glite_location=$PREFIX
globus_prefix=/opt/globus
-voms_prefix=/opt/glite
nothrflavour=gcc32
thrflavour=gcc32pthr
myproxy_prefix=$globus_prefix
DEBUG:=-g -O0
-# XXX: until VOMS is ready in SCM
-CFLAGS:= -DNOVOMS \
- ${DEBUG} \
- -DVOMS_INSTALL_PATH=\"${voms_prefix}\"\
+CFLAGS:= ${DEBUG} \
${MYPROXYINC} \
-I${top_srcdir}/src -I${top_srcdir}/interface \
-I${glite_location}/include
LINK:=libtool --mode=link ${CC} ${LDFLAGS}
INSTALL:=libtool --mode=install install
-DAEMONOBJ:=renewd.o renew.o common.o commands.o api.o
+DAEMONOBJ:=renewd.o renew.o common.o commands.o api.o voms.o
LIBOBJ:=api.o common.o
CLIENTOBJ:=client.o
${LINK} -o $@ ${THRLIBLOBJ} -rpath ${glite_location}/lib
${DAEMON}: ${DAEMONOBJ}
- ${LINK} -o $@ ${DAEMONOBJ} ${JOBIDLIB} ${MYPROXY_LIB} -lglobus_gss_assist_${nothrflavour} ${GLOBUS_LIBS}
+ ${LINK} -o $@ ${DAEMONOBJ} ${JOBIDLIB} ${MYPROXY_LIB} -lvomsc -lglobus_gss_assist_${nothrflavour} ${GLOBUS_LIBS}
${CLIENT}: ${CLIENTOBJ} ${LIB}
${LINK} -o $@ ${CLIENTOBJ} ${LIB} ${GLOBUS_LIBS}
Revision history:
$Log$
+ Revision 1.2 2004/07/12 16:18:37 dimeglio
+ Modified to use myproxy from the repository if available
+
-->
<!-- ======================================================
thrflavour=${with.globus.thr.flavor}
nothrflavour=${with.globus.nothr.flavor}
myproxy_prefix=${with.myproxy.prefix}
-voms_prefix=${with.glite.location}
</echo>
</target>
</project>
--- /dev/null
+/*********************************************************************
+ *
+ * Authors: Vincenzo Ciaschini - Vincenzo.Ciaschini@cnaf.infn.it
+ *
+ * Copyright (c) 2002, 2003 INFN-CNAF on behalf of the EU DataGrid.
+ * For license conditions see LICENSE file or
+ * http://www.edg.org/license.html
+ *
+ * Parts of this code may be based upon or even include verbatim pieces,
+ * originally written by other people, in which case the original header
+ * follows.
+ *
+ *********************************************************************/
+#ifndef _ACSTACK_H
+#define _ACSTACK_H
+
+#include <openssl/asn1.h>
+#include <openssl/stack.h>
+#include <openssl/safestack.h>
+
+#define IMPL_STACK(type) \
+ DECLARE_STACK_OF(type) \
+ STACK_OF(type) *sk_##type##_new (int (*cmp)(const type * const *, const type * const *)) \
+ { return sk_new ( (int (*)(const char * const *, const char * const *))cmp);} \
+ STACK_OF(type) *sk_##type##_new_null () { return sk_new_null(); } \
+ void sk_##type##_free (STACK_OF(type) *st) { sk_free(st); } \
+ int sk_##type##_num (const STACK_OF(type) *st) { return sk_num(st); } \
+ type *sk_##type##_value (const STACK_OF(type) *st, int i) { return (type *)sk_value(st, i); } \
+ type *sk_##type##_set (STACK_OF(type) *st, int i, type *val) { return ((type *)sk_set(st, i, (char *)val)); } \
+ void sk_##type##_zero (STACK_OF(type) *st) { sk_zero(st);} \
+ int sk_##type##_push (STACK_OF(type) *st, type *val) { return sk_push(st, (char *)val); } \
+ int sk_##type##_unshift (STACK_OF(type) *st, type *val) { return sk_unshift(st, (char *)val); } \
+ int sk_##type##_find (STACK_OF(type) *st, type *val) { return sk_find(st, (char *)val); } \
+ type *sk_##type##_delete (STACK_OF(type) *st, int i) { return (type *)sk_delete(st, i); } \
+ type *sk_##type##_delete_ptr (STACK_OF(type) *st, type *ptr) { return (type *)sk_delete_ptr(st, (char *)ptr); } \
+ int sk_##type##_insert (STACK_OF(type) *st, type *val, int i) { return sk_insert(st, (char *)val, i); } \
+ int (*sk_##type##_set_cmp_func (STACK_OF(type) *st, int (*cmp)(const type * const *, const type * const *)))(const type * const *, const type * const *) \
+ { return (int ((*)(const type * const *, const type * const *)))sk_set_cmp_func (st, (int (*)(const char * const *, const char * const *))cmp); } \
+ STACK_OF(type) *sk_##type##_dup (STACK_OF(type) *st) { return sk_dup(st); } \
+ void sk_##type##_pop_free (STACK_OF(type) *st, void (*func)(type *)) { sk_pop_free(st, (void (*)(void *))func); } \
+ type *sk_##type##_shift (STACK_OF(type) *st) { return (type *)sk_shift(st); } \
+ type *sk_##type##_pop (STACK_OF(type) *st) { return (type *)sk_pop(st); } \
+ void sk_##type##_sort (STACK_OF(type) *st) { sk_sort(st); } \
+ STACK_OF(type) *d2i_ASN1_SET_OF_##type (STACK_OF(type) **st, unsigned char **pp, long length, type *(*d2ifunc)(), void (*freefunc)(type *), int ex_tag, int ex_class) \
+ { return d2i_ASN1_SET(st, pp, length, (char *(*)())d2ifunc, (void (*)(void *))freefunc, ex_tag, ex_class); } \
+ int i2d_ASN1_SET_OF_##type (STACK_OF(type) *st, unsigned char **pp, int (*i2dfunc)(), int ex_tag, int ex_class, int is_set) \
+ { return i2d_ASN1_SET(st, pp, i2dfunc, ex_tag, ex_class, is_set); } \
+ unsigned char *ASN1_seq_pack_##type (STACK_OF(type) *st, int (*i2d)(), unsigned char **buf, int *len) { return ASN1_seq_pack(st, i2d, buf, len); } \
+ STACK_OF(type) *ASN1_seq_unpack_##type (unsigned char *buf, int len, type *(*d2i)(), void (*freefunc)(type *)) \
+ { return ASN1_seq_unpack(buf, len, (char *(*)())d2i, (void (*)(void *))freefunc); }
+
+
+#define DECL_STACK(type) \
+ DECLARE_STACK_OF(type) \
+ extern STACK_OF(type) *sk_##type##_new (int (*)(const type * const *, const type * const *)); \
+ extern STACK_OF(type) *sk_##type##_new_null (); \
+ extern void sk_##type##_free (STACK_OF(type) *); \
+ extern int sk_##type##_num (const STACK_OF(type) *); \
+ extern type *sk_##type##_value (const STACK_OF(type) *, int); \
+ extern type *sk_##type##_set (STACK_OF(type) *, int, type *); \
+ extern void sk_##type##_zero (STACK_OF(type) *); \
+ extern int sk_##type##_push (STACK_OF(type) *, type *); \
+ extern int sk_##type##_unshift (STACK_OF(type) *, type *); \
+ extern int sk_##type##_find (STACK_OF(type) *, type *); \
+ extern type *sk_##type##_delete (STACK_OF(type) *, int); \
+ extern type *sk_##type##_delete_ptr (STACK_OF(type) *, type *); \
+ extern int sk_##type##_insert (STACK_OF(type) *, type *, int); \
+ extern int (*sk_##type##_set_cmp_func (STACK_OF(type) *, int (*)(const type * const *, const type * const *)))(const type * const *, const type * const *); \
+ extern STACK_OF(type) *sk_##type##_dup (STACK_OF(type) *); \
+ extern void sk_##type##_pop_free (STACK_OF(type) *, void (*)(type *)); \
+ extern type *sk_##type##_shift (STACK_OF(type) *); \
+ extern type *sk_##type##_pop (STACK_OF(type) *); \
+ extern void sk_##type##_sort (STACK_OF(type) *); \
+ extern STACK_OF(type) *d2i_ASN1_SET_OF_##type (STACK_OF(type) **, unsigned char **, long, type *(*)(), void (*)(type *), int, int); \
+ extern int i2d_ASN1_SET_OF_##type (STACK_OF(type) *, unsigned char **, int (*)(), int, int, int); \
+ extern unsigned char *ASN1_seq_pack_##type (STACK_OF(type) *, int (*)(), unsigned char **, int *); \
+ extern STACK_OF(type) *ASN1_seq_unpack_##type (unsigned char *, int, type *(*)(), void (*)(type *)) ;
+
+#endif
#include "renewal_locl.h"
#include "renewd_locl.h"
-#ifndef NOVOMS
-#include <voms_apic.h>
-#endif
+#include "glite/security/voms/voms_apic.h"
#ident "$Header$"
return EDG_WLPR_ERROR_VOMS;
}
- ret = load_proxy(file, &cert, &privkey, &chain);
+ ret = load_proxy(file, &cert, &privkey, &chain, NULL);
if (ret) {
VOMS_Destroy(voms_info);
return ret;
--- /dev/null
+/*********************************************************************
+ *
+ * Authors: Vincenzo Ciaschini - Vincenzo.Ciaschini@cnaf.infn.it
+ *
+ * Copyright (c) 2002, 2003 INFN-CNAF on behalf of the EU DataGrid.
+ * For license conditions see LICENSE file or
+ * http://www.edg.org/license.html
+ *
+ * Parts of this code may be based upon or even include verbatim pieces,
+ * originally written by other people, in which case the original header
+ * follows.
+ *
+ *********************************************************************/
+#ifndef _NEW_FORMAT_H
+#define _NEW_FORMAT_H
+#include <openssl/evp.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1_mac.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#include <openssl/stack.h>
+#include <openssl/safestack.h>
+
+#include "acstack.h"
+#if 0
+static STACK_OF(CRYPT_EX_DATA_FUNS) *AC_meth = NULL;
+
+static AC_METHOD meth = {
+ (int (*)()) i2d_AC,
+ (char *(*)())d2i_AC,
+ (char *(*)())AC_new,
+ (void (*)()) AC_free};
+a
+ASN1_METHOD *AC_asn1_meth(void)
+{
+ return &meth;
+}
+#endif
+
+typedef struct ACDIGEST {
+ ASN1_ENUMERATED *type;
+ ASN1_OBJECT *oid;
+ X509_ALGOR *algor;
+ ASN1_BIT_STRING *digest;
+} AC_DIGEST;
+
+typedef struct ACIS {
+ STACK_OF(GENERAL_NAME) *issuer;
+ ASN1_INTEGER *serial;
+ ASN1_BIT_STRING *uid;
+} AC_IS;
+
+typedef struct ACFORM {
+ STACK_OF(GENERAL_NAME) *names;
+ AC_IS *is;
+ AC_DIGEST *digest;
+} AC_FORM;
+
+typedef struct ACACI {
+ STACK_OF(GENERAL_NAME) *names;
+ AC_FORM *form;
+} AC_ACI;
+
+typedef struct ACHOLDER {
+ AC_IS *baseid;
+ STACK_OF(GENERAL_NAMES) *name;
+ AC_DIGEST *digest;
+} AC_HOLDER;
+
+typedef struct ACVAL {
+ ASN1_GENERALIZEDTIME *notBefore;
+ ASN1_GENERALIZEDTIME *notAfter;
+} AC_VAL;
+
+typedef struct asn1_string_st AC_IETFATTRVAL;
+
+typedef struct ACIETFATTR {
+ STACK_OF(GENERAL_NAMES) *names;
+ STACK_OF(AC_IETFATTRVAL) *values;
+} AC_IETFATTR;
+
+typedef struct ACTARGET {
+ GENERAL_NAME *name;
+ GENERAL_NAME *group;
+ AC_IS *cert;
+} AC_TARGET;
+
+typedef struct ACTARGETS {
+ STACK_OF(AC_TARGET) *targets;
+} AC_TARGETS;
+
+typedef struct ACATTR {
+ ASN1_OBJECT *type;
+ STACK_OF(AC_IETFATTR) *ietfattr;
+} AC_ATTR;
+
+typedef struct ACINFO {
+ ASN1_INTEGER *version;
+ AC_HOLDER *holder;
+ AC_FORM *form;
+ X509_ALGOR *alg;
+ ASN1_INTEGER *serial;
+ AC_VAL *validity;
+ STACK_OF(AC_ATTR) *attrib;
+ ASN1_BIT_STRING *id;
+ STACK_OF(X509_EXTENSION) *exts;
+} AC_INFO;
+
+typedef struct ACC {
+ AC_INFO *acinfo;
+ X509_ALGOR *sig_alg;
+ ASN1_BIT_STRING *signature;
+} AC;
+
+typedef struct ACSEQ {
+ STACK_OF(AC) *acs;
+} AC_SEQ;
+
+DECL_STACK(AC_TARGET)
+DECL_STACK(AC_TARGETS)
+DECL_STACK(AC_IETFATTR)
+DECL_STACK(AC_IETFATTRVAL)
+DECL_STACK(AC_ATTR)
+DECL_STACK(AC);
+DECL_STACK(AC_INFO);
+DECL_STACK(AC_VAL);
+DECL_STACK(AC_HOLDER);
+DECL_STACK(AC_ACI);
+DECL_STACK(AC_FORM);
+DECL_STACK(AC_IS);
+DECL_STACK(AC_DIGEST);
+
+extern int i2d_AC_ATTR(AC_ATTR *a, unsigned char **pp);
+extern AC_ATTR *d2i_AC_ATTR(AC_ATTR **a, unsigned char **p, long length);
+extern AC_ATTR *AC_ATTR_new();
+extern void AC_ATTR_free(AC_ATTR *a);
+extern int i2d_AC_IETFATTR(AC_IETFATTR *a, unsigned char **pp);
+extern AC_IETFATTR *d2i_AC_IETFATTR(AC_IETFATTR **a, unsigned char **p, long length);
+extern AC_IETFATTR *AC_IETFATTR_new();
+extern void AC_IETFATTR_free (AC_IETFATTR *a);
+extern int i2d_AC_IETFATTRVAL(AC_IETFATTRVAL *a, unsigned char **pp);
+extern AC_IETFATTRVAL *d2i_AC_IETFATTRVAL(AC_IETFATTRVAL **a, unsigned char **pp, long length);
+extern AC_IETFATTRVAL *AC_IETFATTRVAL_new();
+extern void AC_IETFATTRVAL_free(AC_IETFATTRVAL *a);
+extern int i2d_AC_DIGEST(AC_DIGEST *a, unsigned char **pp);
+extern AC_DIGEST *d2i_AC_DIGEST(AC_DIGEST **a, unsigned char **pp, long length);;
+extern AC_DIGEST *AC_DIGEST_new(void);
+extern void AC_DIGEST_free(AC_DIGEST *a);
+extern int i2d_AC_IS(AC_IS *a, unsigned char **pp);
+extern AC_IS *d2i_AC_IS(AC_IS **a, unsigned char **pp, long length);
+extern AC_IS *AC_IS_new(void);
+extern void AC_IS_free(AC_IS *a);
+extern int i2d_AC_FORM(AC_FORM *a, unsigned char **pp);
+extern AC_FORM *d2i_AC_FORM(AC_FORM **a, unsigned char **pp, long length);
+extern AC_FORM *AC_FORM_new(void);
+extern void AC_FORM_free(AC_FORM *a);
+extern int i2d_AC_ACI(AC_ACI *a, unsigned char **pp);
+extern AC_ACI *d2i_AC_ACI(AC_ACI **a, unsigned char **pp, long length);
+extern AC_ACI *AC_ACI_new(void);
+extern void AC_ACI_free(AC_ACI *a);
+
+extern int i2d_AC_HOLDER(AC_HOLDER *a, unsigned char **pp);
+extern AC_HOLDER *d2i_AC_HOLDER(AC_HOLDER **a, unsigned char **pp, long length);
+extern AC_HOLDER *AC_HOLDER_new(void);
+extern void AC_HOLDER_free(AC_HOLDER *a);
+
+/* new AC_VAL functions by Valerio */
+extern int i2d_AC_VAL(AC_VAL *a, unsigned char **pp);
+extern AC_VAL *d2i_AC_VAL(AC_VAL **a, unsigned char **pp, long length);
+extern AC_VAL *AC_VAL_new(void);
+extern void AC_VAL_free(AC_VAL *a);
+/* end*/
+
+extern int i2d_AC_INFO(AC_INFO *a, unsigned char **pp);
+extern AC_INFO *d2i_AC_INFO(AC_INFO **a, unsigned char **p, long length);
+extern AC_INFO *AC_INFO_new(void);
+extern void AC_INFO_free(AC_INFO *a);
+extern int i2d_AC(AC *a, unsigned char **pp) ;
+extern AC *d2i_AC(AC **a, unsigned char **pp, long length);
+extern AC *AC_new(void);
+extern void AC_free(AC *a);
+extern int i2d_AC_TARGETS(AC_TARGETS *a, unsigned char **pp) ;
+extern AC_TARGETS *d2i_AC_TARGETS(AC_TARGETS **a, unsigned char **pp, long length);
+extern AC_TARGETS *AC_TARGETS_new(void);
+extern void AC_TARGETS_free(AC_TARGETS *a);
+extern int i2d_AC_TARGET(AC_TARGET *a, unsigned char **pp) ;
+extern AC_TARGET *d2i_AC_TARGET(AC_TARGET **a, unsigned char **pp, long length);
+extern AC_TARGET *AC_TARGET_new(void);
+extern void AC_TARGET_free(AC_TARGET *a);
+extern int i2d_AC_SEQ(AC_SEQ *a, unsigned char **pp) ;
+extern AC_SEQ *d2i_AC_SEQ(AC_SEQ **a, unsigned char **pp, long length);
+extern AC_SEQ *AC_SEQ_new(void);
+extern void AC_SEQ_free(AC_SEQ *a);
+
+#endif
#include "renewal_locl.h"
#include "renewd_locl.h"
-#ifndef NOVOMS
-#include <voms_apic.h>
-#endif
+#include "glite/security/voms/voms_apic.h"
#ident "$Header$"
extern char *vomsdir;
extern int voms_enabled;
extern char *vomsconf;
-extern struct vomses_records vomses;
static int received_signal = -1;
static void
register_signal(int signal);
-
#define DGPR_RETRIEVE_DEFAULT_HOURS 10
#define RENEWAL_CLOCK_SKEW 5 * 60
-static const char *
-get_ssl_err()
-{
- return "SSL failed";
-}
-
int
-load_proxy(const char *filename, X509 **cert, EVP_PKEY **privkey,
- STACK_OF(X509) **chain)
+load_proxy(const char *cur_file, X509 **cert, EVP_PKEY **priv_key,
+ STACK_OF(X509) **chain, globus_gsi_cred_handle_t *cur_proxy)
{
- X509 *my_cert = NULL;
- EVP_PKEY *my_key = NULL;
- STACK_OF(X509) *my_chain = NULL;
- FILE *fd = NULL;
- int ret;
-
- fd = fopen(filename, "r");
- if (fd == NULL) {
- edg_wlpr_Log(LOG_ERR,
- "Cannot read VOMS certificate (fopen() failed on %s: %s)",
- filename, strerror(errno));
- return errno;
- }
-
- my_cert = PEM_read_X509(fd, NULL, NULL, NULL);
- if (my_cert == NULL) {
- edg_wlpr_Log(LOG_ERR,
- "Cannot read VOMS certificate (PEM_read_X509() failed: %s)",
- get_ssl_err());
- ret = EDG_WLPR_ERROR_SSL;
- goto end;
- }
+ globus_result_t result;
+ globus_gsi_cred_handle_t proxy = NULL;
- my_key = PEM_read_PrivateKey(fd, NULL, NULL, NULL);
- if (my_key == NULL) {
- edg_wlpr_Log(LOG_ERR,
- "Cannot read VOMS certificate (PEM_read_PrivateKey() failed: %s)",
- get_ssl_err());
- ret = EDG_WLPR_ERROR_SSL;
+ result = globus_gsi_cred_handle_init(&proxy, NULL);
+ if (result) {
+ fprintf(stderr, "globus_gsi_cred_handle_init() failed\n");
goto end;
}
- my_chain = sk_X509_new_null();
- if (my_chain == NULL) {
- edg_wlpr_Log(LOG_ERR,
- "Cannot read VOMS certificate (sk_X509_new_null() failed: %s)",
- get_ssl_err());
- ret = EDG_WLPR_ERROR_SSL;
+ result = globus_gsi_cred_read_proxy(proxy, cur_file);
+ if (result) {
+ fprintf(stderr, "globus_gsi_cred_read_proxy() failed\n");
goto end;
}
- while (1) {
- X509 *c;
-
- c = PEM_read_X509(fd, NULL, NULL, NULL);
- if (c == NULL) {
- if (ERR_GET_REASON(ERR_peek_error()) == PEM_R_NO_START_LINE) {
- /* End of file reached. no error */
- ERR_clear_error();
- break;
- }
- edg_wlpr_Log(LOG_ERR,
- "Cannot read VOMS certificate (PEM_read_X509() failed: %s)",
- get_ssl_err());
- ret = EDG_WLPR_ERROR_SSL;
+ if (cert) {
+ result = globus_gsi_cred_get_cert(proxy, cert);
+ if (result) {
+ fprintf(stderr, "globus_gsi_cred_get_cert() failed\n");
goto end;
}
- sk_X509_push(my_chain, c);
}
- *cert = my_cert;
- *privkey = my_key;
- *chain = my_chain;
- my_cert = NULL; my_key = NULL; my_chain = NULL;
- ret = 0;
-
-end:
- fclose(fd);
-
- if (my_cert)
- X509_free(my_cert);
- if (my_key)
- EVP_PKEY_free(my_key);
- if (my_chain)
- sk_X509_pop_free(my_chain, X509_free);
-
- return ret;
-}
-
-static int
-save_proxy(const char *filename, X509 *new_cert, EVP_PKEY *new_privkey,
- STACK_OF(X509) *chain)
-{
- FILE *fd = NULL;
- int ret, i;
- int retval = EDG_WLPR_ERROR_SSL;
-
- fd = fopen(filename, "w");
- if (fd == NULL) {
- edg_wlpr_Log(LOG_ERR,
- "Cannot store proxy (fopen() failed on %s: %s)",
- filename, strerror(errno));
- return errno;
- }
-
- ret = PEM_write_X509(fd, new_cert);
- if (ret == 0) {
- edg_wlpr_Log(LOG_ERR,
- "Cannot store proxy (PEM_write_X509() failed: %s)",
- get_ssl_err());
- goto end;
- }
-
- ret = PEM_write_PrivateKey(fd, new_privkey, NULL, NULL, 0, NULL, NULL);
- if (ret == 0) {
- edg_wlpr_Log(LOG_ERR,
- "Cannot store proxy (PEM_write_PrivateKey() failed: %s)",
- get_ssl_err());
- goto end;
- }
-
- for (i = 0; i < sk_X509_num(chain); i++) {
- X509 *cert = sk_X509_value(chain, i);
- ret = PEM_write_X509(fd, cert);
- if (ret == 0) {
- edg_wlpr_Log(LOG_ERR,
- "Cannot store proxy (PEM_write_X509() failed: %s)",
- get_ssl_err());
+ if (priv_key) {
+ result = globus_gsi_cred_get_key(proxy, priv_key);
+ if (result) {
+ fprintf(stderr, "globus_gsi_cred_get_key() failed\n");
goto end;
}
}
-
- retval = 0;
-
-end:
- fclose(fd);
-
- return retval;
-}
-
-static int
-gen_keypair(EVP_PKEY **keypair, int requested_bits)
-{
- RSA *rsa = NULL;
- EVP_PKEY *key;
-
- *keypair = NULL;
- rsa = RSA_generate_key(requested_bits,
- RSA_F4 /* public exponent */,
- NULL, NULL);
- if (rsa == NULL) {
- edg_wlpr_Log(LOG_ERR,
- "Cannot generate new proxy (RSA_generate_key() failed: %s)",
- get_ssl_err());
- return EDG_WLPR_ERROR_SSL;
- }
-
- key = EVP_PKEY_new();
- if (key == NULL) {
- edg_wlpr_Log(LOG_ERR,
- "Cannot generate new proxy (EVP_PKEY_new() failed: %s)",
- get_ssl_err());
- RSA_free(rsa);
- return EDG_WLPR_ERROR_SSL;
- }
-
- if (EVP_PKEY_assign_RSA(key, rsa) == 0) {
- edg_wlpr_Log(LOG_ERR,
- "Cannot generate new proxy (EVP_PKEY_assign_RSA() failed: %s)",
- get_ssl_err());
- RSA_free(rsa);
- EVP_PKEY_free(key);
- return EDG_WLPR_ERROR_SSL;
- }
-
- *keypair = key;
-
- return 0;
-}
-
-static int
-gen_subject_name(X509 *old_cert, X509 *new_cert)
-{
- X509_NAME *name = NULL;
- X509_NAME_ENTRY *name_entry = NULL;
- int ret = EDG_WLPR_ERROR_SSL;
-
- name = X509_NAME_dup(X509_get_subject_name(old_cert));
- if (name == NULL) {
- edg_wlpr_Log(LOG_ERR,
- "Cannot generate new proxy (X509_NAME_dup() failed: %s",
- get_ssl_err());
- goto end;
- }
-
- name_entry = X509_NAME_ENTRY_create_by_NID(NULL /* make new entry */,
- NID_commonName,
- V_ASN1_APP_CHOOSE,
- "proxy", -1);
- if (name_entry == NULL) {
- edg_wlpr_Log(LOG_ERR,
- "Cannot generate new proxy (X509_NAME_ENTRY_create_by_NID() failed: %s)",
- get_ssl_err());
- goto end;
- }
-
- if (X509_NAME_add_entry(name, name_entry, X509_NAME_entry_count(name), 0) == 0) {
- edg_wlpr_Log(LOG_ERR,
- "Cannot generate new proxy (X509_NAME_add_entry() failed: %s)",
- get_ssl_err());
- goto end;
- }
-
-
- if (X509_set_subject_name(new_cert, name) == 0) {
- edg_wlpr_Log(LOG_ERR,
- "Cannot generate new proxy (X509_set_subject_name() failed: %s)",
- get_ssl_err());
- goto end;
- }
-
- ret = 0;
-
-end:
- if (name)
- X509_NAME_free(name);
- if (name_entry != NULL)
- X509_NAME_ENTRY_free(name_entry);
-
- return ret;
-}
-
-static int
-create_proxy(X509 *old_cert, EVP_PKEY *old_privkey, X509_EXTENSION *extension,
- X509 **new_cert, EVP_PKEY **new_privkey)
-{
- /* Inspired by code from Myproxy */
- EVP_PKEY *key_pair = NULL;
- X509 *cert = NULL;
- int ret;
- int retval = EDG_WLPR_ERROR_SSL;
-
- ret = gen_keypair(&key_pair, 512);
- if (ret)
- return ret;
-
- cert = X509_new();
- if (cert == NULL) {
- edg_wlpr_Log(LOG_ERR, "Cannot generate new proxy (X509_new() failed: Not enough memory)");
- goto end;
- }
-
- ret = gen_subject_name(old_cert, cert);
- if (ret) {
- retval = ret;
- goto end;
- }
-
- if (X509_set_issuer_name(cert, X509_get_subject_name(old_cert)) == 0) {
- edg_wlpr_Log(LOG_ERR,
- "Cannot generate new proxy (X509_set_issuer_name() failed: %s)",
- get_ssl_err());
- goto end;
- }
-
- if (X509_set_serialNumber(cert, X509_get_serialNumber(old_cert)) == 0) {
- edg_wlpr_Log(LOG_ERR,
- "Cannot generate new proxy (X509_set_serialNumber() failed: %s)",
- get_ssl_err());
- goto end;
- }
-
- X509_gmtime_adj(X509_get_notBefore(cert), -(60 * 5));
- X509_set_notAfter(cert, X509_get_notAfter(old_cert));
-
- if (X509_set_pubkey(cert, key_pair) == 0) {
- edg_wlpr_Log(LOG_ERR,
- "Cannot generate new proxy (X509_set_pubkey() failed: %s)",
- get_ssl_err());
- goto end;
- }
-
- /* set v3 */
- if (X509_set_version(cert, 2L) == 0) {
- edg_wlpr_Log(LOG_ERR,
- "Cannot generate new proxy (X509_set_version() failed: %s)",
- get_ssl_err());
- goto end;
- }
-
- if (cert->cert_info->extensions != NULL)
- sk_X509_EXTENSION_pop_free(cert->cert_info->extensions,
- X509_EXTENSION_free);
- cert->cert_info->extensions = sk_X509_EXTENSION_new_null();
- sk_X509_EXTENSION_push(cert->cert_info->extensions, extension);
-
- if (X509_sign(cert, old_privkey, EVP_md5()) == 0) {
- edg_wlpr_Log(LOG_ERR,
- "Cannot generate new proxy (X509_sign() failed: %s)",
- get_ssl_err());
- goto end;
- }
-
- *new_privkey = key_pair;
- *new_cert = cert;
- key_pair = NULL;
- cert = NULL;
-
- retval = 0;
-
-end:
- if (key_pair)
- EVP_PKEY_free(key_pair);
- if (cert)
- X509_free(cert);
-
- return retval;
-}
-
-static int
-create_voms_extension(char *buf, size_t buf_len, X509_EXTENSION **extensions)
-{
- ASN1_OBJECT *voms_obj = NULL;
- ASN1_OCTET_STRING *voms_oct = NULL;
-
- *extensions = NULL;
-
- voms_oct = ASN1_OCTET_STRING_new();
- if (voms_oct == NULL) {
- edg_wlpr_Log(LOG_ERR,
- "Cannot generate new proxy (ASN1_OCTET_STRING_new() failed: %s)",
- get_ssl_err());
- return EDG_WLPR_ERROR_SSL;
- }
-
- voms_oct->data = buf;
- voms_oct->length = buf_len;
-
- voms_obj = OBJ_nid2obj(OBJ_txt2nid("VOMS"));
- if (voms_obj == NULL) {
- edg_wlpr_Log(LOG_ERR, "Cannot generate new proxy (OBJ_nid2obj() failed");
- goto end;
- }
-
- *extensions = X509_EXTENSION_create_by_OBJ(NULL, voms_obj, 0, voms_oct);
- if (*extensions == NULL) {
- edg_wlpr_Log(LOG_ERR, "Cannot generate new proxy (X509_EXTENSION_create_by_OBJ() failed");
- goto end;
- }
-
- return 0;
-
-end:
- if (voms_oct)
- ASN1_OCTET_STRING_free(voms_oct);
- if (voms_obj)
- ASN1_OBJECT_free(voms_obj);
- return EDG_WLPR_ERROR_SSL;
-}
-
-#ifndef NOVOMS
-static int
-export_std_data(struct data *voms_data, char **buf)
-{
- asprintf(buf, "GROUP: %s\n"
- "ROLE:%s\n" /* the space is missing intentionaly */
- "CAP: %s\n",
- (voms_data->group) ? voms_data->group : "NULL",
- (voms_data->role) ? voms_data->role : "NULL",
- (voms_data->cap) ? voms_data->cap : "NULL");
- return 0;
-}
-
-static int
-export_user_data(struct voms *voms_cert, char **buf, size_t *len)
-{
- struct data **voms_data;
- char *str = NULL;
- char *ptr;
-
- *buf = NULL;
-
- switch (voms_cert->type) {
- case TYPE_NODATA:
- *buf = strdup("NO DATA");
- break;
- case TYPE_CUSTOM:
- *buf = strdup(voms_cert->custom);
- break;
- case TYPE_STD:
- for (voms_data = voms_cert->std; voms_data && *voms_data; voms_data++) {
- export_std_data(*voms_data, &str);
- if (*buf == NULL)
- ptr = calloc(strlen(str) + 1, 1);
- else
- ptr = realloc(*buf, strlen(*buf) + strlen(str) + 1);
- if (ptr == NULL) {
- return ENOMEM;
- }
- *buf = ptr;
- strcat(*buf, str);
- free(str);
- }
-
- break;
- default:
- return -1;
- }
-
- *len = strlen(*buf);
- return 0;
-}
-
-#endif
-
-static int
-encode_voms_buf(const char *label, char *data, size_t data_len,
- char **buf, size_t *buf_len)
-{
- char *tmp;
-
- tmp = realloc(*buf, *buf_len + strlen(label) + data_len + 1);
- if (tmp == NULL)
- return ENOMEM;
-
- memcpy(tmp + *buf_len, label, strlen(label));
-
- memcpy(tmp + *buf_len + strlen(label), data, data_len);
- tmp[*buf_len + strlen(label) + data_len] = '\n';
- *buf = tmp;
- *buf_len = *buf_len + strlen(label) + data_len + 1;
-
- return 0;
-}
-
-static int
-encode_voms_int(const char *label, int value, char **buf, size_t *buf_len)
-{
- char tmp[16];
-
- snprintf(tmp, sizeof(tmp), "%d", value);
- return encode_voms_buf(label, tmp, strlen(tmp), buf, buf_len);
-}
-
-static int
-encode_voms_str(const char *label, char *value, char **buf, size_t *buf_len)
-{
- return encode_voms_buf(label, value, strlen(value), buf, buf_len);
-}
-
-#if 0
-static int
-VOMS_Export(struct vomsdata *voms_info, char **buf, size_t *len)
-{
- struct voms *vc;
- char *enc_voms = NULL;
- size_t enc_voms_len = 0;
- char *data_buf;
- size_t data_len;
- int ret;
-
- if (voms_info == NULL || voms_info->data == NULL || *voms_info->data == NULL)
- return EINVAL;
- vc = *voms_info->data;
-
- ret = export_user_data(vc, &data_buf, &data_len);
- if (ret)
- return ret;
-
- encode_voms_int("SIGLEN:", vc->siglen, &enc_voms, &enc_voms_len);
- encode_voms_buf("SIGNATURE:",vc->signature, vc->siglen,
- &enc_voms, &enc_voms_len);
- enc_voms_len--; /* Signature is not followed by '\n' */
- encode_voms_str("USER:", vc->user, &enc_voms, &enc_voms_len);
- encode_voms_str("UCA:", vc->userca, &enc_voms, &enc_voms_len);
- encode_voms_str("SERVER:", vc->server, &enc_voms, &enc_voms_len);
- encode_voms_str("SCA:", vc->serverca, &enc_voms, &enc_voms_len);
- encode_voms_str("VO:", vc->voname, &enc_voms, &enc_voms_len);
- encode_voms_str("URI:", vc->uri, &enc_voms, &enc_voms_len);
- encode_voms_str("TIME1:", vc->date1, &enc_voms, &enc_voms_len);
- encode_voms_str("TIME2:", vc->date2, &enc_voms, &enc_voms_len);
- encode_voms_int("DATALEN:", data_len, &enc_voms, &enc_voms_len);
- encode_voms_buf("", data_buf, data_len, &enc_voms, &enc_voms_len);
- enc_voms_len--; /* the data already contains endind '\n' */
-
- free(data_buf);
- if (enc_voms == NULL) {
- edg_wlpr_Log(LOG_ERR, "Cannot renew VOMS certificate (Not enough memory)");
- return ENOMEM;
- }
- *buf = enc_voms;
- *len = enc_voms_len;
- return 0;
-}
-
-static int
-voms_cert_renew(char *hostname, int port, char *voms_subject,
- char *proxy,
- struct voms **cur_voms_cert, struct vomsdata *voms_info)
-{
- int ret = 0;
- char *command = "A";
- int err = 0;
- char *old_env_proxy = getenv("X509_USER_PROXY");
-
- setenv("X509_USER_PROXY", proxy, 1);
-
- /* hack (suggested by Vincenzo Ciaschini) to work around problem with
- * unitialized VOMS struct */
- ret = VOMS_Ordering("zzz:zzz", voms_info, &err);
- if (ret == 0) {
- edg_wlpr_Log(LOG_ERR, "Cannot renew VOMS certificate (VOMS_Ordering() failed");
- ret = EDG_WLPR_ERROR_VOMS;
- goto end;
- }
- /* XXX only attributes which are in current certificate should be requested*/
- ret = VOMS_Contact(hostname, port, (*cur_voms_cert)->server, command,
- voms_info, &err);
- if (ret == 0) {
-#if 0
- if (err == 1) { /* XXX cannot connect voms server */
- ret = 0;
+ if (chain) {
+ result = globus_gsi_cred_get_cert_chain(proxy, chain);
+ if (result) {
+ fprintf(stderr, "globus_gsi_cred_get_cert_chain() failed\n");
goto end;
}
-#endif
- edg_wlpr_Log(LOG_ERR, "Cannot renew VOMS certificate (VOMS_Contact() failed: %d)", err);
- ret = EDG_WLPR_ERROR_VOMS;
- } else
- ret = 0;
-
-end:
- (old_env_proxy) ? setenv("X509_USER_PROXY", old_env_proxy, 1) :
- unsetenv("X509_USER_PROXY");
-
- return ret;
-}
-
-static int
-renew_voms_cert(struct voms **cur_voms_cert, char *proxy, char **buf, size_t *buf_len)
-{
- struct vomsdata *voms_info = NULL;
- char *hostname = NULL;
- char *p;
- int port, ret;
-
- hostname = strdup((*cur_voms_cert)->uri);
- p = strchr(hostname, ':');
- if (p)
- *p = '\0';
- port = (p) ? atoi(p+1) : 15000;
-
- voms_info = VOMS_Init(vomsdir, cadir);
- if (voms_info == NULL) {
- edg_wlpr_Log(LOG_ERR, "Cannot renew VOMS certificate (VOMS_Init() failed)");
- ret = EDG_WLPR_ERROR_VOMS;
- goto end;
}
- ret = voms_cert_renew(hostname, port, (*cur_voms_cert)->server, proxy, cur_voms_cert,
- voms_info);
- if (ret)
- goto end;
-
- ret = VOMS_Export(voms_info, buf, buf_len);
- if (ret) {
- edg_wlpr_Log(LOG_ERR, "Cannot renew VOMS certificate (VOMS_Export() failed)");
- ret = EDG_WLPR_ERROR_VOMS;
- goto end;
+ if (cur_proxy) {
+ *cur_proxy = proxy;
+ proxy = NULL;
}
-
- ret = 0;
-
+
end:
- if (hostname)
- free(hostname);
-#if 0
- if (voms_info)
- VOMS_Destroy(voms_info);
-#endif
- return ret;
-}
-#endif
-
-#ifndef NOVOMS
-static vomses_record *
-find_vomses_record(char *hostname, int port)
-{
- int i;
-
- for (i = 0; i < vomses.len; i++) {
- if (strcmp(vomses.val[i]->hostname, hostname) == 0 &&
- vomses.val[i]->port == port)
- return vomses.val[i];
- }
-
- return NULL;
-}
-
-static int
-set_vo_params(struct voms **voms_cert, char **arg)
-{
- vomses_record *r;
- char *tmp;
- int port;
- char *hostname;
- char *p;
-
- hostname = strdup((*voms_cert)->uri);
- p = strchr(hostname, ':');
- if (p)
- *p = '\0';
- port = (p) ? atoi(p+1) : 15000;
-
- r = find_vomses_record(hostname, port);
- if (r == NULL)
- return EINVAL;
-
- if (*arg == NULL) {
- asprintf(arg, " -voms %s", r->nick);
- } else {
- tmp = realloc(*arg,
- strlen(*arg) + strlen(" -voms ") + strlen(r->nick) + 1);
- if (tmp == NULL)
- return ENOMEM;
- *arg = tmp;
- *arg = strcat(*arg, " -voms ");
- *arg = strcat(*arg, r->nick);
- }
return 0;
}
-#endif
-
-static int
-exec_voms_proxy_init(char *arg, char *old_proxy, char *new_proxy)
-{
- char command[256];
- int ret;
- char *old_env_proxy = getenv("X509_USER_PROXY");
-
- setenv("X509_USER_PROXY", old_proxy, 1);
-
- snprintf(command, sizeof(command),
- "edg-voms-proxy-init -out %s -key %s -cert %s -confile %s -q %s",
- new_proxy, old_proxy, old_proxy, vomsconf, arg);
- ret = system(command);
-
- (old_env_proxy) ? setenv("X509_USER_PROXY", old_env_proxy, 1) :
- unsetenv("X509_USER_PROXY");
-
- return ret;
-}
-
-#if 0
-static int
-renew_voms_certs(const char *old_proxy, const char *new_proxy)
-{
- struct vomsdata *voms_info = NULL;
- struct voms **voms_cert = NULL;
- STACK_OF(X509) *chain = NULL;
- EVP_PKEY *privkey = NULL;
- X509 *cert = NULL;
- int ret, err;
- char *buf = NULL;
- size_t buf_len = 0;
- X509_EXTENSION *extension = NULL;
- X509 *new_cert = NULL;
- EVP_PKEY *new_privkey = NULL;
-
- voms_info = VOMS_Init(vomsdir, cadir);
- if (voms_info == NULL) {
- edg_wlpr_Log(LOG_ERR, "Cannot initialize VOMS context (VOMS_Init() failed)");
- return EDG_WLPR_ERROR_VOMS;
- }
-
- ret = load_proxy(old_proxy, &cert, &privkey, &chain);
- if (ret)
- goto end;
-
- ret = VOMS_Retrieve(cert, chain, RECURSE_CHAIN, voms_info, &err);
- if (ret == 0) {
- if (err == VERR_NOEXT) {
- /* no VOMS cred, no problem; continue */
- ret = 0;
- } else {
- edg_wlpr_Log(LOG_ERR, "Cannot get VOMS certificate(s) from proxy");
- ret = EDG_WLPR_ERROR_VOMS;
- }
- goto end;
- }
-
- for (voms_cert = voms_info->data; voms_cert && *voms_cert; voms_cert++) {
- char *tmp, *ptr;
- size_t tmp_len;
-
- ret = renew_voms_cert(voms_cert, old_proxy, &tmp, &tmp_len);
- if (ret)
- continue;
- ptr = realloc(buf, buf_len + tmp_len);
- if (ptr == NULL) {
- ret = ENOMEM;
- goto end;
- }
- buf = ptr;
- memcpy(buf + buf_len, tmp, tmp_len);
- buf_len += tmp_len;
- }
-
- if (buf == NULL) {
- /* no extension renewed, return */
- ret = 0;
- goto end;
- }
-
- ret = create_voms_extension(buf, buf_len, &extension);
- if (ret)
- goto end;
-
- X509_free(cert);
- EVP_PKEY_free(privkey);
- sk_X509_pop_free(chain, X509_free);
-
- ret = load_proxy(new_proxy, &cert, &privkey, &chain);
- if (ret)
- goto end;
-
- ret = create_proxy(cert, privkey, extension, &new_cert, &new_privkey);
- if (ret)
- goto end;
-
- sk_X509_insert(chain, cert, 0);
-
- ret = save_proxy(new_proxy, new_cert, new_privkey, chain);
- if (ret)
- goto end;
-
- ret = 0;
-
-end:
- VOMS_Destroy(voms_info);
-
- return ret;
-}
-#else /* 0 */
-
-#ifdef NOVOMS
-static int
-renew_voms_certs(const char *old_proxy, char *myproxy_proxy, const char *new_proxy)
-{
- return 0;
-}
-
-#else
-static int
-renew_voms_certs(const char *old_proxy, char *myproxy_proxy, const char *new_proxy)
-{
- struct vomsdata *voms_info = NULL;
- struct voms **voms_cert = NULL;
- STACK_OF(X509) *chain = NULL;
- EVP_PKEY *privkey = NULL;
- X509 *cert = NULL;
- int ret, err;
- char *arg = NULL;
-
- voms_info = VOMS_Init(vomsdir, cadir);
- if (voms_info == NULL) {
- edg_wlpr_Log(LOG_ERR, "Cannot initialize VOMS context (VOMS_Init() failed)");
- return EDG_WLPR_ERROR_VOMS;
- }
-
- ret = load_proxy(old_proxy, &cert, &privkey, &chain);
- if (ret)
- goto end;
-
- ret = VOMS_Retrieve(cert, chain, RECURSE_CHAIN, voms_info, &err);
- if (ret == 0) {
- if (err == VERR_NOEXT) {
- /* no VOMS cred, no problem; continue */
- ret = 0;
- } else {
- edg_wlpr_Log(LOG_ERR, "Cannot get VOMS certificate(s) from proxy");
- ret = EDG_WLPR_ERROR_VOMS;
- }
- goto end;
- }
-
- for (voms_cert = voms_info->data; voms_cert && *voms_cert; voms_cert++) {
- ret = set_vo_params(voms_cert, &arg);
- if (ret)
- goto end;
- }
- ret = exec_voms_proxy_init(arg, myproxy_proxy, new_proxy);
-
-end:
- VOMS_Destroy(voms_info);
- return ret;
-}
-#endif /* NOVOMS */
-
-#endif /* 0 */
static void
register_signal(int signal)
goto end;
}
- ret = renew_voms_certs(repository_file, tmp_proxy, tmp_voms_proxy);
+ ret = renew_voms_certs(repository_file, tmp_voms_proxy);
if (ret)
goto end;
sa.sa_handler = register_signal;
sigaction(SIGUSR1, &sa, NULL);
- /* load_vomses(); */
-
while (1) {
received_signal = -1;
sleep(60 * 5);
int voms_enabled = 0;
char *vomsconf = "/opt/edg/etc/vomses";
-#ifndef NOVOMS
-struct vomses_records vomses;
-#endif
static struct option opts[] = {
{ "help", no_argument, NULL, 'h' },
exit(0);
}
-#ifdef NOVOMS
-static int
-load_vomses()
-{
- return ENOSYS;
-}
-
-#else
-static int
-load_vomses()
-{
- FILE *fd = NULL;
- char line[1024];
- char *nick, *hostname;
- int port;
- vomses_record *rec;
- vomses_record **tmp;
- char *p;
-
- fd = fopen(vomsconf, "r");
- if (fd == NULL) {
- edg_wlpr_Log(LOG_ERR, "Cannot open vomses configuration file (%s)",
- strerror(errno));
- return errno;
- }
- while (fgets(line, sizeof(line), fd) != NULL) {
- p = line;
- if (*p != '"') {
- edg_wlpr_Log(LOG_ERR, "Parsing error when reading vomses configuration file");
- return EINVAL;
- }
- nick = strdup(strtok(p+1, "\""));
-
- p = strtok(NULL, "\"");
- hostname = strdup(strtok(NULL, "\""));
-
- p = strtok(NULL, "\"");
- port = atoi(strdup(strtok(NULL, "\"")));
-
- if (nick == NULL || hostname == NULL) {
- edg_wlpr_Log(LOG_ERR, "Parsing error when reading vomses configuration file");
- return EINVAL;
- }
-
- rec = calloc(1, sizeof(*rec));
- if (rec == NULL) {
- edg_wlpr_Log(LOG_ERR, "Not enough memory");
- return ENOMEM;
- }
- rec->nick = nick;
- rec->hostname = hostname;
- rec->port = port;
-
- tmp = realloc(vomses.val, vomses.len + 1);
- if (tmp == NULL) {
- edg_wlpr_Log(LOG_ERR, "Not enough memory");
- return ENOMEM;
- }
- vomses.val = tmp;
- vomses.len++;
-
- vomses.val[vomses.len-1] = rec;
- }
- fclose(fd);
- return 0;
-}
-#endif
-
int main(int argc, char *argv[])
{
int sock;
}
globus_module_activate(GLOBUS_GSI_CERT_UTILS_MODULE);
+ globus_module_activate(GLOBUS_GSI_PROXY_MODULE);
if (!debug)
for (fd = 3; fd < OPEN_MAX; fd++) close(fd);
openlog(progname, LOG_PID, LOG_DAEMON);
}
- if (voms_enabled) {
- char *path;
- char *new_path;
- ret = load_vomses();
- if (ret)
- return 1;
- setenv("GLOBUS_VERSION", "22", 0);
- if (VOMS_INSTALL_PATH != NULL && *VOMS_INSTALL_PATH != '\0') {
- path = getenv("PATH");
- asprintf(&new_path, "%s:%s/bin", path, VOMS_INSTALL_PATH);
- setenv("PATH", new_path, 1);
- }
- }
-
ret = start_watchdog(&pid);
if (ret)
return 1;
X509_NAME *subject = NULL;
int ret;
- ret = load_proxy(file, &cert, &key, &chain);
+ ret = load_proxy(file, &cert, &key, &chain, NULL);
if (ret)
return ret;
#include <myproxy.h>
#include <myproxy_delegation.h>
-#include <globus_gsi_cert_utils.h>
+#include <globus_gsi_credential.h>
+#include <globus_gsi_proxy.h>
+#include <globus_gsi_cert_utils_constants.h>
#include "renewal.h"
time_t next_renewal;
} proxy_record;
-typedef struct vomses_record {
- char *nick;
- char *hostname;
- int port;
-} vomses_record;
-
-typedef struct vomses_records {
- unsigned int len;
- struct vomses_record **val;
-} vomses_records;
-
/* commands */
void
register_proxy(edg_wlpr_Request *request, edg_wlpr_Response *response);
int
load_proxy(const char *filename, X509 **cert, EVP_PKEY **privkey,
- STACK_OF(X509) **chain);
+ STACK_OF(X509) **chain, globus_gsi_cred_handle_t *proxy);
int
get_proxy_base_name(char *file, char **subject);
+int
+renew_voms_certs(const char *cur_file, const char *new_file);
+
#endif /* RENEWALD_LOCL_H */
--- /dev/null
+#include "renewal_locl.h"
+#include "renewd_locl.h"
+
+#include <string.h>
+#include <openssl/x509.h>
+
+#include "glite/security/voms/voms_apic.h"
+
+#include "newformat.h"
+
+char * Decode(const char *, int, int *);
+char **listadd(char **, char *, int);
+
+static int
+generate_proxy(globus_gsi_cred_handle_t cur_proxy,
+ X509_EXTENSION *voms_extension, const char *new_file)
+{
+ globus_result_t result;
+ globus_gsi_proxy_handle_t proxy_handle = NULL;
+ globus_gsi_cred_handle_t proxy = NULL;
+ EVP_PKEY *cur_proxy_priv_key = NULL;
+ X509 *new_cert = NULL;
+ X509 *voms_cert = NULL;
+ globus_gsi_cert_utils_cert_type_t proxy_type;
+
+ result = globus_gsi_proxy_handle_init(&proxy_handle, NULL);
+ if (result) {
+ fprintf(stderr, "globus_gsi_proxy_handle_init() failed\n");
+ goto end;
+ }
+
+ result = globus_gsi_cred_get_key(cur_proxy, &cur_proxy_priv_key);
+ if (result) {
+ fprintf(stderr, "globus_gsi_cred_get_key() failed\n");
+ goto end;
+ }
+
+ /* Create and sign a new proxy */
+ result = globus_gsi_cred_get_cert_type(cur_proxy, &proxy_type);
+ if (result) {
+ fprintf(stderr, "globus_gsi_cred_get_cert_type() failed\n");
+ goto end;
+ }
+
+ result = globus_gsi_proxy_handle_set_type(proxy_handle, proxy_type);
+ if (result) {
+ fprintf(stderr, "globus_gsi_proxy_handle_set_type() failed\n");
+ goto end;
+ }
+
+ result = globus_gsi_proxy_create_signed(proxy_handle, cur_proxy, &proxy);
+ if (result) {
+ fprintf(stderr, "globus_gsi_proxy_handle_init() failed\n");
+ goto end;
+ }
+
+ /* Get the new proxy */
+ result = globus_gsi_cred_get_cert(proxy, &new_cert);
+ if (result) {
+ fprintf(stderr, "globus_gsi_cred_get_cert() failed\n");
+ goto end;
+ }
+
+ /* The Globus API doesn't allow to store custom X.509 extensions */
+ voms_cert = X509_dup(new_cert);
+ if (voms_cert->cert_info->extensions == NULL)
+ voms_cert->cert_info->extensions = sk_X509_EXTENSION_new_null();
+ sk_X509_EXTENSION_push(voms_cert->cert_info->extensions, voms_extension);
+
+ /* Openssl ensures that memory containing old signature structures is unallocated */
+#if 0
+ X509_sign(voms_cert, cur_proxy_priv_key, proxy_handle->attrs->signing_algorithm);
+#else
+ X509_sign(voms_cert, cur_proxy_priv_key, EVP_md5());
+#endif
+
+ /* And put the cert back, older one is unallocated by the function */
+ result = globus_gsi_cred_set_cert(proxy, voms_cert);
+ if (result) {
+ fprintf(stderr, "globus_gsi_cred_set_cert() failed\n");
+ goto end;
+ }
+
+ result = globus_gsi_cred_write_proxy(proxy, (char *)new_file);
+
+end:
+
+ return 0;
+}
+
+static int
+my_VOMS_Export(void *buf, int buf_len, X509_EXTENSION **extension)
+{
+ AC *ac = NULL;
+ unsigned char *p, *pp;
+ AC **voms_attrs = NULL;
+
+ p = pp = buf;
+ ac = d2i_AC(NULL, &p, buf_len+1);
+ if (ac == NULL) {
+ fprintf(stderr, "d2i_AC() failed\n");
+ return 1;
+ }
+
+ voms_attrs = (AC **)listadd((char **)voms_attrs, (char *)ac, sizeof(AC *));
+
+ *extension = X509V3_EXT_conf_nid(NULL, NULL, OBJ_txt2nid("acseq"),
+ (char*)voms_attrs);
+ return 0;
+}
+
+static int
+create_voms_command(struct vomsdata *vd, struct voms **voms_cert, char **command)
+{
+ int voms_error, ret;
+ struct data **attribs;
+
+#if 0
+ VOMS_ResetOrder(vd, &voms_error);
+ for (i = 2; i < argc; i++) {
+ ret = VOMS_Ordering(argv[i], vd, &voms_error);
+ if (ret == 0) {
+ fprintf(stderr, "VOMS_Ordering() failed\n");
+ return 1;
+ }
+ }
+#endif
+
+ if (voms_cert == NULL || *voms_cert == NULL || (*voms_cert)->std == NULL) {
+ fprintf(stderr, "Invalid VOMS certificate\n");
+ return 1;
+ }
+
+ attribs = (*voms_cert)->std;
+
+ if (strcmp (attribs[0]->role, "NULL") == 0 )
+ ret = asprintf(command, "G%s", attribs[0]->group);
+ else
+ ret = asprintf(command, "B%s:%s", attribs[0]->group, attribs[0]->role);
+
+end:
+
+ return 0;
+}
+
+static int
+renew_voms_cert(struct vomsdata *vd, struct voms **voms_cert,
+ char **buf, size_t *buf_len)
+{
+ int voms_error = 0, i, ret, voms_version;
+ struct contactdata **voms_contacts = NULL;
+ char *command = NULL;
+
+ voms_contacts = VOMS_FindByVO(vd, (*voms_cert)->voname, "/etc/vomses", "/home/kouril/.globus/vomses", &voms_error);
+ if (voms_contacts == NULL) {
+ fprintf(stderr, "VOMS_FindByVO() failed\n");
+ return 1;
+ }
+
+ ret = create_voms_command(vd, voms_cert, &command);
+
+ /* XXX iterate over all servers on the list on errors */
+ ret = VOMS_ContactRaw(voms_contacts[0]->host, voms_contacts[0]->port,
+ voms_contacts[0]->contact, command,
+ (void**) buf, buf_len, &voms_version,
+ vd, &voms_error);
+ if (ret == 0) {
+ fprintf(stderr, "VOMS_Contact() failed\n");
+ return 1;
+ }
+
+ VOMS_DeleteContacts(voms_contacts);
+
+ if (command)
+ free(command);
+
+ return 0;
+}
+
+int
+renew_voms_certs(const char *cur_file, const char *new_file)
+{
+ globus_gsi_cred_handle_t cur_proxy = NULL;
+ struct vomsdata *vd = NULL;
+ struct voms **voms_cert = NULL;
+ int voms_err, ret;
+ X509 *cert = NULL;
+ STACK_OF(X509) *chain = NULL;
+ char *buf = NULL;
+ size_t buf_len;
+ X509_EXTENSION *extension = NULL;
+ char *old_env_proxy = getenv("X509_USER_PROXY");
+
+ setenv("X509_USER_PROXY", cur_file, 1);
+
+ ret = load_proxy(cur_file, &cert, NULL, &chain, &cur_proxy);
+ if (ret)
+ goto end;
+
+ vd = VOMS_Init(NULL, NULL);
+ if (vd == NULL) {
+ fprintf(stderr, "VOMS_Init() failed\n");
+ return 1;
+ }
+
+ ret = VOMS_Retrieve(cert, chain, RECURSE_CHAIN, vd, &voms_err);
+ if (ret == 0) {
+ if (voms_err == VERR_NOEXT) {
+ /* no VOMS cred, no problem; continue */
+ fprintf(stderr, "No VOMS attributes found in proxy %s\n", cur_file);
+ ret = 0;
+ goto end;
+ } else {
+ fprintf(stderr, "Cannot get VOMS certificate(s) from proxy");
+ ret = 1;
+ goto end;
+ }
+ }
+
+ /* XXX make sure this loop can really work for multiple voms certificates
+ * embedded in the proxy */
+ for (voms_cert = vd->data; voms_cert && *voms_cert; voms_cert++) {
+ char *tmp, *ptr;
+ size_t tmp_len;
+
+ ret = renew_voms_cert(vd, voms_cert, &tmp, &tmp_len);
+ if (ret)
+ goto end;
+ ptr = realloc(buf, buf_len + tmp_len);
+ if (ptr == NULL) {
+ ret = ENOMEM;
+ goto end;
+ }
+ buf = ptr;
+ memcpy(buf + buf_len, tmp, tmp_len);
+ buf_len += tmp_len;
+ }
+
+ if (buf == NULL) {
+ /* no extension renewed, return */
+ ret = 0;
+ goto end;
+ }
+
+ ret = my_VOMS_Export(buf, buf_len, &extension);
+ if (ret)
+ goto end;
+
+ ret = generate_proxy(cur_proxy, extension, new_file);
+
+end:
+#if 0
+ if (ret)
+ unlink(new_file);
+#endif
+ (old_env_proxy) ? setenv("X509_USER_PROXY", old_env_proxy, 1) :
+ unsetenv("X509_USER_PROXY");
+
+ VOMS_Destroy(vd);
+
+ return ret;
+}
+
+#if 0
+int
+main(int argc, char *argv[])
+{
+ int ret;
+ const char *current_proxy = "/tmp/x509up_u11930";
+ const char *renewed_proxy = "/tmp/proxy";
+
+ if (argc > 1)
+ current_proxy = argv[1];
+ if (argc > 2)
+ renewed_proxy = argv[2];
+
+ if (globus_module_activate(GLOBUS_GSI_PROXY_MODULE) != GLOBUS_SUCCESS ||
+ globus_module_activate(GLOBUS_GSI_CERT_UTILS_MODULE) != GLOBUS_SUCCESS) {
+ fprintf(stderr, "[%d]: Unable to initialize Globus modules\n", getpid());
+ return 1;
+ }
+
+ ret = renew_voms_certs(current_proxy, renewed_proxy);
+
+ return 0;
+}
+#endif
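Review bot: `buf_len` in renew_voms_certs is never initialised before the loop's `realloc(buf, buf_len + tmp_len)`, so the first growth and the later `memcpy(buf + buf_len, ...)` use an indeterminate size; declare it `size_t buf_len = 0;`. In the same file my_VOMS_Export hands `buf_len+1` to `d2i_AC`, which lets the decoder read one byte past the attribute buffer (it should be `d2i_AC(NULL, &p, buf_len)`), and generate_proxy ends with `return 0` on every path, including a failed handle init, signing, or the unchecked `globus_gsi_cred_write_proxy`, so renew_voms_certs reports success for a proxy that was never written. The proxy handle and credential created in generate_proxy are never destroyed and the key from `globus_gsi_cred_get_key` is not freed (if the Globus API hands out a copy, which its documentation states), and the new certificate is signed with `EVP_md5()`, a weak digest for a credential the daemon re-issues every cycle; the `#if 0` branch using the handle's configured algorithm looks like the intended choice. Separately, renew_voms_cert uses a hard-coded `/home/kouril/.globus/vomses` path and dereferences `voms_contacts[0]` without checking the list is non-empty, and its `ret` from create_voms_command is ignored.
```c
static int
generate_proxy(globus_gsi_cred_handle_t cur_proxy,
	X509_EXTENSION *voms_extension, const char *new_file)
{
	int ret = 1;
	/* … unchanged: other declarations … */

	/* … unchanged: handle init, key, type, create_signed, get_cert, extension push, sign, set_cert … */

	result = globus_gsi_cred_write_proxy(proxy, (char *)new_file);
	if (result) {
		fprintf(stderr, "globus_gsi_cred_write_proxy() failed\n");
		goto end;
	}
	ret = 0;

end:
	if (proxy_handle)
		globus_gsi_proxy_handle_destroy(proxy_handle);
	if (proxy)
		globus_gsi_cred_handle_destroy(proxy);
	if (cur_proxy_priv_key)
		EVP_PKEY_free(cur_proxy_priv_key);
	return ret;
}
```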