net » xrootd » src » xrootd » src » XrdSecgsi

XrdSecgsitest.cc

Go to the documentation of this file.
00001 // $Id: XrdSecgsitest.cc 30949 2009-11-02 16:37:58Z ganis $
00002 
00003 const char *XrdSecgsitestCVSID = "$Id: XrdSecgsitest.cc 30949 2009-11-02 16:37:58Z ganis $";
00004 //
00005 //  Test program for XrdSecgsi
00006 //
00007 
00008 #include <stdio.h>
00009 #include <stdlib.h>
00010 #include <string.h>
00011 
00012 #include <sys/types.h>
00013 #include <pwd.h>
00014 
00015 #include <XrdOuc/XrdOucString.hh>
00016 #include <XrdSys/XrdSysLogger.hh>
00017 #include <XrdSys/XrdSysError.hh>
00018 
00019 #include <XrdSut/XrdSutAux.hh>
00020 
00021 #include <XrdCrypto/XrdCryptoAux.hh>
00022 #include <XrdCrypto/XrdCryptoFactory.hh>
00023 #include <XrdCrypto/XrdCryptoX509.hh>
00024 #include <XrdCrypto/XrdCryptoX509Req.hh>
00025 #include <XrdCrypto/XrdCryptoX509Chain.hh>
00026 #include <XrdCrypto/XrdCryptoX509Crl.hh>
00027 
00028 #include <XrdCrypto/XrdCryptosslgsiX509Chain.hh>
00029 #include <XrdCrypto/XrdCryptosslgsiAux.hh>
00030 
00031 #include <XrdSecgsi/XrdSecgsiTrace.hh>
00032 
00033 #include <openssl/x509v3.h>
00034 #include <openssl/x509.h>
00035 
00036 //
00037 // Globals 
00038 
00039 // #define PRINT(x) {cerr <<x <<endl;}
00040 XrdCryptoFactory *gCryptoFactory = 0;
00041 
00042 XrdOucString EEcert = "";
00043 XrdOucString EEkey = "";
00044 XrdOucString PXcert = "";
00045 XrdOucString PPXcert = "";
00046 XrdOucString CAdir = "/etc/grid-security/certificates/";
00047 int          CAnum = 0;
00048 XrdOucString CAcert[5];
00049 
00050 //
00051 // For error logging and tracing
00052 static XrdSysLogger Logger;
00053 static XrdSysError eDest(0,"gsitest_");
00054 XrdOucTrace *gsiTrace = 0;
00055 
00056 int main( int argc, char **argv )
00057 {
00058    // Test implemented functionality
00059    EPNAME("main");
00060    char cryptomod[64] = "ssl";
00061    char outname[256] = {0};
00062 
00063    //
00064    // Initiate error logging and tracing
00065    eDest.logger(&Logger);
00066    if (!gsiTrace)
00067       gsiTrace = new XrdOucTrace(&eDest);
00068    if (gsiTrace) {
00069       // Medium level
00070       gsiTrace->What |= (TRACE_Authen | TRACE_Debug);
00071    }
00072    //
00073    // Set debug flags in other modules
00074    XrdSutSetTrace(sutTRACE_Debug);
00075    XrdCryptoSetTrace(cryptoTRACE_Debug);
00076 
00077    //
00078    // Determine application name
00079    char *p = argv[0];
00080    int k = strlen(argv[0]);
00081    while (k--)
00082       if (p[k] == '/') break;
00083    strcpy(outname,p+k+1);
00084 
00085    //
00086    // Load the crypto factory
00087    if (!(gCryptoFactory = XrdCryptoFactory::GetCryptoFactory(cryptomod))) {
00088       PRINT(": cannot instantiate factory "<<cryptomod);
00089       exit(1);
00090    }
00091    gCryptoFactory->SetTrace(cryptoTRACE_Debug);
00092 
00093    PRINT(": --------------------------------------------------- ");
00094 
00095    //
00096    // Find out the username and locate the relevant certificates and directories
00097    struct passwd *pw = getpwuid(geteuid());
