From b70cc2409550767bd6f19f31eee0639070e721fe Mon Sep 17 00:00:00 2001 From: Francesco Giacomini Date: Sun, 6 Nov 2016 23:44:05 +0100 Subject: [PATCH 01/16] Porting to OpenSSL 1.1 This commit ports VOMS to OpenSSL 1.1. More details in openssl11.md. --- configure.ac | 5 +- m4/acinclude.m4 | 11 + openssl11.md | 455 ++++++++++++++++++++++ spec/voms-all.spec | 5 +- src/ac/attributes.h | 21 +- src/ac/extensions.c | 353 ++--------------- src/ac/init.c | 10 +- src/ac/mystack.c | 26 +- src/ac/newformat.c | 614 +++++------------------------ src/ac/validate.cc | 85 ++-- src/ac/write.c | 200 ++++++++-- src/api/ccapi/api_util.cc | 12 +- src/api/ccapi/voms_api.cc | 2 +- src/api/ccapi/voms_api.h | 3 + src/client/vomsclient.cc | 11 +- src/common/normalize.c | 23 -- src/common/xmlcc.cc | 2 +- src/include/Makefile.am | 2 +- src/include/acstack.h | 54 ++- src/include/newformat.h | 106 ++--- src/include/proxycertinfo.h | 84 ++++ src/include/proxypolicy.h | 87 +++++ src/include/ssl_compat.h | 74 ++++ src/include/sslutils.h | 2 +- src/include/vomsxml.h | 2 +- src/log/fs.c | 3 +- src/server/Makefile.am | 4 +- src/server/vomsd.cc | 27 +- src/socklib/Client.cpp | 2 - src/socklib/Server.cpp | 81 +++- src/sslutils/Makefile.am | 5 +- src/sslutils/myproxycertinfo.c | 510 ++++++++++++++++++++++++ src/sslutils/namespaces.c | 13 - src/sslutils/proxy.c | 274 +++++++------ src/sslutils/proxycertinfo.c | 692 +++++++++++++-------------------- src/sslutils/proxypolicy.c | 88 +++++ src/sslutils/signing_policy.c | 11 - src/sslutils/ssl_compat.c | 363 +++++++++++++++++ src/sslutils/sslutils.c | 460 ++++++++++------------ src/sslutils/voms_cert_type.c | 3 +- src/utils/voms_proxy_info.cc | 6 +- src/utils/voms_verify.cc | 13 +- src/utils/vomsfake.cc | 2 +- 43 files changed, 2855 insertions(+), 1951 deletions(-) create mode 100644 openssl11.md create mode 100644 src/include/proxycertinfo.h create mode 100644 src/include/proxypolicy.h create mode 100644 src/include/ssl_compat.h create mode 100644 src/sslutils/myproxycertinfo.c create mode 100644 src/sslutils/proxypolicy.c create mode 100644 src/sslutils/ssl_compat.c diff --git a/configure.ac b/configure.ac index 7780c99f..4e3da01c 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -AC_INIT([VOMS], [2.0.14]) +AC_INIT([VOMS], [2.1.0]) AC_PREREQ(2.57) AC_CONFIG_AUX_DIR([./aux]) AM_INIT_AUTOMAKE @@ -31,7 +31,8 @@ AC_PROG_YACC AC_PROG_LEX AC_COMPILER -PKG_CHECK_MODULES([OPENSSL], [openssl]) +#PKG_CHECK_MODULES([OPENSSL], [openssl]) +AC_OPENSSL PKG_CHECK_MODULES([GSOAP],[gsoap >= 2.7]) PKG_CHECK_MODULES([GSOAP_PP],[gsoap++ >= 2.7]) diff --git a/m4/acinclude.m4 b/m4/acinclude.m4 index 2dbc71ab..f78f2752 100644 --- a/m4/acinclude.m4 +++ b/m4/acinclude.m4 @@ -195,6 +195,17 @@ AC_DEFUN([AC_COMPILER], CXXFLAGS="-g -O0" fi + AC_ARG_WITH(profile, + [ --with-profile Compiles and links with collection of profile information activated], + [ac_with_profile="yes"], + [ac_with_profile="no"]) + + if test "x$ac_with_profile" = "xyes" ; then + CFLAGS="$CFLAGS -pg" + CXXFLAGS="$CXXFLAGS -pg" + LDFLAGS="$LDFLAGS -pg" + fi + AC_ARG_WITH(warnings, [ --with-warnings Compiles with maximum warnings], [ac_with_warnings="yes"], diff --git a/openssl11.md b/openssl11.md new file mode 100644 index 00000000..40b4b0fe --- /dev/null +++ b/openssl11.md @@ -0,0 +1,455 @@ +# Notes on the migration of the VOMS code base to OpenSSL 1.1 + +This document summarizes the changes needed to migrate the VOMS code base from +OpenSSL 1.0.x to OpenSSL 1.1.y. + +The changes are as focused as possible and address only the migration, with very +limited exceptions. + +## Opaque data structures + +One of the most important changes in the API introduced by OpenSSL 1.1 is the +introduction of opaque data types for many of the data structures. + + typedef struct x509_object_st X509_OBJECT; + typedef struct X509_name_st X509_NAME; + typedef