CFLAGS_PRX=-Wall -g -I${top_srcdir}/src -I.
LFLAGS_PRX=-L. -lcanl_c
+CFLAGS_DEL=-Wall -g -I${top_srcdir}/src -I.
+LFLAGS_DEL=-L. -lcanl_c
+
HEAD_CANL=canl.h canl_locl.h canl_err.h canl_cred.h canl_ssl.h canl_mech_ssl.h
SRC_CLI=canl_sample_client.c
HEAD_PRX=canl.h canl_cred.h
OBJ_PRX=canl_proxy_init.lo
+SRC_DEL=delegation.c
+HEAD_DEL=canl.h canl_cred.h
+OBJ_DEL=canl_delegation.lo
+
CFLAGS:=-Wall -g -I${top_srcdir}/src/proxy -I. ${CFLAGS}
LIBCANL=libcanl_c.la
major:=${shell \
perl -e '$$,=":"; @F=split "\\.","${module.version}"; print $$F[0]+$$F[1]+${offset}' }
-all: ${LIBCANL} server client proxy
+all: ${LIBCANL} server client proxy
${LIBCANL}:\
canl.lo canl_err.lo canl_dns.lo canl_ssl.lo canl_cert.lo canl_cred.lo \
${OBJ_PRX}: ${SRC_PRX} ${HEAD_PRX} ${LIBCANL}
${COMPILE} -c ${top_srcdir}/examples/${SRC_PRX} ${CFLAGS_PRX} -o $@
+delegation: ${OBJ_DEL}
+ ${LINK} $< ${LFLAGS_DEL} -o $@
+
+${OBJ_DEL}: ${SRC_DEL} ${HEAD_DEL} ${LIBCANL}
+ ${COMPILE} -c ${top_srcdir}/examples/${SRC_DEL} ${CFLAGS_DEL} -o $@
canl_err.h: canl_error_codes
${top_srcdir}/src/gen_err_codes.pl < $^ > $@
${INSTALL} -m 755 client ${DESTDIR}${PREFIX}${prefix}/bin/emi-canl-client
${INSTALL} -m 755 proxy \
${DESTDIR}${PREFIX}${prefix}/bin/emi-canl-proxy-init
+ ${INSTALL} -m 755 delegation \
+ ${DESTDIR}${PREFIX}${prefix}/bin/emi-canl-delegation
${INSTALL} -m 755 ${LIBCANL} ${DESTDIR}${PREFIX}${prefix}/${libdir}
${INSTALL} -m 644 ${top_srcdir}/src/canl.h \
${top_srcdir}/src/canl_ssl.h canl_err.h \
$(MAKE) install PREFIX=${stagedir}
clean:
- rm -rfv *.o *.lo ${LIBCANL} .libs client server \
+ rm -rfv *.o *.lo ${LIBCANL} .libs client server proxy delegation \
${top_srcdir}/*.c ${top_srcdir}/*.h lex.backup stage
distclean:
+#include <stdio.h>
+#include <unistd.h>
#include <canl.h>
#include <canl_cred.h>
+#define BITS 1024
+#define LIFETIME 43200 /*12 hours*/
+#define OUTPUT "/tmp/x509_u99999"
+
int
main(int argc, char *argv[])
{
canl_cred signer = NULL;
canl_cred proxy = NULL;
canl_cred proxy_cert = NULL;
- canl_x509_req proxy_req = NULL;
+ canl_cred proxy_bob = NULL;
X509_REQ *req = NULL;
X509 *x509_cert = NULL;
STACK_OF(X509) *x509_chain= NULL;
canl_ctx ctx = NULL;
canl_err_code ret;
+ char *user_cert = NULL;
+ char *output = NULL;
+ char *user_key = NULL;
+ long int lifetime = 0;
+ unsigned int bits = 0;
+ int opt = 0;
+
+ while ((opt = getopt(argc, argv, "hc:k:l:b:o:")) != -1) {
+ switch (opt) {
+ case 'h':
+ fprintf(stderr, "Usage: %s [-c certificate]"
+ " [-k private key] [-h] [-l lifetime] [-b bits]"
+ " [-o output]"
+ "\n", argv[0]);
+ exit(0);
+ case 'c':
+ user_cert = optarg;
+ break;
+ case 'k':
+ user_key = optarg;
+ break;
+ case 'l':
+ lifetime = atoi(optarg);
+ break;
+ case 'b':
+ bits = atoi(optarg);
+ break;
+ case 'o':
+ output = optarg;
+ break;
+ default: /* '?' */
+ fprintf(stderr, "Usage: %s [-c certificate]"
+ " [-k private key] [-h] [-l lifetime] [-b bits]"
+ " [-o output]"
+ "\n", argv[0]);
+ exit(-1);
+ }
+ }
+
ctx = canl_create_ctx();
+ if (ctx == NULL) {
+ fprintf(stderr, "[DELEGATION] Failed to create library context\n");
+ return 1;
+ }
-/* Bob - after Alice has asked to delegate her credentials */