00098    if (!pw) {
00099       PRINT(": could not resolve user info - exit");
00100       exit(1);
00101    }
00102    PRINT(": effective user is : "<<pw->pw_name<<", $HOME : "<<pw->pw_dir);
00103 
00104    //
00105    // User certificate
00106    EEcert = pw->pw_dir;
00107    EEcert += "/.globus/usercert.pem";
00108    if (getenv("X509_USER_CERT")) EEcert = getenv("X509_USER_CERT");
00109    PRINT(": user EE certificate: "<<EEcert);
00110    XrdCryptoX509 *xEE = gCryptoFactory->X509(EEcert.c_str());
00111    if (xEE) {
00112       xEE->Dump();
00113    } else {
00114       PRINT( ": problems loading user EE cert");
00115    }
00116    //
00117    // User key
00118    EEkey = pw->pw_dir;
00119    EEkey += "/.globus/userkey.pem";
00120    if (getenv("X509_USER_KEY")) EEkey = getenv("X509_USER_KEY");
00121    PRINT(": user EE key: "<<EEkey);
00122    //
00123    // User Proxy certificate
00124    PXcert = "/tmp/x509up_u";
00125    PXcert += (int) pw->pw_uid;
00126    if (getenv("X509_USER_PROXY")) PXcert = getenv("X509_USER_PROXY");
00127    PRINT(": user proxy certificate: "<<PXcert);
00128    XrdCryptoX509 *xPX = gCryptoFactory->X509(PXcert.c_str());
00129    if (xPX) {
00130       xPX->Dump();
00131    } else {
00132       PRINT( ": problems loading user proxy cert");
00133    }
00134 
00135    //
00136    PRINT(": --------------------------------------------------- ");
00137    PRINT(": recreate the proxy certificate ");
00138    XrdProxyOpt_t *pxopt = 0;   // defaults
00139    XrdCryptosslgsiX509Chain *cPXp = new XrdCryptosslgsiX509Chain();
00140    XrdCryptoRSA *kPXp = 0;
00141    XrdCryptoX509 *xPXp = 0;
00142    X509_EXTENSION *ext = 0;
00143    int prc = XrdSslgsiX509CreateProxy(EEcert.c_str(), EEkey.c_str(),
00144                                       pxopt, cPXp, &kPXp, PXcert.c_str());
00145    if (prc == 0) {
00146       cPXp->Dump();
00147       xPXp = (XrdCryptoX509 *)(cPXp->Begin());
00148       ext = (X509_EXTENSION *)(xPXp->GetExtension("1.3.6.1.4.1.3536.1.222"));
00149    } else {
00150       PRINT( ": problems creating proxy");
00151       exit(1);
00152    }
00153 
00154    //
00155    // Load CA certificates now
00156    XrdCryptoX509 *xCA[5], *xCAref = 0;
00157    if (getenv("X509_CERT_DIR")) CAdir = getenv("X509_CERT_DIR");
00158    if (!CAdir.endswith("/")) CAdir += "/";
00159    XrdCryptoX509 *xc = xEE;
00160    bool rCAfound = 0;
00161    int nCA = 0;
00162    while (!rCAfound && nCA < 5) {
00163       CAcert[nCA] = CAdir;
00164       CAcert[nCA] += xc->IssuerHash();
00165       PRINT(": issuer CA certificate path "<<CAcert[nCA]);
00166       xCA[nCA] = gCryptoFactory->X509(CAcert[nCA].c_str());
00167       if (xCA[nCA]) {
00168          xCA[nCA]->Dump();
00169       } else {
00170          PRINT( ": problems loading CA cert from : "<<CAcert[nCA]);
00171       }
00172       // Check if self-signed
00173       if (!strcmp(xCA[nCA]->IssuerHash(), xCA[nCA]->SubjectHash())) {
00174          rCAfound = 1;
00175          break;
00176       }
00177       // If not, parse the issuer ...
