From c9787288847f0ebe0babbdc43584f70eb719b72b Mon Sep 17 00:00:00 2001 From: Andrew McNab Date: Mon, 30 Nov 2009 03:56:51 +0000 Subject: [PATCH] Sync --- org.gridsite.core/interface/gridsite.h | 3 +- org.gridsite.core/src/grst_x509.c | 97 +++++++++++++++++++++++----------- 2 files changed, 67 insertions(+), 33 deletions(-) diff --git a/org.gridsite.core/interface/gridsite.h b/org.gridsite.core/interface/gridsite.h index 772eeeb..8b60bd7 100644 --- a/org.gridsite.core/interface/gridsite.h +++ b/org.gridsite.core/interface/gridsite.h @@ -145,7 +145,8 @@ typedef struct { GRSTgaclCred *firstcred; char *dnlists; } GRSTgaclUser; #define GRST_PROXYCERTINFO_OID "1.3.6.1.5.5.7.1.14" #define GRST_VOMS_OID "1.3.6.1.4.1.8005.100.100.5" #define GRST_VOMS_DIR "/etc/grid-security/vomsdir" - +#define GRST_KEYUSAGE_OID "2.5.29.15" + #define GRST_ASN1_MAXCOORDLEN 50 #define GRST_ASN1_MAXTAGS 500 diff --git a/org.gridsite.core/src/grst_x509.c b/org.gridsite.core/src/grst_x509.c index f2d856a..351cd23 100644 --- a/org.gridsite.core/src/grst_x509.c +++ b/org.gridsite.core/src/grst_x509.c @@ -1607,7 +1607,14 @@ int GRSTx509MakeProxyCert(char **proxychain, FILE *debugfp, /// errors are output to that file pointer. The proxy will expired in /// the given number of minutes starting from the current time. { - char *ptr, *certchain; + char *ptr, *certchain, s[41]; + static unsigned char pci_str[] = { 0x30, 0x0c, 0x30, 0x0a, 0x06, 0x08, + 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x15, 0x01, 0 }, + kyu_str[] = { 0x03, 0x02, 0x03, + X509v3_KU_DIGITAL_SIGNATURE | + X509v3_KU_KEY_ENCIPHERMENT | + X509v3_KU_KEY_AGREEMENT, + 0 }; int i, ncerts, any_rfc_proxies = 0; long serial = 1234, ptrlen; EVP_PKEY *pkey, *CApkey; @@ -1616,8 +1623,9 @@ int GRSTx509MakeProxyCert(char **proxychain, FILE *debugfp, X509_REQ *req; X509_NAME *name, *CAsubject, *newsubject; X509_NAME_ENTRY *ent; - ASN1_OBJECT *pcinfo_obj = NULL; - X509_EXTENSION *ex; + ASN1_OBJECT *pci_obj = NULL, *kyu_obj; + ASN1_OCTET_STRING *pci_oct, *kyu_oct; + X509_EXTENSION *pci_ex, *kyu_ex; FILE *fp; BIO *reqmem, *certmem; time_t notAfter; @@ -1736,7 +1744,7 @@ int GRSTx509MakeProxyCert(char **proxychain, FILE *debugfp, return GRST_RET_FAILED; } - ASN1_INTEGER_set(X509_get_serialNumber(certs[0]), serial++); + ASN1_INTEGER_set(X509_get_serialNumber(certs[0]), (long) time(NULL)); if (!(name = X509_get_subject_name(certs[1]))) { @@ -1756,26 +1764,6 @@ int GRSTx509MakeProxyCert(char **proxychain, FILE *debugfp, return GRST_RET_FAILED; } - /* set issuer and subject name of the cert from the req and the CA */ - ent = X509_NAME_ENTRY_create_by_NID(NULL, OBJ_txt2nid("commonName"), - MBSTRING_ASC, "proxy", -1); - - newsubject = X509_NAME_dup(CAsubject); - - X509_NAME_add_entry(newsubject, ent, -1, 0); - - if (X509_set_subject_name(certs[0], newsubject) != 1) - { - mpcerror(debugfp, - "GRSTx509MakeProxyCert(): error