+* Sun Feb 20 2005 Andrew McNab <Andrew.McNab@man.ac.uk>
+- Add basic VOMS support (signature checking not yet
+ in) for X.509 Attribute Certificates.
+* Tue Feb 8 2005 Andrew McNab <Andrew.McNab@man.ac.uk>
+- ==== GridSite version 1.1.6 ====
* Tue Feb 8 2005 Andrew McNab <Andrew.McNab@man.ac.uk>
- Include GRSTx509MakeProxyFileName() and
GRSTx509StringToChain() (code to used hashes in cached
MAJOR_VERSION=1
MINOR_VERSION=1.1
-PATCH_VERSION=1.1.5
+PATCH_VERSION=1.1.6
VERSION=$(PATCH_VERSION)
/// No such file or directory
#define GRST_RET_NO_SUCH_FILE 1003
-#define GRST_PROXYCERTINFO_OID "1.3.6.1.4.1.3536.1.222"
-#define GRST_VOMS_OID "1.3.6.1.4.1.8005.100.100.1"
-#define GRST_VOMS_DIR "/etc/grid-security/vomsdir"
-
-
-
typedef struct { char *name;
char *value;
void *next; } GRSTgaclNamevalue;
#define GRST_DN_LISTS "/etc/grid-security/dn-lists"
#define GRST_RECURS_LIMIT 9
+#define GRST_PROXYCERTINFO_OID "1.3.6.1.4.1.3536.1.222"
+#define GRST_VOMS_OID "1.3.6.1.4.1.8005.100.100.5"
+#define GRST_VOMS_DIR "/etc/grid-security/vomsdir"
+
+#define GRST_ASN1_MAXCOORDLEN 50
+#define GRST_ASN1_MAXTAGS 500
+
+struct GRSTasn1TagList { char treecoords[GRST_ASN1_MAXCOORDLEN+1];
+ int start;
+ int headerlength;
+ int length;
+ int tag; } ;
+
int GRSTgaclInit(void);
/* #define GACLnewCred(x) GRSTgaclCredNew((x)) */
int GRSTx509KnownCriticalExts(X509 *);
-time_t GRSTasn1TimeToTimeT(char *);
int GRSTx509IsCA(X509 *);
int GRSTx509CheckChain(int *, X509_STORE_CTX *);
int GRSTx509VerifyCallback(int, X509_STORE_CTX *);
void GRSThttpWriteOut(GRSThttpBody *);
int GRSThttpPrintHeaderFooter(GRSThttpBody *, char *, char *);
char *GRSThttpGetCGI(char *);
+
+time_t GRSTasn1TimeToTimeT(char *);
+int GRSTasn1SearchTaglist(struct GRSTasn1TagList taglist[], int *, char *);
+int GRSTasn1ParseDump(BIO *, unsigned char *, long,
+ struct GRSTasn1TagList taglist[], int, int *);
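Review bot: The new `struct GRSTasn1TagList` and the `GRSTasn1*` prototypes arrive without a comment saying what the fields hold, and `length` is declared `int` although grst_asn1.c obtains it as a `long` from `ASN1_get_object` and narrows it at the `GRSTasn1AddToTaglist` call. I would put a short comment above the struct: `/* One DER element recorded by GRSTasn1ParseDump: treecoords is the "-"-joined path of 1-based sibling indices from the root (as built by GRSTasn1Parse2), start is the byte offset of the element's header in the parsed buffer, headerlength the size of that header, length the content length, tag the ASN.1 tag. */` Declaring `length` as `long` and documenting `int *lasttag` as an in/out index that the caller initialises to -1 would make the contract visible at the interface rather than only in grst_x509.c; `GRSTasn1SearchTaglist`'s `treecoords` argument could also be `const char *` since it is only compared.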
-module.version=1.1.5
-module.age=1
+#Thu Jan 13 03:09:57 CET 2005
+module.version=1.1.6
+module.build=134
+module.age=3
# First, normal versions using system OpenSSL rather than Globus OpenSSL
-libgridsite.so.$(VERSION): grst_x509.o grst_gacl.o grst_http.o
+libgridsite.so.$(VERSION): grst_x509.o grst_gacl.o grst_http.o grst_asn1.o
gcc -shared -Wl,-soname,libgridsite.so.$(MINOR_VERSION) \
- -o libgridsite.so.$(PATCH_VERSION) grst_x509.o grst_gacl.o grst_http.o
+ -o libgridsite.so.$(PATCH_VERSION) grst_x509.o grst_gacl.o grst_http.o grst_asn1.o
-libgridsite.a: grst_x509.o grst_gacl.o grst_http.o
- ar src libgridsite.a grst_x509.o grst_gacl.o grst_http.o
+libgridsite.a: grst_x509.o grst_gacl.o grst_http.o grst_asn1.o
+ ar src libgridsite.a grst_x509.o grst_gacl.o grst_http.o grst_asn1.o
grst_x509.o: grst_x509.c ../interface/gridsite.h
- gcc $(MYCFLAGS) $(OPENSSL_GLOBUS_FLAGS) \
+ gcc $(MYCFLAGS) \
-I/usr/kerberos/include -c grst_x509.c
grst_gacl.o: grst_gacl.c ../interface/gridsite.h
- gcc $(MYCFLAGS) $(OPENSSL_GLOBUS_FLAGS) \
+ gcc $(MYCFLAGS) \
-I/usr/kerberos/include `xml2-config --cflags` -c grst_gacl.c
grst_http.o: grst_http.c ../interface/gridsite.h
- gcc $(MYCFLAGS) $(OPENSSL_GLOBUS_FLAGS) \
+ gcc $(MYCFLAGS) \
-I/usr/kerberos/include -c grst_http.c
+grst_asn1.o: grst_asn1.c ../interface/gridsite.h
+ gcc $(MYCFLAGS) \
+ -I/usr/kerberos/include -c grst_asn1.c
+
# Then build versions using Globus OpenSSL if configured
ifdef OPENSSL_GLOBUS_LIBS
libgridsite_globus.so.$(VERSION): \
- grst_x509_globus.o grst_gacl_globus.o grst_http_globus.o
+ grst_x509_globus.o grst_gacl_globus.o grst_http_globus.o \
+ grst_asn1_globus.o
gcc -shared -Wl,-soname,libgridsite_globus.so.$(MINOR_VERSION) \
-o libgridsite_globus.so.$(PATCH_VERSION) \
- grst_x509_globus.o grst_gacl_globus.o grst_http_globus.o
+ grst_x509_globus.o grst_gacl_globus.o grst_http_globus.o grst_asn1_globus.o
-libgridsite_globus.a: grst_x509_globus.o grst_gacl_globus.o grst_http_globus.o
+libgridsite_globus.a: grst_x509_globus.o grst_gacl_globus.o grst_http_globus.o grst_asn1_globus.o
ar src libgridsite_globus.a \
- grst_x509_globus.o grst_gacl_globus.o grst_http_globus.o
+ grst_x509_globus.o grst_gacl_globus.o grst_http_globus.o grst_asn1_globus.o
grst_x509_globus.o: grst_x509.c ../interface/gridsite.h
gcc $(MYCFLAGS) $(OPENSSL_GLOBUS_FLAGS) \
-I/usr/kerberos/include -c grst_http.c \
-o grst_http_globus.o
+grst_asn1_globus.o: grst_asn1.c ../interface/gridsite.h
+ gcc $(MYCFLAGS) $(OPENSSL_GLOBUS_FLAGS) \
+ -I/usr/kerberos/include -c grst_asn1.c \
+ -o grst_asn1_globus.o
+
else
libgridsite_globus.so.$(VERSION): libgridsite.so.$(VERSION)
urlencode: urlencode.c libgridsite.a
gcc -DVERSION=\"$(PATCH_VERSION)\" $(MYCFLAGS) \
-o urlencode urlencode.c -L. \
- $(OPENSSL_GLOBUS_FLAGS) -I/usr/kerberos/include -lgridsite
+ -I/usr/kerberos/include -lgridsite
htcp: htcp.c
gcc -DVERSION=\"$(PATCH_VERSION)\" -I. -o htcp htcp.c \
mod_gridsite.so: mod_gridsite.c mod_ssl-private.h libgridsite.a
gcc $(MYCFLAGS) -shared -Wl,-soname=gridsite_module \
- $(OPENSSL_GLOBUS_FLAGS) -I/usr/kerberos/include \
+ -I/usr/kerberos/include \
-I/usr/include/libxml2 \
-DVERSION=\"$(VERSION)\" -o mod_gridsite.so \
mod_gridsite.c $(MYLDFLAGS) -lxml2 -lm -lz -lgridsite
grst_admin_main.c \
grst_admin_gacl.c \
grst_admin_file.c \
- $(OPENSSL_GLOBUS_FLAGS) -I/usr/kerberos/include \
- -DVERSION=\"$(VERSION)\" $(OPENSSL_GLOBUS_LIBS) -lgridsite -lssl$(FLAVOR_GLOBUS_EXT) -lcrypto$(FLAVOR_GLOBUS_EXT) -lxml2 -lz -lm
+ -I/usr/kerberos/include \
+ -DVERSION=\"$(VERSION)\" -lgridsite -lssl -lcrypto -lxml2 -lz -lm
findproxyfile: findproxyfile.c libgridsite.a
gcc -DVERSION=\"$(PATCH_VERSION)\" $(MYCFLAGS) $(MYLDFLAGS) \
-o findproxyfile findproxyfile.c -L. \
- $(OPENSSL_GLOBUS_FLAGS) -I/usr/kerberos/include -lgridsite \
- $(OPENSSL_GLOBUS_LIBS) -lssl$(FLAVOR_GLOBUS_EXT) -lcrypto$(FLAVOR_GLOBUS_EXT) -lxml2 -lz -lm
+ -I/usr/kerberos/include -lgridsite \
+ -lssl -lcrypto -lxml2 -lz -lm
+showx509exts: showx509exts.c libgridsite.a
+ gcc -DVERSION=\"$(PATCH_VERSION)\" $(MYCFLAGS) $(MYLDFLAGS) \
+ -o showx509exts showx509exts.c -L. \
+ -I/usr/kerberos/include \
+ -lgridsite \
+ -lssl -lcrypto
+
apidoc:
doxygen Doxyfile
gaclexample: gaclexample.c libgridsite.a
gcc -o gaclexample gaclexample.c -I. -L. \
- $(OPENSSL_GLOBUS_FLAGS) -I/usr/kerberos/include -lgridsite \
- -lssl$(FLAVOR_GLOBUS_EXT) -lcrypto$(FLAVOR_GLOBUS_EXT) -lxml2 -lz -lm
+ -I/usr/kerberos/include -lgridsite \
+ -lssl -lcrypto -lxml2 -lz -lm
#
# Delegation machinery, including SOAP delegation portType. To build this
soapC.c soapServer.c
gcc $(MYCFLAGS) $(MYLDFLAGS) -o gridsite-delegation.cgi \
grst-delegation.c \
- $(OPENSSL_GLOBUS_FLAGS) -I/usr/kerberos/include -I$(GSOAPDIR)/include \
+ -I/usr/kerberos/include -I$(GSOAPDIR)/include \
-DVERSION=\"$(VERSION)\" -L$(GSOAPDIR)/lib \
soapC.c soapServer.c -lgsoap \
- -lgridsite -lcurl -lz -lssl$(FLAVOR_GLOBUS_EXT) -lcrypto$(FLAVOR_GLOBUS_EXT) -lxml2 -lm
+ -lgridsite -lcurl -lz -lssl -lcrypto -lxml2 -lm
htproxyput: htproxyput.c delegation.h delegation.wsdl \
soapC.c soapServer.c
gcc $(MYCFLAGS) $(MYLDFLAGS) -o htproxyput \
htproxyput.c \
- $(OPENSSL_GLOBUS_FLAGS) -I/usr/kerberos/include \
+ -I/usr/kerberos/include \
-g -DVERSION=\"$(VERSION)\" \
-I$(GSOAPDIR)/include -DWITH_OPENSSL -L$(GSOAPDIR)/lib \
soapC.c soapClient.c -lgsoap \
- -lgridsite -lcurl -lz -lssl$(FLAVOR_GLOBUS_EXT) -lcrypto$(FLAVOR_GLOBUS_EXT) -lxml2 -lm
+ -lgridsite -lcurl -lz -lssl -lcrypto -lxml2 -lm
proxyput-example: proxyput-example.c delegation.h delegation.wsdl \
soapC.c soapServer.c libstdsoap2.a
gcc $(MYCFLAGS) $(MYLDFLAGS) -o proxyput-example \
proxyput-example.c \
- $(OPENSSL_GLOBUS_FLAGS) -I/usr/kerberos/include \
+ -I/usr/kerberos/include \
-g -DVERSION=\"$(VERSION)\" \
-I$(GSOAPDIR) -DWITH_OPENSSL \
soapC.c soapClient.c libstdsoap2.a \
- -lgridsite -lcurl -lz -lssl$(FLAVOR_GLOBUS_EXT) -lcrypto$(FLAVOR_GLOBUS_EXT) -lxml2 -lm
+ -lgridsite -lcurl -lz -lssl -lcrypto -lxml2 -lm
clean:
$(MYRPMDIR)/SRPMS $(MYRPMDIR)/RPMS/i386 $(MYRPMDIR)/BUILDROOT
cp -f ../gridsite-$(PATCH_VERSION).src.tar.gz $(MYRPMDIR)/SOURCES
cp -f gridsite.spec $(MYRPMDIR)/SPECS
- export OPENSSL_GLOBUS_FLAGS=$(OPENSSL_GLOBUS_FLAGS) ; export OPENSSL_GLOBUS_LIBS=$(OPENSSL_GLOBUS_LIBS) ; export FLAVOR_GLOBUS_EXT=$(FLAVOR_GLOBUS_EXT) ; \
- export GSOAPDIR=$(GSOAPDIR) ; \
export MYPREFIX=/usr ; export MYVERSION=$(PATCH_VERSION) ; \
$(RPMCMD) --define "_topdir $(MYRPMDIR)" \
-ba --buildroot $(MYRPMDIR)/BUILDROOT gridsite.spec
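Review bot: The rpm target stops exporting OPENSSL_GLOBUS_FLAGS, OPENSSL_GLOBUS_LIBS, FLAVOR_GLOBUS_EXT and GSOAPDIR into the rpmbuild environment (the two removed `export` lines), but the `ifdef OPENSSL_GLOBUS_LIBS` section and the gSOAP delegation targets earlier in this Makefile still read those variables, so an rpm build presumably now takes the `else` branch and builds the delegation targets only if the spec sets GSOAPDIR itself. If that is intended, a one-line comment on the target saying the rpm build is system-OpenSSL only would save the next reader a search; otherwise `export GSOAPDIR=$(GSOAPDIR) ; \` should at least stay.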
--- /dev/null
+
+#include <stdio.h>
+#include <openssl/x509_vfy.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+
+#include <openssl/buffer.h>
+#include <openssl/objects.h>
+#include <openssl/asn1.h>
+
+#include "gridsite.h"
+
+/// ASN1 time string (in a char *) to time_t
+/**
+ * (Use ASN1_STRING_data() to convert ASN1_GENERALIZEDTIME to char * if
+ * necessary)
+ */
+
+time_t GRSTasn1TimeToTimeT(char *asn1time)
+{
+ char zone;
+ struct tm time_tm;
+
+ if ((sscanf(asn1time, "%02d%02d%02d%02d%02d%02d%c",
+ &(time_tm.tm_year),
+ &(time_tm.tm_mon),
+ &(time_tm.tm_mday),
+ &(time_tm.tm_hour),
+ &(time_tm.tm_min),
+ &(time_tm.tm_sec),
+ &zone) != 7) || (zone != 'Z')) return 0; /* dont understand */
+
+ /* time format fixups */
+
+ if (time_tm.tm_year < 90) time_tm.tm_year += 100;
+ --(time_tm.tm_mon);
+
+ return timegm(&time_tm);
+}
+
+/* this function is taken from OpenSSL without modification */
+
+static int asn1_print_info(BIO *bp, int tag, int xclass, int constructed,
+ int indent)
+ {
+ static const char fmt[]="%-18s";
+ static const char fmt2[]="%2d %-15s";
+ char str[128];
+ const char *p,*p2=NULL;
+
+ if (constructed & V_ASN1_CONSTRUCTED)
+ p="cons: ";
+ else
+ p="prim: ";
+ if (BIO_write(bp,p,6) < 6) goto err;
+ BIO_indent(bp,indent,128);
+
+ p=str;
+ if ((xclass & V_ASN1_PRIVATE) == V_ASN1_PRIVATE)
+ sprintf(str,"priv [ %d ] ",tag);
+ else if ((xclass & V_ASN1_CONTEXT_SPECIFIC) == V_ASN1_CONTEXT_SPECIFIC)
+ sprintf(str,"cont [ %d ]",tag);
+ else if ((xclass & V_ASN1_APPLICATION) == V_ASN1_APPLICATION)
+ sprintf(str,"appl [ %d ]",tag);
+ else p = ASN1_tag2str(tag);
+
+ if (p2 != NULL)
+ {
+ if (BIO_printf(bp,fmt2,tag,p2) <= 0) goto err;
+ }
+ else
+ {
+ if (BIO_printf(bp,fmt,p) <= 0) goto err;
+ }
+ return(1);
+err:
+ return(0);
+ }
+
+static void GRSTasn1AddToTaglist(struct GRSTasn1TagList taglist[],
+ int maxtag, int *lasttag,
+ char *treecoords, int start, int headerlength,
+ int length, int tag)
+{
+ if ((strlen(treecoords) > GRST_ASN1_MAXCOORDLEN) ||
+ (*lasttag + 1 > maxtag)) return;
+
+ ++(*lasttag);
+
+ strncpy(taglist[*lasttag].treecoords, treecoords, GRST_ASN1_MAXCOORDLEN+1);
+ taglist[*lasttag].start = start;
+ taglist[*lasttag].headerlength = headerlength;
+ taglist[*lasttag].length = length;
+ taglist[*lasttag].tag = tag;
+}
+
+int GRSTasn1SearchTaglist(struct GRSTasn1TagList taglist[],
+ int *lasttag, char *treecoords)
+{
+ int i;
+
+ for (i=0; i <= *lasttag; ++i)
+ {
+ if (strcmp(treecoords, taglist[i].treecoords) == 0) return i;
+ }
+
+ return -1;
+}
+
+static int GRSTasn1Parse2(BIO *bp, unsigned char **pp, long length, int offset,
+ int depth, int indent, int dump, char *treecoords,
+ struct GRSTasn1TagList taglist[], int maxtag, int *lasttag)
+ {
+ int sibling = 0;
+ char sibtreecoords[512];
+
+ unsigned char *p,*ep,*tot,*op,*opp;
+ long len;
+ int tag,xclass,ret=0;
+ int nl,hl,j,r;
+ ASN1_OBJECT *o=NULL;
+ ASN1_OCTET_STRING *os=NULL;
+ int dump_indent;
+
+
+ dump_indent = 6; /* Because we know BIO_dump_indent() */
+ p= *pp;
+ tot=p+length;
+ op=p-1;
+ while ((p < tot) && (op < p))
+ {
+ op=p;
+ j=ASN1_get_object(&p,&len,&tag,&xclass,length);
+
+ if (j & 0x80)
+ {
+ if ((bp != NULL) &&
+ (BIO_write(bp,"Error in encoding\n",18) <= 0))
+ goto end;
+ ret=0;
+ goto end;
+ }
+ hl=(p-op);
+ length-=hl;
+
+ ++sibling;
+ sprintf(sibtreecoords, "%s-%d", treecoords, sibling);
+
+ GRSTasn1AddToTaglist(taglist, maxtag, lasttag, sibtreecoords,
+ (int)offset+(int)(op - *pp),
+ (int) hl, len, tag);
+
+ if (bp != NULL)
+ BIO_printf(bp, " %s %ld %ld %d %d\n", sibtreecoords,
+ (long)offset+(long)(op - *pp), hl, len, tag);
+
+
+ /* if j == 0x21 it is a constructed indefinite length object */
+ if ((bp != NULL) &&
+ (BIO_printf(bp,"%5ld:",(long)offset+(long)(op- *pp))
+ <= 0)) goto end;
+
+ if (j != (V_ASN1_CONSTRUCTED | 1))
+ {
+ if ((bp != NULL) &&
+ (BIO_printf(bp,"d=%-2d hl=%ld l=%4ld ",
+ depth,(long)hl,len) <= 0))
+ goto end;
+ }
+ else
+ {
+ if ((bp != NULL) &&
+ (BIO_printf(bp,"d=%-2d hl=%ld l=inf ",
+ depth,(long)hl) <= 0))
+ goto end;
+ }
+ if ((bp != NULL) &&
+ !asn1_print_info(bp,tag,xclass,j,(indent)?depth:0))
+ goto end;
+ if (j & V_ASN1_CONSTRUCTED)
+ {
+ ep=p+len;
+ if ((bp != NULL) &&
+ (BIO_write(bp,"\n",1) <= 0)) goto end;
+ if (len > length)
+ {
+ if (bp != NULL) BIO_printf(bp,
+ "length is greater than %ld\n",length);
+ ret=0;
+ goto end;
+ }
+ if ((j == 0x21) && (len == 0))
+ {
+ for (;;)
+ {
+ r=GRSTasn1Parse2(bp,&p,(long)(tot-p),
+ offset+(p - *pp),depth+1,
+ indent,dump,sibtreecoords,
+ taglist, maxtag, lasttag);
+ if (r == 0) { ret=0; goto end; }
+ if ((r == 2) || (p >= tot)) break;
+ }
+ }
+ else
+ while (p < ep)
+ {
+ r=GRSTasn1Parse2(bp,&p,(long)len,
+ offset+(p - *pp),depth+1,
+ indent,dump,sibtreecoords,
+ taglist, maxtag, lasttag);
+ if (r == 0) { ret=0; goto end; }
+ }
+ }
+ else if (xclass != 0)
+ {
+ p+=len;
+ if ((bp != NULL) &&
+ (BIO_write(bp,"\n",1) <= 0)) goto end;
+ }
+ else
+ {
+ nl=0;
+ if ( (tag == V_ASN1_PRINTABLESTRING) ||
+ (tag == V_ASN1_T61STRING) ||
+ (tag == V_ASN1_IA5STRING) ||
+ (tag == V_ASN1_VISIBLESTRING) ||
+ (tag == V_ASN1_UTCTIME) ||
+ (tag == V_ASN1_GENERALIZEDTIME))
+ {
+ if ((bp != NULL) &&
+ (BIO_write(bp,":",1) <= 0)) goto end;
+ if ((len > 0) && (bp != NULL) &&
+ BIO_write(bp,(char *)p,(int)len)
+ != (int)len)
+ goto end;
+ }
+ else if (tag == V_ASN1_OBJECT)
+ {
+ opp=op;
+ if (d2i_ASN1_OBJECT(&o,&opp,len+hl) != NULL)
+ {
+ if (bp != NULL)
+ {
+ if (BIO_write(bp,":",1) <= 0) goto end;
+ i2a_ASN1_OBJECT(bp,o);
+ }
+ }
+ else
+ {
+ if ((bp != NULL) &&
+ (BIO_write(bp,":BAD OBJECT",11) <= 0))
+ goto end;
+ }
+ }
+ else if (tag == V_ASN1_BOOLEAN)
+ {
+ int ii;
+
+ opp=op;
+ ii=d2i_ASN1_BOOLEAN(NULL,&opp,len+hl);
+ if (ii < 0)
+ {
+ if ((bp != NULL) &&
+ (BIO_write(bp,"Bad boolean\n",12)))
+ goto end;
+ }
+ if (bp != NULL) BIO_printf(bp,":%d",ii);
+ }
+ else if (tag == V_ASN1_BMPSTRING)
+ {
+ /* do the BMP thang */
+ }
+ else if (tag == V_ASN1_OCTET_STRING)
+ {
+ int i,printable=1;
+
+ opp=op;
+ os=d2i_ASN1_OCTET_STRING(NULL,&opp,len+hl);
+ if (os != NULL)
+ {
+ opp=os->data;
+ for (i=0; i<os->length; i++)
+ {
+ if (( (opp[i] < ' ') &&
+ (opp[i] != '\n') &&
+ (opp[i] != '\r') &&
+ (opp[i] != '\t')) ||
+ (opp[i] > '~'))
+ {
+ printable=0;
+ break;
+ }
+ }
+ if (printable && (os->length > 0))
+ {
+ if ((bp != NULL) &&
+ (BIO_write(bp,":",1) <= 0))
+ goto end;
+ if ((bp != NULL) &&
+ (BIO_write(bp,(char *)opp,
+ os->length) <= 0))
+ goto end;
+ }
+ if (!printable && (os->length > 0)
+ && dump)
+ {
+ if (!nl)
+ {
+ if ((bp != NULL) &&
+ (BIO_write(bp,"\n",1) <= 0))
+ goto end;
+ }
+ if ((bp != NULL) &&
+ (BIO_dump_indent(bp,(char *)opp,
+ ((dump == -1 || dump > os->length)?os->length:dump),
+ dump_indent) <= 0))
+ goto end;
+ nl=1;
+ }
+ M_ASN1_OCTET_STRING_free(os);
+ os=NULL;
+ }
+ }
+ else if (tag == V_ASN1_INTEGER)
+ {
+ ASN1_INTEGER *bs;
+ int i;
+
+ opp=op;
+ bs=d2i_ASN1_INTEGER(NULL,&opp,len+hl);
+ if (bs != NULL)
+ {
+ if ((bp != NULL) &&
+ (BIO_write(bp,":",1) <= 0)) goto end;
+ if (bs->type == V_ASN1_NEG_INTEGER)
+ if ((bp != NULL) &&
+ (BIO_write(bp,"-",1) <= 0))
+ goto end;
+ for (i=0; i<bs->length; i++)
+ {
+ if ((bp != NULL) &&
+ (BIO_printf(bp,"%02X",
+ bs->data[i]) <= 0))
+ goto end;
+ }
+ if (bs->length == 0)
+ {
+ if ((bp != NULL) &&
+ (BIO_write(bp,"00",2) <= 0))
+ goto end;
+ }
+ }
+ else
+ {
+ if ((bp != NULL) &&
+ (BIO_write(bp,"BAD INTEGER",11) <= 0))
+ goto end;
+ }
+ M_ASN1_INTEGER_free(bs);
+ }
+ else if (tag == V_ASN1_ENUMERATED)
+ {
+ ASN1_ENUMERATED *bs;
+ int i;
+
+ opp=op;
+ bs=d2i_ASN1_ENUMERATED(NULL,&opp,len+hl);
+ if (bs != NULL)
+ {
+ if ((bp != NULL) &&
+ (BIO_write(bp,":",1) <= 0)) goto end;
+ if (bs->type == V_ASN1_NEG_ENUMERATED)
+ if ((bp != NULL) &&
+ (BIO_write(bp,"-",1) <= 0))
+ goto end;
+ for (i=0; i<bs->length; i++)
+ {
+ if ((bp != NULL) &&
+ (BIO_printf(bp,"%02X",
+ bs->data[i]) <= 0))
+ goto end;
+ }
+ if (bs->length == 0)
+ {
+ if ((bp != NULL) &&
+ (BIO_write(bp,"00",2) <= 0))
+ goto end;
+ }
+ }
+ else
+ {
+ if ((bp != NULL) &&
+ (BIO_write(bp,"BAD ENUMERATED",11) <= 0))
+ goto end;
+ }
+ M_ASN1_ENUMERATED_free(bs);
+ }
+ else if (len > 0 && dump)
+ {
+ if (!nl)
+ {
+ if ((bp != NULL) &&
+ (BIO_write(bp,"\n",1) <= 0))
+ goto end;
+ }
+ if ((bp != NULL) &&
+ (BIO_dump_indent(bp,(char *)p,
+ ((dump == -1 || dump > len)?len:dump),
+ dump_indent) <= 0))
+ goto end;
+ nl=1;
+ }
+
+ if (!nl)
+ {
+ if ((bp != NULL) &&
+ (BIO_write(bp,"\n",1) <= 0)) goto end;
+ }
+ p+=len;
+ if ((tag == V_ASN1_EOC) && (xclass == 0))
+ {
+ ret=2; /* End of sequence */
+ goto end;
+ }
+ }
+
+ length-=len;
+ }
+ ret=1;
+end:
+ if (o != NULL) ASN1_OBJECT_free(o);
+ if (os != NULL) M_ASN1_OCTET_STRING_free(os);
+ *pp=p;
+ return(ret);
+ }
+
+int GRSTasn1ParseDump(BIO *bp, unsigned char *pp, long len,
+ struct GRSTasn1TagList taglist[],
+ int maxtag, int *lasttag)
+ {
+ return(GRSTasn1Parse2(bp,&pp,len,0,0,0,0,"",
+ taglist, maxtag, lasttag));
+ }
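Review bot: `sprintf(sibtreecoords, "%s-%d", treecoords, sibling)` in GRSTasn1Parse2 is unbounded: `sibtreecoords` is 512 bytes, each recursion level appends at least two characters to the coordinates it inherits, and neither the string nor the recursion depth is limited, so a deeply nested DER blob (grst_x509.c feeds this parser certificate extensions taken from a peer's chain) overruns the stack buffer. Replacing it with `if (snprintf(sibtreecoords, sizeof(sibtreecoords), "%s-%d", treecoords, sibling) >= (int) sizeof(sibtreecoords)) { ret = 0; goto end; }` turns that into a parse failure, and rejecting `depth` above a fixed limit would bound stack use as well. The tracing `BIO_printf(bp, " %s %ld %ld %d %d\n", ...)` passes `hl` (an `int`) to `%ld` and `len` (a `long`) to `%d`, which is undefined behaviour; the format should read `" %s %ld %d %ld %d\n"`. Two smaller points: `GRSTasn1AddToTaglist` is given `len` as a `long` for its `int length` parameter and silently narrows it, and in GRSTasn1TimeToTimeT `time_tm` is never zeroed (`struct tm time_tm = {0};`) while only the two-digit-year `...Z` form is parsed, so the GeneralizedTime input the header comment invites makes the function return 0.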
#include <openssl/des.h>
#include <openssl/rand.h>
-#ifdef GRST_VOMS_SUPPORT
-#include <glite/security/voms/voms_apic.h>
-#endif
-
#include "gridsite.h"
#define GRST_KEYSIZE 512
#endif
}
+#if 0
/// ASN1 time string (in a char *) to time_t
/**
* (Use ASN1_STRING_data() to convert ASN1_GENERALIZEDTIME to char * if
return timegm(&time_tm);
}
+#endif
/// Check if certificate can be used as a CA to sign standard X509 certs
/*
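Review bot: The old copy of GRSTasn1TimeToTimeT is kept here under `#if 0` ... `#endif` instead of being deleted now that the live definition is in grst_asn1.c. A disabled copy drifts from the real one and will confuse anyone grepping for the function; I would drop the block entirely, since version control already keeps the history.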
// else return GRST_RET_FAILED;
}
-/// Get the VOMS attributes in the extensions to the given cert
+/// Get the VOMS attributes in the given extension
/*
* Puts any VOMS credentials found into the Compact Creds string array
* starting at *creds. Always returns GRST_RET_OK.
*/
-int GRSTx509GetVomsCreds(int *lastcred, int maxcreds, size_t credlen,
- char *creds, X509 *cert, STACK_OF(X509) *certstack,
- char *vomsdir)
+int GRSTx509ParseVomsExt(int *lastcred, int maxcreds, size_t credlen,
+ char *creds, time_t *time1_time, time_t *time2_time,
+ X509_EXTENSION *ex, char *ucuser, char *vomsdir)
{
-#ifndef GRST_VOMS_SUPPORT
- return GRST_RET_OK;
-}
-#else
-
-/*
- int j;
- unsigned int siglen=-1, datalength=-1, dataoffset = -1;
- char s[80];
- unsigned char *charstr, *p, *time1 = NULL, *time2 = NULL, *vo = NULL,
- *uri = NULL, *user = NULL, *group = "NULL", *role = "NULL",
- *cap = "NULL", *server = NULL, *ucuser, *signature = NULL,
- *data = NULL, *datalen = NULL;
- X509_EXTENSION *ex;
- ASN1_STRING *asn1str;
- time_t now, time1_time = 0, time2_time = 0,
- uctime1_time, uctime2_time;
-*/
-
-
- struct vomsdata *vd;
- int i, j, vomserror;
-
- vd = VOMS_Init(NULL, NULL);
+#define MAXTAG 500
+#define FQAN_COORDS "-1-1-1-1-7-1-2-1-2-%d"
+ ASN1_OCTET_STRING *asn1data;
+ char *asn1string, s[81];
+ long asn1length;
+ int lasttag=-1, itag, i;
+ struct GRSTasn1TagList taglist[MAXTAG+1];
+
+ asn1data = X509_EXTENSION_get_data(ex);
+ asn1string = ASN1_STRING_data(asn1data);
+ asn1length = ASN1_STRING_length(asn1data);
+
+ GRSTasn1ParseDump(NULL, asn1string, asn1length, taglist, MAXTAG, &lasttag);
+
+ for (i=1; ; ++i)
+ {
+// should find signature and check it here, first
+
+ sprintf(s, FQAN_COORDS, i);
+ itag = GRSTasn1SearchTaglist(taglist, &lasttag, s);
- if (VOMS_Retrieve(cert, certstack, RECURSE_CHAIN, vd, &vomserror) &&
- (vd->data != NULL))
- {
- for (i = 0; vd->data[i] != NULL; ++i)
+ if (itag > -1)
{
- if (vd->data[i]->fqan != NULL)
- for (j = 0; vd->data[i]->fqan[j] != NULL; ++j)
- {
- if (*lastcred >= maxcreds - 1)
- {
- VOMS_Destroy(vd);
- return GRST_RET_OK;
- }
-
- ++(*lastcred);
-
- snprintf(&creds[*lastcred * (credlen + 1)],
- credlen+1,
- "VOMS %010lu %010lu 0 %s",
- GRSTasn1TimeToTimeT(vd->data[i]->date1),
- GRSTasn1TimeToTimeT(vd->data[i]->date2),
- vd->data[i]->fqan[j]);
- }
+ if (*lastcred < maxcreds - 1)
+ {
+ ++(*lastcred);
+
+ snprintf(&creds[*lastcred * (credlen + 1)], credlen+1,
+ "VOMS %010lu %010lu 0 %.*s",
+ *time1_time, *time2_time,
+ taglist[itag].length,
+ &asn1string[taglist[itag].start+
+ taglist[itag].headerlength]);
+ }
}
- }
- else
- {
- FILE *fp = fopen("/tmp/getvoms.log", "w");
- fprintf(fp, "%d\n", vomserror);
- fclose(fp);
- }
-
- VOMS_Destroy(vd);
+ else break;
+ }
+
return GRST_RET_OK;
}
-#if 0
+/// Get the VOMS attributes in the extensions to the given cert stack
+/*
+ * Puts any VOMS credentials found into the Compact Creds string array
+ * starting at *creds. Always returns GRST_RET_OK.
+ */
- time(&now);
+int GRSTx509GetVomsCreds(int *lastcred, int maxcreds, size_t credlen,
+ char *creds, X509 *usercert, STACK_OF(X509) *certstack,
+ char *vomsdir)
+{
+ int i, j, vomsfound=0;
+ char s[80];
+ unsigned char *ucuser;
+ X509_EXTENSION *ex;
+ ASN1_STRING *asn1str;
+ X509 *cert;
+ time_t time1_time = 0, time2_time = 0, uctime1_time, uctime2_time;
uctime1_time =
GRSTasn1TimeToTimeT(ASN1_STRING_data(X509_get_notBefore(usercert)));
ucuser =
X509_NAME_oneline(X509_get_subject_name(usercert), NULL, 0);
- for (i = 0; i < X509_get_ext_count(cert); ++i)
- {
- ex = X509_get_ext(cert, i);
-
- OBJ_obj2txt(s, sizeof(s), X509_EXTENSION_get_object(ex), 1);
+ for (j=sk_X509_num(certstack)-1; j >= 0; --j)
+ {
+ cert = sk_X509_value(certstack, j);
- if (strcmp(s, GRST_VOMS_OID) == 0) /* a VOMS extension */
- {
- asn1str = X509_EXTENSION_get_data(ex);
+ time1_time =
+ GRSTasn1TimeToTimeT(ASN1_STRING_data(X509_get_notBefore(cert)));
+ uctime1_time = (time1_time > uctime1_time) ? time1_time:uctime1_time;
+
+ time2_time =
+ GRSTasn1TimeToTimeT(ASN1_STRING_data(X509_get_notAfter(cert)));
+ uctime2_time = (time2_time < uctime2_time) ? time2_time:uctime2_time;
+
+ for (i=0; i < X509_get_ext_count(cert); ++i)
+ {
+ ex = X509_get_ext(cert, i);
+ OBJ_obj2txt(s, sizeof(s), X509_EXTENSION_get_object(ex), 1);
+
+ if (strcmp(s, GRST_VOMS_OID) == 0) /* a VOMS extension */
+ {
+ vomsfound=1;
+ GRSTx509ParseVomsExt(lastcred, maxcreds, credlen, creds,
+ &uctime1_time, &uctime2_time,
+ ex, ucuser, vomsdir);
+ }
+ }
+
+ if (vomsfound) return GRST_RET_OK;
+ }
+
+ return GRST_RET_OK;
+}
+#if 0
charstr = (char *) malloc(ASN1_STRING_length(asn1str) + 1);
memcpy(charstr, ASN1_STRING_data(asn1str),
ASN1_STRING_length(asn1str));
}
#endif
-#endif
-
/// Turn a Compact Cred line into a GRSTgaclCred object
/**
* Returns pointer to created GRSTgaclCred or NULL or failure.
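Review bot: GRSTx509ParseVomsExt copies every FQAN found at `FQAN_COORDS` straight into the compact creds while the only trace of the missing attribute-certificate signature check is the `// should find signature and check it here, first` comment, so the `VOMS ...` entries it writes are whatever the party that assembled the chain chose to put there; the doc comment on both new functions should say so, e.g. `* NOTE: the AC signature is not yet verified, so these creds are unauthenticated and must not drive access decisions`, and I would keep the GRSTx509GetVomsCreds call out of the default build until the check lands. In GRSTx509GetVomsCreds, `uctime2_time` is declared without an initialiser and is read on the first pass through the chain loop at `uctime2_time = (time2_time < uctime2_time) ? time2_time:uctime2_time;`; if no line in the elided context sets it, the fix is to mirror the `uctime1_time` line with `uctime2_time = GRSTasn1TimeToTimeT(ASN1_STRING_data(X509_get_notAfter(usercert)));`. `ucuser` comes from `X509_NAME_oneline(..., NULL, 0)` and no `OPENSSL_free(ucuser)` is visible in the hunk, and `ucuser` and `vomsdir` are passed to GRSTx509ParseVomsExt but never used there. The local `#define MAXTAG 500` duplicates `GRST_ASN1_MAXTAGS` from gridsite.h; using the header constant keeps the `taglist[MAXTAG+1]` array and the parser's limit from drifting apart.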
{
++(*lastcred);
strcpy(&creds[*lastcred * (credlen + 1)], credtemp);
-
+
GRSTx509GetVomsCreds(lastcred, maxcreds, credlen, creds,
- gsiproxycert, certstack, vomsdir);
+ usercert, certstack, vomsdir);
+
}
return GRST_RET_OK;
--- /dev/null
+
+#include <stdio.h>
+#include <openssl/x509.h>
+#include <openssl/x509_vfy.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+
+#include <openssl/buffer.h>
+#include <openssl/objects.h>
+#include <openssl/asn1.h>
+#include <openssl/evp.h>
+#include <openssl/bio.h>
+
+#include "gridsite.h"
+
+#define MAXTAG 500
+
+main()
+{
+ X509 *cert, *tmpcert;
+ STACK_OF(X509) *certstack = sk_X509_new_null();
+ FILE *fp;
+ struct vomsdata *vd;
+ int i, j, vomserror, i1, i2, j1, j2, lastobject;
+ X509_EXTENSION *ex;
+ ASN1_OBJECT *asnobject;
+ char s[80], *t;
+ ASN1_OCTET_STRING *asndata;
+ BIO *out;
+ unsigned char *p, *op, *tot, *p1, *p2, *q, *oq;
+ long len1, length1, len2, length2;
+ int tag,xclass,ret=0;
+ struct GRSTasn1TagList taglist[MAXTAG+1];
+ int lasttag=-1, itag;
+
+
+ OpenSSL_add_all_algorithms();
+ ERR_load_crypto_strings();
+// seed_prng();
+
+// fp = fopen("proxy-with-voms", "r");
+ fp = fopen("/tmp/x509up_u300", "r");
+
+ cert = PEM_read_X509(fp, NULL, NULL, NULL);
+
+ fclose(fp);
+
+ out=BIO_new(BIO_s_file());
+ BIO_set_fp(out,stdout,BIO_NOCLOSE|BIO_FP_TEXT);
+
+ for (i = 0; i < X509_get_ext_count(cert); ++i)
+ {
+ lasttag=-1;
+
+ ex = X509_get_ext(cert, i);
+
+ OBJ_obj2txt(s, sizeof(s), X509_EXTENSION_get_object(ex), 1);
+ printf("%d OID=%s\n", i, s);
+
+ asnobject = X509_EXTENSION_get_object(ex);
+ asndata = X509_EXTENSION_get_data(ex);
+
+ p1 = ASN1_STRING_data(asndata);
+ p = p1;
+ length1 = ASN1_STRING_length(asndata);
+
+ GRSTasn1ParseDump(out, p1, length1, taglist, MAXTAG, &lasttag);
+/*
+ itag = GRSTasn1SearchTaglist(taglist, &lasttag,
+ "1-1-1-1-1-7-1-2-1-2-1");
+
+ printf("tag=%d %s %d %.*s\n",
+ itag, taglist[itag].treecoords, taglist[itag].tag,
+ taglist[itag].length,
+ &p[taglist[itag].start+taglist[itag].headerlength]);
+*/
+ }
+}
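Review bot: `fp = fopen("/tmp/x509up_u300", "r");` is never checked, so a missing file sends a NULL `FILE *` into `PEM_read_X509` and `fclose`, and the NULL that `PEM_read_X509` returns for a non-PEM file is then handed to `X509_get_ext_count`. Taking the path from argv and failing early on both calls makes the tool usable on any certificate instead of one hard-coded per-uid proxy path; `main()` should also be declared `int main(int argc, char *argv[])` and return a value, since implicit int has been gone since C99. Most of the locals (`tmpcert`, `vd`, `vomserror`, `i1`, `p2`, `ret`, ...) are never used and `cert`, `out` and `certstack` are not released before exit; harmless for a one-shot tool, but the unused declarations hide which variables matter.
```c
int main(int argc, char *argv[])
{
  /* … unchanged: declarations … */

  OpenSSL_add_all_algorithms();
  ERR_load_crypto_strings();

  if (argc < 2)
    {
      fprintf(stderr, "Usage: %s certfile\n", argv[0]);
      return 1;
    }

  fp = fopen(argv[1], "r");
  if (fp == NULL)
    {
      perror(argv[1]);
      return 1;
    }

  cert = PEM_read_X509(fp, NULL, NULL, NULL);
  fclose(fp);

  if (cert == NULL)
    {
      ERR_print_errors_fp(stderr);
      return 1;
    }

  /* … unchanged: BIO setup and extension dump loop … */

  return 0;
}
```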