00178       xc = xCA[nCA];
00179       nCA++;
00180    }
00181 
00182    //
00183    PRINT(": --------------------------------------------------- ");
00184    PRINT(": Testing ParseFile ... ");
00185    XrdCryptoX509ParseFile_t ParseFile = gCryptoFactory->X509ParseFile();
00186    XrdCryptoRSA *key = 0;
00187    XrdCryptoX509Chain *chain = new XrdCryptoX509Chain();
00188    if (ParseFile) {
00189       int nci = (*ParseFile)(PXcert.c_str(), chain);
00190       key = chain->Begin()->PKI();
00191       PRINT(nci <<" certificates found parsing file");
00192       chain->Dump();
00193       int jCA = nCA + 1;
00194       while (jCA--) {
00195          chain->PushBack(xCA[jCA]);
00196       }
00197       chain->Dump();
00198       int rorc = chain->Reorder();
00199       if (rCAfound) {
00200          chain->Dump();
00201          PRINT(": form reorder: "<<rorc);
00202          XrdCryptoX509Chain::EX509ChainErr ecod = XrdCryptoX509Chain::kNone;
00203          int verc = chain->Verify(ecod);
00204          PRINT(": form verify: "<<verc);
00205       } else {
00206          PRINT(": full CA chain not available: verification not done ");
00207       }
00208    } else {
00209       PRINT( ": problems attaching to X509ParseFile");
00210       exit (1);
00211    }
00212 
00213    //
00214    PRINT(": Testing ExportChain ... ");
00215    XrdCryptoX509ExportChain_t ExportChain = gCryptoFactory->X509ExportChain();
00216    XrdSutBucket *chainbck = 0;
00217    if (ExportChain) {
00218       chainbck = (*ExportChain)(chain, 0);
00219    } else {
00220       PRINT( ": problems attaching to X509ExportChain");
00221       exit (1);
00222    }
00223    //
00224    PRINT(": Testing Chain import ... ");
00225    XrdCryptoX509ParseBucket_t ParseBucket = gCryptoFactory->X509ParseBucket();
00226    // Init new chain with CA certificate 
00227    int jCA = nCA;
00228    XrdCryptoX509Chain *CAchain = new XrdCryptoX509Chain(xCA[jCA]);
00229    while (jCA) { CAchain->PushBack(xCA[--jCA]); }
00230    if (ParseBucket && CAchain) {
00231       int nci = (*ParseBucket)(chainbck, CAchain);
00232       PRINT(nci <<" certificates found parsing bucket");
00233       CAchain->Dump();
00234       int rorc = CAchain->Reorder();
00235       PRINT(": form reorder: "<<rorc);
00236       CAchain->Dump();
00237       XrdCryptoX509Chain::EX509ChainErr ecod = XrdCryptoX509Chain::kNone;
00238       int verc = CAchain->Verify(ecod);
00239       PRINT(": form verify: "<<verc);
00240    } else {
00241       PRINT( ": problems creating new X509Chain" <<
00242                        " or attaching to X509ParseBucket");
00243       exit (1);
00244    }
00245 
00246    //
00247    PRINT(": Testing GSI chain import and verification ... ");
00248    // Init new GSI chain with CA certificate 
00249    jCA = nCA;
00250    XrdCryptosslgsiX509Chain *GSIchain = new XrdCryptosslgsiX509Chain(xCA[jCA]);
00251    while (jCA) { GSIchain->PushBack(xCA[--jCA]); }
00252    if (ParseBucket && GSIchain) {
00253       int nci = (*ParseBucket)(chainbck, GSIchain);
00254       PRINT(nci <<" certificates found parsing bucket");
00255       GSIchain->Dump();
00256       XrdCryptoX509Chain::EX509ChainErr ecod = XrdCryptoX509Chain::kNone;
00257       x509ChainVerifyOpt_t vopt = { kOptsRfc3820, 0, -1 };
00258       int verc = GSIchain->Verify(ecod, &vopt);
00259       PRINT(": form verify: "<<verc);
00260       GSIchain->Dump();
00261    } else {
00262       PRINT( ": problems creating new gsiX509Chain");
00263       exit (1);
00264    }
00265 
00266 
00267    //
00268    PRINT(": Testing GSI chain copy ... ");
00269    // Init new GSI chain with CA certificate 
00270    XrdCryptosslgsiX509Chain *GSInew = new XrdCryptosslgsiX509Chain(GSIchain);
00271    if (GSInew) {
00272       GSInew->Dump();
00273    } else {
00274       PRINT( ": problems creating new gsiX509Chain with copy");
00275       exit (1);
00276    }
00277 
00278    //
00279    PRINT(": Testing Cert verification ... ");
00280    XrdCryptoX509VerifyCert_t VerifyCert = gCryptoFactory->X509VerifyCert();
00281    if (VerifyCert) {
00282       bool ok;
