From: Andrew McNab Date: Sun, 20 Feb 2005 22:38:09 +0000 (+0000) Subject: Basic VOMS AC support X-Git-Tag: gridsite-core_R_1_1_6~18 X-Git-Url: http://scientific.zcu.cz/git/?a=commitdiff_plain;h=cdbd21501cd34fe0493b238b072687140d67c066;p=jra1mw.git Basic VOMS AC support --- diff --git a/org.gridsite.core/CHANGES b/org.gridsite.core/CHANGES index 304408a..375f8e1 100644 --- a/org.gridsite.core/CHANGES +++ b/org.gridsite.core/CHANGES @@ -1,3 +1,8 @@ +* Sun Feb 20 2005 Andrew McNab +- Add basic VOMS support (signature checking not yet + in) for X.509 Attribute Certificates. +* Tue Feb 8 2005 Andrew McNab +- ==== GridSite version 1.1.6 ==== * Tue Feb 8 2005 Andrew McNab - Include GRSTx509MakeProxyFileName() and GRSTx509StringToChain() (code to used hashes in cached diff --git a/org.gridsite.core/VERSION b/org.gridsite.core/VERSION index 87062a2..b51a96c 100644 --- a/org.gridsite.core/VERSION +++ b/org.gridsite.core/VERSION @@ -1,4 +1,4 @@ MAJOR_VERSION=1 MINOR_VERSION=1.1 -PATCH_VERSION=1.1.5 +PATCH_VERSION=1.1.6 VERSION=$(PATCH_VERSION) diff --git a/org.gridsite.core/interface/gridsite.h b/org.gridsite.core/interface/gridsite.h index c2d7729..a88a316 100644 --- a/org.gridsite.core/interface/gridsite.h +++ b/org.gridsite.core/interface/gridsite.h @@ -63,12 +63,6 @@ /// No such file or directory #define GRST_RET_NO_SUCH_FILE 1003 -#define GRST_PROXYCERTINFO_OID "1.3.6.1.4.1.3536.1.222" -#define GRST_VOMS_OID "1.3.6.1.4.1.8005.100.100.1" -#define GRST_VOMS_DIR "/etc/grid-security/vomsdir" - - - typedef struct { char *name; char *value; void *next; } GRSTgaclNamevalue; 
@@ -117,6 +111,19 @@ typedef struct { GRSTgaclCred *firstcred; #define GRST_DN_LISTS "/etc/grid-security/dn-lists" #define GRST_RECURS_LIMIT 9 +#define GRST_PROXYCERTINFO_OID "1.3.6.1.4.1.3536.1.222" +#define GRST_VOMS_OID "1.3.6.1.4.1.8005.100.100.5" +#define GRST_VOMS_DIR "/etc/grid-security/vomsdir" + +#define GRST_ASN1_MAXCOORDLEN 50 +#define GRST_ASN1_MAXTAGS 500 + +struct GRSTasn1TagList { char treecoords[GRST_ASN1_MAXCOORDLEN+1]; + int start; + int headerlength; + int length; + int tag; } ; + int GRSTgaclInit(void); /* #define GACLnewCred(x) GRSTgaclCredNew((x)) */ @@ -239,7 +246,6 @@ int GRSTx509NameCmp(char *, char *); int GRSTx509KnownCriticalExts(X509 *); -time_t GRSTasn1TimeToTimeT(char *); int GRSTx509IsCA(X509 *); int GRSTx509CheckChain(int *, X509_STORE_CTX *); int GRSTx509VerifyCallback(int, X509_STORE_CTX *); @@ -273,3 +279,8 @@ int GRSThttpCopy(GRSThttpBody *, char *); void GRSThttpWriteOut(GRSThttpBody *); int GRSThttpPrintHeaderFooter(GRSThttpBody *, char *, char *); char *GRSThttpGetCGI(char *); + +time_t GRSTasn1TimeToTimeT(char *); +int GRSTasn1SearchTaglist(struct GRSTasn1TagList taglist[], int *, char *); +int GRSTasn1ParseDump(BIO *, unsigned char *, long, + struct GRSTasn1TagList taglist[], int, int *); diff --git a/org.gridsite.core/project/version.properties b/org.gridsite.core/project/version.properties index dd123bc..dc4bf37 100644 --- a/org.gridsite.core/project/version.properties +++ b/org.gridsite.core/project/version.properties @@ -1,2 +1,4 @@ -module.version=1.1.5 -module.age=1 +#Thu Jan 13 03:09:57 CET 2005 +module.version=1.1.6 +module.build=134 +module.age=3 diff --git a/org.gridsite.core/src/Makefile b/org.gridsite.core/src/Makefile index 680a1f3..cc6fa11 100644 --- a/org.gridsite.core/src/Makefile +++ b/org.gridsite.core/src/Makefile 
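Review bot: GRST_VOMS_OID comes back with a different value from the one the previous hunk removed, `1.3.6.1.4.1.8005.100.100.5` instead of `1.3.6.1.4.1.8005.100.100.1`, and neither the hunk nor the CHANGES entry says why. GRSTx509GetVomsCreds in grst_x509.c selects extensions by comparing against this string alone, so a wrong arc silently means no VOMS credentials are ever found or that an unrelated extension is fed to the AC parser; the define deserves a one-line comment such as `/* X.509 extension OID that GRSTx509GetVomsCreds treats as a VOMS Attribute Certificate */`. The new `struct GRSTasn1TagList` is also undocumented: a short comment that `treecoords` is the "-1-2-…" path of the tag in the DER tree, `start` the byte offset of the tag in the parsed buffer, and `headerlength`/`length` the sizes of its header and contents would help callers such as GRSTx509ParseVomsExt.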
@@ -64,38 +64,43 @@ build: libgridsite_globus.so.$(VERSION) libgridsite_globus.a # First, normal versions using system OpenSSL rather than Globus OpenSSL -libgridsite.so.$(VERSION): grst_x509.o grst_gacl.o grst_http.o +libgridsite.so.$(VERSION): grst_x509.o grst_gacl.o grst_http.o grst_asn1.o gcc -shared -Wl,-soname,libgridsite.so.$(MINOR_VERSION) \ - -o libgridsite.so.$(PATCH_VERSION) grst_x509.o grst_gacl.o grst_http.o + -o libgridsite.so.$(PATCH_VERSION) grst_x509.o grst_gacl.o grst_http.o grst_asn1.o -libgridsite.a: grst_x509.o grst_gacl.o grst_http.o - ar src libgridsite.a grst_x509.o grst_gacl.o grst_http.o +libgridsite.a: grst_x509.o grst_gacl.o grst_http.o grst_asn1.o + ar src libgridsite.a grst_x509.o grst_gacl.o grst_http.o grst_asn1.o grst_x509.o: grst_x509.c ../interface/gridsite.h - gcc $(MYCFLAGS) $(OPENSSL_GLOBUS_FLAGS) \ + gcc $(MYCFLAGS) \ -I/usr/kerberos/include -c grst_x509.c grst_gacl.o: grst_gacl.c ../interface/gridsite.h - gcc $(MYCFLAGS) $(OPENSSL_GLOBUS_FLAGS) \ + gcc $(MYCFLAGS) \ -I/usr/kerberos/include `xml2-config --cflags` -c grst_gacl.c grst_http.o: grst_http.c ../interface/gridsite.h - gcc $(MYCFLAGS) $(OPENSSL_GLOBUS_FLAGS) \ + gcc $(MYCFLAGS) \ -I/usr/kerberos/include -c grst_http.c +grst_asn1.o: grst_asn1.c ../interface/gridsite.h + gcc $(MYCFLAGS) \ + -I/usr/kerberos/include -c grst_asn1.c + # Then build versions using Globus OpenSSL if configured ifdef OPENSSL_GLOBUS_LIBS libgridsite_globus.so.$(VERSION): \ - grst_x509_globus.o grst_gacl_globus.o grst_http_globus.o + grst_x509_globus.o grst_gacl_globus.o grst_http_globus.o \ + grst_asn1_globus.o gcc -shared -Wl,-soname,libgridsite_globus.so.$(MINOR_VERSION) \ -o libgridsite_globus.so.$(PATCH_VERSION) \ - grst_x509_globus.o grst_gacl_globus.o grst_http_globus.o + grst_x509_globus.o grst_gacl_globus.o grst_http_globus.o grst_asn1_globus.o -libgridsite_globus.a: grst_x509_globus.o grst_gacl_globus.o grst_http_globus.o +libgridsite_globus.a: grst_x509_globus.o grst_gacl_globus.o 
grst_http_globus.o grst_asn1_globus.o ar src libgridsite_globus.a \ - grst_x509_globus.o grst_gacl_globus.o grst_http_globus.o + grst_x509_globus.o grst_gacl_globus.o grst_http_globus.o grst_asn1_globus.o grst_x509_globus.o: grst_x509.c ../interface/gridsite.h gcc $(MYCFLAGS) $(OPENSSL_GLOBUS_FLAGS) \ @@ -112,6 +117,11 @@ grst_http_globus.o: grst_http.c ../interface/gridsite.h -I/usr/kerberos/include -c grst_http.c \ -o grst_http_globus.o +grst_asn1_globus.o: grst_asn1.c ../interface/gridsite.h + gcc $(MYCFLAGS) $(OPENSSL_GLOBUS_FLAGS) \ + -I/usr/kerberos/include -c grst_asn1.c \ + -o grst_asn1_globus.o + else libgridsite_globus.so.$(VERSION): libgridsite.so.$(VERSION) @@ -125,7 +135,7 @@ endif urlencode: urlencode.c libgridsite.a gcc -DVERSION=\"$(PATCH_VERSION)\" $(MYCFLAGS) \ -o urlencode urlencode.c -L. \ - $(OPENSSL_GLOBUS_FLAGS) -I/usr/kerberos/include -lgridsite + -I/usr/kerberos/include -lgridsite htcp: htcp.c gcc -DVERSION=\"$(PATCH_VERSION)\" -I. -o htcp htcp.c \ @@ -133,7 +143,7 @@ htcp: htcp.c mod_gridsite.so: mod_gridsite.c mod_ssl-private.h libgridsite.a gcc $(MYCFLAGS) -shared -Wl,-soname=gridsite_module \ - $(OPENSSL_GLOBUS_FLAGS) -I/usr/kerberos/include \ + -I/usr/kerberos/include \ -I/usr/include/libxml2 \ -DVERSION=\"$(VERSION)\" -o mod_gridsite.so \ mod_gridsite.c $(MYLDFLAGS) -lxml2 -lm -lz -lgridsite 
@@ -144,22 +154,29 @@ real-gridsite-admin.cgi: grst_admin_main.c grst_admin_gacl.c \ grst_admin_main.c \ grst_admin_gacl.c \ grst_admin_file.c \ - $(OPENSSL_GLOBUS_FLAGS) -I/usr/kerberos/include \ - -DVERSION=\"$(VERSION)\" $(OPENSSL_GLOBUS_LIBS) -lgridsite -lssl$(FLAVOR_GLOBUS_EXT) -lcrypto$(FLAVOR_GLOBUS_EXT) -lxml2 -lz -lm + -I/usr/kerberos/include \ + -DVERSION=\"$(VERSION)\" -lgridsite -lssl -lcrypto -lxml2 -lz -lm findproxyfile: findproxyfile.c libgridsite.a gcc -DVERSION=\"$(PATCH_VERSION)\" $(MYCFLAGS) $(MYLDFLAGS) \ -o findproxyfile findproxyfile.c -L. \ - $(OPENSSL_GLOBUS_FLAGS) -I/usr/kerberos/include -lgridsite \ - $(OPENSSL_GLOBUS_LIBS) -lssl$(FLAVOR_GLOBUS_EXT) -lcrypto$(FLAVOR_GLOBUS_EXT) -lxml2 -lz -lm + -I/usr/kerberos/include -lgridsite \ + -lssl -lcrypto -lxml2 -lz -lm +showx509exts: showx509exts.c libgridsite.a + gcc -DVERSION=\"$(PATCH_VERSION)\" $(MYCFLAGS) $(MYLDFLAGS) \ + -o showx509exts showx509exts.c -L. \ + -I/usr/kerberos/include \ + -lgridsite \ + -lssl -lcrypto + apidoc: doxygen Doxyfile gaclexample: gaclexample.c libgridsite.a gcc -o gaclexample gaclexample.c -I. -L. \ - $(OPENSSL_GLOBUS_FLAGS) -I/usr/kerberos/include -lgridsite \ - -lssl$(FLAVOR_GLOBUS_EXT) -lcrypto$(FLAVOR_GLOBUS_EXT) -lxml2 -lz -lm + -I/usr/kerberos/include -lgridsite \ + -lssl -lcrypto -lxml2 -lz -lm # # Delegation machinery, including SOAP delegation portType. To build this 
@@ -183,30 +200,30 @@ gridsite-delegation.cgi: grst-delegation.c delegation.h delegation.wsdl \ soapC.c soapServer.c gcc $(MYCFLAGS) $(MYLDFLAGS) -o gridsite-delegation.cgi \ grst-delegation.c \ - $(OPENSSL_GLOBUS_FLAGS) -I/usr/kerberos/include -I$(GSOAPDIR)/include \ + -I/usr/kerberos/include -I$(GSOAPDIR)/include \ -DVERSION=\"$(VERSION)\" -L$(GSOAPDIR)/lib \ soapC.c soapServer.c -lgsoap \ - -lgridsite -lcurl -lz -lssl$(FLAVOR_GLOBUS_EXT) -lcrypto$(FLAVOR_GLOBUS_EXT) -lxml2 -lm + -lgridsite -lcurl -lz -lssl -lcrypto -lxml2 -lm htproxyput: htproxyput.c delegation.h delegation.wsdl \ soapC.c soapServer.c gcc $(MYCFLAGS) $(MYLDFLAGS) -o htproxyput \ htproxyput.c \ - $(OPENSSL_GLOBUS_FLAGS) -I/usr/kerberos/include \ + -I/usr/kerberos/include \ -g -DVERSION=\"$(VERSION)\" \ -I$(GSOAPDIR)/include -DWITH_OPENSSL -L$(GSOAPDIR)/lib \ soapC.c soapClient.c -lgsoap \ - -lgridsite -lcurl -lz -lssl$(FLAVOR_GLOBUS_EXT) -lcrypto$(FLAVOR_GLOBUS_EXT) -lxml2 -lm + -lgridsite -lcurl -lz -lssl -lcrypto -lxml2 -lm proxyput-example: proxyput-example.c delegation.h delegation.wsdl \ soapC.c soapServer.c libstdsoap2.a gcc $(MYCFLAGS) $(MYLDFLAGS) -o proxyput-example \ proxyput-example.c \ - $(OPENSSL_GLOBUS_FLAGS) -I/usr/kerberos/include \ + -I/usr/kerberos/include \ -g -DVERSION=\"$(VERSION)\" \ -I$(GSOAPDIR) -DWITH_OPENSSL \ soapC.c soapClient.c libstdsoap2.a \ - -lgridsite -lcurl -lz -lssl$(FLAVOR_GLOBUS_EXT) -lcrypto$(FLAVOR_GLOBUS_EXT) -lxml2 -lm + -lgridsite -lcurl -lz -lssl -lcrypto -lxml2 -lm clean: 
@@ -309,8 +326,6 @@ rpm: dist gridsite.spec $(MYRPMDIR)/SRPMS $(MYRPMDIR)/RPMS/i386 $(MYRPMDIR)/BUILDROOT cp -f ../gridsite-$(PATCH_VERSION).src.tar.gz $(MYRPMDIR)/SOURCES cp -f gridsite.spec $(MYRPMDIR)/SPECS - export OPENSSL_GLOBUS_FLAGS=$(OPENSSL_GLOBUS_FLAGS) ; export OPENSSL_GLOBUS_LIBS=$(OPENSSL_GLOBUS_LIBS) ; export FLAVOR_GLOBUS_EXT=$(FLAVOR_GLOBUS_EXT) ; \ - export GSOAPDIR=$(GSOAPDIR) ; \ export MYPREFIX=/usr ; export MYVERSION=$(PATCH_VERSION) ; \ $(RPMCMD) --define "_topdir $(MYRPMDIR)" \ -ba --buildroot $(MYRPMDIR)/BUILDROOT gridsite.spec diff --git a/org.gridsite.core/src/grst_asn1.c b/org.gridsite.core/src/grst_asn1.c new file mode 100644 index 0000000..7634c14 --- /dev/null +++ b/org.gridsite.core/src/grst_asn1.c 
@@ -0,0 +1,443 @@ + +#include +#include +#include +#include + +#include +#include +#include + +#include "gridsite.h" + +/// ASN1 time string (in a char *) to time_t +/** + * (Use ASN1_STRING_data() to convert ASN1_GENERALIZEDTIME to char * if + * necessary) + */ + +time_t GRSTasn1TimeToTimeT(char *asn1time) +{ + char zone; + struct tm time_tm; + + if ((sscanf(asn1time, "%02d%02d%02d%02d%02d%02d%c", + &(time_tm.tm_year), + &(time_tm.tm_mon), + &(time_tm.tm_mday), + &(time_tm.tm_hour), + &(time_tm.tm_min), + &(time_tm.tm_sec), + &zone) != 7) || (zone != 'Z')) return 0; /* dont understand */ + + /* time format fixups */ + + if (time_tm.tm_year < 90) time_tm.tm_year += 100; + --(time_tm.tm_mon); + + return timegm(&time_tm); +} + +/* this function is taken from OpenSSL without modification */ + +static int asn1_print_info(BIO *bp, int tag, int xclass, int constructed, + int indent) + { + static const char fmt[]="%-18s"; + static const char fmt2[]="%2d %-15s"; + char str[128]; + const char *p,*p2=NULL; + + if (constructed & V_ASN1_CONSTRUCTED) + p="cons: "; + else + p="prim: "; + if (BIO_write(bp,p,6) < 6) goto err; + BIO_indent(bp,indent,128); + + p=str; + if ((xclass & V_ASN1_PRIVATE) == V_ASN1_PRIVATE) + sprintf(str,"priv [ %d ] ",tag); + else if ((xclass & V_ASN1_CONTEXT_SPECIFIC) == V_ASN1_CONTEXT_SPECIFIC) + sprintf(str,"cont [ %d ]",tag); + else if ((xclass & V_ASN1_APPLICATION) == V_ASN1_APPLICATION) + sprintf(str,"appl [ %d ]",tag); + else p = ASN1_tag2str(tag); + + if (p2 != NULL) + { + if (BIO_printf(bp,fmt2,tag,p2) <= 0) goto err; + } + else + { + if (BIO_printf(bp,fmt,p) <= 0) goto err; + } + return(1); +err: + return(0); + } + +static void GRSTasn1AddToTaglist(struct GRSTasn1TagList taglist[], + int maxtag, int *lasttag, + char *treecoords, int start, int headerlength, + int length, int tag) +{ + if ((strlen(treecoords) > GRST_ASN1_MAXCOORDLEN) || + (*lasttag + 1 > maxtag)) return; + + ++(*lasttag); + + strncpy(taglist[*lasttag].treecoords, treecoords, 
GRST_ASN1_MAXCOORDLEN+1); + taglist[*lasttag].start = start; + taglist[*lasttag].headerlength = headerlength; + taglist[*lasttag].length = length; + taglist[*lasttag].tag = tag; +} + +int GRSTasn1SearchTaglist(struct GRSTasn1TagList taglist[], + int *lasttag, char *treecoords) +{ + int i; + + for (i=0; i <= *lasttag; ++i) + { + if (strcmp(treecoords, taglist[i].treecoords) == 0) return i; + } + + return -1; +} + +static int GRSTasn1Parse2(BIO *bp, unsigned char **pp, long length, int offset, + int depth, int indent, int dump, char *treecoords, + struct GRSTasn1TagList taglist[], int maxtag, int *lasttag) + { + int sibling = 0; + char sibtreecoords[512]; + + unsigned char *p,*ep,*tot,*op,*opp; + long len; + int tag,xclass,ret=0; + int nl,hl,j,r; + ASN1_OBJECT *o=NULL; + ASN1_OCTET_STRING *os=NULL; + int dump_indent; + + + dump_indent = 6; /* Because we know BIO_dump_indent() */ + p= *pp; + tot=p+length; + op=p-1; + while ((p < tot) && (op < p)) + { + op=p; + j=ASN1_get_object(&p,&len,&tag,&xclass,length); + + if (j & 0x80) + { + if ((bp != NULL) && + (BIO_write(bp,"Error in encoding\n",18) <= 0)) + goto end; + ret=0; + goto end; + } + hl=(p-op); + length-=hl; + + ++sibling; + sprintf(sibtreecoords, "%s-%d", treecoords, sibling); + + GRSTasn1AddToTaglist(taglist, maxtag, lasttag, sibtreecoords, + (int)offset+(int)(op - *pp), + (int) hl, len, tag); + + if (bp != NULL) + BIO_printf(bp, " %s %ld %ld %d %d\n", sibtreecoords, + (long)offset+(long)(op - *pp), hl, len, tag); + + + /* if j == 0x21 it is a constructed indefinite length object */ + if ((bp != NULL) && + (BIO_printf(bp,"%5ld:",(long)offset+(long)(op- *pp)) + <= 0)) goto end; + + if (j != (V_ASN1_CONSTRUCTED | 1)) + { + if ((bp != NULL) && + (BIO_printf(bp,"d=%-2d hl=%ld l=%4ld ", + depth,(long)hl,len) <= 0)) + goto end; + } + else + { + if ((bp != NULL) && + (BIO_printf(bp,"d=%-2d hl=%ld l=inf ", + depth,(long)hl) <= 0)) + goto end; + } + if ((bp != NULL) && + !asn1_print_info(bp,tag,xclass,j,(indent)?depth:0)) 
+ goto end; + if (j & V_ASN1_CONSTRUCTED) + { + ep=p+len; + if ((bp != NULL) && + (BIO_write(bp,"\n",1) <= 0)) goto end; + if (len > length) + { + if (bp != NULL) BIO_printf(bp, + "length is greater than %ld\n",length); + ret=0; + goto end; + } + if ((j == 0x21) && (len == 0)) + { + for (;;) + { + r=GRSTasn1Parse2(bp,&p,(long)(tot-p), + offset+(p - *pp),depth+1, + indent,dump,sibtreecoords, + taglist, maxtag, lasttag); + if (r == 0) { ret=0; goto end; } + if ((r == 2) || (p >= tot)) break; + } + } + else + while (p < ep) + { + r=GRSTasn1Parse2(bp,&p,(long)len, + offset+(p - *pp),depth+1, + indent,dump,sibtreecoords, + taglist, maxtag, lasttag); + if (r == 0) { ret=0; goto end; } + } + } + else if (xclass != 0) + { + p+=len; + if ((bp != NULL) && + (BIO_write(bp,"\n",1) <= 0)) goto end; + } + else + { + nl=0; + if ( (tag == V_ASN1_PRINTABLESTRING) || + (tag == V_ASN1_T61STRING) || + (tag == V_ASN1_IA5STRING) || + (tag == V_ASN1_VISIBLESTRING) || + (tag == V_ASN1_UTCTIME) || + (tag == V_ASN1_GENERALIZEDTIME)) + { + if ((bp != NULL) && + (BIO_write(bp,":",1) <= 0)) goto end; + if ((len > 0) && (bp != NULL) && + BIO_write(bp,(char *)p,(int)len) + != (int)len) + goto end; + } + else if (tag == V_ASN1_OBJECT) + { + opp=op; + if (d2i_ASN1_OBJECT(&o,&opp,len+hl) != NULL) + { + if (bp != NULL) + { + if (BIO_write(bp,":",1) <= 0) goto end; + i2a_ASN1_OBJECT(bp,o); + } + } + else + { + if ((bp != NULL) && + (BIO_write(bp,":BAD OBJECT",11) <= 0)) + goto end; + } + } + else if (tag == V_ASN1_BOOLEAN) + { + int ii; + + opp=op; + ii=d2i_ASN1_BOOLEAN(NULL,&opp,len+hl); + if (ii < 0) + { + if ((bp != NULL) && + (BIO_write(bp,"Bad boolean\n",12))) + goto end; + } + if (bp != NULL) BIO_printf(bp,":%d",ii); + } + else if (tag == V_ASN1_BMPSTRING) + { + /* do the BMP thang */ + } + else if (tag == V_ASN1_OCTET_STRING) + { + int i,printable=1; + + opp=op; + os=d2i_ASN1_OCTET_STRING(NULL,&opp,len+hl); + if (os != NULL) + { + opp=os->data; + for (i=0; ilength; i++) + { + if (( (opp[i] < ' 
') && + (opp[i] != '\n') && + (opp[i] != '\r') && + (opp[i] != '\t')) || + (opp[i] > '~')) + { + printable=0; + break; + } + } + if (printable && (os->length > 0)) + { + if ((bp != NULL) && + (BIO_write(bp,":",1) <= 0)) + goto end; + if ((bp != NULL) && + (BIO_write(bp,(char *)opp, + os->length) <= 0)) + goto end; + } + if (!printable && (os->length > 0) + && dump) + { + if (!nl) + { + if ((bp != NULL) && + (BIO_write(bp,"\n",1) <= 0)) + goto end; + } + if ((bp != NULL) && + (BIO_dump_indent(bp,(char *)opp, + ((dump == -1 || dump > os->length)?os->length:dump), + dump_indent) <= 0)) + goto end; + nl=1; + } + M_ASN1_OCTET_STRING_free(os); + os=NULL; + } + } + else if (tag == V_ASN1_INTEGER) + { + ASN1_INTEGER *bs; + int i; + + opp=op; + bs=d2i_ASN1_INTEGER(NULL,&opp,len+hl); + if (bs != NULL) + { + if ((bp != NULL) && + (BIO_write(bp,":",1) <= 0)) goto end; + if (bs->type == V_ASN1_NEG_INTEGER) + if ((bp != NULL) && + (BIO_write(bp,"-",1) <= 0)) + goto end; + for (i=0; ilength; i++) + { + if ((bp != NULL) && + (BIO_printf(bp,"%02X", + bs->data[i]) <= 0)) + goto end; + } + if (bs->length == 0) + { + if ((bp != NULL) && + (BIO_write(bp,"00",2) <= 0)) + goto end; + } + } + else + { + if ((bp != NULL) && + (BIO_write(bp,"BAD INTEGER",11) <= 0)) + goto end; + } + M_ASN1_INTEGER_free(bs); + } + else if (tag == V_ASN1_ENUMERATED) + { + ASN1_ENUMERATED *bs; + int i; + + opp=op; + bs=d2i_ASN1_ENUMERATED(NULL,&opp,len+hl); + if (bs != NULL) + { + if ((bp != NULL) && + (BIO_write(bp,":",1) <= 0)) goto end; + if (bs->type == V_ASN1_NEG_ENUMERATED) + if ((bp != NULL) && + (BIO_write(bp,"-",1) <= 0)) + goto end; + for (i=0; ilength; i++) + { + if ((bp != NULL) && + (BIO_printf(bp,"%02X", + bs->data[i]) <= 0)) + goto end; + } + if (bs->length == 0) + { + if ((bp != NULL) && + (BIO_write(bp,"00",2) <= 0)) + goto end; + } + } + else + { + if ((bp != NULL) && + (BIO_write(bp,"BAD ENUMERATED",11) <= 0)) + goto end; + } + M_ASN1_ENUMERATED_free(bs); + } + else if (len > 0 && dump) + { 
+ if (!nl) + { + if ((bp != NULL) && + (BIO_write(bp,"\n",1) <= 0)) + goto end; + } + if ((bp != NULL) && + (BIO_dump_indent(bp,(char *)p, + ((dump == -1 || dump > len)?len:dump), + dump_indent) <= 0)) + goto end; + nl=1; + } + + if (!nl) + { + if ((bp != NULL) && + (BIO_write(bp,"\n",1) <= 0)) goto end; + } + p+=len; + if ((tag == V_ASN1_EOC) && (xclass == 0)) + { + ret=2; /* End of sequence */ + goto end; + } + } + + length-=len; + } + ret=1; +end: + if (o != NULL) ASN1_OBJECT_free(o); + if (os != NULL) M_ASN1_OCTET_STRING_free(os); + *pp=p; + return(ret); + } + +int GRSTasn1ParseDump(BIO *bp, unsigned char *pp, long len, + struct GRSTasn1TagList taglist[], + int maxtag, int *lasttag) + { + return(GRSTasn1Parse2(bp,&pp,len,0,0,0,0,"", + taglist, maxtag, lasttag)); + } diff --git a/org.gridsite.core/src/grst_x509.c b/org.gridsite.core/src/grst_x509.c index 75376dc..2195145 100644 --- a/org.gridsite.core/src/grst_x509.c +++ b/org.gridsite.core/src/grst_x509.c @@ -62,10 +62,6 @@ #include #include -#ifdef GRST_VOMS_SUPPORT -#include -#endif - #include "gridsite.h" #define GRST_KEYSIZE 512 @@ -145,6 +141,7 @@ int GRSTx509KnownCriticalExts(X509 *cert) #endif } +#if 0 /// ASN1 time string (in a char *) to time_t /** * (Use ASN1_STRING_data() to convert ASN1_GENERALIZEDTIME to char * if @@ -172,6 +169,7 @@ time_t GRSTasn1TimeToTimeT(char *asn1time) return timegm(&time_tm); } +#endif /// Check if certificate can be used as a CA to sign standard X509 certs /* 
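Review bot: In GRSTasn1Parse2 each recursion level builds its coordinates with `sprintf(sibtreecoords, "%s-%d", treecoords, sibling)`, where `treecoords` is the parent's own 512-byte `sibtreecoords`; the `strlen(treecoords) > GRST_ASN1_MAXCOORDLEN` guard in GRSTasn1AddToTaglist only protects the taglist copy, so a deeply nested constructed value in an extension taken from the certificate chain handed to GRSTx509GetVomsCreds overflows this stack buffer, and the recursion depth itself is unbounded. Bound the write and stop descending when it no longer fits, `if (snprintf(sibtreecoords, sizeof sibtreecoords, "%s-%d", treecoords, sibling) >= (int) sizeof sibtreecoords) { ret = 0; goto end; }`, and consider a depth cap alongside maxtag. Separately, the header comment on GRSTasn1TimeToTimeT invites GeneralizedTime input, but the `%02d` format only matches 13-character UTCTime: a 15-character GeneralizedTime (a notAfter beyond 2049, for instance) takes its first two digits as the year, fails the `zone != 'Z'` check and returns 0, which the callers in grst_x509.c then use as a timestamp. GRSTasn1AddToTaglist also indexes `taglist[maxtag]` once `*lasttag + 1 > maxtag` no longer rejects, so callers must allocate maxtag+1 entries as the two existing ones do; that contract belongs in a comment on the function.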
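Review bot: The old GRSTasn1TimeToTimeT body is fenced with `#if 0` here and `#endif` in the hunk at -172 instead of being deleted, now that the function is defined in grst_asn1.c and declared in gridsite.h; the dead copy will drift from the live one, so remove it and rely on the header. The disabled block spans both hunks and its middle lies outside them.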
@@ -397,80 +395,74 @@ int GRSTx509VerifyCallback (int ok, X509_STORE_CTX *ctx) // else return GRST_RET_FAILED; } -/// Get the VOMS attributes in the extensions to the given cert +/// Get the VOMS attributes in the given extension /* * Puts any VOMS credentials found into the Compact Creds string array * starting at *creds. Always returns GRST_RET_OK. */ -int GRSTx509GetVomsCreds(int *lastcred, int maxcreds, size_t credlen, - char *creds, X509 *cert, STACK_OF(X509) *certstack, - char *vomsdir) +int GRSTx509ParseVomsExt(int *lastcred, int maxcreds, size_t credlen, + char *creds, time_t *time1_time, time_t *time2_time, + X509_EXTENSION *ex, char *ucuser, char *vomsdir) { -#ifndef GRST_VOMS_SUPPORT - return GRST_RET_OK; -} -#else - -/* - int j; - unsigned int siglen=-1, datalength=-1, dataoffset = -1; - char s[80]; - unsigned char *charstr, *p, *time1 = NULL, *time2 = NULL, *vo = NULL, - *uri = NULL, *user = NULL, *group = "NULL", *role = "NULL", - *cap = "NULL", *server = NULL, *ucuser, *signature = NULL, - *data = NULL, *datalen = NULL; - X509_EXTENSION *ex; - ASN1_STRING *asn1str; - time_t now, time1_time = 0, time2_time = 0, - uctime1_time, uctime2_time; -*/ - - - struct vomsdata *vd; - int i, j, vomserror; - - vd = VOMS_Init(NULL, NULL); +#define MAXTAG 500 +#define FQAN_COORDS "-1-1-1-1-7-1-2-1-2-%d" + ASN1_OCTET_STRING *asn1data; + char *asn1string, s[81]; + long asn1length; + int lasttag=-1, itag, i; + struct GRSTasn1TagList taglist[MAXTAG+1]; + + asn1data = X509_EXTENSION_get_data(ex); + asn1string = ASN1_STRING_data(asn1data); + asn1length = ASN1_STRING_length(asn1data); + + GRSTasn1ParseDump(NULL, asn1string, asn1length, taglist, MAXTAG, &lasttag); + + for (i=1; ; ++i) + { +// should find signature and check it here, first + + sprintf(s, FQAN_COORDS, i); + itag = GRSTasn1SearchTaglist(taglist, &lasttag, s); - if (VOMS_Retrieve(cert, certstack, RECURSE_CHAIN, vd, &vomserror) && - (vd->data != NULL)) - { - for (i = 0; vd->data[i] != NULL; ++i) + if (itag > -1) 
{ - if (vd->data[i]->fqan != NULL) - for (j = 0; vd->data[i]->fqan[j] != NULL; ++j) - { - if (*lastcred >= maxcreds - 1) - { - VOMS_Destroy(vd); - return GRST_RET_OK; - } - - ++(*lastcred); - - snprintf(&creds[*lastcred * (credlen + 1)], - credlen+1, - "VOMS %010lu %010lu 0 %s", - GRSTasn1TimeToTimeT(vd->data[i]->date1), - GRSTasn1TimeToTimeT(vd->data[i]->date2), - vd->data[i]->fqan[j]); - } + if (*lastcred < maxcreds - 1) + { + ++(*lastcred); + + snprintf(&creds[*lastcred * (credlen + 1)], credlen+1, + "VOMS %010lu %010lu 0 %.*s", + *time1_time, *time2_time, + taglist[itag].length, + &asn1string[taglist[itag].start+ + taglist[itag].headerlength]); + } } - } - else - { - FILE *fp = fopen("/tmp/getvoms.log", "w"); - fprintf(fp, "%d\n", vomserror); - fclose(fp); - } - - VOMS_Destroy(vd); + else break; + } + return GRST_RET_OK; } -#if 0 +/// Get the VOMS attributes in the extensions to the given cert stack +/* + * Puts any VOMS credentials found into the Compact Creds string array + * starting at *creds. Always returns GRST_RET_OK. + */ - time(&now); +int GRSTx509GetVomsCreds(int *lastcred, int maxcreds, size_t credlen, + char *creds, X509 *usercert, STACK_OF(X509) *certstack, + char *vomsdir) +{ + int i, j, vomsfound=0; + char s[80]; + unsigned char *ucuser; + X509_EXTENSION *ex; + ASN1_STRING *asn1str; + X509 *cert; + time_t time1_time = 0, time2_time = 0, uctime1_time, uctime2_time; uctime1_time = GRSTasn1TimeToTimeT(ASN1_STRING_data(X509_get_notBefore(usercert))); 
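Review bot: GRSTx509ParseVomsExt writes a `VOMS …` line into creds for every FQAN it finds at `FQAN_COORDS` while the signature check is still only the comment `// should find signature and check it here, first`, so once GRSTx509CompactCreds calls GRSTx509GetVomsCreds, any certificate in the chain carrying an extension with GRST_VOMS_OID is treated as a VO-issued attribute certificate and its contents become credentials that the Compact Cred to GRSTgaclCred conversion accepts. Until verification is implemented, keep the `snprintf` into creds behind a compile-time switch (the GRST_VOMS_SUPPORT macro this commit stops using would serve) or leave the call out of GRSTx509CompactCreds, and say so in the header comment rather than "Always returns GRST_RET_OK". The times written are `*time1_time`/`*time2_time`, which the caller derives from the chain's notBefore/notAfter; the AC's own validity period inside the extension is never parsed or compared, so an AC appears to be reported with the chain's window rather than its own. The `ucuser` and `vomsdir` parameters are unused in this function, and the body of GRSTx509GetVomsCreds continues past the end of the hunk.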
@@ -479,15 +471,38 @@ int GRSTx509GetVomsCreds(int *lastcred, int maxcreds, size_t credlen, ucuser = X509_NAME_oneline(X509_get_subject_name(usercert), NULL, 0); - for (i = 0; i < X509_get_ext_count(cert); ++i) - { - ex = X509_get_ext(cert, i); - - OBJ_obj2txt(s, sizeof(s), X509_EXTENSION_get_object(ex), 1); + for (j=sk_X509_num(certstack)-1; j >= 0; --j) + { + cert = sk_X509_value(certstack, j); - if (strcmp(s, GRST_VOMS_OID) == 0) /* a VOMS extension */ - { - asn1str = X509_EXTENSION_get_data(ex); + time1_time = + GRSTasn1TimeToTimeT(ASN1_STRING_data(X509_get_notBefore(cert))); + uctime1_time = (time1_time > uctime1_time) ? time1_time:uctime1_time; + + time2_time = + GRSTasn1TimeToTimeT(ASN1_STRING_data(X509_get_notAfter(cert))); + uctime2_time = (time2_time < uctime2_time) ? time2_time:uctime2_time; + + for (i=0; i < X509_get_ext_count(cert); ++i) + { + ex = X509_get_ext(cert, i); + OBJ_obj2txt(s, sizeof(s), X509_EXTENSION_get_object(ex), 1); + + if (strcmp(s, GRST_VOMS_OID) == 0) /* a VOMS extension */ + { + vomsfound=1; + GRSTx509ParseVomsExt(lastcred, maxcreds, credlen, creds, + &uctime1_time, &uctime2_time, + ex, ucuser, vomsdir); + } + } + + if (vomsfound) return GRST_RET_OK; + } + + return GRST_RET_OK; +} +#if 0 charstr = (char *) malloc(ASN1_STRING_length(asn1str) + 1); memcpy(charstr, ASN1_STRING_data(asn1str), ASN1_STRING_length(asn1str)); @@ -700,8 +715,6 @@ int GRSTx509GetVomsCreds(int *lastcred, int maxcreds, size_t credlen, } #endif -#endif - /// Turn a Compact Cred line into a GRSTgaclCred object /** * Returns pointer to created GRSTgaclCred or NULL or failure. @@ -825,9 +838,10 @@ int GRSTx509CompactCreds(int *lastcred, int maxcreds, size_t credlen, { ++(*lastcred); strcpy(&creds[*lastcred * (credlen + 1)], credtemp); - + GRSTx509GetVomsCreds(lastcred, maxcreds, credlen, creds, - gsiproxycert, certstack, vomsdir); + usercert, certstack, vomsdir); + } return GRST_RET_OK; 
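Review bot: `ucuser` holds the buffer returned by `X509_NAME_oneline(..., NULL, 0)` on the context line at the top of this hunk, which OpenSSL allocates, and neither `if (vomsfound) return GRST_RET_OK;` nor the final `return GRST_RET_OK;` releases it, so every call of GRSTx509GetVomsCreds leaks it; add `OPENSSL_free(ucuser);` before both returns or route them through a single exit. The loop counting down from `sk_X509_num(certstack)-1` returns after the first certificate that holds a VOMS extension, which looks intended, but a comment stating which end of certstack is expected to be the leaf would make that choice checkable. The start of GRSTx509GetVomsCreds lies in the previous hunk.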
diff --git a/org.gridsite.core/src/real-gridsite-admin.cgi b/org.gridsite.core/src/real-gridsite-admin.cgi
index aa3f9e1..0e1e8ed 100644
Binary files a/org.gridsite.core/src/real-gridsite-admin.cgi and b/org.gridsite.core/src/real-gridsite-admin.cgi differ
diff --git a/org.gridsite.core/src/showx509exts.c b/org.gridsite.core/src/showx509exts.c
new file mode 100644
index 0000000..23c3560
--- /dev/null
+++ b/org.gridsite.core/src/showx509exts.c
@@ -0,0 +1,78 @@ + +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include + +#include "gridsite.h" + +#define MAXTAG 500 + +main() +{ + X509 *cert, *tmpcert; + STACK_OF(X509) *certstack = sk_X509_new_null(); + FILE *fp; + struct vomsdata *vd; + int i, j, vomserror, i1, i2, j1, j2, lastobject; + X509_EXTENSION *ex; + ASN1_OBJECT *asnobject; + char s[80], *t; + ASN1_OCTET_STRING *asndata; + BIO *out; + unsigned char *p, *op, *tot, *p1, *p2, *q, *oq; + long len1, length1, len2, length2; + int tag,xclass,ret=0; + struct GRSTasn1TagList taglist[MAXTAG+1]; + int lasttag=-1, itag; + + + OpenSSL_add_all_algorithms(); + ERR_load_crypto_strings(); +// seed_prng(); + +// fp = fopen("proxy-with-voms", "r"); + fp = fopen("/tmp/x509up_u300", "r"); + + cert = PEM_read_X509(fp, NULL, NULL, NULL); + + fclose(fp); + + out=BIO_new(BIO_s_file()); + BIO_set_fp(out,stdout,BIO_NOCLOSE|BIO_FP_TEXT); + + for (i = 0; i < X509_get_ext_count(cert); ++i) + { + lasttag=-1; + + ex = X509_get_ext(cert, i); + + OBJ_obj2txt(s, sizeof(s), X509_EXTENSION_get_object(ex), 1); + printf("%d OID=%s\n", i, s); + + asnobject = X509_EXTENSION_get_object(ex); + asndata = X509_EXTENSION_get_data(ex); + + p1 = ASN1_STRING_data(asndata); + p = p1; + length1 = ASN1_STRING_length(asndata); + + GRSTasn1ParseDump(out, p1, length1, taglist, MAXTAG, &lasttag); +/* + itag = GRSTasn1SearchTaglist(taglist, &lasttag, + "1-1-1-1-1-7-1-2-1-2-1"); + + printf("tag=%d %s %d %.*s\n", + itag, taglist[itag].treecoords, taglist[itag].tag, + taglist[itag].length, + &p[taglist[itag].start+taglist[itag].headerlength]); +*/ + } +}
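Review bot: `fp = fopen("/tmp/x509up_u300", "r")` is never checked, so a missing or unreadable file hands a NULL `FILE *` to PEM_read_X509 and fclose, and `cert` is likewise passed to `X509_get_ext_count(cert)` without a NULL check; add `if (fp == NULL) { perror("fopen"); return 1; }` after the fopen and `if (cert == NULL) { fprintf(stderr, "no PEM certificate found\n"); return 1; }` after the read. The hard-coded path (and the commented-out `proxy-with-voms` one) should come from `argv[1]`, which also calls for `int main(int argc, char *argv[])` with a `return 0;` instead of the implicit-int `main()`. Most of the locals (`certstack`, `tmpcert`, `vd`, `p`, `op`, `tot`, `q`, `oq`, the `len2`/`length2` pair, …) are never used, and `struct vomsdata *vd` appears to be a leftover from the VOMS API path this commit drops from grst_x509.c; trimming them to what the tag dump actually uses would make the tool read as a clean example of GRSTasn1ParseDump.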