From: Marcel Poul Date: Wed, 29 Feb 2012 15:10:39 +0000 (+0000) Subject: prepare delegation sample to be built X-Git-Tag: glite-lb-harvester_R_1_2_2_1~3 X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=b758eb08b468ab3145dbe6df862d91b2c1a16f58;p=jra1mw.git prepare delegation sample to be built --- diff --git a/emi.canl.canl-c/Makefile b/emi.canl.canl-c/Makefile index 54a7bb4..ee2a428 100644 --- a/emi.canl.canl-c/Makefile +++ b/emi.canl.canl-c/Makefile @@ -31,6 +31,9 @@ LFLAGS_SER=-L. -lcanl_c CFLAGS_PRX=-Wall -g -I${top_srcdir}/src -I. LFLAGS_PRX=-L. -lcanl_c +CFLAGS_DEL=-Wall -g -I${top_srcdir}/src -I. +LFLAGS_DEL=-L. -lcanl_c + HEAD_CANL=canl.h canl_locl.h canl_err.h canl_cred.h canl_ssl.h canl_mech_ssl.h SRC_CLI=canl_sample_client.c @@ -45,6 +48,10 @@ SRC_PRX=grid-proxy-init.c HEAD_PRX=canl.h canl_cred.h OBJ_PRX=canl_proxy_init.lo +SRC_DEL=delegation.c +HEAD_DEL=canl.h canl_cred.h +OBJ_DEL=canl_delegation.lo + CFLAGS:=-Wall -g -I${top_srcdir}/src/proxy -I. ${CFLAGS} LIBCANL=libcanl_c.la @@ -63,7 +70,7 @@ version_info:=-version-info ${shell \ major:=${shell \ perl -e '$$,=":"; @F=split "\\.","${module.version}"; print $$F[0]+$$F[1]+${offset}' } -all: ${LIBCANL} server client proxy +all: ${LIBCANL} server client proxy ${LIBCANL}:\ canl.lo canl_err.lo canl_dns.lo canl_ssl.lo canl_cert.lo canl_cred.lo \ @@ -103,6 +110,11 @@ proxy: ${OBJ_PRX} ${OBJ_PRX}: ${SRC_PRX} ${HEAD_PRX} ${LIBCANL} ${COMPILE} -c ${top_srcdir}/examples/${SRC_PRX} ${CFLAGS_PRX} -o $@ +delegation: ${OBJ_DEL} + ${LINK} $< ${LFLAGS_DEL} -o $@ + +${OBJ_DEL}: ${SRC_DEL} ${HEAD_DEL} ${LIBCANL} + ${COMPILE} -c ${top_srcdir}/examples/${SRC_DEL} ${CFLAGS_DEL} -o $@ canl_err.h: canl_error_codes ${top_srcdir}/src/gen_err_codes.pl < $^ > $@ @@ -120,6 +132,8 @@ install: all ${INSTALL} -m 755 client ${DESTDIR}${PREFIX}${prefix}/bin/emi-canl-client ${INSTALL} -m 755 proxy \ ${DESTDIR}${PREFIX}${prefix}/bin/emi-canl-proxy-init + ${INSTALL} -m 755 delegation \ + ${DESTDIR}${PREFIX}${prefix}/bin/emi-canl-delegation ${INSTALL} -m 755 ${LIBCANL} ${DESTDIR}${PREFIX}${prefix}/${libdir} ${INSTALL} -m 644 ${top_srcdir}/src/canl.h \ ${top_srcdir}/src/canl_ssl.h canl_err.h \ @@ -129,7 +143,7 @@ stage: all $(MAKE) install PREFIX=${stagedir} clean: - rm -rfv *.o *.lo ${LIBCANL} .libs client server \ + rm -rfv *.o *.lo ${LIBCANL} .libs client server proxy delegation \ ${top_srcdir}/*.c ${top_srcdir}/*.h lex.backup stage distclean: diff --git a/emi.canl.canl-c/examples/delegation.c b/emi.canl.canl-c/examples/delegation.c index c452572..d05c08d 100644 --- a/emi.canl.canl-c/examples/delegation.c +++ b/emi.canl.canl-c/examples/delegation.c @@ -1,44 +1,164 @@ +#include +#include #include #include +#define BITS 1024 +#define LIFETIME 43200 /*12 hours*/ +#define OUTPUT "/tmp/x509_u99999" + int main(int argc, char *argv[]) { canl_cred signer = NULL; canl_cred proxy = NULL; canl_cred proxy_cert = NULL; - canl_x509_req