Returns GRST_RET_OK on success, non-zero otherwise. The existing private key with the same delegation ID and user DN is moved out of the temporary cache.

Definition at line 2071 of file grst_x509.c.

References c, EOF, fclose(), fopen, free(), fwrite, GRST_RET_FAILED, GRST_RET_OK, GRSThttpUrlEncode(), GRSTx509CachedProxyKeyFind(), GRSTx509StringToChain(), mkdir_printf(), NULL, ptr, S_IRUSR, S_IWUSR, S_IXUSR, sprintf(), and unlink.

int GRSTx509CertLoad	(	GRSTx509Cert *	,
		X509 *
	)

int GRSTx509ChainFree ( GRSTx509Chain * )

Definition at line 170 of file grst_x509.c.

References chain, GRSTx509Cert::dn, free(), GRST_RET_OK, GRSTx509Cert::issuer, GRSTx509Cert::next, NULL, and GRSTx509Cert::ocsp.

Referenced by GRST_callback_SSLVerify_wrapper(), GRST_free_chain(), and GRST_get_voms_roles_and_free().

int GRSTx509ChainLoadCheck	(	GRSTx509Chain **	chain,
		STACK_OF(X509)*	certstack,
		X509 *	lastcert,
		char *	capath,
		char *	vomsdir
	)

Check certificate chain for GSI proxy acceptability.

Returns GRST_RET_OK if valid; OpenSSL X509 errors otherwise.

The GridSite version handles old and new style Globus proxies, and proxies derived from user certificates issued with "X509v3 Basic Constraints: CA:FALSE" (eg UK e-Science CA)

TODO: we do not yet check ProxyCertInfo and ProxyCertPolicy extensions (although via GRSTx509KnownCriticalExts() we can accept them.)

Definition at line 506 of file grst_x509.c.

References chain, GRSTx509Cert::delegation, depth, GRSTx509Cert::dn, GRSTx509Cert::errors, FALSE, fclose(), fopen, fp, GRST_CERT_BAD_CHAIN, GRST_CERT_BAD_SIG, GRST_CERT_BAD_TIME, GRST_CERT_TYPE_CA, GRST_CERT_TYPE_EEC, GRST_CERT_TYPE_PROXY, GRST_LOG_DEBUG, GRST_RET_FAILED, GRST_RET_OK, GRST_VOMS_OID, GRSTasn1TimeToTimeT(), GRSTerrorLog, GRSTx509ChainVomsAdd(), GRSTx509IsCA(), i, int, GRSTx509Cert::issuer, j, len, malloc(), GRSTx509Cert::next, GRSTx509Cert::notafter, GRSTx509Cert::notbefore, NULL, s, GRSTx509Cert::serial, size_t, sprintf(), TRUE, and GRSTx509Cert::type.

Referenced by GRST_callback_SSLVerify_wrapper().

int GRSTx509CheckChain	(	int *	first_non_ca,
		X509_STORE_CTX *	ctx
	)

Check certificate chain for GSI proxy acceptability.

Returns X509_V_OK/GRST_RET_OK if valid; OpenSSL X509 errors otherwise.

Inspired by GSIcheck written by Mike Jones, SVE, Manchester Computing, The University of Manchester.

The GridSite version handles old and new style Globus proxies, and proxies derived from user certificates issued with "X509v3 Basic Constraints: CA:FALSE" (eg UK e-Science CA)

We do not check chain links between certs here: this is done by GRST_check_issued/X509_check_issued in mod_ssl's ssl_engine_init.c

TODO: we do not yet check ProxyCertInfo and ProxyCertPolicy extensions (although via GRSTx509KnownCriticalExts() we can accept them.)

Definition at line 807 of file grst_x509.c.

References depth, FALSE, GRST_RET_OK, GRSTasn1TimeToTimeT(), GRSTx509IsCA(), i, len, NULL, size_t, and TRUE.

Referenced by GRSTx509VerifyCallback().

int GRSTx509CompactCreds	(	int *	lastcred,
		int	maxcreds,
		size_t	credlen,
		char *	creds,
		STACK_OF(X509)*	certstack,
		char *	vomsdir,
		X509 *	peercert
	)

Get the credentials in an X509 cert/GSI proxy, including any VOMS.

