Re: [exim-dev] ${certextract} bug?

Author: Viktor Dukhovni
To: exim-dev
Subject: Re: [exim-dev] ${certextract} bug?
On Sun, Jun 01, 2014 at 02:12:37PM +0100, Mike Cardwell wrote:

> Is this a bug:
>
> root@flan:/etc/exim4# exim4 -be '${certextract{signature}{${readfile{/etc/ssl/grepular.com/ssl.crt}}}{$value}}'
> Failed: no variable named "{readfile{/etc/ssl/grepular.com/ssl.crt"


IIRC the code for working with certificates uses the in-memory peer
or local certificate from the SSL connection. Thus it cannot
process ad-hoc certificate files, especially read into memory as
untyped strings (recall that certificates can be in PEM or DER
format, ...).

> I'm not sure if it is, because the spec.txt says:
>
> "The <certificate> must be a variable of type certificate."


An in-memory object representing the peer certificate. One of:

    New expansion variables tls_(in,out)_(our,peer)cert, and
    expansion item certextract with support for various fields


> Is the certificate field not expandable for security reasons? If not,
> could it be made expandable and allowed to take PEM encoded
> certificates as input too?


No, not security. Rather, certificate objects are not just some string
in memory.

-- 
    Viktor.
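For contrast with the failing `-be` test in the question, here is an added example (not from the thread, and not Exim's own configuration) of the form `${certextract}` does accept: the certificate-typed variables Exim populates on a live TLS connection. It assumes a standard `acl_smtp_mail = acl_check_mail` hook in the main configuration, that the client has already issued STARTTLS so `$tls_in_peercert` is set, and that client-certificate verification is configured with the usual `tls_verify_certificates` / `tls_try_verify_hosts` options; the field names are the ones listed for `certextract` in the Exim specification.

```exim
# Added illustration, not from the thread or the Exim project.
# Entered from the ACL named by acl_smtp_mail; assumes TLS is already
# negotiated on this connection so $tls_in_peercert is a certificate
# object rather than an empty string.
acl_check_mail:

  # $tls_in_peercert is a variable of type certificate, which is what
  # ${certextract} requires as its second argument.  Note the form
  # {$tls_in_peercert}: the item takes a variable name, not an arbitrary
  # expanded string, which is why {${readfile{...}}} cannot work there.
  warn
    condition = ${if def:tls_in_peercert}
    logwrite  = client cert \
                subject=${certextract{subject}{$tls_in_peercert}} \
                issuer=${certextract{issuer}{$tls_in_peercert}} \
                notafter=${certextract{notafter}{$tls_in_peercert}} \
                verified=$tls_in_certificate_verified

  # Optional third/fourth arguments work like ${extract}: $value holds the
  # field on success, the fourth string is used when the field is absent.
  warn
    condition = ${if def:tls_in_peercert}
    logwrite  = client cert \
                san=${certextract{subj_altname}{$tls_in_peercert}{$value}{none}}

  # The same item also works on the certificate this server presented.
  warn
    condition = ${if def:tls_in_ourcert}
    logwrite  = our cert sig_algorithm=\
                ${certextract{sig_algorithm}{$tls_in_ourcert}}

  accept
```

A consequence worth remembering when testing: `exim -be` runs the expansion with no SMTP session at all, so `$tls_in_peercert` and `$tls_in_ourcert` are unset there and `${certextract}` has nothing to read; exercise these items from an ACL on a real TLS connection, or inspect an on-disk PEM file with a separate tool such as `openssl x509` instead.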