struct X509_name_entry_st X509_NAME_ENTRY; + typedef struct asn1_string_st ASN1_STRING; + typedef struct evp_pkey_st EVP_PKEY; + typedef struct X509_st X509; + typedef struct X509_req_st X509_REQ; + +Opaque data structures are incomplete types, with two major consequences: + +1. they cannot be allocated on the stack +1. pointers to objects of those types cannot be dereferenced, e.g. to access +their fields + +For what concerns the first point, the solution is to always manage explicitly +their lifetime, allocating an object on the heap and later freeing it. + +For example code such as + + X509_OBJECT obj; + +has to be replaced with + + X509_OBJECT* obj = X509_OBJECT_new(); + ... + X509_OBJECT_free(obj); + +The second point -- accessing the fields of the data structure -- requires the +use of getter and setter functions. The actual transformation needed for the +VOMS code are presented in the following sections. + +### X509_OBJECT + +Given an `X509_OBJECT* obj` that stores a CRL, in order to access the +CRL, code such as + + X509_CRL* crl = obj->data.crl; + +has to be replaced with + + X509_CRL* crl = X509_OBJECT_get0_X509_CRL(obj); + +### X509_NAME, X509_NAME_ENTRY, ASN1_STRING + +Given `X509_NAME* name`, code such as + + int n = sk_X509_NAME_ENTRY_num(name->entries) + X509_NAME_ENTRY* entry = sk_X509_NAME_ENTRY_value(name->entries, i); + ASN1_STRING* str = entry->value; + unsigned char const* data = entry->value->data; + int l = entry->value->length; + ASN1_OBJECT* obj = entry->object; + +has to be replaced with + + int n = X509_NAME_entry_count(name); + X509_NAME_ENTRY* entry = X509_NAME_get_entry(name, i); + ASN1_STRING* str = X509_NAME_ENTRY_get_data(entry); + unsigned char const* data = ASN1_STRING_get0_data(str); + int l = ASN1_STRING_length(str); + ASN1_OBJECT* obj = X509_NAME_ENTRY_get_object(entry); + + +### EVP_PKEY + +Given `EVP_PKEY* key`, code such as + + RSA* rsa = key->pkey.rsa; + +has to be replaced with + + RSA* rsa = EVP_PKEY_get0_RSA(key) + +Code such as + + int type = key->type; + if (type == EVP_PKEY_RSA) { + +has to be replaced with + + RSA* rsa = EVP_PKEY_get0_RSA(key) + if (RSA) { + +### X509, X509_REQ + +Given `X509* cert`, to access the Message Digest + + EVP_MD const* md = EVP_get_digestbyobj(cert->sig_alg->algorithm); + +has to be replaced with + + EVP_MD const* md = EVP_get_digestbynid(X509_get_signature_nid(cert)); + +Similarly for an `X509_REQ* req`. + +Moreover there is no way to retrieve the internal X509_CINF, so code such as + + X509_CINF* cinf = cert->cert_info; + +has been removed and replaced with appropriate getters and setters for the +fields of an `X509_CINF`. + +Given `ASN1_INTEGER* num`, code such as + + ASN1_INTEGER_free(cert->cert_info->serialNumber); + cert->cert_info->serialNumber = num; + +has been replaced with + + X509_set_serialNumber(cert, num); + ASN1_INTEGER_free(num); + +Note how the responsibility to manage the object lifetime has +changed. `X509_set_serialNumber` in fact stores a _copy_ of `num` and +takes care of the deallocation of the previous `serialNumber`. + +When the serial number is obtained from the Message Digest, the code changes +from + + unsigned char md[SHA_DIGEST_LENGTH]; + unsigned int len; + ASN1_digest(..., md, &len); + cert->cert_info->serialNumber = ASN1_INTEGER_new(); + cert->cert_info->serialNumber = ASN1_INTEGER_new(); + cert->cert_info->serialNumber->length = len; + cert->cert_info->serialNumber->data = malloc(len); + memcpy(cert->cert_info->serialNumber->data, md, SHA_DIGEST_LENGTH); + +to + + unsigned char md[SHA_DIGEST_LENGTH + 1]; + unsigned int len; + ASN1_digest(..., md, &len); + md[len] = '\0'; + BIGNUM* bn = NULL; + if (BN_hex2bn(&bn, (char*)md) != 0) { + ASN1_INTEGER* num = BN_to_ASN1_INTEGER(bn, NULL); + BN_free(bn); + X509_set_serialNumber(cert, num); + ASN1_INTEGER_free(num); + } + +When the