Credentials are placed in Compact Creds string array at *creds.

Function returns GRST_RET_OK on success, or GRST_RET_FAILED if some inconsistency found in certificate.

Definition at line 1203 of file grst_x509.c.

References GRST_RET_FAILED, GRST_RET_OK, GRSTasn1TimeToTimeT(), GRSTx509GetVomsCreds(), GRSTx509IsCA(), i, NULL, snprintf, and strcpy().

GRSTgaclCred* GRSTx509CompactToCred ( char * grst_cred )

Turn a Compact Cred line into a GRSTgaclCred object.

Returns pointer to created GRSTgaclCred or NULL or failure.

Definition at line 1142 of file grst_x509.c.

References free(), GRSTgaclCredCreate(), GRSTgaclCredSetDelegation, GRSThttpUrlMildencode(), NULL, and p.

int GRSTx509CreateProxyRequest	(	char **	reqtxt,
		char **	keytxt,
		char *	ocspurl
	)

Create a X.509 request for a GSI proxy and its private key.

Returns GRST_RET_OK on success, non-zero otherwise. Request string and private key are PEM encoded strings

Definition at line 1661 of file grst_x509.c.

References GRST_KEYSIZE, malloc(), NULL, ptr, and size_t.

char* GRSTx509FindProxyFileName ( void )

Find proxy file name of the current user.

Return a string with the proxy file name or NULL if not present. This function does not check if the proxy has expired.

Definition at line 1284 of file grst_x509.c.

References getenv(), malloc(), NULL, p, and sprintf().

int GRSTx509GetVomsCreds	(	int *	lastcred,
		int	maxcreds,
		size_t	credlen,
		char *	creds,
		X509 *	usercert,
		STACK_OF(X509)*	certstack,
		char *	vomsdir
	)

Get the VOMS attributes in the extensions to the given cert stack.

Puts any VOMS credentials found into the Compact Creds string array starting at *creds. Always returns GRST_RET_OK.

Definition at line 1091 of file grst_x509.c.

References GRST_RET_OK, GRST_VOMS_OID, GRSTasn1TimeToTimeT(), GRSTx509ParseVomsExt(), i, j, NULL, and s.

Referenced by GRSTx509CompactCreds().

int GRSTx509IsCA ( X509 * cert )

Check if certificate can be used as a CA to sign standard X509 certs.

Return GRST_RET_OK if true; GRST_RET_FAILED if not.

Definition at line 156 of file grst_x509.c.

References GRST_RET_FAILED, and GRST_RET_OK.

Referenced by GRSTx509ChainLoadCheck(), GRSTx509CheckChain(), and GRSTx509CompactCreds().

int GRSTx509KnownCriticalExts ( X509 * cert )

Check critical extensions.

Returning GRST_RET_OK if all of extensions are known to us or OpenSSL; GRST_REF_FAILED otherwise.

Since this function relies on functionality (X509_supported_extension) introduced in 0.9.7, then we do nothing and report an error (GRST_RET_FAILED) if one of the associated defines (X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) is absent.

Definition at line 120 of file grst_x509.c.

References GRST_PROXYCERTINFO_OID, GRST_PROXYCERTNEWINFO_OID, GRST_RET_FAILED, GRST_RET_OK, i, and s.

Referenced by GRST_callback_SSLVerify_wrapper(), and GRSTx509VerifyCallback().

char* GRSTx509MakeDelegationID ( void )

Returns a Delegation ID based on hash of GRST_CRED_0, ...

Returns a malloc'd string with Delegation ID made by SHA1-hashing the values of the compact credentials exported by mod_gridsite

Definition at line 1943 of file grst_x509.c.

References getenv(), i, m, malloc(), NULL, snprintf, and sprintf().

int GRSTx509MakeProxyCert	(	char **	proxychain,
		FILE *	debugfp,
		char *	reqtxt,
		char *	cert,
		char *	key,
		int	minutes
	)

Make a GSI Proxy chain from a request, certificate and private key.

The proxy chain is returned in *proxychain. If debugfp is non-NULL, errors are output to that file pointer. The proxy will expired in the given number of minutes starting from the current time.

Definition at line 1312 of file grst_x509.c.

