From 4b3e297974290c4b39f4b05c79793f251074d8b8 Mon Sep 17 00:00:00 2001
From: Andrew McNab
Date: Tue, 12 Oct 2010 14:28:33 +0000
Subject: [PATCH] Sync

---
 org.gridsite.core/CHANGES | 3 ++
 org.gridsite.core/interface/gridsite.h | 4 ++-
 org.gridsite.core/src/grst_x509.c | 60 ++++++++++++++++++++--------------
 org.gridsite.core/src/htproxyput.c | 2 +-
 org.gridsite.core/src/mod_gridsite.c | 9 ++---
 5 files changed, 48 insertions(+), 30 deletions(-)

diff --git a/org.gridsite.core/CHANGES b/org.gridsite.core/CHANGES
index c24ae45..21dd1ae 100644
--- a/org.gridsite.core/CHANGES
+++ b/org.gridsite.core/CHANGES
@@ -1,3 +1,6 @@
+* Tue Oct 12 2010 Andrew McNab
+- Cert serial number now represented as a string
+ rather than an int
 * Wed Sep 1 2010 Andrew McNab
 - Support hashes other than MD5 for VOMS ACs
 to address Bug #72185
diff --git a/org.gridsite.core/interface/gridsite.h b/org.gridsite.core/interface/gridsite.h
index 86acfd0..192264e 100644
--- a/org.gridsite.core/interface/gridsite.h
+++ b/org.gridsite.core/interface/gridsite.h
@@ -168,6 +168,8 @@ struct GRSTasn1TagList { char treecoords[GRST_ASN1_MAXCOORDLEN+1];
 int length;
 int tag; } ;
 
+#define GRST_X509_SERIAL_DIGITS 49
+
 typedef struct { int type; /* CA, user, proxy, VOMS, ... */
 int errors; /* unchecked, bad sig, bad time */
 char *issuer; /* Cert CA DN, EEC of PC, or VOMS DN */
@@ -176,7 +178,7 @@ typedef struct { int type; /* CA, user, proxy, VOMS, ... */
 time_t notbefore;
 time_t notafter;
 int delegation; /* relative to END of any chain */
- int serial;
+ char serial[GRST_X509_SERIAL_DIGITS+1];
 char *ocsp; /* accessLocation field */
 void *raw; /* X509 or VOMS Extension object */
 void *next; } GRSTx509Cert;
diff --git a/org.gridsite.core/src/grst_x509.c b/org.gridsite.core/src/grst_x509.c
index 004c006..cd87369 100644
--- a/org.gridsite.core/src/grst_x509.c
+++ b/org.gridsite.core/src/grst_x509.c
@@ -63,8 +63,6 @@
 #include
 #include
 #include
-#include
-#include
 #endif
 
 #include "gridsite.h"
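Review bot: The new `serial` member of GRSTx509Cert carries no comment, unlike the neighbouring `delegation`, `ocsp` and `raw` fields, and nothing in the header says it is a NUL-terminated decimal string, that it is an inline array rather than a heap pointer like `issuer` and `ocsp`, or what a filler must do when a certificate's serial has more than GRST_X509_SERIAL_DIGITS digits. I would write `char serial[GRST_X509_SERIAL_DIGITS+1]; /* decimal, NUL-terminated; fillers must snprintf() into it and reject or flag values that do not fit */` and, above the define, `/* 49 decimal digits hold any 160-bit value, i.e. the 20-octet serial RFC 5280 allows */` (the 49 presumably comes from that limit; worth confirming). Because the field is an array, assigning an i2s_ASN1_INTEGER() result to it as if it were a pointer cannot compile, so every site that fills it needs a bounded copy plus an OPENSSL_free of the temporary. Non-conforming CAs do issue serials longer than 20 octets, so the overflow case should be documented as a real input, not a theoretical one.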
@@ -250,12 +248,13 @@ static int GRSTx509VerifyVomsSig(time_t *time1_time, time_t *time2_time,
 {
 #define GRST_ASN1_COORDS_VOMS_DN "-1-1-%d-1-3-1-1-1-%%d-1-%%d"
 #define GRST_ASN1_COORDS_VOMS_INFO "-1-1-%d-1"
-#define GRST_ASN1_COORDS_VOMS_HASH "-1-1-%d-2-1"
+#define GRST_ASN1_COORDS_VOMS_HASH "-1-1-%d-2"
 #define GRST_ASN1_COORDS_VOMS_SIG "-1-1-%d-3"
 int ret, ihash, isig, iinfo;
 char *certpath, *certpath2, acvomsdn[200], dn_coords[200],
- info_coords[200], sig_coords[200], hash_coords[200];
- unsigned char *q, *p;
+ info_coords[200], sig_coords[200], hash_coords[200],
+ *p;
+ unsigned char *q;
 DIR *vomsDIR, *vomsDIR2;
 struct dirent *vomsdirent, *vomsdirent2;
 X509 *cert;
@@ -294,15 +293,13 @@ static int GRSTx509VerifyVomsSig(time_t *time1_time, time_t *time2_time,
 p = &asn1string[taglist[ihash].start];
- d2i_ASN1_OBJECT(&hash_obj, (const unsigned char **) &p,
- (long) (taglist[ihash].length+taglist[ihash].headerlength));
-
- if (hash_obj == NULL) return GRST_RET_FAILED;
+ d2i_ASN1_OBJECT(&hash_obj, &p,
+ taglist[ihash].length+taglist[ihash].headerlength);
- md_type = (EVP_MD *) EVP_get_digestbyname(OBJ_nid2sn(OBJ_obj2nid(hash_obj)));
+ md_type = EVP_get_digestbyname(OBJ_nid2sn(OBJ_obj2nid(hash_obj)));
 if (md_type == NULL) return GRST_RET_FAILED;
-
+
 vomsDIR = opendir(vomsdir);
 if (vomsDIR == NULL) return GRST_RET_FAILED;
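Review bot: Dropping `if (hash_obj == NULL) return GRST_RET_FAILED;` after the d2i_ASN1_OBJECT call means a VOMS AC whose hash algorithm identifier does not decode is no longer rejected at that point; the d2i return value is ignored, whether `hash_obj` is initialised before the call is not visible here (GRSTx509VerifyVomsSig starts above the hunk), and the failure now only surfaces if OBJ_obj2nid()/EVP_get_digestbyname() happen to return NULL for whatever `hash_obj` holds. The rewritten call also removes the `(const unsigned char **)` cast while changing `p` from `unsigned char *` to `char *` in the first hunk, so `&p` no longer matches the `const unsigned char **` parameter of d2i_ASN1_OBJECT, and `p` is assigned from `asn1string`, which the old declaration shows is `unsigned char *`. I would keep `p` as `unsigned char *` and write `hash_obj = d2i_ASN1_OBJECT(NULL, (const unsigned char **) &p, taglist[ihash].length+taglist[ihash].headerlength);` followed by the original `if (hash_obj == NULL) return GRST_RET_FAILED;`. The coordinate change from `-1-1-%d-2-1` to `-1-1-%d-2` moves the lookup one level up the ASN.1 tree; if that node is the AlgorithmIdentifier SEQUENCE rather than its OID, d2i_ASN1_OBJECT will fail on the tag, which is exactly the case the removed check used to catch, so the two changes should be re-tested together.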
@@ -663,6 +662,12 @@ static int GRSTx509ChainVomsAdd(GRSTx509Cert **grst_cert,
 
 if (itag > -1)
 {
+ acissuserserialASN1.length = taglist[itag].length;
+ acissuserserialASN1.type = V_ASN1_INTEGER;
+ acissuserserialASN1.data = &asn1string[taglist[itag].start+taglist[itag].headerlength];
+
+ acissuserserial = i2s_ASN1_INTEGER(NULL, acissuerserialASN1);
+/*
 p = &asn1string[taglist[itag].start+taglist[itag].headerlength];
 
 if (taglist[itag].length == 2)
@@ -672,9 +677,10 @@ static int GRSTx509ChainVomsAdd(GRSTx509Cert **grst_cert,
 else if (taglist[itag].length == 4)
 acissuerserial = p[3] + p[2] * 0x100 +
 p[1] * 0x10000 + p[0] * 0x1000000;
+*/
 }
 
- if (acissuerserial != user_cert->serial)
+ if (strcmp(acissuerserial, user_cert->serial) != 0)
 chain_errors |= GRST_CERT_BAD_CHAIN;
 
 /* get times */
@@ -802,9 +808,6 @@ int GRSTx509ChainLoadCheck(GRSTx509Chain **chain,
 int depth = 0; /* Depth of cert chain */
 int chain_errors = 0; /* records previous errors */
 int first_non_ca; /* number of the EEC issued to user by CA */
-// char *ucuserdn = NULL; /* DN of EEC issued to user by CA */
-// char *ucissuerdn = NULL; /* DN of CA that issued EEC issued to user */
-// int ucserial = 0; /* Serial number of EEC issued to user */
 size_t len,len2; /* Lengths of issuer and cert DN */
 int IsCA; /* Holds whether cert is allowed to sign */
 int prevIsCA; /* Holds whether previous cert in chain is
@@ -960,7 +963,7 @@ int GRSTx509ChainLoadCheck(GRSTx509Chain **chain,
 /* NO_CERTSIGN can still be ok due to Proxy Certificates */
 }
 
- new_grst_cert->serial = (int) ASN1_INTEGER_get(
+ new_grst_cert->serial = i2s_ASN1_INTEGER(NULL,
 X509_get_serialNumber(cert));
 new_grst_cert->notbefore = GRSTasn1TimeToTimeT(
 ASN1_STRING_data(X509_get_notBefore(cert)), 0);
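Review bot: The added lines in GRSTx509ChainVomsAdd reference `acissuserserialASN1` and `acissuserserial`, which are not the names declared in the previous hunk (`acissuerserialASN1`, `acissuerserial`), and i2s_ASN1_INTEGER takes an `ASN1_INTEGER *`, so the struct has to be passed as `&acissuerserialASN1`; as written this does not compile. The comparison is also now unsafe: when no serial tag is found `acissuerserial` stays NULL and `strcmp(NULL, ...)` crashes, whereas the old `-1` sentinel quietly set GRST_CERT_BAD_CHAIN, and the string i2s_ASN1_INTEGER returns is never released, which leaks once per AC in the extension. The old 2/3/4-byte arithmetic should be deleted rather than kept under `/* */`. GRSTx509ChainVomsAdd begins and ends outside this hunk; the rewritten serial check follows, on the assumption that nothing after it reads `acissuerserial`.

```c
        if (itag > -1)
          {
            acissuerserialASN1.length = taglist[itag].length;
            acissuerserialASN1.type   = V_ASN1_INTEGER;
            acissuerserialASN1.data   = &asn1string[taglist[itag].start+taglist[itag].headerlength];

            /* i2s_ASN1_INTEGER() wants a pointer and returns a string the
               caller must release with OPENSSL_free(); NULL on failure */
            acissuerserial = i2s_ASN1_INTEGER(NULL, &acissuerserialASN1);
          }

        /* no decodable issuer serial, or one that is not the holder's EEC
           serial, is a broken chain (was the -1 sentinel before) */
        if ((acissuerserial == NULL) ||
            (strcmp(acissuerserial, user_cert->serial) != 0))
          chain_errors |= GRST_CERT_BAD_CHAIN;

        if (acissuerserial != NULL) OPENSSL_free(acissuerserial);
        acissuerserial = NULL;

        /* … unchanged: get times … */
```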
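Review bot: In GRSTx509ChainLoadCheck, `new_grst_cert->serial = i2s_ASN1_INTEGER(NULL, X509_get_serialNumber(cert));` assigns a pointer to what the gridsite.h hunk makes a `char[GRST_X509_SERIAL_DIGITS+1]` array, so it cannot compile, and even with a copy the returned string is never freed and a serial longer than GRST_X509_SERIAL_DIGITS digits has no defined handling. I would go through a temporary (`char *serialstr` added to the function's declarations, which are above this hunk), copy with a bounded snprintf, release the temporary, and flag a value that does not fit instead of silently truncating it; GRST_CERT_BAD_CHAIN is the nearest existing flag but whichever error the callers expect should be used. GRSTx509ChainLoadCheck starts and ends outside this hunk.

```c
            /* serial is a fixed GRST_X509_SERIAL_DIGITS+1 array: copy the
               decimal form in, and treat a value that does not fit as an
               error rather than truncating it */
            serialstr = i2s_ASN1_INTEGER(NULL, X509_get_serialNumber(cert));
            if ((serialstr == NULL) ||
                (strlen(serialstr) > GRST_X509_SERIAL_DIGITS))
              {
                new_grst_cert->serial[0] = '\0';
                new_grst_cert->errors |= GRST_CERT_BAD_CHAIN;
              }
            else
              snprintf(new_grst_cert->serial, sizeof(new_grst_cert->serial),
                       "%s", serialstr);
            if (serialstr != NULL) OPENSSL_free(serialstr);

            /* … unchanged: notbefore / notafter … */
```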
@@ -1285,7 +1288,7 @@ int GRSTx509VerifyCallback (int ok, X509_STORE_CTX *ctx)
 int GRSTx509ParseVomsExt(int *lastcred, int maxcreds, size_t credlen,
 char *creds, time_t time1_time, time_t time2_time,
 X509_EXTENSION *ex,
- char *ucuserdn, char *ucissuerdn, int ucserial,
+ char *ucuserdn, char *ucissuerdn, char *ucserial,
 char *vomsdir)
 ///
 /// Puts any VOMS credentials found into the Compact Creds string array
@@ -1303,9 +1306,11 @@ int GRSTx509ParseVomsExt(int *lastcred, int maxcreds, size_t credlen,
 time2_coords[200], serial_coords[200];
 unsigned char *p;
 long asn1length;
- int lasttag=-1, itag, i, acnumber = 1, acissuerserial = -1;
+ int lasttag=-1, itag, i, acnumber = 1,
+ char *acissuerserial = NULL;
 struct GRSTasn1TagList taglist[MAXTAG+1];
 time_t actime1, actime2, time_now;
+ ASN1_INTEGER acissuerserialASN1;
 
 asn1data = X509_EXTENSION_get_data(ex);
 asn1string = ASN1_STRING_data(asn1data);
@@ -1334,8 +1339,14 @@ int GRSTx509ParseVomsExt(int *lastcred, int maxcreds, size_t credlen,
 
 if (itag > -1)
 {
+ acissuserserialASN1.length = taglist[itag].length;
+ acissuserserialASN1.type = V_ASN1_INTEGER;
+ acissuserserialASN1.data = &asn1string[taglist[itag].start+taglist[itag].headerlength];
+
+ acissuserserial = i2s_ASN1_INTEGER(NULL, acissuerserialASN1);
+/*
 p = &asn1string[taglist[itag].start+taglist[itag].headerlength];
-
+
 if (taglist[itag].length == 2)
 acissuerserial = p[1] + p[0] * 0x100;
 else if (taglist[itag].length == 3)
@@ -1343,9 +1354,10 @@ int GRSTx509ParseVomsExt(int *lastcred, int maxcreds, size_t credlen,
 else if (taglist[itag].length == 4)
 acissuerserial = p[3] + p[2] * 0x100 +
 p[1] * 0x10000 + p[0] * 0x1000000;
+*/
 }
 
- if (acissuerserial != ucserial) continue;
+ if (strcmp(acissuerserial, ucserial) != 0) continue;
 
 if (GRSTx509VerifyVomsSig(&time1_time, &time2_time,
 asn1string, taglist, lasttag, vomsdir, acnumber)
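Review bot: `int lasttag=-1, itag, i, acnumber = 1,` ends in a comma instead of a semicolon, so the following `char *acissuerserial = NULL;` is parsed as a continuation of the int declaration and the file does not compile. The fix is the one character, `int lasttag=-1, itag, i, acnumber = 1;`, keeping `char *acissuerserial = NULL;` as its own declaration. The declarations of GRSTx509ParseVomsExt continue outside this hunk.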
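Review bot: The block under `if (itag > -1)` in GRSTx509ParseVomsExt uses the misspelt `acissuserserialASN1`/`acissuserserial` instead of the declared `acissuerserialASN1`/`acissuerserial`, and passes the struct by value to i2s_ASN1_INTEGER, which takes an `ASN1_INTEGER *`; none of this compiles. Once it does, `if (strcmp(acissuerserial, ucserial) != 0) continue;` dereferences a NULL `acissuerserial` for any AC that carries no decodable issuer serial (the old `-1 != ucserial` test just skipped it), and the string i2s_ASN1_INTEGER returns is never released on either the skip or the match path, so every AC in the extension leaks one allocation. The commented-out byte arithmetic should be removed rather than kept under `/* */`. GRSTx509ParseVomsExt starts and ends outside this hunk; the rewrite below assumes nothing after the comparison reads `acissuerserial`.

```c
        if (itag > -1)
          {
            acissuerserialASN1.length = taglist[itag].length;
            acissuerserialASN1.type   = V_ASN1_INTEGER;
            acissuerserialASN1.data   = &asn1string[taglist[itag].start+taglist[itag].headerlength];

            /* returns an OPENSSL_free()-able decimal string, or NULL */
            acissuerserial = i2s_ASN1_INTEGER(NULL, &acissuerserialASN1);
          }

        /* skip ACs whose issuer serial is missing or is not the holder's EEC serial */
        if ((acissuerserial == NULL) || (strcmp(acissuerserial, ucserial) != 0))
          {
            if (acissuerserial != NULL) OPENSSL_free(acissuerserial);
            acissuerserial = NULL;
            continue;
          }

        OPENSSL_free(acissuerserial);
        acissuerserial = NULL;

        /* … unchanged: GRSTx509VerifyVomsSig() and credential extraction … */
```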
@@ -1402,8 +1414,8 @@ int GRSTx509GetVomsCreds(int *lastcred, int maxcreds, size_t credlen,
 /// Puts any VOMS credentials found into the Compact Creds string array
 /// starting at *creds. Always returns GRST_RET_OK.
 {
- int i, j, ucserial;
- char s[80];
+ int i, j;
+ char s[80], *ucserial;
 unsigned char *ucuser, *ucissuer;
 X509_EXTENSION *ex;
 ASN1_STRING *asn1str;
@@ -1418,7 +1430,7 @@ int GRSTx509GetVomsCreds(int *lastcred, int maxcreds, size_t credlen,
 X509_NAME_oneline(X509_get_subject_name(usercert), NULL, 0);
 ucissuer = X509_NAME_oneline(X509_get_issuer_name(usercert), NULL, 0);
 
- ucserial = (int) ASN1_INTEGER_get(X509_get_serialNumber(usercert));
+ ucserial = i2s_ASN1_INTEGER(X509_get_serialNumber(usercert)));
 
 for (j=sk_X509_num(certstack)-1; j >= 0; --j)
 {
diff --git a/org.gridsite.core/src/htproxyput.c b/org.gridsite.core/src/htproxyput.c
index f6368f3..dea36fd 100644
--- a/org.gridsite.core/src/htproxyput.c
+++ b/org.gridsite.core/src/htproxyput.c
@@ -666,7 +666,7 @@ int main(int argc, char *argv[])
 }
 else
 {
- printf(" Serial : %d\n", grst_cert->serial);
+ printf(" Serial : %s\n", grst_cert->serial);
 printf(" Issuer : %s\n\n", grst_cert->issuer);
 }
 }
diff --git a/org.gridsite.core/src/mod_gridsite.c b/org.gridsite.core/src/mod_gridsite.c
index 2843116..453b115 100644
--- a/org.gridsite.core/src/mod_gridsite.c
+++ b/org.gridsite.core/src/mod_gridsite.c
@@ -1,5 +1,5 @@
 /*
- Copyright (c) 2003-9, Andrew McNab, Shiv Kaushal, Joseph Dada,
+ Copyright (c) 2003-10, Andrew McNab, Shiv Kaushal, Joseph Dada,
 and Yibiao Li, University of Manchester. All rights reserved.
 
 Redistribution and use in source and binary forms, with or
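Review bot: `ucserial = i2s_ASN1_INTEGER(X509_get_serialNumber(usercert)));` in GRSTx509GetVomsCreds is missing the method argument and has one closing parenthesis too many, so this hunk does not compile; it should read `ucserial = i2s_ASN1_INTEGER(NULL, X509_get_serialNumber(usercert));`. Because `ucserial` is now a heap string that GRSTx509ParseVomsExt hands straight to strcmp(), it also needs a NULL check before the certstack loop (`if (ucserial == NULL) return GRST_RET_OK;`, together with whatever cleanup `ucuser` and `ucissuer` receive, which is outside this hunk) and an `OPENSSL_free(ucserial);` once the loop is finished. No release of `ucserial` is visible in the hunk and the end of GRSTx509GetVomsCreds lies beyond it, so that needs checking in the full function.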
@@ -3667,13 +3667,14 @@ int GRST_ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c)
 if (!ASN1_INTEGER_cmp(sn, X509_get_serialNumber(cert))) {
 if (s->loglevel >= APLOG_DEBUG) {
 char *cp = X509_NAME_oneline(issuer, NULL, 0);
- long serial = ASN1_INTEGER_get(sn);
+ char *serial = i2s_ASN1_INTEGER(NULL,ASN1_INTEGER_get(sn));
 ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
- "Certificate with serial %ld (0x%lX) "
+ "Certificate with serial %s "
 "revoked per CRL from issuer %s",
- serial, serial, cp);
+ serial, cp);
 OPENSSL_free(cp);
+ free(serial);
 }
 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);
-- 
1.8.2.3
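Review bot: `i2s_ASN1_INTEGER(NULL,ASN1_INTEGER_get(sn))` passes the `long` from ASN1_INTEGER_get() where i2s_ASN1_INTEGER expects an `ASN1_INTEGER *`, which is an invalid conversion and reintroduces the very truncation to `long` that switching to a string is meant to remove; `sn` is already the ASN1_INTEGER, so the line should be `char *serial = i2s_ASN1_INTEGER(NULL, sn);`. The returned buffer is allocated by OpenSSL and must be released with `OPENSSL_free(serial);`, matching the `OPENSSL_free(cp);` on the line above, rather than libc `free()`, which mismatches allocators whenever OpenSSL is built with its own malloc hooks. A NULL return also reaches the `%s` unguarded; `serial ? serial : "?"` in the ap_log_error argument list keeps the log line well-formed. GRST_ssl_callback_SSLVerify_CRL extends beyond this hunk on both sides.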