grst_x509.c File Reference

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdarg.h>
#include <time.h>
#include <dirent.h>
#include <string.h>
#include <strings.h>
#include <pwd.h>
#include <errno.h>
#include <getopt.h>
#include <pthread.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/rsa.h>
#include <openssl/evp.h>
#include <openssl/bio.h>
#include <openssl/des.h>
#include <openssl/rand.h>
#include "gridsite.h"


Defines

#define GRST_KEYSIZE   512
#define GRST_PROXYCACHE   "/../proxycache/"
#define GRST_MAX_CHAIN_LEN   9
#define GRST_BACKDATE_SECONDS   300
#define GRST_ASN1_COORDS_VOMS_DN   "-1-1-%d-1-3-1-1-1-%%d-1-%%d"
#define GRST_ASN1_COORDS_VOMS_INFO   "-1-1-%d-1"
#define GRST_ASN1_COORDS_VOMS_SIG   "-1-1-%d-3"
#define MAXTAG   500
#define GRST_ASN1_COORDS_FQAN   "-1-1-%d-1-7-1-2-1-2-%d"
#define GRST_ASN1_COORDS_USER_DN   "-1-1-%d-1-2-1-1-1-1-%%d-1-%%d"
#define GRST_ASN1_COORDS_VOMS_DN   "-1-1-%d-1-3-1-1-1-%%d-1-%%d"
#define GRST_ASN1_COORDS_TIME1   "-1-1-%d-1-6-1"
#define GRST_ASN1_COORDS_TIME2   "-1-1-%d-1-6-2"
#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION   34
#define MAXTAG   500
#define GRST_ASN1_COORDS_FQAN   "-1-1-%d-1-7-1-2-1-2-%d"
#define GRST_ASN1_COORDS_USER_DN   "-1-1-%d-1-2-1-1-1-1-%%d-1-%%d"
#define GRST_ASN1_COORDS_TIME1   "-1-1-%d-1-6-1"
#define GRST_ASN1_COORDS_TIME2   "-1-1-%d-1-6-2"

Functions

int GRSTx509NameCmp (char *a, char *b)
 Compare X509 Distinguished Name strings.
int GRSTx509KnownCriticalExts (X509 *cert)
 Check critical extensions.
int GRSTx509IsCA (X509 *cert)
 Check if certificate can be used as a CA to sign standard X509 certs.
int GRSTx509ChainFree (GRSTx509Chain *chain)
static int GRSTx509VerifySig (time_t *time1_time, time_t *time2_time, unsigned char *txt, int txt_len, unsigned char *sig, int sig_len, X509 *cert)
 Check a specific signature against a specific (VOMS) cert.
static int GRSTx509VerifyVomsSig (time_t *time1_time, time_t *time2_time, unsigned char *asn1string, struct GRSTasn1TagList taglist[], int lasttag, char *vomsdir, int acnumber)
 Check the signature of the VOMS attributes.
static int GRSTx509ChainVomsAdd (GRSTx509Cert **grst_cert, time_t time1_time, time_t time2_time, X509_EXTENSION *ex, char *ucuserdn, char *vomsdir)
 Get the VOMS attributes in the given extension.
int GRSTx509ChainLoadCheck (GRSTx509Chain **chain, STACK_OF(X509)*certstack, X509 *lastcert, char *capath, char *vomsdir)
 Check certificate chain for GSI proxy acceptability.
int GRSTx509CheckChain (int *first_non_ca, X509_STORE_CTX *ctx)
 Check certificate chain for GSI proxy acceptability.
int GRSTx509VerifyCallback (int ok, X509_STORE_CTX *ctx)
 Example VerifyCallback routine.
int GRSTx509ParseVomsExt (int *lastcred, int maxcreds, size_t credlen, char *creds, time_t time1_time, time_t time2_time, X509_EXTENSION *ex, char *ucuserdn, char *vomsdir)
 Get the VOMS attributes in the given extension.
int GRSTx509GetVomsCreds (int *lastcred, int maxcreds, size_t credlen, char *creds, X509 *usercert, STACK_OF(X509)*certstack, char *vomsdir)
 Get the VOMS attributes in the extensions to the given cert stack.
GRSTgaclCred * GRSTx509CompactToCred (char *grst_cred)
 Turn a Compact Cred line into a GRSTgaclCred object.
int GRSTx509CompactCreds (int *lastcred, int maxcreds, size_t credlen, char *creds, STACK_OF(X509)*certstack, char *vomsdir, X509 *peercert)
 Get the credentials in an X509 cert/GSI proxy, including any VOMS.
char * GRSTx509FindProxyFileName (void)
 Find proxy file name of the current user.
static void mpcerror (FILE *debugfp, char *msg)
int GRSTx509MakeProxyCert (char **proxychain, FILE *debugfp, char *reqtxt, char *cert, char *key, int minutes)
 Make a GSI Proxy chain from a request, certificate and private key.
char * GRSTx509CachedProxyFind (char *proxydir, char *delegation_id, char *user_dn)
 Find a proxy file in the proxy cache.
char * GRSTx509CachedProxyKeyFind (char *proxydir, char *delegation_id, char *user_dn)
 Find a temporary proxy private key file in the proxy cache.
static void mkdir_printf (mode_t mode, char *fmt,...)
int GRSTx509CreateProxyRequest (char **reqtxt, char **keytxt, char *ocspurl)
 Create an X.509 request for a GSI proxy and its private key.
int GRSTx509MakeProxyRequest (char **reqtxt, char *proxydir, char *delegation_id, char *user_dn)
 Make and store an X.509 request for a GSI proxy.
int GRSTx509ProxyDestroy (char *proxydir, char *delegation_id, char *user_dn)
 Destroy stored GSI proxy files.
int GRSTx509ProxyGetTimes (char *proxydir, char *delegation_id, char *user_dn, time_t *start, time_t *finish)
 Get start and finish validity times of stored GSI proxy file.
int GRSTx509StringToChain (STACK_OF(X509)**certstack, char *certstring)
 Create a stack of X509 certificates from a PEM-encoded string.
char * GRSTx509MakeDelegationID (void)
 Returns a Delegation ID based on hash of GRST_CRED_0, ...
int GRSTx509CacheProxy (char *proxydir, char *delegation_id, char *user_dn, char *proxychain)
 Store a GSI proxy chain in the proxy cache, along with the private key.

Variables

pthread_mutex_t vomsmutex


Define Documentation

#define GRST_ASN1_COORDS_FQAN   "-1-1-%d-1-7-1-2-1-2-%d"

#define GRST_ASN1_COORDS_FQAN   "-1-1-%d-1-7-1-2-1-2-%d"

Referenced by GRSTx509ChainVomsAdd(), and GRSTx509ParseVomsExt().

#define GRST_ASN1_COORDS_TIME1   "-1-1-%d-1-6-1"

#define GRST_ASN1_COORDS_TIME1   "-1-1-%d-1-6-1"

Referenced by GRSTx509ChainVomsAdd(), and GRSTx509ParseVomsExt().

#define GRST_ASN1_COORDS_TIME2   "-1-1-%d-1-6-2"

#define GRST_ASN1_COORDS_TIME2   "-1-1-%d-1-6-2"

Referenced by GRSTx509ChainVomsAdd(), and GRSTx509ParseVomsExt().

#define GRST_ASN1_COORDS_USER_DN   "-1-1-%d-1-2-1-1-1-1-%%d-1-%%d"

#define GRST_ASN1_COORDS_USER_DN   "-1-1-%d-1-2-1-1-1-1-%%d-1-%%d"

Referenced by GRSTx509ChainVomsAdd(), and GRSTx509ParseVomsExt().

#define GRST_ASN1_COORDS_VOMS_DN   "-1-1-%d-1-3-1-1-1-%%d-1-%%d"

#define GRST_ASN1_COORDS_VOMS_DN   "-1-1-%d-1-3-1-1-1-%%d-1-%%d"

Referenced by GRSTx509ChainVomsAdd(), and GRSTx509VerifyVomsSig().

#define GRST_ASN1_COORDS_VOMS_INFO   "-1-1-%d-1"

Referenced by GRSTx509VerifyVomsSig().

#define GRST_ASN1_COORDS_VOMS_SIG   "-1-1-%d-3"

Referenced by GRSTx509VerifyVomsSig().

#define GRST_BACKDATE_SECONDS   300

Definition at line 77 of file grst_x509.c.

Referenced by GRSTx509MakeProxyCert().

#define GRST_KEYSIZE   512

Definition at line 74 of file grst_x509.c.

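Referenced by GRSTx509CreateProxyRequest(), and GRSTx509MakeProxyRequest().

Note: both referencing functions create the private key for a GSI proxy. If GRST_KEYSIZE is the key length in bits (the usual meaning for an RSA key; confirm against the source), 512 is far below the 2048-bit minimum generally recommended today.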

#define GRST_MAX_CHAIN_LEN   9

Definition at line 76 of file grst_x509.c.

Referenced by GRSTx509MakeProxyCert().

#define GRST_PROXYCACHE   "/../proxycache/"

Definition at line 75 of file grst_x509.c.

#define MAXTAG   500

#define MAXTAG   500

#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION   34


Function Documentation

char* GRSTx509CachedProxyFind ( char *  proxydir,
char *  delegation_id,
char *  user_dn 
)

Find a proxy file in the proxy cache.

Returns the full path and file name of proxy file associated with given delegation ID and user DN.

Return a pointer to a malloc'd string with the full path of the proxy file corresponding to the given delegation_id, or NULL if not found.

Definition at line 1586 of file grst_x509.c.

References free(), GRSThttpUrlEncode(), malloc(), NULL, S_ISREG, sprintf(), and stat.

char* GRSTx509CachedProxyKeyFind ( char *  proxydir,
char *  delegation_id,
char *  user_dn 
)

Find a temporary proxy private key file in the proxy cache.

Returns the full path and file name of the private key file associated with given delegation ID and user DN.

Return a pointer to a malloc'd string with the full path of the private proxy key corresponding to the given delegation_id, or NULL if not found.

Definition at line 1617 of file grst_x509.c.

References free(), GRSThttpUrlEncode(), malloc(), NULL, S_ISREG, sprintf(), and stat.

Referenced by GRSTx509CacheProxy().

int GRSTx509CacheProxy ( char *  proxydir,
char *  delegation_id,
char *  user_dn,
char *  proxychain 
)

Store a GSI proxy chain in the proxy cache, along with the private key.

Returns GRST_RET_OK on success, non-zero otherwise. The existing private key with the same delegation ID and user DN is moved out of the temporary cache.

Definition at line 2071 of file grst_x509.c.

References c, EOF, fclose(), fopen, free(), fwrite, GRST_RET_FAILED, GRST_RET_OK, GRSThttpUrlEncode(), GRSTx509CachedProxyKeyFind(), GRSTx509StringToChain(), mkdir_printf(), NULL, ptr, S_IRUSR, S_IWUSR, S_IXUSR, sprintf(), and unlink.

int GRSTx509ChainFree ( GRSTx509Chain *  chain  ) 

Definition at line 170 of file grst_x509.c.

References chain, GRSTx509Cert::dn, free(), GRST_RET_OK, GRSTx509Cert::issuer, GRSTx509Cert::next, NULL, and GRSTx509Cert::ocsp.

Referenced by GRST_callback_SSLVerify_wrapper(), GRST_free_chain(), and GRST_get_voms_roles_and_free().

int GRSTx509ChainLoadCheck ( GRSTx509Chain **  chain,
STACK_OF(X509)*  certstack,
X509 *  lastcert,
char *  capath,
char *  vomsdir 
)

Check certificate chain for GSI proxy acceptability.

Returns GRST_RET_OK if valid; OpenSSL X509 errors otherwise.

The GridSite version handles old and new style Globus proxies, and proxies derived from user certificates issued with "X509v3 Basic Constraints: CA:FALSE" (eg UK e-Science CA)

TODO: we do not yet check ProxyCertInfo and ProxyCertPolicy extensions (although via GRSTx509KnownCriticalExts() we can accept them.)

Definition at line 506 of file grst_x509.c.

References chain, GRSTx509Cert::delegation, depth, GRSTx509Cert::dn, GRSTx509Cert::errors, FALSE, fclose(), fopen, fp, GRST_CERT_BAD_CHAIN, GRST_CERT_BAD_SIG, GRST_CERT_BAD_TIME, GRST_CERT_TYPE_CA, GRST_CERT_TYPE_EEC, GRST_CERT_TYPE_PROXY, GRST_LOG_DEBUG, GRST_RET_FAILED, GRST_RET_OK, GRST_VOMS_OID, GRSTasn1TimeToTimeT(), GRSTerrorLog, GRSTx509ChainVomsAdd(), GRSTx509IsCA(), i, int, GRSTx509Cert::issuer, j, len, malloc(), GRSTx509Cert::next, GRSTx509Cert::notafter, GRSTx509Cert::notbefore, NULL, s, GRSTx509Cert::serial, size_t, sprintf(), TRUE, and GRSTx509Cert::type.

Referenced by GRST_callback_SSLVerify_wrapper().

static int GRSTx509ChainVomsAdd ( GRSTx509Cert **  grst_cert,
time_t  time1_time,
time_t  time2_time,
X509_EXTENSION *  ex,
char *  ucuserdn,
char *  vomsdir 
) [static]

Get the VOMS attributes in the given extension.

Add any VOMS credentials found into the chain. Always returns GRST_RET_OK

Definition at line 399 of file grst_x509.c.

References GRST_ASN1_COORDS_FQAN, GRST_ASN1_COORDS_TIME1, GRST_ASN1_COORDS_TIME2, GRST_ASN1_COORDS_USER_DN, GRST_ASN1_COORDS_VOMS_DN, GRST_CERT_BAD_CHAIN, GRST_CERT_BAD_SIG, GRST_CERT_BAD_TIME, GRST_CERT_TYPE_VOMS, GRST_RET_OK, GRSTasn1GetX509Name(), GRSTasn1ParseDump(), GRSTasn1SearchTaglist(), GRSTasn1TimeToTimeT(), GRSTx509NameCmp(), GRSTx509VerifyVomsSig(), GRSTasn1TagList::headerlength, i, length, GRSTasn1TagList::length, malloc(), GRSTx509Cert::next, NULL, snprintf, sprintf(), start, and GRSTasn1TagList::start.

Referenced by GRSTx509ChainLoadCheck().

int GRSTx509CheckChain ( int *  first_non_ca,
X509_STORE_CTX *  ctx 
)

Check certificate chain for GSI proxy acceptability.

Returns X509_V_OK/GRST_RET_OK if valid; OpenSSL X509 errors otherwise.

Inspired by GSIcheck written by Mike Jones, SVE, Manchester Computing, The University of Manchester.

The GridSite version handles old and new style Globus proxies, and proxies derived from user certificates issued with "X509v3 Basic Constraints: CA:FALSE" (eg UK e-Science CA)

We do not check chain links between certs here: this is done by GRST_check_issued/X509_check_issued in mod_ssl's ssl_engine_init.c

TODO: we do not yet check ProxyCertInfo and ProxyCertPolicy extensions (although via GRSTx509KnownCriticalExts() we can accept them.)

Definition at line 807 of file grst_x509.c.

References depth, FALSE, GRST_RET_OK, GRSTasn1TimeToTimeT(), GRSTx509IsCA(), i, len, NULL, size_t, and TRUE.

Referenced by GRSTx509VerifyCallback().

int GRSTx509CompactCreds ( int *  lastcred,
int  maxcreds,
size_t  credlen,
char *  creds,
STACK_OF(X509)*  certstack,
char *  vomsdir,
X509 *  peercert 
)

Get the credentials in an X509 cert/GSI proxy, including any VOMS.

Credentials are placed in Compact Creds string array at *creds.

Function returns GRST_RET_OK on success, or GRST_RET_FAILED if some inconsistency is found in the certificate.

Definition at line 1203 of file grst_x509.c.

References GRST_RET_FAILED, GRST_RET_OK, GRSTasn1TimeToTimeT(), GRSTx509GetVomsCreds(), GRSTx509IsCA(), i, NULL, snprintf, and strcpy().

GRSTgaclCred* GRSTx509CompactToCred ( char *  grst_cred  ) 

Turn a Compact Cred line into a GRSTgaclCred object.

Returns a pointer to the created GRSTgaclCred, or NULL on failure.

Definition at line 1142 of file grst_x509.c.

References free(), GRSTgaclCredCreate(), GRSTgaclCredSetDelegation, GRSThttpUrlMildencode(), NULL, and p.

int GRSTx509CreateProxyRequest ( char **  reqtxt,
char **  keytxt,
char *  ocspurl 
)

Create an X.509 request for a GSI proxy and its private key.

Returns GRST_RET_OK on success, non-zero otherwise. Request string and private key are PEM encoded strings

Definition at line 1661 of file grst_x509.c.

References GRST_KEYSIZE, malloc(), NULL, ptr, and size_t.

char* GRSTx509FindProxyFileName ( void   ) 

Find proxy file name of the current user.

Return a string with the proxy file name or NULL if not present. This function does not check if the proxy has expired.

Definition at line 1284 of file grst_x509.c.

References getenv(), malloc(), NULL, p, and sprintf().

int GRSTx509GetVomsCreds ( int *  lastcred,
int  maxcreds,
size_t  credlen,
char *  creds,
X509 *  usercert,
STACK_OF(X509)*  certstack,
char *  vomsdir 
)

Get the VOMS attributes in the extensions to the given cert stack.

Puts any VOMS credentials found into the Compact Creds string array starting at *creds. Always returns GRST_RET_OK.

Definition at line 1091 of file grst_x509.c.

References GRST_RET_OK, GRST_VOMS_OID, GRSTasn1TimeToTimeT(), GRSTx509ParseVomsExt(), i, j, NULL, and s.

Referenced by GRSTx509CompactCreds().

int GRSTx509IsCA ( X509 *  cert  ) 

Check if certificate can be used as a CA to sign standard X509 certs.

Return GRST_RET_OK if true; GRST_RET_FAILED if not.

Definition at line 156 of file grst_x509.c.

References GRST_RET_FAILED, and GRST_RET_OK.

Referenced by GRSTx509ChainLoadCheck(), GRSTx509CheckChain(), and GRSTx509CompactCreds().

int GRSTx509KnownCriticalExts ( X509 *  cert  ) 

Check critical extensions.

Returns GRST_RET_OK if all of the critical extensions are known to us or to OpenSSL; GRST_RET_FAILED otherwise.

This function relies on functionality (X509_supported_extension) introduced in 0.9.7, so we do nothing and report an error (GRST_RET_FAILED) if one of the associated defines (X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) is absent.

Definition at line 120 of file grst_x509.c.

References GRST_PROXYCERTINFO_OID, GRST_PROXYCERTNEWINFO_OID, GRST_RET_FAILED, GRST_RET_OK, i, and s.

Referenced by GRST_callback_SSLVerify_wrapper(), and GRSTx509VerifyCallback().

char* GRSTx509MakeDelegationID ( void   ) 

Returns a Delegation ID based on hash of GRST_CRED_0, ...

Returns a malloc'd string with Delegation ID made by SHA1-hashing the values of the compact credentials exported by mod_gridsite

Definition at line 1943 of file grst_x509.c.

References getenv(), i, m, malloc(), NULL, snprintf, and sprintf().

int GRSTx509MakeProxyCert ( char **  proxychain,
FILE *  debugfp,
char *  reqtxt,
char *  cert,
char *  key,
int  minutes 
)

Make a GSI Proxy chain from a request, certificate and private key.

The proxy chain is returned in *proxychain. If debugfp is non-NULL, errors are output to that file pointer. The proxy will expire in the given number of minutes starting from the current time.

Definition at line 1312 of file grst_x509.c.

References fclose(), fopen, fp, GRST_BACKDATE_SECONDS, GRST_MAX_CHAIN_LEN, GRST_RET_FAILED, GRST_RET_OK, GRSTasn1TimeToTimeT(), i, RooFitShortHand::L(), mpcerror(), name, NULL, ptr, and realloc().

int GRSTx509MakeProxyRequest ( char **  reqtxt,
char *  proxydir,
char *  delegation_id,
char *  user_dn 
)

Make and store an X.509 request for a GSI proxy.

Returns GRST_RET_OK on success, non-zero otherwise. Request string is PEM encoded, and the key is stored in the temporary cache under proxydir

Definition at line 1732 of file grst_x509.c.

References fclose(), fopen, fp, free(), GRST_KEYSIZE, GRST_RET_FAILED, GRSThttpUrlEncode(), malloc(), mkdir_printf(), NULL, ptr, S_IRUSR, S_IWUSR, S_IXUSR, size_t, and sprintf().

int GRSTx509NameCmp ( char *  a,
char *  b 
)

Compare X509 Distinguished Name strings.

This function attempts to do with string representations what would ideally be done with OIDs/values. In particular, we equate "/Email=" == "/emailAddress=" to deal with this important change between OpenSSL 0.9.6 and 0.9.7. Other than that, it is currently the same as ordinary strcasecmp(3) (for consistency with EDG/LCG/EGEE gridmapdir case insensitivity.)

Definition at line 82 of file grst_x509.c.

References free(), memmove, NULL, p, and strcasecmp.

Referenced by GRSTx509ChainVomsAdd(), and GRSTx509ParseVomsExt().

int GRSTx509ParseVomsExt ( int *  lastcred,
int  maxcreds,
size_t  credlen,
char *  creds,
time_t  time1_time,
time_t  time2_time,
X509_EXTENSION *  ex,
char *  ucuserdn,
char *  vomsdir 
)

Get the VOMS attributes in the given extension.

Puts any VOMS credentials found into the Compact Creds string array starting at *creds. Always returns GRST_RET_OK - even for invalid credentials, which are just ignored.

Definition at line 1006 of file grst_x509.c.

References GRST_ASN1_COORDS_FQAN, GRST_ASN1_COORDS_TIME1, GRST_ASN1_COORDS_TIME2, GRST_ASN1_COORDS_USER_DN, GRST_RET_OK, GRSTasn1GetX509Name(), GRSTasn1ParseDump(), GRSTasn1SearchTaglist(), GRSTasn1TimeToTimeT(), GRSTx509NameCmp(), GRSTx509VerifyVomsSig(), GRSTasn1TagList::headerlength, i, length, long, NULL, snprintf, and start.

Referenced by GRSTx509GetVomsCreds().

int GRSTx509ProxyDestroy ( char *  proxydir,
char *  delegation_id,
char *  user_dn 
)

Destroy stored GSI proxy files.

Returns GRST_RET_OK on success, non-zero otherwise. (Including GRST_RET_NO_SUCH_FILE if the private key or cert chain were not found.)

Definition at line 1824 of file grst_x509.c.

References GRST_RET_FAILED, GRST_RET_NO_SUCH_FILE, GRST_RET_OK, GRSThttpUrlEncode(), sprintf(), and unlink.

int GRSTx509ProxyGetTimes ( char *  proxydir,
char *  delegation_id,
char *  user_dn,
time_t *  start,
time_t *  finish 
)

Get start and finish validity times of stored GSI proxy file.

Returns GRST_RET_OK on success, non-zero otherwise. (Including GRST_RET_NO_SUCH_FILE if the cert chain was not found.)

Definition at line 1855 of file grst_x509.c.

References fclose(), fopen, fp, free(), GRST_RET_FAILED, GRST_RET_NO_SUCH_FILE, GRST_RET_OK, GRSTasn1TimeToTimeT(), GRSThttpUrlEncode(), NULL, and sprintf().

int GRSTx509StringToChain ( STACK_OF(X509)**  certstack,
char *  certstring 
)

Create a stack of X509 certificates from a PEM-encoded string.

Creates a dynamically allocated stack of X509 certificate objects by walking through the PEM-encoded X509 certificates.

Returns GRST_RET_OK on success, non-zero otherwise.

Definition at line 1893 of file grst_x509.c.

References GRST_RET_FAILED, GRST_RET_OK, and NULL.

Referenced by GRSTx509CacheProxy().

int GRSTx509VerifyCallback ( int  ok,
X509_STORE_CTX *  ctx 
)

Example VerifyCallback routine.

Definition at line 972 of file grst_x509.c.

References FALSE, GRST_RET_OK, GRSTx509CheckChain(), GRSTx509KnownCriticalExts(), TRUE, and X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION.

static int GRSTx509VerifySig ( time_t *  time1_time,
time_t *  time2_time,
unsigned char *  txt,
int  txt_len,
unsigned char *  sig,
int  sig_len,
X509 *  cert 
) [static]

Check a specific signature against a specific (VOMS) cert.

Returns GRST_RET_OK if signature is ok, other values if not.

Definition at line 196 of file grst_x509.c.

References GRST_RET_FAILED, GRST_RET_OK, GRSTasn1TimeToTimeT(), and NULL.

Referenced by GRSTx509VerifyVomsSig().

static int GRSTx509VerifyVomsSig ( time_t *  time1_time,
time_t *  time2_time,
unsigned char *  asn1string,
struct GRSTasn1TagList  taglist[],
int  lasttag,
char *  vomsdir,
int  acnumber 
) [static]

Check the signature of the VOMS attributes.

Returns GRST_RET_OK if signature is ok, other values if not.

Definition at line 248 of file grst_x509.c.

References closedir, fclose(), fopen, fp, GRST_ASN1_COORDS_VOMS_DN, GRST_ASN1_COORDS_VOMS_INFO, GRST_ASN1_COORDS_VOMS_SIG, GRST_LOG_DEBUG, GRST_RET_FAILED, GRST_RET_OK, GRSTasn1GetX509Name(), GRSTasn1SearchTaglist(), GRSTerrorLog, GRSTx509VerifySig(), length, NULL, opendir, pthread_mutex_init(), pthread_mutex_lock(), pthread_mutex_unlock(), readdir, S_ISDIR, snprintf, sprintf(), start, stat, and vomsmutex.

Referenced by GRSTx509ChainVomsAdd(), and GRSTx509ParseVomsExt().

static void mkdir_printf ( mode_t  mode,
char *  fmt,
  ... 
) [static]

Definition at line 1647 of file grst_x509.c.

References mkdir.

Referenced by GRSTx509CacheProxy(), and GRSTx509MakeProxyRequest().

static void mpcerror ( FILE *  debugfp,
char *  msg 
) [static]

Definition at line 1302 of file grst_x509.c.

References NULL.

Referenced by GRSTx509MakeProxyCert().


Variable Documentation

pthread_mutex_t vomsmutex

Definition at line 79 of file grst_x509.c.

Referenced by GRSTx509VerifyVomsSig().