References fclose(), fopen, fp, GRST_BACKDATE_SECONDS, GRST_MAX_CHAIN_LEN, GRST_RET_FAILED, GRST_RET_OK, GRSTasn1TimeToTimeT(), i, RooFitShortHand::L(), mpcerror(), name, NULL, ptr, and realloc().

char* GRSTx509MakeProxyFileName	(	char *	,
		STACK_OF(X509)*
	)

int GRSTx509MakeProxyRequest	(	char **	reqtxt,
		char *	proxydir,
		char *	delegation_id,
		char *	user_dn
	)

Make and store a X.509 request for a GSI proxy.

Returns GRST_RET_OK on success, non-zero otherwise. Request string is PEM encoded, and the key is stored in the temporary cache under proxydir

Definition at line 1732 of file grst_x509.c.

References fclose(), fopen, fp, free(), GRST_KEYSIZE, GRST_RET_FAILED, GRSThttpUrlEncode(), malloc(), mkdir_printf(), NULL, ptr, S_IRUSR, S_IWUSR, S_IXUSR, size_t, and sprintf().

int GRSTx509NameCmp	(	char *	a,
		char *	b
	)

Compare X509 Distinguished Name strings.

This function attempts to do with string representations what would ideally be done with OIDs/values. In particular, we equate "/Email=" == "/emailAddress=" to deal with this important change between OpenSSL 0.9.6 and 0.9.7. Other than that, it is currently the same as ordinary strcasecmp(3) (for consistency with EDG/LCG/EGEE gridmapdir case insensitivity.)

Definition at line 82 of file grst_x509.c.

References free(), memmove, NULL, p, and strcasecmp.

Referenced by GRSTx509ChainVomsAdd(), and GRSTx509ParseVomsExt().

int GRSTx509ProxyDestroy	(	char *	proxydir,
		char *	delegation_id,
		char *	user_dn
	)

Destroy stored GSI proxy files.

Returns GRST_RET_OK on success, non-zero otherwise. (Including GRST_RET_NO_SUCH_FILE if the private key or cert chain were not found.)

Definition at line 1824 of file grst_x509.c.

References GRST_RET_FAILED, GRST_RET_NO_SUCH_FILE, GRST_RET_OK, GRSThttpUrlEncode(), sprintf(), and unlink.

int GRSTx509ProxyGetTimes	(	char *	proxydir,
		char *	delegation_id,
		char *	user_dn,
		time_t *	start,
		time_t *	finish
	)

Get start and finish validity times of stored GSI proxy file.

Returns GRST_RET_OK on success, non-zero otherwise. (Including GRST_RET_NO_SUCH_FILE if the cert chain was not found.)

Definition at line 1855 of file grst_x509.c.

References fclose(), fopen, fp, free(), GRST_RET_FAILED, GRST_RET_NO_SUCH_FILE, GRST_RET_OK, GRSTasn1TimeToTimeT(), GRSThttpUrlEncode(), NULL, and sprintf().

int GRSTx509StringToChain	(	STACK_OF(X509)**	certstack,
		char *	certstring
	)

Create a stack of X509 certificate from a PEM-encoded string.

Creates a dynamically allocated stack of X509 certificate objects by walking through the PEM-encoded X509 certificates.

Returns GRST_RET_OK on success, non-zero otherwise.

Definition at line 1893 of file grst_x509.c.

References GRST_RET_FAILED, GRST_RET_OK, and NULL.

Referenced by GRSTx509CacheProxy().

int GRSTx509VerifyCallback	(	int	,
		X509_STORE_CTX *
	)

Example VerifyCallback routine.

Definition at line 972 of file grst_x509.c.

References FALSE, GRST_RET_OK, GRSTx509CheckChain(), GRSTx509KnownCriticalExts(), TRUE, and X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION.

Variable Documentation

void(*) GRSTerrorLogFunc(char *, int, int, char *,...)

Definition at line 42 of file grst_err.c.

Referenced by XrdSecProtocolsslInit().

