From 41da69d2d1c102fa2fcdca6ce2033c1c2d556ec6 Mon Sep 17 00:00:00 2001 From: Marcel Poul Date: Thu, 23 Aug 2012 22:31:09 +0000 Subject: [PATCH] use canl in GRSTx509CreateProxyRequest --- org.gridsite.core/src/grst_canl_x509.c | 144 +++++++++++++++++---------------- 1 file changed, 75 insertions(+), 69 deletions(-) diff --git a/org.gridsite.core/src/grst_canl_x509.c b/org.gridsite.core/src/grst_canl_x509.c index 41f0597..3fbba0f 100644 --- a/org.gridsite.core/src/grst_canl_x509.c +++ b/org.gridsite.core/src/grst_canl_x509.c @@ -2105,71 +2105,84 @@ int GRSTx509CreateProxyRequest(char **reqtxt, char **keytxt, char *ocspurl) /// Returns GRST_RET_OK on success, non-zero otherwise. Request string /// and private key are PEM encoded strings { - int i; - char *ptr; - size_t ptrlen; - RSA *keypair; - X509_NAME *subject; - X509_NAME_ENTRY *ent; - EVP_PKEY *pkey; - X509_REQ *certreq; - BIO *reqmem, *keymem; - const EVP_MD *digest; - struct stat statbuf; - - /* create key pair and put it in a PEM string */ - - if ((keypair = RSA_generate_key(GRST_KEYSIZE, 65537, NULL, NULL)) == NULL) - return 1; + int i = 0; + char *ptr = 0; + size_t ptrlen = 0; + EVP_PKEY *pkey = NULL; + X509_REQ *req = NULL; + BIO *reqmem = NULL, *keymem = NULL; + canl_cred proxy_bob = NULL; + int retval = 0; + canl_ctx c_ctx = NULL; + int ret = 0; - keymem = BIO_new(BIO_s_mem()); - if (!PEM_write_bio_RSAPrivateKey(keymem, keypair, NULL, NULL, 0, NULL, NULL)) - { - BIO_free(keymem); - return 3; + /*Make new canl_ctx, TODO MP how to initialize it only once?*/ + c_ctx = canl_create_ctx(); + if (c_ctx == NULL) { + return 10; /* TODO MP we can use caNl error codes now */ } - ptrlen = BIO_get_mem_data(keymem, &ptr); - - *keytxt = malloc(ptrlen + 1); - memcpy(*keytxt, ptr, ptrlen); - (*keytxt)[ptrlen] = '\0'; + ret = canl_cred_new(c_ctx, &proxy_bob); + if (ret){ + retval = 11; + goto end; + } - BIO_free(keymem); - - /* now create the certificate request */ + /*use caNl to generate a X509 request*/ + ret = canl_cred_new_req(c_ctx, proxy_bob, GRST_KEYSIZE); + if (ret) { + retval = 12; + goto end; + } - certreq = X509_REQ_new(); + ret = canl_cred_save_req(c_ctx, proxy_bob, &req); + if (ret) { + retval = 13; + goto end; + } - OpenSSL_add_all_algorithms(); + /*Convert request into a string*/ + reqmem = BIO_new(BIO_s_mem()); + PEM_write_bio_X509_REQ(reqmem, req); + ptrlen = BIO_get_mem_data(reqmem, &ptr); - pkey = EVP_PKEY_new(); - EVP_PKEY_assign_RSA(pkey, keypair); + *reqtxt = malloc(ptrlen + 1); + memcpy(*reqtxt, ptr, ptrlen); + (*reqtxt)[ptrlen] = '\0'; - X509_REQ_set_pubkey(certreq, pkey); - - subject = X509_NAME_new(); - ent = X509_NAME_ENTRY_create_by_NID(NULL, OBJ_txt2nid("organizationName"), - MBSTRING_ASC, "Dummy", -1); - X509_NAME_add_entry (subject, ent, -1, 0); - X509_REQ_set_subject_name (certreq, subject); - - digest = EVP_md5(); - X509_REQ_sign(certreq, pkey, digest); + /* Put keypair in a PEM string */ + ret = canl_cred_save_priv_key(c_ctx, proxy_bob, &pkey); + if (ret){ + retval = 15; + goto end; + } + keymem = BIO_new(BIO_s_mem()); + if (!PEM_write_bio_PrivateKey(keymem, pkey, NULL, NULL, 