From edbf3169bb39242b2935537f51a449939de50d32 Mon Sep 17 00:00:00 2001
From: Andrew McNab
Date: Sun, 29 Nov 2009 22:32:36 +0000
Subject: [PATCH] Make consistent RFC proxy style chains
---
 org.gridsite.core/CHANGES | 7 +++++++
 org.gridsite.core/interface/gridsite.h | 3 ++-
 org.gridsite.core/src/grst_x509.c | 31 ++++++++++++++++++++++++++++---
 org.gridsite.core/src/make-gridsite-spec | 2 +-
 org.gridsite.core/src/mod_gridsite.c | 16 ++++++++++++++++
 org.gridsite.core/src/showx509exts.c | 3 ++-
 6 files changed, 56 insertions(+), 6 deletions(-)
diff --git a/org.gridsite.core/CHANGES b/org.gridsite.core/CHANGES
index bb102a2..1da5da3 100644
--- a/org.gridsite.core/CHANGES
+++ b/org.gridsite.core/CHANGES
@@ -1,3 +1,10 @@
+* Fri Nov 27 2009 Andrew McNab
+- GRSTx509MakeProxyCert() now creates RFC 3280
+ proxies if any earlier proxies are RFC style
+* Tue Nov 10 2009 Andrew McNab
+- Discard X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+ errors in GRST_callback_SSLVerify_wrapper(), needed
+ for newer OpenSSL
 * Mon Oct 19 2009 Andrew McNab
 - Discard X509_V_ERR_INVALID_PURPOSE errors in
 GRST_callback_SSLVerify_wrapper(), needed by
diff --git a/org.gridsite.core/interface/gridsite.h b/org.gridsite.core/interface/gridsite.h
index eceda53..dc2a249 100644
--- a/org.gridsite.core/interface/gridsite.h
+++ b/org.gridsite.core/interface/gridsite.h
@@ -153,7 +153,8 @@ typedef struct { GRSTgaclCred *firstcred; char *dnlists; } GRSTgaclUser;
 #define GRST_DN_LISTS "/etc/grid-security/dn-lists"
 #define GRST_RECURS_LIMIT 9
-#define GRST_PROXYCERTINFO_OID "1.3.6.1.4.1.3536.1.222"
+#define GRST_PROXYCERTINFO_OLD_OID "1.3.6.1.4.1.3536.1.222"
+#define GRST_PROXYCERTINFO_OID "1.3.6.1.5.5.7.1.14"
 #define GRST_VOMS_OID "1.3.6.1.4.1.8005.100.100.5"
 #define GRST_VOMS_DIR "/etc/grid-security/vomsdir"
diff --git a/org.gridsite.core/src/grst_x509.c b/org.gridsite.core/src/grst_x509.c
index a5df3ec..e20ca44 100644
--- a/org.gridsite.core/src/grst_x509.c
+++ b/org.gridsite.core/src/grst_x509.c
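Review bot: `GRST_PROXYCERTINFO_OID` keeps its name but now expands to the RFC 3820 id-pe-proxyCertInfo OID `1.3.6.1.5.5.7.1.14`, while its former value survives only under the new name `GRST_PROXYCERTINFO_OLD_OID`; because gridsite.h is the public interface, any external code that compared against the old macro changes meaning silently on recompile. A comment on the pair would make that explicit, e.g. `/* RFC 3820 id-pe-proxyCertInfo; the pre-RFC draft OID is GRST_PROXYCERTINFO_OLD_OID and is still accepted as a known critical extension */`, since the grst_x509.c hunk below accepts both OIDs in GRSTx509KnownCriticalExts().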
@@ -135,7 +135,9 @@ int GRSTx509KnownCriticalExts(X509 *cert)
 {
 OBJ_obj2txt(s, sizeof(s), X509_EXTENSION_get_object(ex), 1);
- if (strcmp(s, GRST_PROXYCERTINFO_OID) != 0) return GRST_RET_FAILED;
+ if ((strcmp(s, GRST_PROXYCERTINFO_OID) != 0) &&
+ (strcmp(s, GRST_PROXYCERTINFO_OLD_OID) != 0))
+ return GRST_RET_FAILED;
 }
 }
@@ -1606,7 +1608,7 @@ int GRSTx509MakeProxyCert(char **proxychain, FILE *debugfp,
 /// the given number of minutes starting from the current time.
 {
 char *ptr, *certchain;
- int i, ncerts;
+ int i, ncerts, any_rfc_proxies = 0;
 long serial = 1234, ptrlen;
 EVP_PKEY *pkey, *CApkey;
 const EVP_MD *digest;
@@ -1614,6 +1616,8 @@ int GRSTx509MakeProxyCert(char **proxychain, FILE *debugfp,
 X509_REQ *req;
 X509_NAME *name, *CAsubject, *newsubject;
 X509_NAME_ENTRY *ent;
+ ASN1_OBJECT *pcinfo_obj = NULL;
+ X509_EXTENSION *ex;
 FILE *fp;
 BIO *reqmem, *certmem;
 time_t notAfter;
@@ -1803,10 +1807,14 @@ int GRSTx509MakeProxyCert(char **proxychain, FILE *debugfp,
 /* go through chain making sure this proxy is not longer lived */
+ pcinfo_obj = OBJ_txt2obj(GRST_PROXYCERTINFO_OID, 0);
+fprintf(stderr, "Make pcinfo_obj\n");
+
 notAfter = GRSTasn1TimeToTimeT(ASN1_STRING_data(X509_get_notAfter(certs[0])), 0);
-
+
 for (i=1; i < ncerts; ++i)
+ {
 if (notAfter > GRSTasn1TimeToTimeT(ASN1_STRING_data(X509_get_notAfter(certs[i])), 0))
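Review bot: `fprintf(stderr, "Make pcinfo_obj\n");` right after the `OBJ_txt2obj()` call is an unindented debugging print that this library function will now write to the caller's stderr on every proxy it makes; it should be removed, or at most routed to the `debugfp` the function already takes. `OBJ_txt2obj()` returns NULL when it cannot parse the OID, and `pcinfo_obj` is then used unchecked in the `X509_get_ext_by_OBJ()` call of the following hunk, so a guard such as `if (pcinfo_obj == NULL) return GRST_RET_FAILED;` is needed, using whatever failure value this function's other error paths return and releasing anything already allocated, which lies outside this hunk. GRSTx509MakeProxyCert() begins and ends outside the hunk.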
@@ -1817,6 +1825,23 @@ int GRSTx509MakeProxyCert(char **proxychain, FILE *debugfp,
 ASN1_UTCTIME_set(X509_get_notAfter(certs[0]), notAfter);
 }
+
+ if (X509_get_ext_by_OBJ(certs[i], pcinfo_obj, -1) > 0)
+ any_rfc_proxies = 1;
+ }
+
+ /* if any earlier proxies are RFC 3820, then new proxy must be
+ an RFC 3820 proxy too with the required extension */
+ if (any_rfc_proxies)
+ {
+ ex = X509_EXTENSION_new();
+
+ X509_EXTENSION_set_object(ex, pcinfo_obj);
+ X509_EXTENSION_set_critical(ex, 1);
+
+ X509_add_ext(certs[0], ex, -1);
+ }
+ else free(pcinfo_obj);
 /* sign the certificate with the signing private key */
 if (EVP_PKEY_type(CApkey->type) == EVP_PKEY_RSA)
diff --git a/org.gridsite.core/src/make-gridsite-spec b/org.gridsite.core/src/make-gridsite-spec
index 7a950c3..0b41da8 100755
--- a/org.gridsite.core/src/make-gridsite-spec
+++ b/org.gridsite.core/src/make-gridsite-spec
@@ -31,7 +31,7 @@ cat <gridsite.spec
 Name: gridsite
 Version: ${PATCH_VERSION:-1.x.x}
 # This next piece of .spec/sed magic puts the build OS version in the release
-Release: %(if [ "$RELEASE_VERSION" ] ; then echo $RELEASE_VERSION ; else sed 's/^\([A-Z]\)[^ ]* \([A-Z]\)[^0-9]*\([0-9][^ ]*\).*/1\1\2\3/g' /etc/redhat-release | sed 's/[^A-Z,a-z,0-9]//g' ; fi)
+Release: %(if [ "$RELEASE_VERSION" ] ; then echo $RELEASE_VERSION ; else sed 's/^\([A-Z,a-z]\)[^ ]* \([A-Z,a-z]\)[^0-9]*\([0-9][^ ]*\).*/1\1\2\3/g' /etc/redhat-release | sed 's/[^A-Z,a-z,0-9]//g' ; fi)
 Summary: GridSite
 License: Modified BSD
 Group: System Environment/Daemons
diff --git a/org.gridsite.core/src/mod_gridsite.c b/org.gridsite.core/src/mod_gridsite.c
index 547e6a3..58eb06d 100644
--- a/org.gridsite.core/src/mod_gridsite.c
+++ b/org.gridsite.core/src/mod_gridsite.c
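Review bot: `X509_get_ext_by_OBJ()` returns the index of the matching extension — 0 for the first one, -1 when absent — so `if (X509_get_ext_by_OBJ(certs[i], pcinfo_obj, -1) > 0)` misses a ProxyCertInfo that is a certificate's first extension (which is what a proxy produced by this very branch would carry, unless code earlier in the function adds other extensions first); the test should be `>= 0`. The cleanup is also wrong: `else free(pcinfo_obj);` hands an `ASN1_OBJECT` obtained from `OBJ_txt2obj()` to `free()` — for an OID in OpenSSL's built-in table that pointer refers to a static object — nothing releases it on the `any_rfc_proxies` path, and `ex` is never freed although `X509_add_ext()` stores a copy. I'd drop the `else` line in favour of an unconditional `ASN1_OBJECT_free(pcinfo_obj);` after the `if` block, add `X509_EXTENSION_free(ex);` after `X509_add_ext(certs[0], ex, -1);`, and check `X509_EXTENSION_new()` for NULL. The extension is added with no value at all (`X509_EXTENSION_set_data()` is never called), so the ProxyCertInfo structure RFC 3820 requires — at least a proxyPolicy with a policyLanguage — is missing, and whether OpenSSL's verifier accepts such a proxy needs confirming; GRSTx509MakeProxyCert() begins and ends outside this hunk.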
@@ -3846,6 +3846,22 @@ int GRST_callback_SSLVerify_wrapper(int ok, X509_STORE_CTX *ctx)
 X509_STORE_CTX_set_error(ctx, errnum);
 }
+#ifdef X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+ /*
+ * Skip X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED, since they are!
+ */
+ if (errnum == X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED)
+ {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "Skip Proxy Certificates Not Allowed error");
+ sslconn->verify_error = NULL;
+ ok = TRUE;
+ errnum = X509_V_OK;
+ X509_STORE_CTX_set_error(ctx, errnum);
+ }
+#endif
+
 /*
 * New style GSI Proxy handling, with critical ProxyCertInfo
 * extension: we use GRSTx509KnownCriticalExts() to check this
diff --git a/org.gridsite.core/src/showx509exts.c b/org.gridsite.core/src/showx509exts.c
index 86f0290..35fa810 100644
--- a/org.gridsite.core/src/showx509exts.c
+++ b/org.gridsite.core/src/showx509exts.c
@@ -91,7 +91,8 @@ main()
 // dn = X509_NAME_oneline(xname,NULL,0);
- printf("n=%d dn=%s obj2txt=%s\n", n, dn, OBJ_obj2txt(NULL,0,obj,1));
+ if (obj != NULL) printf("n=%d dn=%s obj2txt=%s\n", n, dn, OBJ_obj2txt(NULL,0,obj,1));
+ else printf("n=%d dn=%s obj2txt=NULL\n", n, dn);
 GRSTasn1GetX509Name(buf, 99, "-1-1-1-1-2-1-1-1-1-%d-1-%d", p1, taglist, lasttag);
-- 
1.8.2.3
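Review bot: Setting `ok = TRUE` and resetting the error when `errnum == X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED` makes OpenSSL accept the proxy at that depth without applying its own proxy-certificate checks; the supported way to permit proxies is to set `X509_V_FLAG_ALLOW_PROXY_CERTS` on the verification parameters (`X509_STORE_CTX_set_flags()` or `X509_VERIFY_PARAM_set_flags()`) before verification, after which this error is not raised and OpenSSL enforces the RFC 3820 path rules itself. If the override stays because GridSite validates proxies in its own code — the context comment below refers to GRSTx509KnownCriticalExts() — the comment `Skip X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED, since they are!` should say where that validation happens, e.g. `/* Proxy certificates are permitted: proxy chains are validated by the GSI proxy handling below rather than by OpenSSL */`. Clearing `sslconn->verify_error` unconditionally also discards any error text recorded for an earlier certificate in the chain, which looks unintended unless the X509_V_ERR_INVALID_PURPOSE handling mentioned in CHANGES already relies on the same. GRST_callback_SSLVerify_wrapper() begins and ends outside this hunk.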
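Review bot: `OBJ_obj2txt(NULL,0,obj,1)` returns an `int` (the length the textual OID would need), not a string, so passing it to `%s` is undefined behaviour, and the new `if (obj != NULL)` branch keeps that defect from the line it replaces. Write the OID into a local buffer first, `char oidtxt[128]; OBJ_obj2txt(oidtxt, sizeof oidtxt, obj, 1);`, and then print it with `printf("n=%d dn=%s obj2txt=%s\n", n, dn, oidtxt);`. main() begins and ends outside this hunk.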