SYnc

diff --git a/org.gridsite.core/CHANGES b/org.gridsite.core/CHANGES
index c65aa4f..80cb856 100644 (file)
--- a/org.gridsite.core/CHANGES
+++ b/org.gridsite.core/CHANGES
@@ -1,3 +1,10 @@
+* Sun Nov 29 2009 Andrew McNab <Andrew.McNab@cern.ch>
+- Back port fixes from 1.7.x branch:
+-  GRSTx509MakeProxyCert() now creates RFC 3280 
+   proxies if any earlier proxies are RFC style
+-  Discard X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+   errors in GRST_callback_SSLVerify_wrapper(), 
+   needed for newer OpenSSL
 * Mon Oct 19 2009 Andrew McNab <Andrew.McNab@cern.ch>
 - Discard X509_V_ERR_INVALID_PURPOSE errors in 
   GRST_callback_SSLVerify_wrapper(), needed by 

diff --git a/org.gridsite.core/interface/gridsite.h b/org.gridsite.core/interface/gridsite.h
index 52cf285..772eeeb 100644 (file)
--- a/org.gridsite.core/interface/gridsite.h
+++ b/org.gridsite.core/interface/gridsite.h
@@ -141,7 +141,8 @@ typedef struct { GRSTgaclCred *firstcred; char *dnlists; } GRSTgaclUser;
 #define GRST_DN_LISTS     "/etc/grid-security/dn-lists"
 #define GRST_RECURS_LIMIT 9
 
-#define GRST_PROXYCERTINFO_OID "1.3.6.1.4.1.3536.1.222"
+#define GRST_PROXYCERTINFO_OLD_OID     "1.3.6.1.4.1.3536.1.222"
+#define GRST_PROXYCERTINFO_OID         "1.3.6.1.5.5.7.1.14"
 #define GRST_VOMS_OID          "1.3.6.1.4.1.8005.100.100.5"
 #define GRST_VOMS_DIR          "/etc/grid-security/vomsdir"
 

diff --git a/org.gridsite.core/src/grst_x509.c b/org.gridsite.core/src/grst_x509.c
index 401b8e6..f2d856a 100644 (file)
--- a/org.gridsite.core/src/grst_x509.c
+++ b/org.gridsite.core/src/grst_x509.c
@@ -135,7 +135,9 @@ int GRSTx509KnownCriticalExts(X509 *cert)
           {
             OBJ_obj2txt(s, sizeof(s), X509_EXTENSION_get_object(ex), 1);
 
-            if (strcmp(s, GRST_PROXYCERTINFO_OID) != 0) return GRST_RET_FAILED;
+            if ((strcmp(s, GRST_PROXYCERTINFO_OID)     != 0) &&
+                (strcmp(s, GRST_PROXYCERTINFO_OLD_OID) != 0))
+              return GRST_RET_FAILED;
           }
       }
 
@@ -1606,7 +1608,7 @@ int GRSTx509MakeProxyCert(char **proxychain, FILE *debugfp,
 /// the given number of minutes starting from the current time.
 {
   char *ptr, *certchain;
-  int i, ncerts;
+  int i, ncerts, any_rfc_proxies = 0;
   long serial = 1234, ptrlen;
   EVP_PKEY *pkey, *CApkey;
   const EVP_MD *digest;
@@ -1614,6 +1616,8 @@ int GRSTx509MakeProxyCert(char **proxychain, FILE *debugfp,
   X509_REQ *req;
   X509_NAME *name, *CAsubject, *newsubject;
   X509_NAME_ENTRY *ent;
+  ASN1_OBJECT *pcinfo_obj = NULL;
+  X509_EXTENSION *ex;
   FILE *fp;
   BIO *reqmem, *certmem;
   time_t notAfter;
@@ -1719,8 +1723,11 @@ int GRSTx509MakeProxyCert(char **proxychain, FILE *debugfp,
     }    
 
