From d4ead13624e36b4f622b3f4c5e540427976dac4f Mon Sep 17 00:00:00 2001
From: rcritten <>
Date: Tue, 24 May 2005 21:25:42 +0000
Subject: Add support for the SSL_CLIENT_CERT_CHAIN_ environment variable. SSL_CLIENT_I_DN_ was incorrectly parsing the client certificate subject instead of the issuer subject. Print out PEM files the same way as OpenSSL
---
 nss_engine_kernel.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
(limited to 'nss_engine_kernel.c')
diff --git a/nss_engine_kernel.c b/nss_engine_kernel.c
index 6e164a8..fb47eff 100644
--- a/nss_engine_kernel.c
+++ b/nss_engine_kernel.c
@@ -809,6 +809,8 @@ int ssl_hook_Fixup(request_rec *r)
 apr_table_t *env = r->subprocess_env;
 char *var, *val = "";
 int i;
+ CERTCertificate *cert;
+ CERTCertificateList *chain = NULL;
 /*
 * Check to see if SSL is on
@@ -863,6 +865,29 @@ int ssl_hook_Fixup(request_rec *r)
 /* Need to fetch the entire SSL cert chain and add it to the
 * variable SSL_CLIENT_CERT_CHAIN_[0..n]
 */
+ cert = SSL_PeerCertificate(ssl);
+
+ if (cert)
+ chain = CERT_CertChainFromCert(cert, certUsageSSLClient, PR_TRUE);
+
+ if (cert && chain) {
+ int n;
+
+ n = chain->len;
+
+ CERT_DestroyCertificateList(chain);
+
+ for (i = 0; i < n; i++) {
+ var = apr_psprintf(r->pool, "SSL_CLIENT_CERT_CHAIN_%d", i);
+ val = ssl_var_lookup(r->pool, r->server, r->connection,
+ r, var);
+ if (val) {
+ apr_table_setn(env, var, val);
+ }
+ }
+ }
+ if (cert)
+ CERT_DestroyCertificate(cert);
 }
 return DECLINED;
-- cgit
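Review bot: In the second hunk the list returned by `CERT_CertChainFromCert(cert, certUsageSSLClient, PR_TRUE)` is built only to read `chain->len` and is destroyed before the loop, so each `ssl_var_lookup()` call presumably has to assemble the chain again; that is n+1 chain constructions on every request that reaches this branch. The code also needs a comment saying what these variables mean for trust, since this call only collects the issuers NSS can locate and is not a verification step, for example `/* chain is assembled from certs NSS can find; it is not validated here, so SSL_CLIENT_CERT_CHAIN_n is informational only */`. As a style point, `if (cert && chain)` can be `if (chain)` because chain stays NULL without a cert, and the two unbraced `if (cert)` statements would be safer with braces. The enclosing block and the rest of ssl_hook_Fixup lie outside the hunk, so whether this branch is gated on a certificate-export option cannot be confirmed from here.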