->cert_chain;
  
-    if (mctx->pkcs7) {
-        return ssl_init_ctx_pkcs7_cert_chain(s, mctx);
-    }
-
      /*
       * Optionally configure extra server certificate chain certificates.
       * This is usually done by OpenSSL automatically when one of the
diff --git a/modules/ssl/ssl_engine_pphrase.c b/modules/ssl/ssl_engine_pphrase.c

index f7cca71580a62a51041701316b2ad89ebdb58643..51b23f32a43028c0a4ed67857c0233ce9ff4adc2 100644 (file)
--- a/modules/ssl/ssl_engine_pphrase.c
+++ b/modules/ssl/ssl_engine_pphrase.c
@@ -190,8 +190,7 @@ apr_status_t ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
           * Read in server certificate(s): This is the easy part
           * because this file isn't encrypted in any way.
           */
-        if (sc->server->pks->cert_files[0] == NULL
-            && sc->server->pkcs7 == NULL) {
+        if (sc->server->pks->cert_files[0] == NULL) {
              ap_log_error(APLOG_MARK, APLOG_EMERG, 0, pServ, APLOGNO(02240)
                           "Server should be SSL-aware but has no certificate "
                           "configured [Hint: SSLCertificateFile] (%s:%d)",
@@ -207,39 +206,27 @@ apr_status_t ssl_pphrase_Handle(server_rec *s, apr_pool_t *p)
          /* Iterate through configured certificate files for this
           * server. */
          for (i = 0, j = 0; i < SSL_AIDX_MAX
-                 && (sc->server->pks->cert_files[i] != NULL
-                     || sc->server->pkcs7); i++) {
+                 && (sc->server->pks->cert_files[i] != NULL); i++) {
              const char *key_id;
              int using_cache = 0;
  
-            if (sc->server->pkcs7) {
-                STACK_OF(X509) *certs = ssl_read_pkcs7(pServ,
-                                                       sc->server->pkcs7);
-                if (!certs)
-                    return APR_EGENERAL;
-                pX509Cert = sk_X509_value(certs, 0);
-                i = SSL_AIDX_MAX;
-            } else {
-                apr_cpystrn(szPath, sc->server->pks->cert_files[i],
-                            sizeof(szPath));
-                if ((rv = exists_and_readable(szPath, p, NULL))
-                    != APR_SUCCESS) {
-                    ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, APLOGNO(02201)
-                                 "Init: Can't open server certificate file %s",
-                                 szPath);
-                    return ssl_die(s);
-                }
-                if ((pX509Cert = SSL_read_X509(szPath, NULL, NULL)) == NULL) {
-                    ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02241)
-                                 "Init: Unable to read server certificate from"
-                                 " file %s", szPath);
-                    ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
-                    return ssl_die(s);
-                }
-                ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02202)
-                             "Init: Read server certificate from '%s'",
+            apr_cpystrn(szPath, sc->server->pks->cert_files[i], sizeof(szPath));
+            if ((rv = exists_and_readable(szPath, p, NULL)) != APR_SUCCESS) {
+                ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, APLOGNO(02201)
+                             "Init: Can't open server certificate file %s",
                               szPath);
+                return ssl_die(s);
              }
+            if ((pX509Cert = SSL_read_X509(szPath, NULL, NULL)) == NULL) {
+                ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02241)
+                             "Init: Unable to read server certificate from"
+                             " file %s", szPath);
+                ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+                return ssl_die(s);
+            }
+            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02202)
+                         "Init: Read server certificate from '%s'", szPath);
+
              /*
               * check algorithm type of certificate and make
               * sure only one certificate per type is used.
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h

index a0d7ad6487900ad4b940a69d220143f1f072c060..94aeedb475611e69edf0c29bf48b2a440082bce5 100644 (file)
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -620,7 +620,6 @@ typedef struct {
      const char   *pphrase_dialog_path;
  
      const char  *cert_chain;
-    const char  *pkcs7;
  