serial number is copied from another certificate, the code changes from + + ASN1_INTEGER* num = ASN1_INTEGER_dup(X509_get_serialNumber(other_cert)); + ASN1_INTEGER_free(cert->cert_info->serialNumber); + cert->cert_info->serialNumber = num; + +to + + ASN1_INTEGER* num = ASN1_INTEGER_dup(X509_get0_serialNumber(other_cert)); + X509_set_serialNumber(*new_cert, num); + ASN1_INTEGER_free(num); + +The call to ASN1\_INTEGER\_dup is needed because `X509_get0_serialNumber` +returns an `ASN1_INTEGER const*` but `X509_set_serialNumber` takes a (non-const) +`ASN1_INTEGER*`, although internally it doesn't modify +it. `X509_get_serialNumber`, which returns a non-const `ASN1_INTEGER*`, could be +used, but respecting const-correctness is preferable. + +To copy the _notAfter_ attribute of a certificate from another certificate, code +such as + + X509_set_notAfter(cert, other_cert->cert_info->validity->notAfter); + +has to be replaced with + + int ret = X509_set1_notAfter(cert, X509_get0_notAfter(other_cert)); + +`X509_set1_notAfter` doesn't take ownership of the argument; but +`X509_get0_notAfter` returns a non-mutable view of the internal field and +doesn't require a subsequent free. + +To transfer the public key from a request to a certificate, code such as + + X509_PUBKEY_free(cert_info->key); + cert_info->key = req->req_info->pubkey; + req->req_info->pubkey = NULL; + +has been replaced with + + EVP_PKEY* pub_key = X509_REQ_get_pubkey(req); + X509_set_pubkey(cert, pub_key); + EVP_PKEY_free(pub_key); + +The former code was a "move" of the public key from the request to the +certificate, without any decoding. Although a function still exists to retrieve +the key material (`X509_get_X509_PUBKEY`), there is no corresponding setter. + +OpenSSL 1.1 has introduced another function to retrieve the public key +from the request: `X509_REQ_get0_pubkey`. The difference between +`X509_REQ_get_pubkey` and `X509_REQ_get0_pubkey` is that the former +increments a reference count, requiring the returned `EVP_KEY` to be +subsequently freed, whereas the latter returns a "view" of the +internal public key and doesn't need to be freed. For compatibility +with OpenSSL < 1.1 however `X509_REQ_get_pubkey` is used. + +The code to extract the public key from a certificate + + X509_PUBKEY *key = X509_get_X509_PUBKEY(ucert); + EVP_PKEY* ucertpkey = X509_PUBKEY_get(key); + +has been replaced with + + EVP_PKEY* ucertpkey = X509_get_pubkey(ucert); + +Also in this case OpenSSL 1.1 has introduced another function to +extract the key without the need to later free it: `X509_get0_pubkey`, +but it has not been used for compatibility reasons with previous +versions of OpenSSL. + +To set various attributes of the certificate, code such as + + ASN1_INTEGER_set(cert->cert_info->version, 2); + cert->ex_flags |= EXFLAG_PROXY; + cert->ex_pcpathlen = 0; + +has to be replaced with + + X509_set_version(cert, 2L); + X509_set_proxy_flag(cert); + X509_set_proxy_pathlen(cert, 0); + +Given `STACK_OF(X509_EXTENSION)* extensions`, to add the extensions to a +certificate, code such as + + cert->cert_info->extensions = sk_X509_EXTENSION_new_null(); + for (i = 0; i < sk_X509_EXTENSION_num(extensions); ++i) { + X509_EXTENSION* extension = X509_EXTENSION_dup(sk_X509_EXTENSION_value(extensions, i)); + sk_X509_EXTENSION_push(cert->cert_info->extensions, extension); + } + +has to be replace with + + for (i = 0; i < sk_X509_EXTENSION_num(extensions); ++i) { + X509_EXTENSION* extension = X509_EXTENSION_dup(sk_X509_EXTENSION_value(extensions, i)); + X509_add_ext(cert, extension, -1); + } + +Given `X509_STORE* store`, `X509_STORE_CTX* ctx` and `int +proxy_check_issued(X509_STORE_CTX*, X509*, X509*)`, code such as + + X509_STORE_CTX_init(ctx, store, ...) + ctx->check_issued = proxy_check_issued; + +has to be replaced with + + X509_STORE_set_check_issued(store, proxy_check_issued); + X509_STORE_CTX_init(ctx, store, cert, cert_chain) + +i.e. `check_issued` has to be set for the `store`, whose contents are then used +for the initialization of `ctx`. + +Similarly for X505\_REQ\_INFO, code such as + + X509_REQ_INFO* req_info = req->req_info; + +has been removed. + +Code such as + + X509_ALGOR* alg1 = cert->cert_info->signature; + X509_ALGOR* alg2 = cert->sig_alg; + +has been replaced with + + X509_ALGOR const* alg1 = X509_get0_tbs_sigalg(cert) + X509_ALGOR const* alg2; + X509_get0_signature(NULL, &alg2, cert); + +Code such as + + ASN1_BIT_STRING* issuerUID = issuerc->cert_info->issuerUID + +has been replaced with + + ASN1_BIT_STRING const* issuerUID; + X509_get0_uids(issuerc, &issuerUID, NULL); + + + + + +### SSL_CTX + +Given `SSL_CTX* ctx`, code such as + + ctx->cert_store + +has to be replaced with + + SSL_CTX_get_cert_store(ctx) + +### BIO + +BIO has become an opaque data structure. The following lines are not +allowed any more. + + writeb = bio->method->bwrite; + readb = bio->method->bread; + bio->method->bwrite = globusf_write; + bio->method->bread = globusf_read; + +`writeb` and `readb` are global variables that are then used inside +`globus_write` and `globus_read` which wrap them in order to implement +the GSI protocol. + +`bio` is created with + + bio = BIO_new_socket(newsock, BIO_NOCLOSE); + (void)BIO_set_nbio(bio, 1); + +The above code is replaced with an explicit construction of a +BIO_METHOD object, which is then properly modified and used to +construct the final BIO. + + int const biom_type = BIO_get_new_index(); + static char const* const biom_name = "VOMS I/O"; + BIO_METHOD* voms_biom = BIO_meth_new(biom_type|BIO_TYPE_SOURCE_SINK|BIO_TYPE_DESCRIPTOR, biom_name); + + BIO_METHOD const* sock_biom = BIO_s_socket(); + + writeb = BIO_meth_get_write(const_cast(sock_biom)); + ret = BIO_meth_set_write(voms_biom, globusf_write); + + readb = BIO_meth_get_read(const_cast(sock_biom)); + ret = BIO_meth_set_read(voms_biom, globusf_read); + + BIO_meth_set_puts(voms_biom, BIO_meth_get_puts(const_cast(sock_biom))); + // and so on for all the other fields + +The `const_cast` is needed because the BIO API (and not only that one, +in fact) is not consistently const-correct. + +## Stack management + +The way to declare/define a new stack of user-defined types and corresponding access functions has changed. + +With OpenSSL before v. 1.1 it is necessary to declare and then define +all the functions to access a stack of a user-defined type. In VOMS +there are a couple of macros to ease the job: `DECL_STACK` is used in +a single header file to produce the declarations, `IMPL_STACK` is used +in a single source file to produce the definitions. + +OpenSSL 1.1 instead offers the DEFINE_STACK_OF macro, that, given a type, +generates the data structure and all the access functions, implemented +`static inline`. This means that the macro can be used in a header +file, which can then be included whenever needed. + +In order to have a common code base, the DECL_STACK and IMPL_STACK macros are always used, but when OpenSSL 1.1 is used, they are implemented as: + + #define DECL_STACK(type) DEFINE_STACK_OF(type) + #define IMPL_STACK(type) + +## Removal of macros + +The macro + + #define M_ASN1_INTEGER_cmp(a,b) ASN1_STRING_cmp(\ + (const ASN1_STRING *)a,(const ASN1_STRING *)b) + +doesn't exist any more. Its use has been replaced with `ASN1_INTEGER_cmp`, not +with `ASN1_STRING_cmp`, because the name is more meaningful even if they are not +completely equivalent. For example + + if (M_ASN1_INTEGER_cmp((key->serial), + (X509_get0_serialNumber(iss)))) + +becomes + + if (ASN1_INTEGER_cmp((key->serial), + (X509_get0_serialNumber(iss)))) + + +The macro + + #define M_ASN1_BIT_STRING_cmp(a,b) ASN1_STRING_cmp(\ + (const ASN1_STRING *)a,(const ASN1_STRING *)b) + +doesn't exist any more. Its