Generated on Tue Jul 5 16:08:13 2011 for ROOT_528-00b_version by

1.5.1


Classes
struct	GRSTgaclCred
struct	GRSTgaclNamevalue
struct	GRSTgaclEntry
struct	GRSTgaclAcl
struct	GRSTgaclUser
struct	GRSTasn1TagList
struct	GRSTx509Cert
struct	GRSTx509Chain
struct	GRSThtcpCountstr
struct	GRSThtcpMessage
struct	GRSThttpCharsList
struct	GRSThttpBody
Defines
#define	GRST_VERSION 010500
#define	FALSE (0)
#define	TRUE (!FALSE)
#define	GRST_RET_OK 0
#define	GRST_RET_FAILED 1000
#define	GRST_RET_CERT_NOT_FOUND 1001
#define	GRST_RET_BAD_SIGNATURE 1002
#define	GRST_RET_NO_SUCH_FILE 1003
#define	GRSTerrorLog(GRSTerrorLevel,...) if (GRSTerrorLogFunc != NULL) (GRSTerrorLogFunc)(__FILE__, __LINE__, GRSTerrorLevel, __VA_ARGS__)
#define	GRST_LOG_EMERG 0
#define	GRST_LOG_ALERT 1
#define	GRST_LOG_CRIT 2
#define	GRST_LOG_ERR 3
#define	GRST_LOG_WARNING 4
#define	GRST_LOG_NOTICE 5
#define	GRST_LOG_INFO 6
#define	GRST_LOG_DEBUG 7
#define	GRST_MAX_TIME_T INT32_MAX
#define	GRST_PERM_NONE 0
#define	GRST_PERM_READ 1
#define	GRST_PERM_EXEC 2
#define	GRST_PERM_LIST 4
#define	GRST_PERM_WRITE 8
#define	GRST_PERM_ADMIN 16
#define	GRST_PERM_ALL 31
#define	GRSTgaclPermIsNone(perm) ((perm) == 0)
#define	GRSTgaclPermHasNone(perm) ((perm) == 0)
#define	GRSTgaclPermHasRead(perm) (((perm) & GRST_PERM_READ ) != 0)
#define	GRSTgaclPermHasExec(perm) (((perm) & GRST_PERM_EXEC ) != 0)
#define	GRSTgaclPermHasList(perm) (((perm) & GRST_PERM_LIST ) != 0)
#define	GRSTgaclPermHasWrite(perm) (((perm) & GRST_PERM_WRITE) != 0)
#define	GRSTgaclPermHasAdmin(perm) (((perm) & GRST_PERM_ADMIN) != 0)
#define	GRST_ACTION_ALLOW 0
#define	GRST_ACTION_DENY 1
#define	GRST_HIST_PREFIX ".grsthist"
#define	GRST_ACL_FILE ".gacl"
#define	GRST_DN_LISTS "/etc/grid-security/dn-lists"
#define	GRST_RECURS_LIMIT 9
#define	GRST_PROXYCERTINFO_OID "1.3.6.1.4.1.3536.1.222"
#define	GRST_PROXYCERTNEWINFO_OID "1.3.6.1.5.5.7.1.14"
#define	GRST_VOMS_OID "1.3.6.1.4.1.8005.100.100.5"
#define	GRST_VOMS_DIR "/etc/grid-security/vomsdir"
#define	GRST_ASN1_MAXCOORDLEN 50
#define	GRST_ASN1_MAXTAGS 500
#define	GRST_CERT_BAD_FORMAT 1
#define	GRST_CERT_BAD_CHAIN 2
#define	GRST_CERT_BAD_SIG 4
#define	GRST_CERT_BAD_TIME 8
#define	GRST_CERT_BAD_OCSP 16
#define	GRST_CERT_TYPE_CA 1
#define	GRST_CERT_TYPE_EEC 2
#define	GRST_CERT_TYPE_PROXY 3
#define	GRST_CERT_TYPE_VOMS 4
#define	GRST_HTTP_PORT 777
#define	GRST_HTTPS_PORT 488
#define	GRST_HTCP_PORT 777
#define	GRST_GSIFTP_PORT 2811
#define	GRSThtcpNOPop 0
#define	GRSThtcpTSTop 1
#define	GRSThtcpCountstrLen(string) (256*((string)->length_msb) + (string)->length_lsb)
#define	GRSTgaclCredGetAuri(cred) ((cred)->auri)
#define	GRSTgaclCredSetNotBefore(cred, time) ((cred)->notbefore = (time))
#define	GRSTgaclCredGetNotBefore(cred) ((cred)->notbefore)
#define	GRSTgaclCredSetNotAfter(cred, time) ((cred)->notafter = (time))
#define	GRSTgaclCredGetNotAfter(cred) ((cred)->notafter)
#define	GRSTgaclCredSetDelegation(cred, level) ((cred)->delegation = (level))