setting subject name of certificate\n"); - - X509_REQ_free(req); - return GRST_RET_FAILED; - } - - X509_NAME_free(newsubject); - X509_NAME_ENTRY_free(ent); - /* set public key in the certificate */ if (X509_set_pubkey(certs[0], pkey) != 1) { @@ -1807,7 +1795,7 @@ int GRSTx509MakeProxyCert(char **proxychain, FILE *debugfp, /* go through chain making sure this proxy is not longer lived */ - pcinfo_obj = OBJ_txt2obj(GRST_PROXYCERTINFO_OID, 0); + pci_obj = OBJ_txt2obj(GRST_PROXYCERTINFO_OID, 0); notAfter = GRSTasn1TimeToTimeT(ASN1_STRING_data(X509_get_notAfter(certs[0])), 0); @@ -1825,22 +1813,67 @@ int GRSTx509MakeProxyCert(char **proxychain, FILE *debugfp, ASN1_UTCTIME_set(X509_get_notAfter(certs[0]), notAfter); } - if (X509_get_ext_by_OBJ(certs[i], pcinfo_obj, -1) > 0) + if (X509_get_ext_by_OBJ(certs[i], pci_obj, -1) > 0) any_rfc_proxies = 1; } /* if any earlier proxies are RFC 3820, then new proxy must be - an RFC 3820 proxy too with the required extension */ + an RFC 3820 proxy too with the required extensions */ if (any_rfc_proxies) { - ex = X509_EXTENSION_new(); + /* key usage */ + kyu_obj = OBJ_txt2obj(GRST_KEYUSAGE_OID, 0); + kyu_ex = X509_EXTENSION_new(); + + X509_EXTENSION_set_object(kyu_ex, kyu_obj); + X509_EXTENSION_set_critical(kyu_ex, 1); + + kyu_oct = ASN1_OCTET_STRING_new(); + ASN1_OCTET_STRING_set(kyu_oct, kyu_str, strlen(kyu_str)); + X509_EXTENSION_set_data(kyu_ex, kyu_oct); + + X509_add_ext(certs[0], kyu_ex, -1); + + /* proxy certificate info */ + pci_ex = X509_EXTENSION_new(); + + X509_EXTENSION_set_object(pci_ex, pci_obj); + X509_EXTENSION_set_critical(pci_ex, 1); - X509_EXTENSION_set_object(ex, pcinfo_obj); - X509_EXTENSION_set_critical(ex, 1); + pci_oct = ASN1_OCTET_STRING_new(); + ASN1_OCTET_STRING_set(pci_oct, pci_str, strlen(pci_str)); + X509_EXTENSION_set_data(pci_ex, pci_oct); - X509_add_ext(certs[0], ex, -1); + X509_add_ext(certs[0], pci_ex, -1); } - else free(pcinfo_obj); + else free(pci_obj); + + /* set issuer and subject name of the cert from the req and the CA */ + + if (any_rfc_proxies) /* user CN=number rather than CN=proxy */ + { + snprintf(s, sizeof(s), "%ld", (long) time(NULL)); + ent = X509_NAME_ENTRY_create_by_NID(NULL, OBJ_txt2nid("commonName"), + MBSTRING_ASC, s, -1); + } + else ent = X509_NAME_ENTRY_create_by_NID(NULL, OBJ_txt2nid("commonName"), + MBSTRING_ASC, "proxy", -1); + + newsubject = X509_NAME_dup(CAsubject); + + X509_NAME_add_entry(newsubject, ent, -1, 0); + + if (X509_set_subject_name(certs[0], newsubject) != 1) + { + mpcerror(debugfp, + "GRSTx509MakeProxyCert(): error setting subject name of certificate\n"); + + X509_REQ_free(req); + return GRST_RET_FAILED; + } + + X509_NAME_free(newsubject); + X509_NAME_ENTRY_free(ent); /* sign the certificate with the signing private key */ if (EVP_PKEY_type(CApkey->type) == EVP_PKEY_RSA) -- 1.8.2.3