From 358950e8ad90919d20094fa3ab3d196966c7f660 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Julio=20S=C3=A1nchez=20Fern=C3=A1ndez?=
Date: Tue, 23 Oct 2001 13:39:07 +0000
Subject: [PATCH] And this change implements indexing for certificateExactMatch. Now you can search efficiently the directory for a certificate. Notice that we index certificates just as serial integers. A full index should combine the issuer DN too, but I think in most scenarios that would be extremely redundant and of little benefit. We can add an option later to do full indexing.
---
servers/slapd/schema_init.c | 102 +++++++++++++++++++++++++++++++++++-
1 file changed, 101 insertions(+), 1 deletion(-)
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index 4b6b52335a..ac11d4c6a4 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -3735,6 +3735,105 @@ certificateExactMatch(
 return ret;
 }
+
+/*
+ * Index generation function
+ * We just index the serials, in most scenarios the issuer DN is one of
+ * a very small set of values.
+ */
+int certificateExactIndexer(
+ slap_mask_t use,
+ slap_mask_t flags,
+ Syntax *syntax,
+ MatchingRule *mr,
+ struct berval *prefix,
+ struct berval **values,
+ struct berval ***keysp )
+{
+ int i;
+ struct berval **keys;
+ X509 *xcert;
+ unsigned char *p;
+ struct berval * serial;
+
+ /* we should have at least one value at this point */
+ assert( values != NULL && values[0] != NULL );
+
+ for( i=0; values[i] != NULL; i++ ) {
+ /* empty -- just count them */
+ }
+
+ keys = ch_malloc( sizeof( struct berval * ) * (i+1) );
+
+ for( i=0; values[i] != NULL; i++ ) {
+ p = values[i]->bv_val;
+ xcert = d2i_X509(NULL, &p, values[i]->bv_len);
+ if ( !xcert ) {
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "schema", LDAP_LEVEL_ENTRY,
+ "certificateExactIndexer: error parsing cert: %s\n",
+ ERR_error_string(ERR_get_error(),NULL)));
+#else
+ Debug( LDAP_DEBUG_ARGS, "certificateExactIndexer: "
+ "error parsing cert: %s\n",
+ ERR_error_string(ERR_get_error(),NULL),
+ NULL, NULL );
+#endif
+ /* Do we leak keys on error? */
+ return LDAP_INVALID_SYNTAX;
+ }
+
+ serial = asn1_integer2str(xcert->cert_info->serialNumber);
+ X509_free(xcert);
+ integerNormalize( slap_schema.si_syn_integer,
+ serial,
+ &keys[i] );
+ ber_bvfree(serial);
+#ifdef NEW_LOGGING
+ LDAP_LOG(( "schema", LDAP_LEVEL_ENTRY,
+ "certificateExactIndexer: returning: %s\n",
+ keys[i]->bv_val));
+#else
+ Debug( LDAP_DEBUG_ARGS, "certificateExactIndexer: "
+ "returning: %s\n",
+ keys[i]->bv_val,
+ NULL, NULL );
+#endif
+ }
+
+ keys[i] = NULL;
+ *keysp = keys;
+ return LDAP_SUCCESS;
+}
+
+/* Index generation function */
+/* We think this is always called with a value in matching rule syntax */
+int certificateExactFilter(
+ slap_mask_t use,
+ slap_mask_t flags,
+ Syntax *syntax,
+ MatchingRule *mr,
+ struct berval *prefix,
+ void * assertValue,
+ struct berval ***keysp )
+{
+ struct berval **keys;
+ struct berval *asserted_serial;
+ struct berval *asserted_issuer_dn;
+
+ serial_and_issuer_parse(assertValue,
+ &asserted_serial,
+ &asserted_issuer_dn);
+
+ keys = ch_malloc( sizeof( struct berval * ) * 2 );
+ integerNormalize( syntax, asserted_serial, &keys[0] );
+ keys[1] = NULL;
+ *keysp = keys;
+
+ ber_bvfree(asserted_serial);
+ ber_bvfree(asserted_issuer_dn);
+ return LDAP_SUCCESS;
+}
 #endif
 static int
@@ -4493,7 +4592,8 @@ struct mrule_defs_rec mrule_defs[] = {
 "SYNTAX 1.2.826.0.1.3344810.7.1 )",
 SLAP_MR_EQUALITY | SLAP_MR_EXT,
 certificateExactConvert, NULL,
- certificateExactMatch, NULL, NULL,
+ certificateExactMatch,
+ certificateExactIndexer, certificateExactFilter,
 NULL},
 #endif
--
2.39.5
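Review bot: In certificateExactFilter the result of `serial_and_issuer_parse` is discarded, and `asserted_serial` and `asserted_issuer_dn` are declared without initializers before being handed to `integerNormalize` and `ber_bvfree`; the assertion value originates in a client's search filter, so unless the parser sets both outputs on every path (its body is outside this hunk) a malformed assertion reaches those calls with indeterminate pointers. Initialize both to NULL and return the parser's error before `keys` is allocated, assuming it returns an LDAP result code. In certificateExactIndexer the `return LDAP_INVALID_SYNTAX` in the `!xcert` branch does leak, as the comment above it asks: `keys` and the entries already normalized are never released, so terminate the array at `i` and free it first. The same loop does not check `asn1_integer2str` or `integerNormalize` before logging `keys[i]->bv_val`, and the count check on `values` is only an `assert`, which disappears under NDEBUG.

```c
/* certificateExactIndexer: d2i_X509 failure branch */
		if ( !xcert ) {
			/* … unchanged: NEW_LOGGING / Debug error report … */
			keys[i] = NULL;		/* terminate what has been filled so far */
			ber_bvecfree( keys );	/* confirm this pairs with ch_malloc here */
			return LDAP_INVALID_SYNTAX;
		}

/* certificateExactFilter: locals and parse step */
	struct berval *asserted_serial = NULL;
	struct berval *asserted_issuer_dn = NULL;
	int rc;

	rc = serial_and_issuer_parse(assertValue,
		&asserted_serial,
		&asserted_issuer_dn);
	if ( rc != LDAP_SUCCESS ) {
		/* nothing allocated by this function yet */
		return rc;
	}
	/* … unchanged: key allocation, integerNormalize, cleanup … */
```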