+* Fri Nov 27 2009 Andrew McNab <Andrew.McNab@cern.ch>
+- GRSTx509MakeProxyCert() now creates RFC 3280
+ proxies if any earlier proxies are RFC style
+* Tue Nov 10 2009 Andrew McNab <Andrew.McNab@cern.ch>
+- Discard X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+ errors in GRST_callback_SSLVerify_wrapper(), needed
+ for newer OpenSSL
* Mon Oct 19 2009 Andrew McNab <Andrew.McNab@cern.ch>
- Discard X509_V_ERR_INVALID_PURPOSE errors in
GRST_callback_SSLVerify_wrapper(), needed by
#define GRST_DN_LISTS "/etc/grid-security/dn-lists"
#define GRST_RECURS_LIMIT 9
-#define GRST_PROXYCERTINFO_OID "1.3.6.1.4.1.3536.1.222"
+#define GRST_PROXYCERTINFO_OLD_OID "1.3.6.1.4.1.3536.1.222"
+#define GRST_PROXYCERTINFO_OID "1.3.6.1.5.5.7.1.14"
#define GRST_VOMS_OID "1.3.6.1.4.1.8005.100.100.5"
#define GRST_VOMS_DIR "/etc/grid-security/vomsdir"
{
OBJ_obj2txt(s, sizeof(s), X509_EXTENSION_get_object(ex), 1);
- if (strcmp(s, GRST_PROXYCERTINFO_OID) != 0) return GRST_RET_FAILED;
+ if ((strcmp(s, GRST_PROXYCERTINFO_OID) != 0) &&
+ (strcmp(s, GRST_PROXYCERTINFO_OLD_OID) != 0))
+ return GRST_RET_FAILED;
}
}
/// the given number of minutes starting from the current time.
{
char *ptr, *certchain;
- int i, ncerts;
+ int i, ncerts, any_rfc_proxies = 0;
long serial = 1234, ptrlen;
EVP_PKEY *pkey, *CApkey;
const EVP_MD *digest;
X509_REQ *req;
X509_NAME *name, *CAsubject, *newsubject;
X509_NAME_ENTRY *ent;
+ ASN1_OBJECT *pcinfo_obj = NULL;
+ X509_EXTENSION *ex;
FILE *fp;
BIO *reqmem, *certmem;
time_t notAfter;
/* go through chain making sure this proxy is not longer lived */
+ pcinfo_obj = OBJ_txt2obj(GRST_PROXYCERTINFO_OID, 0);
+fprintf(stderr, "Make pcinfo_obj\n");
+
notAfter =
GRSTasn1TimeToTimeT(ASN1_STRING_data(X509_get_notAfter(certs[0])), 0);
-
+
for (i=1; i < ncerts; ++i)
+ {
if (notAfter >
GRSTasn1TimeToTimeT(ASN1_STRING_data(X509_get_notAfter(certs[i])),
0))
ASN1_UTCTIME_set(X509_get_notAfter(certs[0]), notAfter);
}
+
+ if (X509_get_ext_by_OBJ(certs[i], pcinfo_obj, -1) > 0)
+ any_rfc_proxies = 1;
+ }
+
+ /* if any earlier proxies are RFC 3820, then new proxy must be
+ an RFC 3820 proxy too with the required extension */
+ if (any_rfc_proxies)
+ {
+ ex = X509_EXTENSION_new();
+
+ X509_EXTENSION_set_object(ex, pcinfo_obj);
+ X509_EXTENSION_set_critical(ex, 1);
+
+ X509_add_ext(certs[0], ex, -1);
+ }
+ else free(pcinfo_obj);
/* sign the certificate with the signing private key */
if (EVP_PKEY_type(CApkey->type) == EVP_PKEY_RSA)
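Review bot: The RFC-proxy detection at `if (X509_get_ext_by_OBJ(certs[i], pcinfo_obj, -1) > 0)` misses a ProxyCertInfo extension stored at index 0, because X509_get_ext_by_OBJ returns the extension's index (-1 when absent), so the test should read `if (X509_get_ext_by_OBJ(certs[i], pcinfo_obj, -1) >= 0)`. The object is released with `else free(pcinfo_obj);` but an ASN1_OBJECT from OBJ_txt2obj must go through `ASN1_OBJECT_free(pcinfo_obj);` (for an OID OpenSSL already knows, OBJ_txt2obj hands back a static table entry and a plain free() corrupts the heap), and its return value should be NULL-checked before it reaches X509_get_ext_by_OBJ. In the any_rfc_proxies branch the extension is added with no value (there is no X509_EXTENSION_set_data call), so the resulting ProxyCertInfo appears to carry none of the content RFC 3820 requires, and `ex` is never released after X509_add_ext, which stores a copy. The `fprintf(stderr, "Make pcinfo_obj\n");` line is leftover debug output and should be removed. GRSTx509MakeProxyCert begins and ends outside the hunk.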
Name: gridsite
Version: ${PATCH_VERSION:-1.x.x}
# This next piece of .spec/sed magic puts the build OS version in the release
-Release: %(if [ "$RELEASE_VERSION" ] ; then echo $RELEASE_VERSION ; else sed 's/^\([A-Z]\)[^ ]* \([A-Z]\)[^0-9]*\([0-9][^ ]*\).*/1\1\2\3/g' /etc/redhat-release | sed 's/[^A-Z,a-z,0-9]//g' ; fi)
+Release: %(if [ "$RELEASE_VERSION" ] ; then echo $RELEASE_VERSION ; else sed 's/^\([A-Z,a-z]\)[^ ]* \([A-Z,a-z]\)[^0-9]*\([0-9][^ ]*\).*/1\1\2\3/g' /etc/redhat-release | sed 's/[^A-Z,a-z,0-9]//g' ; fi)
Summary: GridSite
License: Modified BSD
Group: System Environment/Daemons
X509_STORE_CTX_set_error(ctx, errnum);
}
+#ifdef X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+ /*
+ * Skip X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED, since they are!
+ */
+ if (errnum == X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED)
+ {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "Skip Proxy Certificates Not Allowed error");
+
+ sslconn->verify_error = NULL;
+ ok = TRUE;
+ errnum = X509_V_OK;
+ X509_STORE_CTX_set_error(ctx, errnum);
+ }
+#endif
+
/*
* New style GSI Proxy handling, with critical ProxyCertInfo
* extension: we use GRSTx509KnownCriticalExts() to check this
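Review bot: The new block clears X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED unconditionally, at every chain depth and for every certificate, so OpenSSL's proxy-certificate rules are bypassed rather than enabled. The supported way to accept proxies is to set the verify flag before verification, `X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);`, which keeps OpenSSL's path-length and issuer-name checks for proxies in force; if the error must be swallowed here instead, the skip should at least be conditional on the certificate at this depth actually carrying a ProxyCertInfo extension. The comment `Skip X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED, since they are!` should state where proxy validation then happens, e.g. `/* proxies are accepted by this server; the ProxyCertInfo extension is validated by GRSTx509KnownCriticalExts() below */`, assuming the handling referenced in the following context lines is indeed that check. GRST_callback_SSLVerify_wrapper begins and ends outside the hunk.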
// dn = X509_NAME_oneline(xname,NULL,0);
- printf("n=%d dn=%s obj2txt=%s\n", n, dn, OBJ_obj2txt(NULL,0,obj,1));
+ if (obj != NULL) printf("n=%d dn=%s obj2txt=%s\n", n, dn, OBJ_obj2txt(NULL,0,obj,1));
+ else printf("n=%d dn=%s obj2txt=NULL\n", n, dn);
GRSTasn1GetX509Name(buf, 99, "-1-1-1-1-2-1-1-1-1-%d-1-%d",
p1, taglist, lasttag);