OBJS = sslinfo.o$(WIN32RES)

EXTENSION = sslinfo

DATA = sslinfo--1.0.sql sslinfo--unpackaged--1.0.sql

DATA = sslinfo--1.0--1.1.sql sslinfo--1.1.sql\

sslinfo--unpackaged--1.0.sql

PGFILEDESC = "sslinfo - information about client SSL certificate"

\echo Use"ALTER EXTENSION sslinfo UPDATE TO '1.1'" to load this file. \quit

CREATEOR REPLACE FUNCTION

ssl_extension_info(OUT nametext,

OUT valuetext,

OUT criticalboolean

) RETURNS SETOF record

AS'MODULE_PATHNAME','ssl_extension_info'

LANGUAGE C STRICT;

\echo Use"CREATE EXTENSION sslinfo" to load this file. \quit

CREATEFUNCTIONssl_issuer_dn() RETURNStext

AS'MODULE_PATHNAME','ssl_issuer_dn'

LANGUAGE C STRICT;

CREATE FUNCTION

ssl_extension_info(OUT nametext,

OUT valuetext,

OUT criticalboolean

) RETURNS SETOF record

AS'MODULE_PATHNAME','ssl_extension_info'

LANGUAGE C STRICT;

PG_MODULE_MAGIC;

staticDatumX509_NAME_field_to_text(X509_NAME*name,text*fieldName);

staticDatumX509_NAME_to_text(X509_NAME*name);

staticDatumASN1_STRING_to_text(ASN1_STRING*str);

{

TupleDesctupdesc;

}SSLExtensionInfoContext;

PG_RETURN_NULL();

returnX509_NAME_to_text(X509_get_issuer_name(MyProcPort->peer));

}

PG_FUNCTION_INFO_V1(ssl_extension_info);

ssl_extension_info(PG_FUNCTION_ARGS)

{

X509*cert=MyProcPort->peer;

FuncCallContext*funcctx;

intcall_cntr;

intmax_calls;

MemoryContextoldcontext;

SSLExtensionInfoContext*fctx;

STACK_OF(X509_EXTENSION)*ext_stack=NULL;

if (SRF_IS_FIRSTCALL())

{

TupleDesctupdesc;

funcctx=SRF_FIRSTCALL_INIT();

oldcontext=MemoryContextSwitchTo(funcctx->multi_call_memory_ctx);

fctx= (SSLExtensionInfoContext*)palloc(sizeof(SSLExtensionInfoContext));

if (get_call_result_type(fcinfo,NULL,&tupdesc)!=TYPEFUNC_COMPOSITE)

ereport(ERROR,

(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),

errmsg("function returning record called in context that cannot accept type record")));

fctx->tupdesc=BlessTupleDesc(tupdesc);

if (cert&&cert->cert_info)

ext_stack=cert->cert_info->extensions;

max_calls=cert!=NULL ?X509_get_ext_count(cert) :0;

if (cert!=NULL&&

max_calls>0)

{

funcctx->max_calls=max_calls;

funcctx->user_fctx=fctx;

}

{

MemoryContextSwitchTo(oldcontext);

SRF_RETURN_DONE(funcctx);

}

MemoryContextSwitchTo(oldcontext);

}

funcctx=SRF_PERCALL_SETUP();

call_cntr=funcctx->call_cntr;

max_calls=funcctx->max_calls;

fctx=funcctx->user_fctx;

ext_stack=cert->cert_info->extensions;

if (call_cntr<max_calls)

{

Datumvalues[3];

boolnulls[3];

char*buf;

HeapTupletuple;

Datumresult;

BIO*membuf;

X509_EXTENSION*ext;

ASN1_OBJECT*obj;

intnid;

intlen;

membuf=BIO_new(BIO_s_mem());

if (membuf==NULL)

ereport(ERROR,

(errcode(ERRCODE_OUT_OF_MEMORY),

errmsg("could not create OpenSSL BIO structure")));

ext=sk_X509_EXTENSION_value(ext_stack,call_cntr);

obj=X509_EXTENSION_get_object(ext);

nid=OBJ_obj2nid(obj);

if (nid==NID_undef)

ereport(ERROR,

(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),

errmsg("unknown OpenSSL extension in certificate at position %d",

call_cntr)));

values[0]=CStringGetTextDatum(OBJ_nid2sn(nid));

nulls[0]= false;

if (X509V3_EXT_print(membuf,ext,0,0) <=0)

ereport(ERROR,

(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),

errmsg("could not print extension value in certificate at position %d",

call_cntr)));

len=BIO_get_mem_data(membuf,&buf);

values[1]=PointerGetDatum(cstring_to_text_with_len(buf,len));

nulls[1]= false;

values[2]=BoolGetDatum(X509_EXTENSION_get_critical(ext));

nulls[2]= false;

tuple=heap_form_tuple(fctx->tupdesc,values,nulls);

result=HeapTupleGetDatum(tuple);

if (BIO_free(membuf)!=1)

elog(ERROR,"could not free OpenSSL BIO structure");

SRF_RETURN_NEXT(funcctx,result);

}

SRF_RETURN_DONE(funcctx);

}

# sslinfo extension

comment = 'information about SSL certificates'

default_version = '1.0'

default_version = '1.1'

module_pathname = '$libdir/sslinfo'

relocatable = true

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>

<function>ssl_extension_info() returns setof record</function>

<indexterm>

<primary>ssl_extension_info</primary>

</indexterm>

</term>

<listitem>

<para>

Provide information about extensions of client certificate: extension name,

extension value, and if it is a critical extension.

</para>

</listitem>

</varlistentry>

</variablelist>

</sect2>

Victor Wagner <email>vitus@cryptocom.ru</email>, Cryptocom LTD

</para>

<para>

Dmitry Voronin <email>carriingfate92@yandex.ru</email>

</para>

<para>

E-Mail of Cryptocom OpenSSL development group:

<email>openssl@cryptocom.ru</email>