Improved cert type detection and error reporting

This commit introduces stronger certificate type detection inspired by Globus Toolkit gsi-cert-utilities libraries and improved error reporting for certificate validation errors. Issue: VOMS_744
italiangrid · Aug 26, 2016 · 27d5715 · 27d5715
1 parent 67eab8a
commit 27d5715
Show file tree

Hide file tree

Showing 13 changed files with 981 additions and 448 deletions.
diff --git a/configure.ac b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([VOMS], [2.0.13])
+AC_INIT([VOMS], [2.0.14])
 AC_PREREQ(2.57)
 AC_CONFIG_AUX_DIR([./aux])
 AM_INIT_AUTOMAKE

diff --git a/do-configure.sh b/do-configure.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -ex
+
+./configure --with-debug \
+    --program-prefix= \
+    --prefix=/usr \
+    --exec-prefix=/usr \
+    --bindir=/usr/bin \
+    --sbindir=/usr/sbin \
+    --sysconfdir=/etc \
+    --datadir=/usr/share \
+    --includedir=/usr/include \
+    --libdir=/usr/lib64 \
+    --libexecdir=/usr/libexec \
+    --localstatedir=/var \
+    --sharedstatedir=/var/lib \
+    --mandir=/usr/share/man \
+    --infodir=/usr/share/info
diff --git a/spec/voms-all.spec b/spec/voms-all.spec
@@ -1,6 +1,6 @@
 Name: voms
-Version: 2.0.13
-Release: 1%{?dist}
+Version: 2.0.14
+Release: 0%{?dist}
 Summary: The Virtual Organisation Membership Service C++ APIs
 
 Group:          System Environment/Libraries
@@ -289,6 +289,9 @@ fi
 %{_mandir}/man8/voms.8*
 
 %changelog
+* Tue Aug 23 2016 Andrea Ceccanti <andrea.ceccanti at cnaf.infn.it> - 2.0.14-0
+- Packaging for 2.0.14
+
 * Mon Nov 9 2015 Andrea Ceccanti <andrea.ceccanti at cnaf.infn.it> - 2.0.13-0
 - Packaging for 2.0.13
 

diff --git a/src/common/credentials.c b/src/common/credentials.c
@@ -38,6 +38,7 @@
 
 #include "credentials.h"
 #include "sslutils.h"
+#include "voms_cert_type.h"
 
 int
 globus(int version)
@@ -68,15 +69,32 @@ get_real_cert(X509 *base, STACK_OF(X509) *stk)
   X509 *cert = NULL;
   int i;
 
-  if (!proxy_check_proxy_name(base))
+  voms_cert_type_t cert_type;
+
+
+  if (voms_get_cert_type(base, &cert_type)){
+    // FIXME: This is just for backward compatibility, where error in the
+    // proxy_check_proxy_name call weren't handled
+    return base;
+  }
+
+  if (!VOMS_IS_PROXY(cert_type)){
     return base;
 
+  }
   int num_certs = sk_X509_num(stk);
 
   /* Determine id data */
   for (i = 0; i < num_certs; i++) {
     cert = sk_X509_value(stk, i);
-    if (!proxy_check_proxy_name(cert)) {
+
+    if (voms_get_cert_type(cert, &cert_type)){
+    // FIXME: This is just for backward compatibility, where error in the
+    // proxy_check_proxy_name call weren't handled
+      return cert;
+    }
+
+    if (!VOMS_IS_PROXY(cert_type)){
       return cert;
     }
   }

diff --git a/src/include/Server.h b/src/include/Server.h
@@ -49,6 +49,7 @@
 #include <openssl/x509.h>
 #include <openssl/ssl.h>
 
+#include <vector>
 #include <string>
 
 #include <sys/types.h>
@@ -108,6 +109,8 @@ class GSISocketServer
   void SetError(const std::string &g);
   void SetErrorOpenSSL(const std::string &message);
 
