On Sun, Jun 01, 2014 at 02:12:37PM +0100, Mike Cardwell wrote:
> Is this a bug:
>
> root@flan:/etc/exim4# exim4 -be '${certextract{signature}{${readfile{/etc/ssl/grepular.com/ssl.crt}}}{$value}}'
> Failed: no variable named "{readfile{/etc/ssl/grepular.com/ssl.crt"

IIRC the code for working with certificates uses the in-memory peer
or local certificate from the SSL connection. Thus it cannot
process ad-hoc certificate files, especially read into memory as
untyped strings (recall that certificates can be in PEM or DER
format, ...).

> I'm not sure if it is, because the spec.txt says:
>
> "The <certificate> must be a variable of type certificate."

An in-memory object representing the peer certificate. One of:
New expansion variables tls_(in,out)_(our,peer)cert, and
expansion item certextract with support for various fields

> Is the certificate field not expandable for security reasons? If not,
> could it be made expandable and allowed to take PEM encoded
> certificates as input too?

No, not security. Rather, certificate objects are not just some string
in memory.
--
Viktor.