- ret = canl_req_new(ctx, &proxy_req);
- ret = canl_req_gen_key(ctx, proxy_req, 1024);
- ret = canl_req_get_req(ctx, proxy_req, &req);
+ /* Bob - after Alice has asked to delegate her credentials */
+ ret = canl_cred_new(ctx, &proxy_bob);
+ if (ret){
+ fprintf(stderr, "[DELEGATION] Proxy context cannot be created"
+ ": %s\n", canl_get_error_message(ctx));
+ goto end;
+ }
+
+ if (!bits)
+ bits = BITS;
+ ret = canl_cred_new_req(ctx, &proxy_bob, bits);
+ if (ret) {
+ fprintf(stderr, "[DELEGATION] Failed to create certificate "
+ "request container: %s\n", canl_get_error_message(ctx));
+ goto end;
+ }
+ ret = canl_cred_save_req(ctx, proxy_bob, &req);
+ if (ret) {
+ fprintf(stderr, "[DELEGATION] Failed to get certificate "
+ "request container: %s\n", canl_get_error_message(ctx));
+ goto end;
+ }
/* serialize 'req' and send it to Alice */
/* Alice - after receiving the CSR from Bob. (The private key stays with Bob.) */
{
- ret = canl_cred_new(ctx, &signer);
- ret = canl_cred_load_cert_file(ctx, signer, "$HOME/.globus/usercert.pem");
- ret = canl_cred_load_priv_key_file(ctx, signer, "$HOME/.globus/userkey.pem",
- NULL, NULL);
-
- /* deserialize 'req' from Bob */
- ret = canl_cred_new(ctx, &proxy_cert);
- ret = canl_cred_load_req(ctx, proxy_cert, req);
- ret = canl_cred_set_lifetime(ctx, proxy_cert, 60*10);
- ret = canl_cred_set_cert_type(ctx, proxy_cert, CANL_RFC);
- ret = canl_cred_sign_proxy(ctx, signer, proxy_cert);
-
- ret = canl_cred_save_cert(ctx, proxy_cert, &x509_cert);
+ ret = canl_cred_new(ctx, &signer);
+ if (ret){
+ fprintf(stderr, "[DELEGATION] Proxy context cannot be created"
+ ": %s\n", canl_get_error_message(ctx));
+ goto end;
+ }
+
+ ret = canl_cred_load_cert_file(ctx, signer, user_cert);
+ if (ret){
+ fprintf(stderr, "[DELEGATION] Cannot load signer's certificate"
+ ": %s\n", canl_get_error_message(ctx));
+ goto end;
+ }
+ ret = canl_cred_load_priv_key_file(ctx, signer, user_key, NULL, NULL);
+ if (ret){
+ fprintf(stderr, "[DELEGATION] Cannot access signer's key"
+ ": %s\n", canl_get_error_message(ctx));
+ goto end;
+ }
+
+ /* deserialize 'req' from Bob */
+ ret = canl_cred_new(ctx, &proxy_cert);
+ if (ret){
+ fprintf(stderr, "[DELEGATION] Proxy context cannot be created"
+ ": %s\n", canl_get_error_message(ctx));
+ goto end;
+ }
+ ret = canl_cred_load_req(ctx, proxy_cert, req);
+ if (ret) {
+ fprintf(stderr, "[DELEGATION] Failed to load certificate "
+ "request container: %s\n", canl_get_error_message(ctx));
+ goto end;
+ }
+
+
+ if (!lifetime)
+ lifetime = LIFETIME;
+ ret = canl_cred_set_lifetime(ctx, proxy_cert, lifetime);
+ if (ret)
+ fprintf(stderr, "[DELEGATION] Failed set new cert lifetime"
+ ": %s\n", canl_get_error_message(ctx));
+
+ ret = canl_cred_set_cert_type(ctx, proxy_cert, CANL_RFC);
+ if (ret)
+ fprintf(stderr, "[DELEGATION] Failed set new cert type"
+ ": %s\n", canl_get_error_message(ctx));
+
+ ret = canl_cred_sign_proxy(ctx, signer, proxy_cert);
+ if (ret){
+ fprintf(stderr, "[DELEGATION] Cannot sign new proxy"
+ ": %s\n", canl_get_error_message(ctx));
+ goto end;
+ }
+
+ ret = canl_cred_save_cert(ctx, proxy_cert, &x509_cert);
+ if (ret){