0, NULL, NULL)) + { + BIO_free(keymem); + return 3; + } - reqmem = BIO_new(BIO_s_mem()); - PEM_write_bio_X509_REQ(reqmem, certreq); - ptrlen = BIO_get_mem_data(reqmem, &ptr); - - *reqtxt = malloc(ptrlen + 1); - memcpy(*reqtxt, ptr, ptrlen); - (*reqtxt)[ptrlen] = '\0'; + ptrlen = BIO_get_mem_data(keymem, &ptr); + *keytxt = malloc(ptrlen + 1); + memcpy(*keytxt, ptr, ptrlen); + (*keytxt)[ptrlen] = '\0'; - BIO_free(reqmem); +end: + if (proxy_bob) + canl_cred_free(c_ctx, proxy_bob); + if (pkey) + EVP_PKEY_free(pkey); + if (reqmem) + BIO_free(reqmem); + if (keymem) + BIO_free(keymem); + if (req) + X509_REQ_free(req); + if (c_ctx) + canl_free_ctx(c_ctx); - X509_REQ_free(certreq); - - return 0; + return retval; } /// Make and store a X.509 request for a GSI proxy @@ -2184,12 +2197,13 @@ int GRSTx509MakeProxyRequest(char **reqtxt, char *proxydir, char *docroot = NULL, *prvkeyfile = NULL, *ptr = NULL, *user_dn_enc = NULL; size_t ptrlen = 0; FILE *fp = NULL; - RSA *keypair = NULL; + EVP_PKEY *pkey = NULL; BIO *reqmem = NULL; canl_ctx c_ctx = NULL; canl_cred proxy_bob = NULL; X509_REQ *req = NULL; int retval = GRST_RET_OK; + int ret = 0; if (strcmp(user_dn, "cache") == 0) return GRST_RET_FAILED; @@ -2254,13 +2268,13 @@ int GRSTx509MakeProxyRequest(char **reqtxt, char *proxydir, free(user_dn_enc); user_dn_enc = NULL; - keypair = canl_cred_get_keypair(); - if (!keypair) { + ret = canl_cred_save_priv_key(c_ctx, proxy_bob, &pkey); + if (ret) { retval = 15; goto end; } - if (!PEM_write_RSAPrivateKey(fp, keypair, NULL, NULL, 0, NULL, NULL)) { + if (!PEM_write_PrivateKey(fp, pkey, NULL, NULL, 0, NULL, NULL)) { retval = 3; goto end; } @@ -2286,7 +2300,7 @@ int GRSTx509MakeProxyRequest(char **reqtxt, char *proxydir, (*reqtxt)[ptrlen] = '\0'; end: if (proxy_bob) - canl_cred_free(ctx, proxy_bob); + canl_cred_free(c_ctx, proxy_bob); if (reqmem) BIO_free(reqmem); if (req) @@ -2574,7 +2588,6 @@ int GRSTx509CacheProxy(char *proxydir, char *delegation_id, int retval = GRST_RET_FAILED; char *user_dn_enc, *prvkeyfile, *proxyfile; STACK_OF(X509) *certstack; - FILE *ifp = NULL; canl_ctx c_ctx = NULL; canl_cred proxy_bob = NULL; @@ -2620,17 +2633,12 @@ int GRSTx509CacheProxy(char *proxydir, char *delegation_id, prvkeyfile = GRSTx509CachedProxyKeyFind(proxydir, delegation_id, user_dn); if (prvkeyfile == NULL) goto end; - if ((ifp = fopen(prvkeyfile, "r")) == NULL) - goto end; /* insert proxy private key into canl structure, read from private key file */ - ret = canl_cred_load_priv_key_file(c_ctx, proxy_bob, ifp); + ret = canl_cred_load_priv_key_file(c_ctx, proxy_bob, prvkeyfile, NULL, NULL); if (ret) goto end; - if (fclose(ifp) !=0) - goto end; - ifp = NULL; unlink(prvkeyfile); free(prvkeyfile); prvkeyfile = NULL; @@ -2645,7 +2653,7 @@ end: if (proxyfile) free(proxyfile); if (proxy_bob) - canl_cred_free(ctx, proxy_bob); + canl_cred_free(c_ctx, proxy_bob); if (certstack) sk_X509_free(certstack); if (prvkeyfile) @@ -2654,8 +2662,6 @@ end: free(user_dn_enc); if (c_ctx) canl_free_ctx(c_ctx); - if (ifp) - fclose(ifp); return retval; } -- 1.8.2.3