-serial_and_issuer_parse(
- struct berval *assertion,
- struct berval *serial,
- struct berval *issuer_dn
-)
-{
- char *begin;
- char *end;
- char *p;
- struct berval bv;
-
- begin = assertion->bv_val;
- end = assertion->bv_val+assertion->bv_len-1;
- for (p=begin; p<=end && *p != '$'; p++) /* empty */ ;
- if ( p > end ) return LDAP_INVALID_SYNTAX;
-
- /* p now points at the $ sign, now use
- * begin and end to delimit the serial number
- */
- while (ASCII_SPACE(*begin)) begin++;
- end = p-1;
- while (ASCII_SPACE(*end)) end--;
-
- if( end <= begin ) return LDAP_INVALID_SYNTAX;
-
- bv.bv_len = end-begin+1;
- bv.bv_val = begin;
- ber_dupbv(serial, &bv);
-
- /* now extract the issuer, remember p was at the dollar sign */
- begin = p+1;
- end = assertion->bv_val+assertion->bv_len-1;
- while (ASCII_SPACE(*begin)) begin++;
- /* should we trim spaces at the end too? is it safe always? no, no */
-
- if( end <= begin ) return LDAP_INVALID_SYNTAX;
-
- if ( issuer_dn ) {
- bv.bv_len = end-begin+1;
- bv.bv_val = begin;
-
- dnNormalize2( NULL, &bv, issuer_dn );
- }
-
- return LDAP_SUCCESS;
-}
-
-static int
-certificateExactMatch(
- int *matchp,
- slap_mask_t flags,
- Syntax *syntax,
- MatchingRule *mr,
- struct berval *value,
- void *assertedValue )
-{
- X509 *xcert;
- unsigned char *p = value->bv_val;
- struct berval serial;
- struct berval issuer_dn;
- struct berval asserted_serial;
- struct berval asserted_issuer_dn;
- int ret;
-
- xcert = d2i_X509(NULL, &p, value->bv_len);
- if ( !xcert ) {
-#ifdef NEW_LOGGING
- LDAP_LOG( CONFIG, ENTRY,
- "certificateExactMatch: error parsing cert: %s\n",
- ERR_error_string(ERR_get_error(),NULL), 0, 0 );
-#else
- Debug( LDAP_DEBUG_ARGS, "certificateExactMatch: "
- "error parsing cert: %s\n",
- ERR_error_string(ERR_get_error(),NULL), NULL, NULL );
-#endif
- return LDAP_INVALID_SYNTAX;
- }
-
- asn1_integer2str(xcert->cert_info->serialNumber, &serial);
- dnX509normalize(X509_get_issuer_name(xcert), &issuer_dn);
-
- X509_free(xcert);
-
- serial_and_issuer_parse(assertedValue,
- &asserted_serial, &asserted_issuer_dn);
-
- ret = integerMatch(
- matchp,
- flags,
- slap_schema.si_syn_integer,
- slap_schema.si_mr_integerMatch,
- &serial,
- &asserted_serial);
- if ( ret == LDAP_SUCCESS ) {
- if ( *matchp == 0 ) {
- /* We need to normalize everything for dnMatch */
- ret = dnMatch(
- matchp,
- flags,
- slap_schema.si_syn_distinguishedName,
- slap_schema.si_mr_distinguishedNameMatch,
- &issuer_dn,
- &asserted_issuer_dn);
- }
- }
-
-#ifdef NEW_LOGGING
- LDAP_LOG( CONFIG, ARGS, "certificateExactMatch "
- "%d\n\t\"%s $ %s\"\n",
- *matchp, serial.bv_val, issuer_dn.bv_val );
- LDAP_LOG( CONFIG, ARGS, "\t\"%s $ %s\"\n",
- asserted_serial.bv_val, asserted_issuer_dn.bv_val,
- 0 );
-#else
- Debug( LDAP_DEBUG_ARGS, "certificateExactMatch "
- "%d\n\t\"%s $ %s\"\n",
- *matchp, serial.bv_val, issuer_dn.bv_val );
- Debug( LDAP_DEBUG_ARGS, "\t\"%s $ %s\"\n",
- asserted_serial.bv_val, asserted_issuer_dn.bv_val,
- NULL );
-#endif
-
- ber_memfree(serial.bv_val);
- ber_memfree(issuer_dn.bv_val);
- ber_memfree(asserted_serial.bv_val);
- ber_memfree(asserted_issuer_dn.bv_val);
-
- return ret;
-}
-
-/*
- * Index generation function
- * We just index the serials, in most scenarios the issuer DN is one of
- * a very small set of values.
- */
-static int certificateExactIndexer(
- slap_mask_t use,
- slap_mask_t flags,