+ fprintf(stderr, "[DELEGATION] Cannot save new cert file"
+ ": %s\n", canl_get_error_message(ctx));
+ goto end;
+ }
+
ret = canl_cred_save_chain(ctx, proxy_cert, &x509_chain);
+ if (ret){
+ fprintf(stderr, "[DELEGATION] Cannot save cert chain"
+ ": %s\n", canl_get_error_message(ctx));
+ goto end;
+ }
/* serialize the new proxy cert and chain and send it back to Bob */
}
/* deserialize the new proxy cert and chain from Alice */
ret = canl_cred_new(ctx, &proxy);
- ret = canl_cred_load_req(ctx, proxy, proxy_req);
+ if (ret){
+ fprintf(stderr, "[DELEGATION] Proxy context cannot be created"
+ ": %s\n", canl_get_error_message(ctx));
+ goto end;
+ }
+
+ ret = canl_cred_load_req(ctx, proxy, proxy_bob);
+ if (ret){
+ fprintf(stderr, "[DELEGATION] Cannot load cert. request container"
+ ": %s\n", canl_get_error_message(ctx));
+ goto end;
+ }
+
ret = canl_cred_load_cert(ctx, proxy, x509_cert);
+ if (ret){
+ fprintf(stderr, "[DELEGATION] Cannot load certificate"
+ ": %s\n", canl_get_error_message(ctx));
+ goto end;
+ }
+
ret = canl_cred_load_chain(ctx, proxy, x509_chain);
- ret = canl_cred_save_proxyfile(ctx, proxy, "/tmp/x509up_u11930");
-
+ if (ret){
+ fprintf(stderr, "[DELEGATION] Cannot load cert. chain"
+ ": %s\n", canl_get_error_message(ctx));
+ goto end;
+ }
+
+ if (!output)
+ output = OUTPUT;
+ ret = canl_cred_save_proxyfile(ctx, proxy, output);
+ if (ret){
+ fprintf(stderr, "[PROXY-INIT] Cannot save new proxy"
+ ": %s\n", canl_get_error_message(ctx));
+ goto end;
+ }
+
ret = 0;
-
+end:
if (signer)
canl_cred_free(ctx, signer);
if (proxy)
canl_cred_free(ctx, proxy);
if (proxy_cert)
canl_cred_free(ctx, proxy_cert);
- if (proxy_req)
- canl_req_free(ctx, proxy_req);
+ if (proxy_bob)
+ canl_cred_free(ctx, proxy_bob);
if (req)
X509_REQ_free(req);
+ if (x509_cert)
+ X509_free(x509_cert);
+/* TODO free stack
+ * if (x509_chain)
+ X509_free(x509_cert);
+*/
if (ctx)
canl_free_ctx(ctx);
}
canl_err_code CANL_CALLCONV
-canl_req_get_req(canl_ctx ctx, canl_cred req_in, X509_REQ ** req_ret)
+canl_cred_save_req(canl_ctx ctx, canl_cred req_in, X509_REQ ** req_ret)
{
glb_ctx *cc = (glb_ctx*) ctx;
creds *req = (creds*) req_in;
/*TODO free REQ if req_ret full*/
*req_ret = X509_REQ_dup(req->c_req);
- if (*req_ret)
+ if (!(*req_ret))
return set_error(cc, ENOMEM, POSIX_ERROR, "Cannot copy"
" X509 request handler" ); //TODO check ret val
return 0;
}
+canl_err_code CANL_CALLCONV
+canl_cred_load_req(canl_ctx ctx, canl_cred cred_out, const X509_REQ *req_in)
+{
+ glb_ctx *cc = (glb_ctx*) ctx;
+ creds *req = (creds*) cred_out;
+
+ if (!ctx)
+ return EINVAL;
+ if (!req)
+ return set_error(cc, EINVAL, POSIX_ERROR, "Request handler"
+ " not initialized" );
+ if (!req_in)
+ return set_error(cc, EINVAL, POSIX_ERROR, "Request handler"
+ " not initialized" );
+ if (req->c_req) {
+ X509_REQ_free(req->c_req);
+ req->c_req = NULL;
+ }
+
+ req->c_req = X509_REQ_dup(req_in);
+ if (!req->c_req)
+ return set_error(cc, ENOMEM, POSIX_ERROR, "Cannot copy"
+ " X509 request handler" ); //TODO check ret val
+ return 0;
+}
+
+
#if 0
canl_err_code CANL_CALLCONV
canl_req_get_pair(canl_ctx, canl_x509_req, EVP_PKEY **)
git://scientific.zcu.cz / jra1mw.git / commitdiff