From: Daniel KouĊ™il Date: Wed, 22 Jun 2011 15:31:46 +0000 (+0000) Subject: Don't rely on hard-coded positions of certificates in the ACs (fix for #82023) X-Git-Tag: gridsite-core_R_1_7_14~7 X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=0f7d43a54d3b3a32df294a79c04de8395699c75a;p=jra1mw.git Don't rely on hard-coded positions of certificates in the ACs (fix for #82023) --- diff --git a/org.gridsite.core/interface/gridsite.h b/org.gridsite.core/interface/gridsite.h index 192264e..a3f6cb9 100644 --- a/org.gridsite.core/interface/gridsite.h +++ b/org.gridsite.core/interface/gridsite.h @@ -156,6 +156,7 @@ typedef struct { GRSTgaclCred *firstcred; char *dnlists; } GRSTgaclUser; #define GRST_PROXYCERTINFO_OLD_OID "1.3.6.1.4.1.3536.1.222" #define GRST_PROXYCERTINFO_OID "1.3.6.1.5.5.7.1.14" #define GRST_VOMS_OID "1.3.6.1.4.1.8005.100.100.5" +#define GRST_VOMS_PK_CERT_LIST_OID "1.3.6.1.4.1.8005.100.100.10" #define GRST_VOMS_DIR "/etc/grid-security/vomsdir" #define GRST_KEYUSAGE_OID "2.5.29.15" diff --git a/org.gridsite.core/src/grst_asn1.c b/org.gridsite.core/src/grst_asn1.c index 66b3eff..3f0920e 100644 --- a/org.gridsite.core/src/grst_asn1.c +++ b/org.gridsite.core/src/grst_asn1.c 
@@ -463,32 +463,57 @@ int GRSTasn1ParseDump(BIO *bp, unsigned char *pp, long len, taglist, maxtag, lasttag)); } +int +GRSTasn1GetField(int index, char *coords, char *asn1string, + struct GRSTasn1TagList taglist[], int lasttag, + ASN1_OBJECT **field_obj, int *field_index) +{ + char coordstmp[81]; + const unsigned char *q; + ASN1_OBJECT *obj = NULL; + int iobj, ival; + + snprintf(coordstmp, sizeof(coordstmp), coords, index, 1); + iobj = GRSTasn1SearchTaglist(taglist, lasttag, coordstmp); + if (iobj < 0) + return GRST_RET_FAILED; + + snprintf(coordstmp, sizeof(coordstmp), coords, index, 2); + ival = GRSTasn1SearchTaglist(taglist, lasttag, coordstmp); + if (ival < 0) + return GRST_RET_FAILED; + + q = (unsigned char *) &asn1string[taglist[iobj].start]; + obj = d2i_ASN1_OBJECT(NULL, &q, + taglist[iobj].length + taglist[iobj].headerlength); + if (obj == NULL) + return GRST_RET_FAILED; + + *field_obj = obj; + *field_index = ival; + + return GRST_RET_OK; +} + int GRSTasn1GetX509Name(char *x509name, int maxlength, char *coords, char *asn1string, struct GRSTasn1TagList taglist[], int lasttag) { - int i, iobj, istr, n, len = 0; + int i, istr, n, len = 0; ASN1_OBJECT *obj = NULL; - unsigned char coordstmp[81], *q; - const unsigned char *shortname; + const char *shortname; + int ret; for (i=1; ; ++i) { - snprintf(coordstmp, sizeof(coordstmp), coords, i, 1); - iobj = GRSTasn1SearchTaglist(taglist, lasttag, coordstmp); - if (iobj < 0) break; - - snprintf(coordstmp, sizeof(coordstmp), coords, i, 2); - istr = GRSTasn1SearchTaglist(taglist, lasttag, coordstmp); - if (istr < 0) break; - - q = &asn1string[taglist[iobj].start]; - d2i_ASN1_OBJECT(&obj, &q, taglist[iobj].length + - taglist[iobj].headerlength); + ret = GRSTasn1GetField(i, coords, asn1string, taglist, lasttag, &obj, &istr); + if (ret) + break; n = OBJ_obj2nid(obj); -// free obj now? shortname = OBJ_nid2sn(n); + ASN1_OBJECT_free(obj); + obj = NULL; if (len + 2 + strlen(shortname) + taglist[istr].length >= maxlength) { 
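Review bot: GRSTasn1GetField is introduced without a header comment, and its contract is not recoverable from the signature: `coords` is a printf template that must carry exactly two `%d` conversions (it goes through snprintf twice, with `index, 1` and `index, 2`), `*field_obj` is a freshly decoded ASN1_OBJECT the caller must release with ASN1_OBJECT_free, and neither output is written when GRST_RET_FAILED is returned. A comment above the definition stating those points, plus the fact that "coordinate not in taglist" and "d2i_ASN1_OBJECT failed" are indistinguishable to the caller, would save each caller from re-deriving them. That last property shows up in GRSTasn1GetX509Name: a decode failure at entry i now ends the loop with whatever has been appended so far, and the function still returns GRST_RET_OK whenever x509name is non-empty; the body of that function continues past the end of this hunk. Freeing obj right after `shortname = OBJ_nid2sn(n);` is fine as long as OBJ_nid2sn keeps returning a pointer into OpenSSL's static object table rather than into obj, which is worth a one-line comment at the free.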
@@ -506,3 +531,35 @@ int GRSTasn1GetX509Name(char *x509name, int maxlength, char *coords, return (x509name[0] != '\0') ? GRST_RET_OK : GRST_RET_FAILED; } + +int +GRSTasn1FindField(const char *oid, char *coords, + char *asn1string, + struct GRSTasn1TagList taglist[], int lasttag, + int *result) +{ + int i, ret; + char buf[128]; + ASN1_OBJECT *obj = NULL; + int index; + + i = 0; + while (1) { + i++; + ret = GRSTasn1GetField(i, coords, asn1string, taglist, lasttag, &obj, &index); + if (ret) + break; + + OBJ_obj2txt(buf, sizeof(buf), obj, 1); + ASN1_OBJECT_free(obj); + obj = NULL; + + if (strcmp(oid, buf) == 0) { + *result = index; + ret = 0; + break; + } + }; + + return ret; +} diff --git a/org.gridsite.core/src/grst_x509.c b/org.gridsite.core/src/grst_x509.c index 7e09f2f..644327b 100644 --- a/org.gridsite.core/src/grst_x509.c +++ b/org.gridsite.core/src/grst_x509.c @@ -657,16 +657,16 @@ static int GRSTx509ChainVomsAdd(GRSTx509Cert **grst_cert, #define GRST_ASN1_COORDS_VOMS_DN "-1-1-%d-1-3-1-1-1-%%d-1-%%d" #define GRST_ASN1_COORDS_TIME1 "-1-1-%d-1-6-1" #define GRST_ASN1_COORDS_TIME2 "-1-1-%d-1-6-2" -#define GRST_ASN1_COORDS_VOMSCERT "-1-1-%d-1-8-4-2" +#define GRST_ASN1_COORDS_VOMSCERT "-1-1-%d-1-8-%%d-%%d" + ASN1_OCTET_STRING *asn1data; char *asn1string, acissuerdn[200], acvomsdn[200], dn_coords[200], fqan_coords[200], time1_coords[200], time2_coords[200], vomscert_coords[200], *voname = NULL, serial_coords[200]; - unsigned char *p; long asn1length; int lasttag=-1, itag, i, j, acnumber = 1, chain_errors = 0, - ivomscert, tmp_chain_errors; + ivomscert, tmp_chain_errors, ret; char *acissuerserial = NULL; struct GRSTasn1TagList taglist[MAXTAG+1]; time_t actime1 = 0, actime2 = 0, time_now, 
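Review bot: GRSTasn1FindField signals "found" only through its return value and writes `*result` solely on a match, so a caller that ignores the return keeps whatever `*result` held before; a comment above the function should state that, describe `coords` as a template with two `%d` placeholders consumed by GRSTasn1GetField, and note that a decode failure on any entry stops the scan and reads as "not found". The return value of `OBJ_obj2txt(buf, sizeof(buf), obj, 1)` is not checked; an OID whose dotted form does not fit in `buf` is silently truncated and then simply fails the strcmp, which is the safe direction, but a guard such as `if (OBJ_obj2txt(buf, sizeof(buf), obj, 1) >= (int) sizeof(buf)) continue;` (placed before the free is moved accordingly) would make that intent explicit. Style: the local `index` shadows the `index()` function from <strings.h> and will trip -Wshadow, and `while (1) { i++; ... };` carries a stray semicolon after the block. The loop would read more naturally as `for (i = 1; ; i++) {`, matching the iteration form used in GRSTasn1GetX509Name above.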
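Review bot: `ivomscert` is still declared without an initializer in this hunk, but after the change in the `@@ -773` hunk it is assigned only when GRSTasn1FindField finds the OID (that function writes `*result` solely on a match), whereas the GRSTasn1SearchTaglist call it replaces always stored a value (negative for "not found", judging by the `< 0` checks in GRSTasn1GetField). Unless `ret` is tested before `ivomscert` is read — that use lies outside both hunks — an AC in which the OID is absent or an entry fails to decode now makes the code read an uninitialized int. Initializing it in the declarator list, `ivomscert = -1,`, restores a defined "not found" value on every path; `ret` is likewise uninitialized here, which is harmless only as long as it is assigned before any read. The new GRST_ASN1_COORDS_VOMSCERT template also deserves a one-line comment, e.g. `/* %d = AC number; the escaped %%d pair is filled in later by GRSTasn1GetField (attribute index, then 1 = OID / 2 = value) */`, since the double escaping is easy to break in a later edit.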
@@ -773,8 +773,9 @@ static int GRSTx509ChainVomsAdd(GRSTx509Cert **grst_cert, snprintf(vomscert_coords, sizeof(vomscert_coords), GRST_ASN1_COORDS_VOMSCERT, acnumber); - ivomscert = GRSTasn1SearchTaglist(taglist, lasttag, vomscert_coords); - + ret = GRSTasn1FindField(GRST_VOMS_PK_CERT_LIST_OID, vomscert_coords, asn1string, + taglist, lasttag, &ivomscert); + /* try using internal VOMS issuer cert */ tmp_chain_errors = GRST_CERT_BAD_SIG; tmp_time1 = time1_time;
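Review bot: The call site gives no hint that `vomscert_coords` is still a format template rather than a finished coordinate string: the snprintf above replaces only the `%d` of GRST_ASN1_COORDS_VOMSCERT with `acnumber`, and the escaped `%%d-%%d` pair survives for GRSTasn1GetField to fill in per attribute. A comment on the call, `/* vomscert_coords still holds two %d (attribute index, then 1 = OID / 2 = value), expanded by GRSTasn1GetField */`, would stop a future reader from "fixing" the escaping or passing the string to a plain taglist search. GRSTx509ChainVomsAdd continues outside this hunk, so where `ret` and `ivomscert` are consumed is not visible here.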