00283       jCA = nCA;
00284       while (jCA >= 0) {
00285          ok = xEE->Verify(xCA[jCA]);
00286          PRINT( ": verify cert: EE signed by CA? " <<ok<<" ("<<xCA[jCA]->Subject()<<")");
00287          if (ok) xCAref = xCA[jCA];
00288          jCA--;
00289       }
00290       ok = xPX->Verify(xEE);
00291       PRINT( ": verify cert: PX signed by EE? " <<ok);
00292       jCA = nCA;
00293       while (jCA >= 0) {
00294          ok = xPX->Verify(xCA[jCA]);
00295          PRINT( ": verify cert: PX signed by CA? " <<ok<<" ("<<xCA[jCA]->Subject()<<")");
00296          jCA--;
00297       }
00298    } else {
00299       PRINT( ": problems attaching to X509VerifyCert");
00300       exit (1);
00301    }
00302 
00303 
00304    //
00305    PRINT(": --------------------------------------------------- ");
00306    PRINT(": Testing request creation ");
00307    XrdCryptoX509Req *rPXp = 0;
00308    XrdCryptoRSA *krPXp = 0;
00309    prc = XrdSslgsiX509CreateProxyReq(xPX, &rPXp, &krPXp);
00310    if (prc == 0) {
00311       rPXp->Dump();
00312    } else {
00313       PRINT( ": problems creating request");
00314       exit(1);
00315    }
00316 
00317    //
00318    PRINT(": --------------------------------------------------- ");
00319    PRINT(": Testing request signature ");
00320    XrdCryptoX509 *xPXpp = 0;
00321    prc = XrdSslgsiX509SignProxyReq(xPX, kPXp, rPXp, &xPXpp);
00322    if (prc == 0) {
00323       xPXpp->Dump();
00324       xPXpp->SetPKI((XrdCryptoX509data) krPXp->Opaque());
00325       ext = (X509_EXTENSION *)xPXpp->GetExtension("1.3.6.1.4.1.3536.1.222");
00326    } else {
00327       PRINT( ": problems signing request");
00328       exit(1);
00329    }
00330 
00331    //
00332    PRINT(": --------------------------------------------------- ");
00333    PRINT(": Testing export of signed proxy ");
00334    PPXcert = PXcert;
00335    PPXcert += "p";
00336    PRINT(": file for signed proxy chain: "<<PPXcert);
00337    XrdCryptoX509ChainToFile_t ChainToFile = gCryptoFactory->X509ChainToFile();
00338    // Init the proxy chain 
00339    XrdCryptoX509Chain *PXchain = new XrdCryptoX509Chain(xPXpp);
00340    PXchain->PushBack(xPX);
00341    PXchain->PushBack(xEE);
00342    if (ChainToFile && PXchain) {
00343       if ((*ChainToFile)(PXchain, PPXcert.c_str()) != 0) {
00344          PRINT(": problems saving signed proxy chain to file: "<<PPXcert);
00345       }
00346    } else {
00347       PRINT( ": problems creating new X509Chain" <<
00348                        " or attaching to X509ParseBucket");
00349       exit (1);
00350    }
00351 
00352    //
00353    PRINT(": --------------------------------------------------- ");
00354    PRINT(": Testing CRL identification ");
00355    X509_EXTENSION *crlext = 0;
00356    if (xCAref) {
00357       if ((crlext = (X509_EXTENSION *)xCAref->GetExtension("crlDistributionPoints"))) {
00358          PRINT( ": CRL distribution points extension OK");
00359       } else {
00360          PRINT( ": problems getting extension");
00361       }
00362    }
00363 
00364    //
00365    PRINT(": --------------------------------------------------- ");
00366    PRINT(": Testing CRL loading ");
00367    XrdCryptoX509Crl *xCRL1 = gCryptoFactory->X509Crl(xCAref);
00368    if (xCRL1) {
00369       xCRL1->Dump();
00370       // Verify CRL signature
00371       bool crlsig = 0;
00372       for (jCA = 0; jCA <= nCA; jCA++) {
00373          crlsig = xCRL1->Verify(xCA[jCA]);
00374          PRINT( ": CRL signature OK? "<<crlsig<<" ("<<xCA[jCA]->Subject()<<")");
00375       }
00376       // Verify a serial number
00377       bool snrev = xCRL1->IsRevoked(25, 0);
00378       PRINT( ": SN: 25 revoked? "<<snrev);
00379       // Verify another serial number
00380       snrev = xCRL1->IsRevoked(0x20, 0);
00381       PRINT( ": SN: 32 revoked? "<<snrev);
00382    } else {
00383       PRINT( ": problems loading CA1 crl");
00384    }
00385 
00386    PRINT(": --------------------------------------------------- ");
00387    exit(0);
00388 }
Generated on Tue Jul 5 14:46:58 2011 for ROOT_528-00b_version by  doxygen 1.5.1