use has been replaced by `ASN1_STRING_cmp`. + +The macro + + /* + * This is the default callbacks, but we can have others as well: this is + * needed in Win32 where the application malloc and the library malloc may + * not be the same. + */ + #define CRYPTO_malloc_init() CRYPTO_set_mem_functions(\ + malloc, realloc, free) + +doesn't exist any more and it doesn't seem terribly useful. Removed. + +The macro + + #define SSLeay_add_all_algorithms() OpenSSL_add_all_algorithms() + +doesn't exist any more. Its use has been replaced by the use of +`OpenSSL_add_all_algorithms`. + +The use of the macro + + # define X509_STORE_set_verify_cb_func(ctx,func) \ + X509_STORE_set_verify_cb((ctx),(func)) + +has been replaced by the direct call to `X509_STORE_set_verify_cb`. Moreover, +since the function returns `void`, checking the return value makes no sense. +Consequently code such as + + if (!X509_STORE_set_verify_cb_func(store, proxy_verify_callback)){ + internal_error("Error setting context store certificate verify callback"); + } + +becomes + + X509_STORE_set_verify_cb(store, proxy_verify_callback); + +## Encoding/decoding to/from ASN.1 + +The functions responsible for the encoding/decoding of user-defined +types, named `i2d_`, `d2i_`, `_new` and +`_free`, were implemented in terms of the macros `M_ASN1_I2D_*` +and `M_ASN1_D2I_*`, defined in ``. That header +doesn't exist any more, so those functions have been generated with +the macros `DECLARE_ASN1_FUNCTIONS`, `IMPLEMENT_ASN1_FUNCTIONS`, +`ASN1_SEQUENCE`, `ASN1_SIMPLE`, `ASN1_SEQUENCE_OF`, etc., defined in +``. + +The encoding/decoding of standard (RFC3820) Proxy Certificates is actually +available directly from OpenSSL. The encoding/decoding of pre-standard +(draft) Proxy Certificates has been adapted from the Globus code. + +The encoding/decoding of Attribute Certificates and the VOMS +extensions has been re-implemented from scratch. + +## Compatibility with OpenSSL 1.0.x + +Many of the changes listed above involve function calls that are not +available in previous versions of OpenSSL. In order to have the same +codebase, those functions have been copied (with some adaptation) into +the VOMS code base and are conditionally enabled (see files +`ssl-compat.h` and `ssl-compat.c`). diff --git a/spec/voms-all.spec b/spec/voms-all.spec index 44e9f9cb..ccb3e239 100644 --- a/spec/voms-all.spec +++ b/spec/voms-all.spec @@ -1,5 +1,5 @@ Name: voms -Version: 2.0.14 +Version: 2.1.0 Release: 1%{?dist} Summary: The Virtual Organisation Membership Service C++ APIs @@ -290,6 +290,9 @@ fi %{_mandir}/man8/voms.8* %changelog +* Tue Aug 23 2016 Andrea Ceccanti - 2.1.0-0 +- Packaging for 2.1.0 + * Tue Aug 23 2016 Andrea Ceccanti - 2.0.14-0 - Packaging for 2.0.14 diff --git a/src/ac/attributes.h b/src/ac/attributes.h index 5459b534..5ae9b93b 100644 --- a/src/ac/attributes.h +++ b/src/ac/attributes.h @@ -29,7 +29,6 @@ #include #include -#include #include #include #include @@ -50,8 +49,8 @@ typedef struct ACATTRIBUTE { ASN1_OCTET_STRING *name; - ASN1_OCTET_STRING *qualifier; ASN1_OCTET_STRING *value; + ASN1_OCTET_STRING *qualifier; } AC_ATTRIBUTE; typedef struct ACATTHOLDER { @@ -67,18 +66,6 @@ DECL_STACK(AC_ATTRIBUTE); DECL_STACK(AC_ATT_HOLDER); DECL_STACK(AC_FULL_ATTRIBUTES); -extern int i2d_AC_ATTRIBUTE(AC_ATTRIBUTE *, unsigned char **); -extern int i2d_AC_ATT_HOLDER(AC_ATT_HOLDER *, unsigned char **); -extern int i2d_AC_FULL_ATTRIBUTES(AC_FULL_ATTRIBUTES *, unsigned char **); - -extern AC_ATTRIBUTE *d2i_AC_ATTRIBUTE(AC_ATTRIBUTE **, VOMS_MAYBECONST unsigned char **, long); -extern AC_ATT_HOLDER *d2i_AC_ATT_HOLDER(AC_ATT_HOLDER **, VOMS_MAYBECONST unsigned char **, long); -extern AC_FULL_ATTRIBUTES *d2i_AC_FULL_ATTRIBUTES(AC_FULL_ATTRIBUTES **, VOMS_MAYBECONST unsigned char **, long); - -extern AC_ATTRIBUTE *AC_ATTRIBUTE_new(); -extern AC_ATT_HOLDER *AC_ATT_HOLDER_new(); -extern