From 4f1b7b3b5c454178f26c25097f7a941001e2d26a Mon Sep 17 00:00:00 2001 From: Andrew McNab Date: Tue, 11 Oct 2005 15:18:26 +0000 Subject: [PATCH] Multiple ACs per X.509 AC extension --- org.gridsite.core/CHANGES | 3 + org.gridsite.core/src/Makefile | 2 +- org.gridsite.core/src/grst_asn1.c | 4 +- org.gridsite.core/src/grst_x509.c | 111 ++++++++++++++++++++--------------- org.gridsite.core/src/htcp | Bin 49931 -> 49931 bytes org.gridsite.core/src/mod_gridsite.c | 15 ++--- org.gridsite.core/src/showx509exts.c | 24 ++++++-- 7 files changed, 98 insertions(+), 61 deletions(-) diff --git a/org.gridsite.core/CHANGES b/org.gridsite.core/CHANGES index ad7a15d..50989db 100644 --- a/org.gridsite.core/CHANGES +++ b/org.gridsite.core/CHANGES @@ -1,3 +1,6 @@ +* Tue Oct 11 2005 Andrew McNab +- Modify VOMS AC parsing to handle multiple ACs inside + the same X.509 AC extension. * Mon Oct 10 2005 Andrew McNab - ==== GridSite version 1.1.13 ==== * Mon Oct 10 2005 Andrew McNab diff --git a/org.gridsite.core/src/Makefile b/org.gridsite.core/src/Makefile index 05349b2..a465cf4 100644 --- a/org.gridsite.core/src/Makefile +++ b/org.gridsite.core/src/Makefile @@ -193,7 +193,7 @@ showx509exts: showx509exts.c libgridsite.a -o showx509exts showx509exts.c -L. \ -I/usr/kerberos/include \ -lgridsite \ - -lssl -lcrypto + -lssl -lcrypto -lxml2 -lz -lm apidoc: doxygen Doxyfile diff --git a/org.gridsite.core/src/grst_asn1.c b/org.gridsite.core/src/grst_asn1.c index e47c143..87dc5b0 100644 --- a/org.gridsite.core/src/grst_asn1.c +++ b/org.gridsite.core/src/grst_asn1.c @@ -469,7 +469,7 @@ int GRSTasn1GetX509Name(char *x509name, int maxlength, char *coords, ASN1_OBJECT *obj = NULL; unsigned char coordstmp[81], *q; const unsigned char *shortname; - + for (i=1; ; ++i) { sprintf(coordstmp, coords, i, 1); @@ -502,5 +502,5 @@ int GRSTasn1GetX509Name(char *x509name, int maxlength, char *coords, x509name[len] = '\0'; - return GRST_RET_OK; + return (x509name[0] != '\0') ? GRST_RET_OK : GRST_RET_FAILED; } 
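Review bot: In the hunk at line 469 of grst_asn1.c the context line `sprintf(coordstmp, coords, i, 1);` writes a caller-supplied coordinate format into the 81-byte `coordstmp` with no bound, and the callers changed by this patch now build those formats in 200-byte `dn_coords` buffers, so the buffer can no longer be assumed to be the larger of the two; `snprintf(coordstmp, sizeof(coordstmp), coords, i, 1);` removes the dependency on the formats staying short. The new return at the end of GRSTasn1GetX509Name, `return (x509name[0] != '\0') ? GRST_RET_OK : GRST_RET_FAILED;`, turns an empty name into a failure, and the new per-AC loop in grst_x509.c uses exactly that to stop iterating, so the contract deserves a comment: `/* An empty name is reported as failure; callers use this to detect that no AC exists at the given coordinates. */`. Most of GRSTasn1GetX509Name's body lies outside these two hunks.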
diff --git a/org.gridsite.core/src/grst_x509.c b/org.gridsite.core/src/grst_x509.c index 00caa61..a1312f4 100644 --- a/org.gridsite.core/src/grst_x509.c +++ b/org.gridsite.core/src/grst_x509.c @@ -374,13 +374,14 @@ static int GRSTx509VerifyVomsSig(time_t *time1_time, time_t *time2_time, unsigned char *asn1string, struct GRSTasn1TagList taglist[], int lasttag, - char *vomsdir) + char *vomsdir, int acnumber) { -#define GRST_ASN1_COORDS_VOMS_DN "-1-1-1-1-3-1-1-1-%d-1-%d" -#define GRST_ASN1_COORDS_VOMS_INFO "-1-1-1-1" -#define GRST_ASN1_COORDS_VOMS_SIG "-1-1-1-3" +#define GRST_ASN1_COORDS_VOMS_DN "-1-1-%d-1-3-1-1-1-%%d-1-%%d" +#define GRST_ASN1_COORDS_VOMS_INFO "-1-1-%d-1" +#define GRST_ASN1_COORDS_VOMS_SIG "-1-1-%d-3" int ret, isig, iinfo; - char *certpath, acvomsdn[200]; + char *certpath, acvomsdn[200], dn_coords[200], + info_coords[200], sig_coords[200]; unsigned char *q; DIR *vomsDIR; struct dirent *vomsdirent; @@ -391,13 +392,20 @@ static int GRSTx509VerifyVomsSig(time_t *time1_time, time_t *time2_time, time_t voms_service_time1, voms_service_time2; if ((vomsdir == NULL) || (vomsdir[0] == '\0')) return GRST_RET_FAILED; + + snprintf(dn_coords, sizeof(dn_coords), + GRST_ASN1_COORDS_VOMS_DN, acnumber); - if (GRSTasn1GetX509Name(acvomsdn, sizeof(acvomsdn), - GRST_ASN1_COORDS_VOMS_DN, + if (GRSTasn1GetX509Name(acvomsdn, sizeof(acvomsdn), dn_coords, asn1string, taglist, lasttag) != GRST_RET_OK) return GRST_RET_FAILED; - iinfo = GRSTasn1SearchTaglist(taglist, lasttag, GRST_ASN1_COORDS_VOMS_INFO); - isig = GRSTasn1SearchTaglist(taglist, lasttag, GRST_ASN1_COORDS_VOMS_SIG); + snprintf(info_coords, sizeof(info_coords), + GRST_ASN1_COORDS_VOMS_INFO, acnumber); + iinfo = GRSTasn1SearchTaglist(taglist, lasttag, info_coords); + + snprintf(sig_coords, sizeof(sig_coords), + GRST_ASN1_COORDS_VOMS_SIG, acnumber); + isig = GRSTasn1SearchTaglist(taglist, lasttag, sig_coords); if ((iinfo < 0) || (isig < 0)) return GRST_RET_FAILED; 
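Review bot: The new `acnumber` parameter of GRSTx509VerifyVomsSig and the doubled `%%d` in GRST_ASN1_COORDS_VOMS_DN are not explained anywhere in the hunk, and the double escaping is easy to break: `dn_coords` is produced by one snprintf and then consumed again as a printf format inside GRSTasn1GetX509Name, which is why the DN template must keep literal `%d` placeholders after the first expansion. A comment on the define such as `/* acnumber is substituted here; the remaining %%d are left for GRSTasn1GetX509Name's own sprintf */` and a note on the parameter, `acnumber: 1-based position of the AC inside the extension, used as the third ASN.1 coordinate`, would make the scheme maintainable. The three `snprintf` calls into 200-byte buffers are not checked for truncation; the templates are far shorter than that, so this is fine today, but a single `if (ret >= sizeof(dn_coords)) return GRST_RET_FAILED;` style check would make that explicit. The function's signature-checking body continues past the end of the hunk.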
@@ -479,7 +487,8 @@ static int GRSTx509VerifyVomsSig(time_t *time1_time, time_t *time2_time, /// Get the VOMS attributes in the given extension /* * Puts any VOMS credentials found into the Compact Creds string array - * starting at *creds. Always returns GRST_RET_OK. + * starting at *creds. Always returns GRST_RET_OK - even for invalid + * credentials, which are just ignored. */ int GRSTx509ParseVomsExt(int *lastcred, int maxcreds, size_t credlen, @@ -487,14 +496,16 @@ int GRSTx509ParseVomsExt(int *lastcred, int maxcreds, size_t credlen, X509_EXTENSION *ex, char *ucuserdn, char *vomsdir) { #define MAXTAG 500 -#define GRST_ASN1_COORDS_FQAN "-1-1-1-1-7-1-2-1-2-%d" -#define GRST_ASN1_COORDS_USER_DN "-1-1-1-1-2-1-1-1-1-%d-1-%d" -#define GRST_ASN1_COORDS_TIME1 "-1-1-1-1-6-1" -#define GRST_ASN1_COORDS_TIME2 "-1-1-1-1-6-2" +#define GRST_ASN1_COORDS_FQAN "-1-1-%d-1-7-1-2-1-2-%d" +#define GRST_ASN1_COORDS_USER_DN "-1-1-%d-1-2-1-1-1-1-%%d-1-%%d" +#define GRST_ASN1_COORDS_TIME1 "-1-1-%d-1-6-1" +#define GRST_ASN1_COORDS_TIME2 "-1-1-%d-1-6-2" ASN1_OCTET_STRING *asn1data; - char *asn1string, s[81], acuserdn[200], acvomsdn[200]; + char *asn1string, acuserdn[200], acvomsdn[200], + dn_coords[200], fqan_coords[200], time1_coords[200], + time2_coords[200]; long asn1length; - int lasttag=-1, itag, i; + int lasttag=-1, itag, i, acnumber = 1; struct GRSTasn1TagList taglist[MAXTAG+1]; time_t actime1, actime2, time_now; 
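Review bot: The updated header comment "Always returns GRST_RET_OK - even for invalid credentials, which are just ignored" leaves the caller with no way to tell "the extension carried no usable VOMS AC" from "every AC failed signature or expiry checks", which matters when an admin is debugging why a VOMS-authorised request was refused; the comment should at least say that `*lastcred` is the only output and that rejected ACs are silent, e.g. `/* Rejected ACs (wrong holder DN, bad VOMS signature, outside validity) produce no entry in creds and no error; check *lastcred to see whether anything was accepted. */`. In the hunk at line 496 the declaration `int lasttag=-1, itag, i, acnumber = 1;` initialises acnumber, but the loop in the next hunk reassigns it with `for (acnumber = 1; ...)`, so one of the two initialisers is redundant. The function's parameters and its opening lines are outside this hunk.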
@@ -504,52 +515,58 @@ int GRSTx509ParseVomsExt(int *lastcred, int maxcreds, size_t credlen, GRSTasn1ParseDump(NULL, asn1string, asn1length, taglist, MAXTAG, &lasttag); - GRSTasn1GetX509Name(acuserdn, sizeof(acuserdn), GRST_ASN1_COORDS_USER_DN, - asn1string, taglist, lasttag); - if (GRSTx509NameCmp(ucuserdn, acuserdn) != 0) return GRST_RET_FAILED; + for (acnumber = 1; ; ++acnumber) /* go through ACs one by one */ + { + snprintf(dn_coords, sizeof(dn_coords), GRST_ASN1_COORDS_USER_DN, acnumber); + if (GRSTasn1GetX509Name(acuserdn, sizeof(acuserdn), dn_coords, + asn1string, taglist, lasttag) != GRST_RET_OK) break; - if (GRSTx509VerifyVomsSig(&time1_time, &time2_time, - asn1string, taglist, lasttag, vomsdir) - != GRST_RET_OK) return GRST_RET_FAILED; + if (GRSTx509NameCmp(ucuserdn, acuserdn) != 0) continue; - itag = GRSTasn1SearchTaglist(taglist, lasttag, GRST_ASN1_COORDS_TIME1); - actime1 = GRSTasn1TimeToTimeT(&asn1string[taglist[itag].start+ - taglist[itag].headerlength], - taglist[itag].length); - if (actime1 > time1_time) time1_time = actime1; + if (GRSTx509VerifyVomsSig(&time1_time, &time2_time, + asn1string, taglist, lasttag, vomsdir, acnumber) + != GRST_RET_OK) continue; - itag = GRSTasn1SearchTaglist(taglist, lasttag, GRST_ASN1_COORDS_TIME2); - actime2 = GRSTasn1TimeToTimeT(&asn1string[taglist[itag].start+ + snprintf(time1_coords, sizeof(time1_coords), GRST_ASN1_COORDS_TIME1, acnumber); + itag = GRSTasn1SearchTaglist(taglist, lasttag, time1_coords); + actime1 = GRSTasn1TimeToTimeT(&asn1string[taglist[itag].start+ taglist[itag].headerlength], taglist[itag].length); - if (actime2 < time2_time) time2_time = actime2; + if (actime1 > time1_time) time1_time = actime1; - time(&time_now); - if ((time1_time > time_now) || (time2_time < time_now)) - return GRST_RET_OK; /* expiration isnt invalidity ...? 
*/ + snprintf(time2_coords, sizeof(time2_coords), GRST_ASN1_COORDS_TIME2, acnumber); + itag = GRSTasn1SearchTaglist(taglist, lasttag, time2_coords); + actime2 = GRSTasn1TimeToTimeT(&asn1string[taglist[itag].start+ + taglist[itag].headerlength], + taglist[itag].length); + if (actime2 < time2_time) time2_time = actime2; - for (i=1; ; ++i) - { - sprintf(s, GRST_ASN1_COORDS_FQAN, i); - itag = GRSTasn1SearchTaglist(taglist, lasttag, s); + time(&time_now); + if ((time1_time > time_now) || (time2_time < time_now)) + continue; /* expiration isnt invalidity ...? */ - if (itag > -1) - { - if (*lastcred < maxcreds - 1) - { - ++(*lastcred); + for (i=1; ; ++i) + { + snprintf(fqan_coords, sizeof(fqan_coords), GRST_ASN1_COORDS_FQAN, acnumber, i); + itag = GRSTasn1SearchTaglist(taglist, lasttag, fqan_coords); - snprintf(&creds[*lastcred * (credlen + 1)], credlen+1, + if (itag > -1) + { + if (*lastcred < maxcreds - 1) + { + ++(*lastcred); + snprintf(&creds[*lastcred * (credlen + 1)], credlen+1, "VOMS %010lu %010lu 0 %.*s", time1_time, time2_time, taglist[itag].length, &asn1string[taglist[itag].start+ taglist[itag].headerlength]); - } - } - else break; + } + } + else break; + } } - + return GRST_RET_OK; } diff --git a/org.gridsite.core/src/htcp b/org.gridsite.core/src/htcp index 1b8ab8a30b20ab85b9832024d85919c789a90807..a2950e137dd84a7dee2849ee1e971b851e934ed7 100644 GIT binary patch delta 16 XcmeBfWA1Ka-taq}(RlNpbpB`nJADT4 delta 16 XcmeBfWA1Ka-taq}(P;CZbpB`nJ9h@| diff --git a/org.gridsite.core/src/mod_gridsite.c b/org.gridsite.core/src/mod_gridsite.c index 1d77bc3..2d0a47b 100644 --- a/org.gridsite.core/src/mod_gridsite.c +++ b/org.gridsite.core/src/mod_gridsite.c 
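Review bot: In the new per-AC loop the validity window is narrowed cumulatively across ACs: `if (actime1 > time1_time) time1_time = actime1;` and `if (actime2 < time2_time) time2_time = actime2;` modify the function's own `time1_time`/`time2_time`, and the `continue` on an expired AC happens after the narrowing, so once AC #1 has clamped `time2_time` below `time_now`, AC #2 is rejected too regardless of its own validity (unless GRSTx509VerifyVomsSig, whose body is outside this hunk, resets both values on every call — worth confirming). Because the window only ever shrinks this fails closed rather than open, but it silently drops legitimate ACs that follow an expired one. Separately, the two `itag = GRSTasn1SearchTaglist(...)` results for TIME1 and TIME2 are used as `taglist[itag]` without checking for -1, so a signed AC that lacks a validity field reads `taglist[-1]`; the FQAN loop below already guards with `if (itag > -1)`, and the time lookups should do the same. Per-AC copies of the window plus the two guards fix both, and the closing `}` of GRSTx509ParseVomsExt is inside this hunk while its opening is not.
```c
   for (acnumber = 1; ; ++acnumber) /* go through ACs one by one */
      {
        /* … unchanged: holder DN lookup and GRSTx509NameCmp … */

        /* per-AC copy of the caller's window, so one expired AC
           cannot clamp the window seen by the ACs after it */
        time_t ac_time1 = time1_time, ac_time2 = time2_time;

        if (GRSTx509VerifyVomsSig(&ac_time1, &ac_time2,
                     asn1string, taglist, lasttag, vomsdir, acnumber)
            != GRST_RET_OK) continue;

        snprintf(time1_coords, sizeof(time1_coords), GRST_ASN1_COORDS_TIME1, acnumber);
        itag = GRSTasn1SearchTaglist(taglist, lasttag, time1_coords);
        if (itag < 0) continue; /* signed but malformed AC: no notBefore */
        actime1 = GRSTasn1TimeToTimeT(&asn1string[taglist[itag].start+
                                                  taglist[itag].headerlength],
                                      taglist[itag].length);
        if (actime1 > ac_time1) ac_time1 = actime1;

        snprintf(time2_coords, sizeof(time2_coords), GRST_ASN1_COORDS_TIME2, acnumber);
        itag = GRSTasn1SearchTaglist(taglist, lasttag, time2_coords);
        if (itag < 0) continue; /* signed but malformed AC: no notAfter */
        actime2 = GRSTasn1TimeToTimeT(&asn1string[taglist[itag].start+
                                                  taglist[itag].headerlength],
                                      taglist[itag].length);
        if (actime2 < ac_time2) ac_time2 = actime2;

        time(&time_now);
        if ((ac_time1 > time_now) || (ac_time2 < time_now)) continue;

        /* … unchanged: FQAN loop, but formatting ac_time1 / ac_time2
           instead of time1_time / time2_time into the creds entry … */
      }
```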
@@ -2139,7 +2139,7 @@ static int mod_gridsite_perm_handler(request_rec *r) */ { int retcode = DECLINED, i, n, file_is_acl = 0, - destination_is_acl = 0; + destination_is_acl = 0, proxylevel; char *dn, *p, envname[14], *grst_cred_0 = NULL, *dir_path, *remotehost, s[99], *grst_cred_i, *cookies, *file, *gridauthonetime = NULL, *cookiefile, oneline[1025], *key_i, @@ -2186,18 +2186,19 @@ static int mod_gridsite_perm_handler(request_rec *r) GRST_creds_to_conn(r->connection, certstack, peercert); } + proxylevel = ((mod_gridsite_dir_cfg *) cfg)->gsiproxylimit + 1; + if ((user == NULL) && (r->connection->notes != NULL) && ((grst_cred_0 = (char *) - apr_table_get(r->connection->notes, "GRST_CRED_0")) != NULL)) + apr_table_get(r->connection->notes, "GRST_CRED_0")) != NULL) && + (sscanf(grst_cred_0, "X509USER %*d %*d %d ", &proxylevel) == 1) && + (proxylevel <= ((mod_gridsite_dir_cfg *) cfg)->gsiproxylimit)) { - if (((mod_gridsite_dir_cfg *) cfg)->envs) - apr_table_setn(env, "GRST_CRED_0", grst_cred_0); + apr_table_setn(env, "GRST_CRED_0", grst_cred_0); cred_0 = GRSTx509CompactToCred(grst_cred_0); - if ((cred_0 != NULL) && - (GRSTgaclCredGetDelegation(cred_0) - <= ((mod_gridsite_dir_cfg *) cfg)->gsiproxylimit)) + if (cred_0 != NULL) { ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "Using identity %s from SSL/TLS", grst_cred_0); diff --git a/org.gridsite.core/src/showx509exts.c b/org.gridsite.core/src/showx509exts.c index d37dff4..86f0290 100644 --- a/org.gridsite.core/src/showx509exts.c +++ b/org.gridsite.core/src/showx509exts.c @@ -53,7 +53,7 @@ main() lasttag=-1; ex = X509_get_ext(cert, i); - + OBJ_obj2txt(s, sizeof(s), X509_EXTENSION_get_object(ex), 1); printf("%d OID=%s\n", i, s); @@ -73,8 +73,10 @@ main() ASN1_OBJECT *obj = NULL; const EVP_MD *m; EVP_MD_CTX ctx; + char creds[501][101]; + int lastcred = -1; - itag = GRSTasn1SearchTaglist(taglist, &lasttag, + itag = GRSTasn1SearchTaglist(taglist, lasttag, "-1-1-1-1-2-1-1-1-1-1-1-1"); X509_NAME *xname; 
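Review bot: In the hunk at line 2186 of mod_gridsite.c the removed lines `if (((mod_gridsite_dir_cfg *) cfg)->envs) apr_table_setn(env, "GRST_CRED_0", grst_cred_0);` are replaced by an unconditional `apr_table_setn(env, "GRST_CRED_0", grst_cred_0);`, so the credential string is now exported into the request environment (and from there to CGI/SSI) even when the directory configuration has environment export switched off; nothing in the commit message or CHANGES describes this, so it looks accidental and the `envs` guard should be restored. The new delegation check pre-sets `proxylevel = gsiproxylimit + 1` and then requires `sscanf(grst_cred_0, "X509USER %*d %*d %d ", &proxylevel) == 1` in the same condition, which fails closed when the string does not parse; that intent is worth a comment, `/* start above the limit so an unparsable GRST_CRED_0 can never pass the proxy-level test */`. The check now depends on the textual layout of the compact credential rather than on GRSTgaclCredGetDelegation(), so any change to that format must keep the fourth field as the delegation depth. mod_gridsite_perm_handler continues well past the end of this hunk.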
@@ -91,10 +93,24 @@ main() printf("n=%d dn=%s obj2txt=%s\n", n, dn, OBJ_obj2txt(NULL,0,obj,1)); - GRSTasn1GetX509Name(buf, 99, "-1-1-1-1-2-1-1-1-1-%d-1-%d", p1, taglist, &lasttag); + GRSTasn1GetX509Name(buf, 99, "-1-1-1-1-2-1-1-1-1-%d-1-%d", + p1, taglist, lasttag); printf("%s\n", buf); - GRSTasn1GetX509Name(buf, 99, "-1-1-1-1-3-1-1-1-%d-1-%d", p1, taglist, &lasttag); + GRSTasn1GetX509Name(buf, 99, "-1-1-1-1-3-1-1-1-%d-1-%d", + p1, taglist, lasttag); printf("%s\n", buf); + + lastcred = -1; + ret = GRSTx509ParseVomsExt(&lastcred, 500, 100, creds, 0, 2000040861, + ex, + "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab", + "/etc/grid-security/vomsdir"); + + + printf("GRSTx509ParseVomsExt() returns %d, %d\n", ret, lastcred); + + for (j=0; j <= lastcred; ++j) + printf("cred=%d %s\n", j, creds[j]); /* m = EVP_md5(); -- 1.8.2.3
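Review bot: The new GRSTx509ParseVomsExt call in showx509exts.c hard-codes the holder DN `"/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab"`, so for any other certificate the holder comparison inside the parser rejects every AC and the tool prints `GRSTx509ParseVomsExt() returns 0, -1` with no hint why; since `cert` is already in scope, taking the subject from it, e.g. `X509_NAME_oneline(X509_get_subject_name(cert), subject, sizeof(subject));` and passing `subject`, makes the tool usable on any proxy. The `/etc/grid-security/vomsdir` path is similarly fixed and could be read from an environment variable or argument. The `ret` and `j` variables used here are not declared in the visible hunk, so whether they exist in the enclosing block cannot be confirmed from this view. The `GRSTasn1GetX509Name` calls still discard their return value, which after this patch reports an empty name as failure; for a diagnostic tool that is acceptable but a short comment noting it is intentional would help.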