Belgian eID proxy code
I was recently (at FOSDEM) made aware of the fact that, apart from the client-side software, Zetes also provides some server-side software to allow one to verify electronic ID card certificates on an HTTP server. I didn't know about that, since nobody ever told me about it; and none of the eID sites that I know of mention it, either. So today I had a first look at the code to see what I'd need to do to properly package it.
The code does contain a few WTFs, though.
- if (!r->proxyreq || !r->filename || strncmp(r->filename, "proxy:", 6) != 0)
+ if (!r->proxyreq)
+ return DECLINED;
+
+ if (!r->filename)
+ return DECLINED;
+
+ if (strncmp(r->filename, "proxy:", 6) != 0)
return DECLINED;
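Review bot: splitting the single `if (!r->proxyreq || !r->filename || strncmp(r->filename, "proxy:", 6) != 0)` into three sequential `return DECLINED;` checks changes no behaviour, since `||` short-circuits left to right and `r->filename` is never dereferenced while NULL in either form. As this is the only change to mod_proxy.c, the patch carries a modified copy of that file for a pure restyling; drop the hunk, or state in the patch description what it is meant to fix.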
This one is especially silly if you know that the above is the only change to mod_proxy.c.
They make extensive changes to Apache's mod_ssl, since that is where most of the needed work is done. The changes include the following:
#ifndef BOOL
-#define BOOL unsigned int
+#define BOOL int
#endif
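Review bot: the change of BOOL from `unsigned int` to `int` has no visible justification; a two-valued type gains nothing from a signed representation. If a signed/unsigned comparison warning motivated it, fix the comparison site instead, and in any case record the reason in the patch description: because of the `#ifndef BOOL` guard, any translation unit that defines BOOL first will still see the other type.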
It's a boolean. By definition, that needs to hold only two values; the ability to set it to negative values doesn't matter.
But, well, the above two could be explained by compilers having strange ideas about what should be warned about. So let's ignore those. The code should be sane then, right?
Well, almost.
--- httpd-2.0.54/modules/ssl/mod_ssl.h 2005-02-04 21:21:18.000000000 +0100
+++ httpd-2.0.54-beid-proxy/modules/ssl/mod_ssl.h 2007-04-15 13:45:27.0000
00000 +0200
@@ -74,7 +74,7 @@
#include "apr_global_mutex.h"
#include "apr_optional.h"
-#define MOD_SSL_VERSION AP_SERVER_BASEREVISION
+#define MOD_SSL_VERSION AP_SERVER_BASEREVISION "+OCSP (1.0.8)"
#ifdef HAVE_SSLC
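Review bot: the hard-coded `"+OCSP (1.0.8)"` suffix on MOD_SSL_VERSION advertises the feature unconditionally, including in a build where the OCSP code is compiled out through the NOOCSP/NO_OCSP guards used elsewhere in this patch. Put the suffix under the same guard as the OCSP code, and keep the patch version in one place (a single macro) so that the version string and the guards cannot drift apart.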
@@ -152,7 +152,7 @@
That's okay, surely? If you change mod_ssl to include OCSP support, you may want to change its version number to reflect that. Yes, indeed. But if you set the version number like above, and spread the rest of the mod_ssl code with patches like...
+#ifndef NOOCSP
(...)
+#endif
...and...
+ifndef NO_OCSP
(...)
+#endif
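Review bot: the two guards use different macro names, NOOCSP and NO_OCSP, so defining either one to build without OCSP leaves the other block compiled in; pick one name and use it throughout (a positive HAVE_OCSP-style macro set by the build system would be clearer still). As quoted, the second guard also reads `+ifndef` without the leading `#`; if that is what the patch contains, the preprocessor will not treat it as a directive and the matching `#endif` becomes unbalanced.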
... then my guess is something's wrong with your processes.
Anyway. The modified SSL code for apache will be coming to a Debian mirror near you some time. But not soon.
The "developer kit" really is nothing more than an overpriced eID card that expires in two years. If you're willing to use your own identity card for testing, you don't actually need it.
libbeid is documented in the "DeveloperGuide" PDF file that you can download from http://www.belgium.be/zip/eid_datacapture_nl.html (or _fr.html); for libbeidlibopensc2, just use the documentation of OpenSC on which it is based.
If you need any more information, feel free to ask.