+  const std::vector<std::string>& GetOpenSSLErrors(); 
+
 public:
   std::string    own_subject;
   std::string    own_ca;
@@ -127,6 +130,7 @@ class GSISocketServer
   char           *cacertdir;
   EVP_PKEY       *upkey;
   X509           *ucert;
+
   std::string error;
 
 public:
@@ -139,6 +143,10 @@ class GSISocketServer
   bool newopened;
   bool mustclose;
   void *logh;
+
+private:
+  std::vector<std::string> openssl_errors; 
+
 };
 
 #endif

diff --git a/src/include/sslutils.h b/src/include/sslutils.h
@@ -217,8 +217,9 @@ ERR_set_continue_needed(void);
 #define PRXYERR_F_CB_NO_PW                     PRXYERR_F_BASE + 7
 #define PRXYERR_F_GET_CA_SIGN_PATH             PRXYERR_F_BASE + 8
 #define PRXYERR_F_PROXY_SIGN_EXT               PRXYERR_F_BASE + 9
-#define PRXYERR_F_PROXY_CHECK_SUBJECT_NAME     PRXYERR_F_BASE + 10
+#define PRXYERR_F_PROXY_VERIFY_NAME            PRXYERR_F_BASE + 10
 #define PRXYERR_F_PROXY_CONSTRUCT_NAME         PRXYERR_F_BASE + 11
+#define PRXYERR_F_VOMS_GET_CERT_TYPE           PRXYERR_F_BASE + 12
 
 /* 
  * defines for reasons 
@@ -293,6 +294,15 @@ ERR_set_continue_needed(void);
 #define PRXYERR_R_BAD_ARGUMENT                 PRXYERR_R_BASE + 61
 #define PRXYERR_R_BAD_MAGIC                    PRXYERR_R_BASE + 62
 #define PRXYERR_R_UNKNOWN_CRIT_EXT             PRXYERR_R_BASE + 63
+
+#define PRXYERR_R_NON_COMPLIANT_PROXY                   PRXYERR_R_BASE + 64
+#define PRXYERR_R_ERROR_GETTING_NAME_ENTRY_OF_SUBJECT   PRXYERR_R_BASE + 65
+#define PRXYERR_R_ERROR_COPYING_SUBJECT                 PRXYERR_R_BASE + 66
+#define PRXYERR_R_ERROR_GETTING_CN_ENTRY                PRXYERR_R_BASE + 67
+#define PRXYERR_R_ERROR_BUILDING_SUBJECT                 PRXYERR_R_BASE + 68
+
+
+
 /* NOTE: Don't go over 1500 here or will conflict with errors in scutils.h */
 
 
@@ -337,6 +347,9 @@ struct proxy_verify_desc_struct {
 int
 ERR_load_prxyerr_strings(int i);
 
+int
+ERR_load_proxy_error_strings();
+
 int proxy_load_user_cert_and_key_pkcs12(const char *user_cert,
                                         X509 **cert,
                                         STACK_OF(X509) **stack,

diff --git a/src/server/main.cc b/src/server/main.cc
@@ -29,6 +29,7 @@
 
 #include "VOMSServer.h"
 #include "dbwrap.h"
+#include "sslutils.h"
 #include <cstdlib>
 
 extern "C" {
@@ -37,8 +38,9 @@ extern "C" {
 
 int main(int argc, char *argv[])
 {
-  OpenSSL_add_ssl_algorithms();
 
