From 2011b3d13f3236e53fa41b714758dbeb96d81fa0 Mon Sep 17 00:00:00 2001 From: Andrew McNab Date: Mon, 30 Nov 2009 01:12:29 +0000 Subject: [PATCH] SYnc --- org.gridsite.core/CHANGES | 7 +++++ org.gridsite.core/interface/gridsite.h | 3 ++- org.gridsite.core/src/grst_x509.c | 48 +++++++++++++++++++++++++++++----- org.gridsite.core/src/mod_gridsite.c | 16 ++++++++++++ 4 files changed, 66 insertions(+), 8 deletions(-) diff --git a/org.gridsite.core/CHANGES b/org.gridsite.core/CHANGES index c65aa4f..80cb856 100644 --- a/org.gridsite.core/CHANGES +++ b/org.gridsite.core/CHANGES @@ -1,3 +1,10 @@ +* Sun Nov 29 2009 Andrew McNab +- Back port fixes from 1.7.x branch: +- GRSTx509MakeProxyCert() now creates RFC 3280 + proxies if any earlier proxies are RFC style +- Discard X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED + errors in GRST_callback_SSLVerify_wrapper(), + needed for newer OpenSSL * Mon Oct 19 2009 Andrew McNab - Discard X509_V_ERR_INVALID_PURPOSE errors in GRST_callback_SSLVerify_wrapper(), needed by diff --git a/org.gridsite.core/interface/gridsite.h b/org.gridsite.core/interface/gridsite.h index 52cf285..772eeeb 100644 --- a/org.gridsite.core/interface/gridsite.h +++ b/org.gridsite.core/interface/gridsite.h @@ -141,7 +141,8 @@ typedef struct { GRSTgaclCred *firstcred; char *dnlists; } GRSTgaclUser; #define GRST_DN_LISTS "/etc/grid-security/dn-lists" #define GRST_RECURS_LIMIT 9 -#define GRST_PROXYCERTINFO_OID "1.3.6.1.4.1.3536.1.222" +#define GRST_PROXYCERTINFO_OLD_OID "1.3.6.1.4.1.3536.1.222" +#define GRST_PROXYCERTINFO_OID "1.3.6.1.5.5.7.1.14" #define GRST_VOMS_OID "1.3.6.1.4.1.8005.100.100.5" #define GRST_VOMS_DIR "/etc/grid-security/vomsdir" diff --git a/org.gridsite.core/src/grst_x509.c b/org.gridsite.core/src/grst_x509.c index 401b8e6..f2d856a 100644 --- a/org.gridsite.core/src/grst_x509.c +++ b/org.gridsite.core/src/grst_x509.c @@ -135,7 +135,9 @@ int GRSTx509KnownCriticalExts(X509 *cert) { OBJ_obj2txt(s, sizeof(s), X509_EXTENSION_get_object(ex), 1); - if (strcmp(s, GRST_PROXYCERTINFO_OID) != 0) return GRST_RET_FAILED; + if ((strcmp(s, GRST_PROXYCERTINFO_OID) != 0) && + (strcmp(s, GRST_PROXYCERTINFO_OLD_OID) != 0)) + return GRST_RET_FAILED; } } @@ -1606,7 +1608,7 @@ int GRSTx509MakeProxyCert(char **proxychain, FILE *debugfp, /// the given number of minutes starting from the current time. { char *ptr, *certchain; - int i, ncerts; + int i, ncerts, any_rfc_proxies = 0; long serial = 1234, ptrlen; EVP_PKEY *pkey, *CApkey; const EVP_MD *digest; @@ -1614,6 +1616,8 @@ int GRSTx509MakeProxyCert(char **proxychain, FILE *debugfp, X509_REQ *req; X509_NAME *name, *CAsubject, *newsubject; X509_NAME_ENTRY *ent; + ASN1_OBJECT *pcinfo_obj = NULL; + X509_EXTENSION *ex; FILE *fp; BIO *reqmem, *certmem; time_t notAfter; @@ -1719,8 +1723,11 @@ int GRSTx509MakeProxyCert(char **proxychain, FILE *debugfp, } /* set version number for the certificate (X509v3) and the serial number - need 3 = v4 for GSI proxy?? */ - if (X509_set_version(certs[0], 3L) != 1) + + We now use 2 = v3 for the GSI proxy, rather than the old Globus + behaviour of 3 = v4. See Savannah Bug #53721 */ + + if (X509_set_version(certs[0], 2L) != 1) { mpcerror(debugfp, "GRSTx509MakeProxyCert(): error setting certificate version\n"); @@ -1800,10 +1807,13 @@ int GRSTx509MakeProxyCert(char **proxychain, FILE *debugfp, /* go through chain making sure this proxy is not longer lived */ + pcinfo_obj = OBJ_txt2obj(GRST_PROXYCERTINFO_OID, 0); + notAfter = GRSTasn1TimeToTimeT(ASN1_STRING_data(X509_get_notAfter(certs[0])), 0); - + for (i=1; i < ncerts; ++i) + { if (notAfter > GRSTasn1TimeToTimeT(ASN1_STRING_data(X509_get_notAfter(certs[i])), 0)) @@ -1814,6 +1824,23 @@ int GRSTx509MakeProxyCert(char **proxychain, FILE *debugfp, ASN1_UTCTIME_set(X509_get_notAfter(certs[0]), notAfter); } + + if (X509_get_ext_by_OBJ(certs[i], pcinfo_obj, -1) > 0) + any_rfc_proxies = 1; + } + + /* if any earlier proxies are RFC 3820, then new proxy must be + an RFC 3820 proxy too with the required extension */ + if (any_rfc_proxies) + { + ex = X509_EXTENSION_new(); + + X509_EXTENSION_set_object(ex, pcinfo_obj); + X509_EXTENSION_set_critical(ex, 1); + + X509_add_ext(certs[0], ex, -1); + } + else free(pcinfo_obj); /* sign the certificate with the signing private key */ if (EVP_PKEY_type(CApkey->type) == EVP_PKEY_RSA) @@ -2065,9 +2092,16 @@ int GRSTx509MakeProxyRequest(char **reqtxt, char *proxydir, } if ((keypair = RSA_generate_key(GRST_KEYSIZE, 65537, NULL, NULL)) == NULL) - return 1; + { + free(prvkeyfile); + return 1; + } - if ((fp = fopen(prvkeyfile, "w")) == NULL) return 2; + if ((fp = fopen(prvkeyfile, "w")) == NULL) + { + free(prvkeyfile); + return 2; + } chmod(prvkeyfile, S_IRUSR | S_IWUSR); free(prvkeyfile); diff --git a/org.gridsite.core/src/mod_gridsite.c b/org.gridsite.core/src/mod_gridsite.c index 1cd6b1d..a68638c 100644 --- a/org.gridsite.core/src/mod_gridsite.c +++ b/org.gridsite.core/src/mod_gridsite.c @@ -3797,6 +3797,22 @@ int GRST_callback_SSLVerify_wrapper(int ok, X509_STORE_CTX *ctx) X509_STORE_CTX_set_error(ctx, errnum); } +#ifdef X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED + /* + * Skip X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED, since they are! + */ + if (errnum == X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED) + { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, + "Skip Proxy Certificates Not Allowed error"); + + sslconn->verify_error = NULL; + ok = TRUE; + errnum = X509_V_OK; + X509_STORE_CTX_set_error(ctx, errnum); + } +#endif + /* * New style GSI Proxy handling, with critical ProxyCertInfo * extension: we use GRSTx509KnownCriticalExts() to check this -- 1.8.2.3