proxy_req = NULL; + canl_cred proxy_bob = NULL; X509_REQ *req = NULL; X509 *x509_cert = NULL; STACK_OF(X509) *x509_chain= NULL; canl_ctx ctx = NULL; canl_err_code ret; + char *user_cert = NULL; + char *output = NULL; + char *user_key = NULL; + long int lifetime = 0; + unsigned int bits = 0; + int opt = 0; + + while ((opt = getopt(argc, argv, "hc:k:l:b:o:")) != -1) { + switch (opt) { + case 'h': + fprintf(stderr, "Usage: %s [-c certificate]" + " [-k private key] [-h] [-l lifetime] [-b bits]" + " [-o output]" + "\n", argv[0]); + exit(0); + case 'c': + user_cert = optarg; + break; + case 'k': + user_key = optarg; + break; + case 'l': + lifetime = atoi(optarg); + break; + case 'b': + bits = atoi(optarg); + break; + case 'o': + output = optarg; + break; + default: /* '?' */ + fprintf(stderr, "Usage: %s [-c certificate]" + " [-k private key] [-h] [-l lifetime] [-b bits]" + " [-o output]" + "\n", argv[0]); + exit(-1); + } + } + ctx = canl_create_ctx(); + if (ctx == NULL) { + fprintf(stderr, "[DELEGATION] Failed to create library context\n"); + return 1; + } -/* Bob - after Alice has asked to delegate her credentials */ - ret = canl_req_new(ctx, &proxy_req); - ret = canl_req_gen_key(ctx, proxy_req, 1024); - ret = canl_req_get_req(ctx, proxy_req, &req); + /* Bob - after Alice has asked to delegate her credentials */ + ret = canl_cred_new(ctx, &proxy_bob); + if (ret){ + fprintf(stderr, "[DELEGATION] Proxy context cannot be created" + ": %s\n", canl_get_error_message(ctx)); + goto end; + } + + if (!bits) + bits = BITS; + ret = canl_cred_new_req(ctx, &proxy_bob, bits); + if (ret) { + fprintf(stderr, "[DELEGATION] Failed to create certificate " + "request container: %s\n", canl_get_error_message(ctx)); + goto end; + } + ret = canl_cred_save_req(ctx, proxy_bob, &req); + if (ret) { + fprintf(stderr, "[DELEGATION] Failed to get certificate " + "request container: %s\n", canl_get_error_message(ctx)); + goto end; + } /* serialize 'req' and send it to Alice */ /* Alice - after receiving the CSR from Bob. (The private key stays with Bob.) */ { - ret = canl_cred_new(ctx, &signer); - ret = canl_cred_load_cert_file(ctx, signer, "$HOME/.globus/usercert.pem"); - ret = canl_cred_load_priv_key_file(ctx, signer, "$HOME/.globus/userkey.pem", - NULL, NULL); - - /* deserialize 'req' from Bob */ - ret = canl_cred_new(ctx, &proxy_cert); - ret = canl_cred_load_req(ctx, proxy_cert, req); - ret = canl_cred_set_lifetime(ctx, proxy_cert, 60*10); - ret = canl_cred_set_cert_type(ctx, proxy_cert, CANL_RFC); - ret = canl_cred_sign_proxy(ctx, signer, proxy_cert); - - ret = canl_cred_save_cert(ctx, proxy_cert, &x509_cert); + ret = canl_cred_new(ctx, &signer); + if (ret){ + fprintf(stderr, "[DELEGATION] Proxy context cannot be created" + ": %s\n", canl_get_error_message(ctx)); + goto end; + } + + ret = canl_cred_load_cert_file(ctx, signer, user_cert); + if (ret){ + fprintf(stderr, "[DELEGATION] Cannot