+  ERR_load_proxy_error_strings();
+  OpenSSL_add_ssl_algorithms();
   SSL_library_init();
 
   try

diff --git a/src/server/vomsd.cc b/src/server/vomsd.cc
@@ -785,8 +785,16 @@ void VOMSServer::Run()
 
           if (!sock.AcceptGSIAuthentication()){
 
-            LOGM(VARP, logh, LEV_INFO, T_PRE, "Failed to authenticate peer.");
-            LOGM(VARP, logh, LEV_INFO, T_PRE, "Error: %s", sock.error.c_str());
+            LOGM(VARP, logh, LEV_INFO, T_PRE, "Peer authentication error");
+
+            for (std::vector<std::string>::const_iterator err_it = sock.GetOpenSSLErrors().begin();
+                err_it != sock.GetOpenSSLErrors().end();
+                ++err_it){
+
+              std::string err_string = *err_it;
+              LOGM(VARP, logh, LEV_INFO, T_PRE, err_string.c_str());
+
+            }
 
             sock.CleanSocket();
             sock.Close();

diff --git a/src/socklib/Server.cpp b/src/socklib/Server.cpp
@@ -178,7 +178,7 @@ GSISocketServer::GSISocketServer(int p, void *l, int b, bool m) :
   ssl(NULL), ctx(NULL), conn(NULL), pvd(NULL), cacertdir(NULL),
   upkey(NULL), ucert(NULL), error(""),
   port(p), opened(false), sck(-1), backlog(b), newsock(-1), timeout(30),
-  newopened(false), mustclose(m), logh(l)
+  newopened(false), mustclose(m), logh(l), openssl_errors()
 {
   if (OBJ_txt2nid("UID") == NID_undef)
     OBJ_create("0.9.2342.19200300.100.1.1","USERID","userId");
@@ -259,6 +259,8 @@ GSISocketServer::Close()
   own_cert = peer_cert = NULL;
 
   opened=false;
+  error.clear();
+  openssl_errors.clear();
 }
 
 void GSISocketServer::CloseListener(void)
@@ -644,11 +646,52 @@ void GSISocketServer::SetError(const std::string &g)
 
 void GSISocketServer::SetErrorOpenSSL(const std::string &preamble)
 {
-  error = preamble;
+  openssl_errors.clear();
+
+  bool first = true;
 
   while( ERR_peek_error() ){
-    long error_code = ERR_get_error();
-    const char * error_message = ERR_error_string(error_code, NULL);
-    error += error_message;
+
+    char error_msg_buf[512];
+
+    const char *filename;
+    int lineno;
+    const char* data;
+    int flags;
+
+    long error_code = ERR_get_error_line_data(&filename, &lineno, &data, &flags);
+
+    const char *lib = ERR_lib_error_string(error_code);
+    const char *func = ERR_func_error_string(error_code);
+    const char *error_reason = ERR_reason_error_string(error_code);
+
+    if (lib == NULL) {
+
+      int lib_no = ERR_GET_LIB(error_code);
+
+      if (lib_no == ERR_USER_LIB_PRXYERR_NUMBER){
+        lib = "VOMS proxy routines";
+      }
+    }
+
+    if (!first){
+      error.append(",");
+    }
+
+    sprintf(error_msg_buf,
+        "%s %s [err:%lu,lib:%s,func:%s(file: %s+%d)]",
+        (error_reason) ? error_reason : "",
+        (data) ? data : "",
+        error_code,lib,func,filename,lineno);
+
+    openssl_errors.push_back(error_msg_buf);
+
+    first = false;
   }
 }
+
+const std::vector<std::string>&
+GSISocketServer::GetOpenSSLErrors(){
+
+  return openssl_errors;
+}
diff --git a/src/sslutils/Makefile.am b/src/sslutils/Makefile.am
@@ -9,7 +9,7 @@ noinst_LTLIBRARIES = libssl_utils_nog.la
 
 SOURCES= scutils.c scutils.h sslutils.c proxycertinfo.c \
 	signing_policy.c lex.signing.c namespaces.c lex.namespaces.c \
-	evaluate.c proxy.c vomsproxy.h 
+	evaluate.c proxy.c vomsproxy.h voms_cert_type.h  voms_cert_type.c
 
 
 EXTRA_DIST = 	namespaces.l namespaces.y namespaces.h \