   /* set version number for the certificate (X509v3) and the serial number   
-     need 3 = v4 for GSI proxy?? */
-  if (X509_set_version(certs[0], 3L) != 1)
+     
+     We now use 2 = v3 for the GSI proxy, rather than the old Globus 
+     behaviour of 3 = v4. See Savannah Bug #53721 */
+     
+  if (X509_set_version(certs[0], 2L) != 1)
     {
       mpcerror(debugfp,
             "GRSTx509MakeProxyCert(): error setting certificate version\n");
@@ -1800,10 +1807,13 @@ int GRSTx509MakeProxyCert(char **proxychain, FILE *debugfp,
     
   /* go through chain making sure this proxy is not longer lived */
 
+  pcinfo_obj = OBJ_txt2obj(GRST_PROXYCERTINFO_OID, 0);
+
   notAfter = 
      GRSTasn1TimeToTimeT(ASN1_STRING_data(X509_get_notAfter(certs[0])), 0);
-
+     
   for (i=1; i < ncerts; ++i)
+     {
        if (notAfter > 
            GRSTasn1TimeToTimeT(ASN1_STRING_data(X509_get_notAfter(certs[i])),
                                0))
@@ -1814,6 +1824,23 @@ int GRSTx509MakeProxyCert(char **proxychain, FILE *debugfp,
             
            ASN1_UTCTIME_set(X509_get_notAfter(certs[0]), notAfter);
          }
+         
+       if (X509_get_ext_by_OBJ(certs[i], pcinfo_obj, -1) > 0) 
+         any_rfc_proxies = 1;
+     }
+
+   /* if any earlier proxies are RFC 3820, then new proxy must be 
+      an RFC 3820 proxy too with the required extension */ 
+   if (any_rfc_proxies)
+    {
+      ex = X509_EXTENSION_new();
+
+      X509_EXTENSION_set_object(ex, pcinfo_obj);
+      X509_EXTENSION_set_critical(ex, 1);
+      
+      X509_add_ext(certs[0], ex, -1);
+    }
+  else free(pcinfo_obj);
 
   /* sign the certificate with the signing private key */
   if (EVP_PKEY_type(CApkey->type) == EVP_PKEY_RSA)
@@ -2065,9 +2092,16 @@ int GRSTx509MakeProxyRequest(char **reqtxt, char *proxydir,
     }
         
   if ((keypair = RSA_generate_key(GRST_KEYSIZE, 65537, NULL, NULL)) == NULL)
-                                                               return 1;
+    {
+      free(prvkeyfile);
+      return 1;
+    }
           
-  if ((fp = fopen(prvkeyfile, "w")) == NULL) return 2;
+  if ((fp = fopen(prvkeyfile, "w")) == NULL) 
+    {
+      free(prvkeyfile);
+      return 2;
+    }
   
   chmod(prvkeyfile, S_IRUSR | S_IWUSR);
   free(prvkeyfile);

diff --git a/org.gridsite.core/src/mod_gridsite.c b/org.gridsite.core/src/mod_gridsite.c
index 1cd6b1d..a68638c 100644 (file)
--- a/org.gridsite.core/src/mod_gridsite.c
+++ b/org.gridsite.core/src/mod_gridsite.c
@@ -3797,6 +3797,22 @@ int GRST_callback_SSLVerify_wrapper(int ok, X509_STORE_CTX *ctx)
         X509_STORE_CTX_set_error(ctx, errnum);
      }
 
+#ifdef X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+   /*
+    * Skip X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED, since they are!
+    */
+   if (errnum == X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED)
+     {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                    "Skip Proxy Certificates Not Allowed error");
+
+        sslconn->verify_error = NULL;
+        ok = TRUE;
+        errnum = X509_V_OK;
+        X509_STORE_CTX_set_error(ctx, errnum);
+     }
+#endif
+
    /*
     * New style GSI Proxy handling, with critical ProxyCertInfo
     * extension: we use GRSTx509KnownCriticalExts() to check this