      /** certificate revocation list */
      const char    *crl_path;
@@ -729,7 +728,6 @@ const char  *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
  const char  *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
  const char  *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
  const char  *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
-const char  *ssl_cmd_SSLPKCS7CertificateFile(cmd_parms *, void *, const char *);
  const char  *ssl_cmd_SSLCACertificatePath(cmd_parms *, void *, const char *);
  const char  *ssl_cmd_SSLCACertificateFile(cmd_parms *, void *, const char *);
  const char  *ssl_cmd_SSLCADNRequestPath(cmd_parms *, void *, const char *);
@@ -909,8 +907,6 @@ const char *ssl_asn1_table_keyfmt(apr_pool_t *p,
                                    const char *id,
                                    int keytype);
  
-STACK_OF(X509) *ssl_read_pkcs7(server_rec *s, const char *pkcs7);
-
  /**  Mutex Support  */
  int          ssl_mutex_init(server_rec *, apr_pool_t *);
  int          ssl_mutex_reinit(server_rec *, apr_pool_t *);
diff --git a/modules/ssl/ssl_util.c b/modules/ssl/ssl_util.c

index 39ecb419a323c0e170e04e560c75808f6641b1fb..5f8039c20649463acd0b5726d090d6fc17469853 100644 (file)
--- a/modules/ssl/ssl_util.c
+++ b/modules/ssl/ssl_util.c
@@ -277,56 +277,6 @@ const char *ssl_asn1_table_keyfmt(apr_pool_t *p,
      return apr_pstrcat(p, id, ":", keystr, NULL);
  }
  
-STACK_OF(X509) *ssl_read_pkcs7(server_rec *s, const char *pkcs7)
-{
-    PKCS7 *p7;
-    STACK_OF(X509) *certs = NULL;
-    FILE *f;
-
-    f = fopen(pkcs7, "r");
-    if (!f) {
-        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02212) "Can't open %s", pkcs7);
-        return NULL;
-    }
-
-    p7 = PEM_read_PKCS7(f, NULL, NULL, NULL);
-    fclose(f);
-    if (!p7) {
-        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02274)
-                     "Can't read PKCS7 object %s", pkcs7);
-        ssl_log_ssl_error(SSLLOG_MARK, APLOG_CRIT, s);
-        return NULL;
-    }
-
-    switch (OBJ_obj2nid(p7->type)) {
-    case NID_pkcs7_signed:
-        certs = p7->d.sign->cert;
-        p7->d.sign->cert = NULL;
-        PKCS7_free(p7);
-        break;
-
-    case NID_pkcs7_signedAndEnveloped:
-        certs = p7->d.signed_and_enveloped->cert;
-        p7->d.signed_and_enveloped->cert = NULL;
-        PKCS7_free(p7);
-        break;
-
-    default:
-        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02213)
-                     "Don't understand PKCS7 file %s", pkcs7);
-        return NULL;
-    }
-
-    if (!certs) {
-        ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02214)
-                     "No certificates in %s", pkcs7);
-        return NULL;
-    }
-
-    return certs;
-}
-
-
  #if APR_HAS_THREADS
  /*
   * To ensure thread-safetyness in OpenSSL - work in progress
author	Kaspar Brand <kbrand@apache.org>
	Sat, 23 Nov 2013 13:03:25 +0000 (13:03 +0000)
committer	Kaspar Brand <kbrand@apache.org>
	Sat, 23 Nov 2013 13:03:25 +0000 (13:03 +0000)
docs/STATUS		patch \| blob \| history
modules/ssl/mod_ssl.c		patch \| blob \| history
modules/ssl/ssl_engine_config.c		patch \| blob \| history
modules/ssl/ssl_engine_init.c		patch \| blob \| history
modules/ssl/ssl_engine_pphrase.c		patch \| blob \| history
modules/ssl/ssl_private.h		patch \| blob \| history
modules/ssl/ssl_util.c		patch \| blob \| history