#define	GRSTgaclCredGetDelegation(cred) ((cred)->delegation)
#define	GRSTgaclCredSetNistLoa(cred, level) ((cred)->nist_loa = (level))
#define	GRSTgaclCredGetNistLoa(cred) ((cred)->nist_loa)
#define	GRST_HEADFILE "gridsitehead.txt"
#define	GRST_FOOTFILE "gridsitefoot.txt"
#define	GRST_ADMIN_FILE "gridsite-admin.cgi"
Typedefs
typedef int	GRSTgaclAction
typedef int	GRSTgaclPerm
Functions
int	GRSTx509CertLoad (GRSTx509Cert , X509 )
int	GRSTx509ChainLoadCheck (GRSTx509Chain *, STACK_OF(X509), X509 , char , char *)
	Check certificate chain for GSI proxy acceptability.
int	GRSTx509ChainFree (GRSTx509Chain *)
int	GRSTgaclInit (void)
GRSTgaclCred *	GRSTgaclCredNew (char *)
GRSTgaclCred *	GRSTgaclCredCreate (char , char )
int	GRSTgaclCredAddValue (GRSTgaclCred , char , char *)
int	GRSTgaclCredFree (GRSTgaclCred *)
int	GRSTgaclEntryAddCred (GRSTgaclEntry , GRSTgaclCred )
int	GRSTgaclEntryDelCred (GRSTgaclEntry , GRSTgaclCred )
int	GRSTgaclCredCredPrint (GRSTgaclCred , FILE )
int	GRSTgaclCredCmpAuri (GRSTgaclCred , GRSTgaclCred )
GRSTgaclEntry *	GRSTgaclEntryNew (void)
int	GRSTgaclEntryFree (GRSTgaclEntry *)
int	GRSTgaclAclAddEntry (GRSTgaclAcl , GRSTgaclEntry )
int	GRSTgaclEntryPrint (GRSTgaclEntry , FILE )
int	GRSTgaclPermPrint (GRSTgaclPerm, FILE *)
int	GRSTgaclEntryAllowPerm (GRSTgaclEntry *, GRSTgaclPerm)
int	GRSTgaclEntryUnallowPerm (GRSTgaclEntry *, GRSTgaclPerm)
int	GRSTgaclEntryDenyPerm (GRSTgaclEntry *, GRSTgaclPerm)
int	GRSTgaclEntryUndenyPerm (GRSTgaclEntry *, GRSTgaclPerm)
char *	GRSTgaclPermToChar (GRSTgaclPerm)
GRSTgaclPerm	GRSTgaclPermFromChar (char *)
GRSTgaclAcl *	GRSTgaclAclNew (void)
int	GRSTgaclAclFree (GRSTgaclAcl *)
int	GRSTgaclAclPrint (GRSTgaclAcl , FILE )
int	GRSTgaclAclSave (GRSTgaclAcl , char )
GRSTgaclAcl *	GRSTgaclAclLoadFile (char *)
char *	GRSTgaclFileFindAclname (char *)
GRSTgaclAcl *	GRSTgaclAclLoadforFile (char *)
int	GRSTgaclFileIsAcl (char *)
GRSTgaclUser *	GRSTgaclUserNew (GRSTgaclCred *)
int	GRSTgaclUserFree (GRSTgaclUser *)
int	GRSTgaclUserAddCred (GRSTgaclUser , GRSTgaclCred )
int	GRSTgaclUserHasCred (GRSTgaclUser , GRSTgaclCred )
int	GRSTgaclUserSetDNlists (GRSTgaclUser , char )
int	GRSTgaclUserLoadDNlists (GRSTgaclUser , char )
GRSTgaclCred *	GRSTgaclUserFindCredtype (GRSTgaclUser , char )
int	GRSTgaclDNlistHasUser (char , GRSTgaclUser )
int	GRSTgaclUserHasAURI (GRSTgaclUser , char )
GRSTgaclPerm	GRSTgaclAclTestUser (GRSTgaclAcl , GRSTgaclUser )
GRSTgaclPerm	GRSTgaclAclTestexclUser (GRSTgaclAcl , GRSTgaclUser )
char *	GRSThttpUrlDecode (char *)
char *	GRSThttpUrlEncode (char *)
char *	GRSThttpUrlMildencode (char *)
int	GRSTx509NameCmp (char , char )
	Compare X509 Distinguished Name strings.
int	GRSTx509KnownCriticalExts (X509 *)
	Check critical extensions.
int	GRSTx509IsCA (X509 *)
	Check if certificate can be used as a CA to sign standard X509 certs.
int	GRSTx509CheckChain (int , X509_STORE_CTX )