load signer's certificate" + ": %s\n", canl_get_error_message(ctx)); + goto end; + } + ret = canl_cred_load_priv_key_file(ctx, signer, user_key, NULL, NULL); + if (ret){ + fprintf(stderr, "[DELEGATION] Cannot access signer's key" + ": %s\n", canl_get_error_message(ctx)); + goto end; + } + + /* deserialize 'req' from Bob */ + ret = canl_cred_new(ctx, &proxy_cert); + if (ret){ + fprintf(stderr, "[DELEGATION] Proxy context cannot be created" + ": %s\n", canl_get_error_message(ctx)); + goto end; + } + ret = canl_cred_load_req(ctx, proxy_cert, req); + if (ret) { + fprintf(stderr, "[DELEGATION] Failed to load certificate " + "request container: %s\n", canl_get_error_message(ctx)); + goto end; + } + + + if (!lifetime) + lifetime = LIFETIME; + ret = canl_cred_set_lifetime(ctx, proxy_cert, lifetime); + if (ret) + fprintf(stderr, "[DELEGATION] Failed set new cert lifetime" + ": %s\n", canl_get_error_message(ctx)); + + ret = canl_cred_set_cert_type(ctx, proxy_cert, CANL_RFC); + if (ret) + fprintf(stderr, "[DELEGATION] Failed set new cert type" + ": %s\n", canl_get_error_message(ctx)); + + ret = canl_cred_sign_proxy(ctx, signer, proxy_cert); + if (ret){ + fprintf(stderr, "[DELEGATION] Cannot sign new proxy" + ": %s\n", canl_get_error_message(ctx)); + goto end; + } + + ret = canl_cred_save_cert(ctx, proxy_cert, &x509_cert); + if (ret){ + fprintf(stderr, "[DELEGATION] Cannot save new cert file" + ": %s\n", canl_get_error_message(ctx)); + goto end; + } + ret = canl_cred_save_chain(ctx, proxy_cert, &x509_chain); + if (ret){ + fprintf(stderr, "[DELEGATION] Cannot save cert chain" + ": %s\n", canl_get_error_message(ctx)); + goto end; + } /* serialize the new proxy cert and chain and send it back to Bob */ } @@ -46,23 +166,60 @@ main(int argc, char *argv[]) /* deserialize the new proxy cert and chain from Alice */ ret = canl_cred_new(ctx, &proxy); - ret = canl_cred_load_req(ctx, proxy, proxy_req); + if (ret){ + fprintf(stderr, "[DELEGATION] Proxy context cannot be created" + ": %s\n", canl_get_error_message(ctx)); + goto end; + } + + ret = canl_cred_load_req(ctx, proxy, proxy_bob); + if (ret){ + fprintf(stderr, "[DELEGATION] Cannot load cert. request container" + ": %s\n", canl_get_error_message(ctx)); + goto end; + } + ret = canl_cred_load_cert(ctx, proxy, x509_cert); + if (ret){ + fprintf(stderr, "[DELEGATION] Cannot load certificate" + ": %s\n", canl_get_error_message(ctx)); + goto end; + } + ret = canl_cred_load_chain(ctx, proxy, x509_chain); - ret = canl_cred_save_proxyfile(ctx, proxy, "/tmp/x509up_u11930"); - + if (ret){ + fprintf(stderr, "[DELEGATION] Cannot load cert. chain" + ": %s\n", canl_get_error_message(ctx)); + goto end; + } + + if (!output) + output = OUTPUT; + ret = canl_cred_save_proxyfile(ctx, proxy, output); + if (ret){ + fprintf(stderr, "[PROXY-INIT] Cannot save new proxy" + ": %s\n", canl_get_error_message(ctx)); + goto end; + } + ret = 0; - +end: if (signer) canl_cred_free(ctx, signer); if (proxy) canl_cred_free(ctx, proxy); if (proxy_cert) canl_cred_free(ctx, proxy_cert); - if (proxy_req) - canl_req_free(ctx, proxy_req); + if (proxy_bob) + canl_cred_free(ctx, proxy_bob); if (req) X509_REQ_free(req); + if (x509_cert) + X509_free(x509_cert); +/* TODO free stack + * if (x509_chain) + X509_free(x509_cert); +*/ if (ctx) canl_free_ctx(ctx); diff --git a/emi.canl.canl-c/examples/grid-proxy-init.c b/emi.canl.canl-c/examples/grid-proxy-init.c index 32133d3..c4a9a35 100644 --- a/emi.canl.canl-c/examples/grid-proxy-init.c +++ b/emi.canl.canl-c/examples/grid-proxy-init.c @@ -1,7 +1,7 @@ -#include -#include #include #include +#include +#include #define BITS 1024 #define LIFETIME 43200 /*12 hours*/ diff --git a/emi.canl.canl-c/src/canl_cred.c b/emi.canl.canl-c/src/canl_cred.c index 082fe9c..97b24a2 100644 --- a/emi.canl.canl-c/src/canl_cred.c +++ b/emi.canl.canl-c/src/canl_cred.c @@ -510,7 +510,7 @@ canl_cred_new_req(canl_ctx ctx, canl_cred ret_req, unsigned int bits) } canl_err_code CANL_CALLCONV -canl_req_get_req(canl_ctx ctx, canl_cred req_in, X509_REQ ** req_ret) +canl_cred_save_req(canl_ctx ctx, canl_cred req_in, X509_REQ ** req_ret) { glb_ctx *cc = (glb_ctx*) ctx; creds *req = (creds*) req_in; @@ -526,12 +526,39 @@ canl_req_get_req(canl_ctx ctx, canl_cred req_in, X509_REQ ** req_ret) /*TODO free REQ if req_ret full*/ *req_ret = X509_REQ_dup(req->c_req); - if (*req_ret) + if (!(*req_ret)) return set_error(cc, ENOMEM, POSIX_ERROR, "Cannot copy" " X509 request handler" ); //TODO check ret val return 0; } +canl_err_code CANL_CALLCONV +canl_cred_load_req(canl_ctx ctx, canl_cred cred_out, const X509_REQ *req_in) +{ + glb_ctx *cc = (glb_ctx*) ctx; + creds *req = (creds*) cred_out; + + if (!ctx) + return EINVAL; + if (!req) + return set_error(cc, EINVAL, POSIX_ERROR, "Request handler" + " not initialized" ); + if (!req_in) + return set_error(cc, EINVAL, POSIX_ERROR, "Request handler" + " not initialized" ); + if (req->c_req) { + X509_REQ_free(req->c_req); + req->c_req = NULL; + } + + req->c_req = X509_REQ_dup(req_in); + if (!req->c_req) + return set_error(cc, ENOMEM, POSIX_ERROR, "Cannot copy" + " X509 request handler" ); //TODO check ret val + return 0; +} + + #if 0 canl_err_code CANL_CALLCONV canl_req_get_pair(canl_ctx, canl_x509_req, EVP_PKEY **) diff --git a/emi.canl.canl-c/src/canl_cred.h b/emi.canl.canl-c/src/canl_cred.h index 271af51..fd17c9b 100644 --- a/emi.canl.canl-c/src/canl_cred.h +++ b/emi.canl.canl-c/src/canl_cred.h @@ -88,7 +88,10 @@ canl_err_code CANL_CALLCONV canl_cred_new_req(canl_ctx, canl_cred, unsigned int); canl_err_code CANL_CALLCONV -canl_req_get_req(canl_ctx, canl_cred, X509_REQ **); +canl_cred_save_req(canl_ctx, canl_cred, X509_REQ **); + +canl_err_code CANL_CALLCONV +canl_cred_load_req(canl_ctx, canl_cred, const X509_REQ *); #if 0 canl_err_code CANL_CALLCONV