	Check certificate chain for GSI proxy acceptability.
int	GRSTx509VerifyCallback (int, X509_STORE_CTX *)
	Example VerifyCallback routine.
int	GRSTx509GetVomsCreds (int , int, size_t, char , X509 , STACK_OF(X509), char *)
	Get the VOMS attributes in the extensions to the given cert stack.
GRSTgaclCred *	GRSTx509CompactToCred (char *)
	Turn a Compact Cred line into a GRSTgaclCred object.
int	GRSTx509CompactCreds (int , int, size_t, char , STACK_OF(X509), char , X509 *)
	Get the credentials in an X509 cert/GSI proxy, including any VOMS.
char *	GRSTx509CachedProxyFind (char , char , char *)
	Find a proxy file in the proxy cache.
char *	GRSTx509FindProxyFileName (void)
	Find proxy file name of the current user.
int	GRSTx509MakeProxyCert (char *, FILE , char , char , char *, int)
	Make a GSI Proxy chain from a request, certificate and private key.
char *	GRSTx509CachedProxyKeyFind (char , char , char *)
	Find a temporary proxy private key file in the proxy cache.
int	GRSTx509ProxyDestroy (char , char , char *)
	Destroy stored GSI proxy files.
int	GRSTx509ProxyGetTimes (char , char , char , time_t , time_t *)
	Get start and finish validity times of stored GSI proxy file.
int	GRSTx509CreateProxyRequest (char , char , char *)
	Create a X.509 request for a GSI proxy and its private key.
int	GRSTx509MakeProxyRequest (char *, char , char , char )
	Make and store a X.509 request for a GSI proxy.
char *	GRSTx509MakeDelegationID (void)
	Returns a Delegation ID based on hash of GRST_CRED_0, ...
int	GRSTx509StringToChain (STACK_OF(X509)*, char )
	Create a stack of X509 certificate from a PEM-encoded string.
char *	GRSTx509MakeProxyFileName (char , STACK_OF(X509))
int	GRSTx509CacheProxy (char , char , char , char )
	Store a GSI proxy chain in the proxy cache, along with the private key.
void	GRSThttpBodyInit (GRSThttpBody *)
void	GRSThttpPrintf (GRSThttpBody , char ,...)
int	GRSThttpCopy (GRSThttpBody , char )
void	GRSThttpWriteOut (GRSThttpBody *)
int	GRSThttpPrintHeaderFooter (GRSThttpBody , char , char *)
int	GRSThttpPrintHeader (GRSThttpBody , char )
int	GRSThttpPrintFooter (GRSThttpBody , char )
char *	GRSThttpGetCGI (char *)
time_t	GRSTasn1TimeToTimeT (unsigned char *, size_t)
	ASN1 time string (in a char *) to time_t.
int	GRSTasn1SearchTaglist (struct GRSTasn1TagList taglist[], int, char *)
int	GRSTasn1ParseDump (BIO , unsigned char , long, struct GRSTasn1TagList taglist[], int, int *)
int	GRSTasn1GetX509Name (char , int, char , char *, struct GRSTasn1TagList taglist[], int)
int	GRSThtcpNOPrequestMake (char *, int , unsigned int)
int	GRSThtcpNOPresponseMake (char *, int , unsigned int)
int	GRSThtcpTSTrequestMake (char *, int , unsigned int, char , char , char *)
int	GRSThtcpTSTresponseMake (char *, int , unsigned int, char , char , char *)
int	GRSThtcpMessageParse (GRSThtcpMessage , char , int)
Variables
void(*)	GRSTerrorLogFunc (char , int, int, char ,...)