AC_FULL_ATTRIBUTES *AC_FULL_ATTRIBUTES_new(); - -extern void AC_ATTRIBUTE_free(AC_ATTRIBUTE *); -extern void AC_ATT_HOLDER_free(AC_ATT_HOLDER *); -extern void AC_FULL_ATTRIBUTES_free(AC_FULL_ATTRIBUTES *); +DECLARE_ASN1_FUNCTIONS(AC_ATTRIBUTE) +DECLARE_ASN1_FUNCTIONS(AC_ATT_HOLDER) +DECLARE_ASN1_FUNCTIONS(AC_FULL_ATTRIBUTES) diff --git a/src/ac/extensions.c b/src/ac/extensions.c index 73c892bc..d482293b 100644 --- a/src/ac/extensions.c +++ b/src/ac/extensions.c @@ -27,7 +27,6 @@ #include #include -#include #include #include #include @@ -41,6 +40,7 @@ #include "acerrors.h" #include "attributes.h" #include +#include #ifndef VOMS_MAYBECONST #if defined(D2I_OF) @@ -50,312 +50,6 @@ #endif #endif -int i2d_AC_SEQ(AC_SEQ *a, unsigned char **pp) -{ - M_ASN1_I2D_vars(a); -#ifdef TYPEDEF_I2D_OF - M_ASN1_I2D_len_SEQUENCE(a->acs, (i2d_of_void*)i2d_AC); -#else - M_ASN1_I2D_len_SEQUENCE(a->acs, i2d_AC); -#endif - M_ASN1_I2D_seq_total(); -#ifdef TYPEDEF_I2D_OF - M_ASN1_I2D_put_SEQUENCE(a->acs, (i2d_of_void*)i2d_AC); -#else - M_ASN1_I2D_put_SEQUENCE(a->acs, i2d_AC); -#endif - M_ASN1_I2D_finish(); -} - -AC_SEQ *d2i_AC_SEQ(AC_SEQ **a, VOMS_MAYBECONST unsigned char **pp, long length) -{ - M_ASN1_D2I_vars(a, AC_SEQ *, AC_SEQ_new); - - M_ASN1_D2I_Init(); - M_ASN1_D2I_start_sequence(); - M_ASN1_D2I_get_seq(ret->acs, d2i_AC, AC_free); - M_ASN1_D2I_Finish(a, AC_SEQ_free, ASN1_F_D2I_AC_SEQ); -} - -AC_SEQ *AC_SEQ_new() -{ - AC_SEQ *ret = NULL; - ASN1_CTX c; - - M_ASN1_New_Malloc(ret, AC_SEQ); - M_ASN1_New(ret->acs, sk_AC_new_null); - return ret; - M_ASN1_New_Error(AC_F_AC_SEQ_new); -} - -void AC_SEQ_free(AC_SEQ *a) -{ - if (a==NULL) return; - - sk_AC_pop_free(a->acs, AC_free); - OPENSSL_free(a); -} - -int i2d_AC_TARGETS(AC_TARGETS *a, unsigned char **pp) -{ - M_ASN1_I2D_vars(a); - M_ASN1_I2D_len_SEQUENCE(a->targets, i2d_AC_TARGET); - M_ASN1_I2D_seq_total(); - M_ASN1_I2D_put_SEQUENCE(a->targets, i2d_AC_TARGET); - M_ASN1_I2D_finish(); -} -AC_TARGETS *d2i_AC_TARGETS(AC_TARGETS **a, VOMS_MAYBECONST unsigned char **pp, long length) -{ - M_ASN1_D2I_vars(a, AC_TARGETS *, AC_TARGETS_new); - - M_ASN1_D2I_Init(); - M_ASN1_D2I_start_sequence(); - M_ASN1_D2I_get_seq(ret->targets, d2i_AC_TARGET, AC_TARGET_free); - M_ASN1_D2I_Finish(a, AC_TARGETS_free, ASN1_F_D2I_AC_TARGETS); -} -AC_TARGETS *AC_TARGETS_new() -{ - AC_TARGETS *ret=NULL; - ASN1_CTX c; - - M_ASN1_New_Malloc(ret, AC_TARGETS); - M_ASN1_New(ret->targets, sk_AC_TARGET_new_null); - return ret; - M_ASN1_New_Error(AC_F_AC_TARGETS_New); -} - -void AC_TARGETS_free(AC_TARGETS *a) -{ - if (a==NULL) return; - - sk_AC_TARGET_pop_free(a->targets, AC_TARGET_free); - OPENSSL_free(a); -} - -int i2d_AC_TARGET(AC_TARGET *a, unsigned char **pp) -{ - int v1=0, v2=0, v3=0; - - M_ASN1_I2D_vars(a); - M_ASN1_I2D_len_EXP_opt(a->name, i2d_GENERAL_NAME, 0, v1); - M_ASN1_I2D_len_EXP_opt(a->group, i2d_GENERAL_NAME, 1, v2); - M_ASN1_I2D_len_EXP_opt(a->cert, i2d_AC_IS, 2, v3); - M_ASN1_I2D_seq_total(); - - M_ASN1_I2D_put_EXP_opt(a->name, i2d_GENERAL_NAME, 0, v1); - M_ASN1_I2D_put_EXP_opt(a->group, i2d_GENERAL_NAME, 1, v2); - M_ASN1_I2D_put_EXP_opt(a->cert, i2d_AC_IS, 2, v3); - M_ASN1_I2D_finish(); -} - -AC_TARGET *d2i_AC_TARGET(AC_TARGET **a, VOMS_MAYBECONST unsigned char **pp, long length) -{ - M_ASN1_D2I_vars(a, AC_TARGET *, AC_TARGET_new); - - M_ASN1_D2I_Init(); - M_ASN1_D2I_start_sequence(); - M_ASN1_D2I_get_EXP_opt(ret->name, d2i_GENERAL_NAME, 0); - M_ASN1_D2I_get_EXP_opt(ret->group, d2i_GENERAL_NAME, 1); - M_ASN1_D2I_get_EXP_opt(ret->cert, d2i_AC_IS, 2); - M_ASN1_D2I_Finish(a, AC_TARGET_free, ASN1_F_D2I_AC_TARGET); -} - -AC_TARGET *AC_TARGET_new(void) -{ - AC_TARGET *ret=NULL; - ASN1_CTX c; - - M_ASN1_New_Malloc(ret, AC_TARGET); - ret->name = ret->group = NULL; - ret->cert = NULL; - return ret; - M_ASN1_New_Error(AC_F_AC_TARGET_New); -} - -void AC_TARGET_free(AC_TARGET *a) -{ - if (a==NULL) return; - GENERAL_NAME_free(a->name); - GENERAL_NAME_free(a->group); - AC_IS_free(a->cert); - OPENSSL_free(a); -} - -int i2d_AC_CERTS(AC_CERTS *a, unsigned char **pp) -{ - M_ASN1_I2D_vars(a); - M_ASN1_I2D_len_SEQUENCE(a->stackcert, i2d_X509); - M_ASN1_I2D_seq_total(); - M_ASN1_I2D_put_SEQUENCE(a->stackcert, i2d_X509); - M_ASN1_I2D_finish(); -} - -AC_CERTS *d2i_AC_CERTS(AC_CERTS **a, VOMS_MAYBECONST unsigned char **pp, long length) -{ - M_ASN1_D2I_vars(a, AC_CERTS *, AC_CERTS_new); - - M_ASN1_D2I_Init(); - M_ASN1_D2I_start_sequence(); - M_ASN1_D2I_get_seq(ret->stackcert, d2i_X509, X509_free); - M_ASN1_D2I_Finish(a, AC_CERTS_free, ASN1_F_D2I_AC_CERTS); -} - -AC_CERTS *AC_CERTS_new() -{ - AC_CERTS *ret=NULL; - ASN1_CTX c; - - M_ASN1_New_Malloc(ret, AC_CERTS); - M_ASN1_New(ret->stackcert, sk_X509_new_null); - return ret; - M_ASN1_New_Error(AC_F_X509_New); -} - -void AC_CERTS_free(AC_CERTS *a) -{ - if (a==NULL) return; - - sk_X509_pop_free(a->stackcert, X509_free); - OPENSSL_free(a); -} - -int i2d_AC_ATTRIBUTE(AC_ATTRIBUTE *a, unsigned char **pp) -{ - M_ASN1_I2D_vars(a); - M_ASN1_I2D_len(a->name, i2d_ASN1_OCTET_STRING); - M_ASN1_I2D_len(a->value, i2d_ASN1_OCTET_STRING); - M_ASN1_I2D_len(a->qualifier, i2d_ASN1_OCTET_STRING); - - M_ASN1_I2D_seq_total(); - - M_ASN1_I2D_put(a->name, i2d_ASN1_OCTET_STRING); - M_ASN1_I2D_put(a->value, i2d_ASN1_OCTET_STRING); - M_ASN1_I2D_put(a->qualifier, i2d_ASN1_OCTET_STRING); - - M_ASN1_I2D_finish(); -} - -AC_ATTRIBUTE *d2i_AC_ATTRIBUTE(AC_ATTRIBUTE **a, VOMS_MAYBECONST unsigned char **pp, long length) -{ - M_ASN1_D2I_vars(a, AC_ATTRIBUTE *, AC_ATTRIBUTE_new); - - M_ASN1_D2I_Init(); - M_ASN1_D2I_start_sequence(); - M_ASN1_D2I_get(ret->name, d2i_ASN1_OCTET_STRING); - M_ASN1_D2I_get(ret->value, d2i_ASN1_OCTET_STRING); - M_ASN1_D2I_get(ret->qualifier, d2i_ASN1_OCTET_STRING); - - M_ASN1_D2I_Finish(a, AC_ATTRIBUTE_free, AC_F_D2I_AC_ATTRIBUTE); -} - -AC_ATTRIBUTE *AC_ATTRIBUTE_new() -{ - AC_ATTRIBUTE *ret = NULL; - ASN1_CTX c; - M_ASN1_New_Malloc(ret, AC_ATTRIBUTE); - M_ASN1_New(ret->name, ASN1_OCTET_STRING_new); - M_ASN1_New(ret->value, ASN1_OCTET_STRING_new); - M_ASN1_New(ret->qualifier, ASN1_OCTET_STRING_new); - - return ret; - M_ASN1_New_Error(AC_F_ATTRIBUTE_New); -} - -void AC_ATTRIBUTE_free(AC_ATTRIBUTE *a) -{ - if (a == NULL) return; - - ASN1_OCTET_STRING_free(a->name); - ASN1_OCTET_STRING_free(a->value); - ASN1_OCTET_STRING_free(a->qualifier); - - OPENSSL_free(a); -} - -int i2d_AC_ATT_HOLDER(AC_ATT_HOLDER *a, unsigned char **pp) -{ - M_ASN1_I2D_vars(a); - M_ASN1_I2D_len(a->grantor, i2d_GENERAL_NAMES); - M_ASN1_I2D_len_SEQUENCE(a->attributes, i2d_AC_ATTRIBUTE); - M_ASN1_I2D_seq_total(); - - M_ASN1_I2D_put(a->grantor, i2d_GENERAL_NAMES); - M_ASN1_I2D_put_SEQUENCE(a->attributes, i2d_AC_ATTRIBUTE); - M_ASN1_I2D_finish(); -} - - -AC_ATT_HOLDER *d2i_AC_ATT_HOLDER(AC_ATT_HOLDER **a, VOMS_MAYBECONST unsigned char **pp, long length) -{ - M_ASN1_D2I_vars(a, AC_ATT_HOLDER *, AC_ATT_HOLDER_new); - - M_ASN1_D2I_Init(); - M_ASN1_D2I_start_sequence(); - M_ASN1_D2I_get(ret->grantor, d2i_GENERAL_NAMES); - M_ASN1_D2I_get_seq(ret->attributes, d2i_AC_ATTRIBUTE, AC_ATTRIBUTE_free); - M_ASN1_D2I_Finish(a, AC_ATT_HOLDER_free, ASN1_F_D2I_AC_ATT_HOLDER); -} - -AC_ATT_HOLDER *AC_ATT_HOLDER_new() -{ - AC_ATT_HOLDER *ret = NULL; - ASN1_CTX c; - - M_ASN1_New_Malloc(ret, AC_ATT_HOLDER); - M_ASN1_New(ret->grantor, sk_GENERAL_NAME_new_null); - M_ASN1_New(ret->attributes, sk_AC_ATTRIBUTE_new_null); - return ret; - - M_ASN1_New_Error(AC_F_AC_ATT_HOLDER_New); -} - -void AC_ATT_HOLDER_free(AC_ATT_HOLDER *a) -{ - if (a == NULL) return; - - sk_GENERAL_NAME_pop_free(a->grantor, GENERAL_NAME_free); - sk_AC_ATTRIBUTE_pop_free(a->attributes, AC_ATTRIBUTE_free); - OPENSSL_free(a); -} - -int i2d_AC_FULL_ATTRIBUTES(AC_FULL_ATTRIBUTES *a, unsigned char **pp) -{ - M_ASN1_I2D_vars(a); - M_ASN1_I2D_len_SEQUENCE(a->providers, i2d_AC_ATT_HOLDER); - M_ASN1_I2D_seq_total(); - M_ASN1_I2D_put_SEQUENCE(a->providers, i2d_AC_ATT_HOLDER); - M_ASN1_I2D_finish(); -} - -AC_FULL_ATTRIBUTES *d2i_AC_FULL_ATTRIBUTES(AC_FULL_ATTRIBUTES **a, VOMS_MAYBECONST unsigned char **pp, long length) -{ - M_ASN1_D2I_vars(a, AC_FULL_ATTRIBUTES *, AC_FULL_ATTRIBUTES_new); - - M_ASN1_D2I_Init(); - M_ASN1_D2I_start_sequence(); - M_ASN1_D2I_get_seq(ret->providers, d2i_AC_ATT_HOLDER, AC_ATT_HOLDER_free); - M_ASN1_D2I_Finish(a, AC_FULL_ATTRIBUTES_free, ASN1_F_D2I_AC_FULL_ATTRIBUTES); -} - -AC_FULL_ATTRIBUTES *AC_FULL_ATTRIBUTES_new() -{ - AC_FULL_ATTRIBUTES *ret = NULL; - ASN1_CTX c; - - M_ASN1_New_Malloc(ret, AC_FULL_ATTRIBUTES); - M_ASN1_New(ret->providers, sk_AC_ATT_HOLDER_new_null); - return ret; - M_ASN1_New_Error(AC_F_AC_FULL_ATTRIBUTES_New); -} - -void AC_FULL_ATTRIBUTES_free(AC_FULL_ATTRIBUTES *a) -{ - if (a == NULL) return; - - sk_AC_ATT_HOLDER_pop_free(a->providers, AC_ATT_HOLDER_free); - OPENSSL_free(a); -} - static char *norep() { static char *buffer = 0; @@ -487,9 +181,9 @@ void *attributes_s2i(UNUSED(struct v3_ext_method *method), UNUSED(struct v3_ext_ /* a->providers = sk_AC_ATT_HOLDER_dup(stack); */ for (i = 0; i < sk_AC_ATT_HOLDER_num(stack); i++) sk_AC_ATT_HOLDER_push(a->providers, - (AC_ATT_HOLDER *)ASN1_dup((int (*)())i2d_AC_ATT_HOLDER, - (char * (*)())d2i_AC_ATT_HOLDER, - (char *)(sk_AC_ATT_HOLDER_value(stack, i)))); + (AC_ATT_HOLDER *)ASN1_dup((i2d_of_void*)i2d_AC_ATT_HOLDER, + (d2i_of_void*)d2i_AC_ATT_HOLDER, + sk_AC_ATT_HOLDER_value(stack, i))); return a; @@ -516,9 +210,13 @@ void *authkey_s2i(UNUSED(struct v3_ext_method *method), UNUSED(struct v3_ext_ctx AUTHORITY_KEYID *keyid = AUTHORITY_KEYID_new(); if (str && keyid) { - SHA1(cert->cert_info->key->public_key->data, - cert->cert_info->key->public_key->length, - digest); + X509_PUBKEY* pk = X509_get_X509_PUBKEY(cert); + assert(pk != NULL && "X509_get_X509_PUBKEY failed"); + unsigned char const* data; + int len; + int e = X509_PUBKEY_get0_param(NULL, &data, &len, NULL, pk); + assert(e == 1 && "X509_PUBKEY_get0_param failed"); + SHA1(data, len, digest); ASN1_OCTET_STRING_set(str, digest, 20); ASN1_OCTET_STRING_free(keyid->keyid); keyid->keyid = str; @@ -557,8 +255,11 @@ int initEx(void) return 0; } +#ifndef VOMS_USE_OPENSSL_EXT_CODE memset(auth, 0, sizeof(*auth)); - auth->ext_nid = OBJ_txt2nid("authKeyId"); + + auth->ext_nid = OBJ_txt2nid("authorityKeyIdentifier"); + auth->ext_flags = 0; auth->ext_new = (X509V3_EXT_NEW) AUTHORITY_KEYID_new; auth->ext_free = (X509V3_EXT_FREE)AUTHORITY_KEYID_free; @@ -571,22 +272,26 @@ int initEx(void) auth->i2v = (X509V3_EXT_I2V) NULL; auth->i2r = (X509V3_EXT_I2R) NULL; + X509V3_EXT_add(auth); + memset(avail, 0, sizeof(*avail)); - avail->ext_nid = OBJ_txt2nid("idcenoRevAvail"); + avail->ext_nid = OBJ_txt2nid("noRevAvail"); avail->ext_flags = 0; avail->ext_new = (X509V3_EXT_NEW) ASN1_NULL_new; avail->ext_free = (X509V3_EXT_FREE)ASN1_NULL_free; avail->d2i = (X509V3_EXT_D2I) d2i_ASN1_NULL; avail->i2d = (X509V3_EXT_I2D) i2d_ASN1_NULL; - avail->i2s = (X509V3_EXT_I2S) null_i2s; - avail->s2i = (X509V3_EXT_S2I) null_s2i; + avail->i2s = (X509V3_EXT_I2S) NULL; + avail->s2i = (X509V3_EXT_S2I) NULL; avail->v2i = (X509V3_EXT_V2I) NULL; avail->r2i = (X509V3_EXT_R2I) NULL; avail->i2v = (X509V3_EXT_I2V) NULL; avail->i2r = (X509V3_EXT_I2R) NULL; + X509V3_EXT_add(avail); + memset(targets, 0, sizeof(*targets)); - targets->ext_nid = OBJ_txt2nid("idceTargets"); + targets->ext_nid = OBJ_txt2nid("targetInformation"); targets->ext_flags = 0; targets->ext_new = (X509V3_EXT_NEW) AC_TARGETS_new; targets->ext_free = (X509V3_EXT_FREE)AC_TARGETS_free; @@ -598,6 +303,9 @@ int initEx(void) targets->v2i = (X509V3_EXT_V2I) NULL; targets->r2i = (X509V3_EXT_R2I) NULL; targets->i2r = (X509V3_EXT_I2R) NULL; +#endif + + X509V3_EXT_add(targets); memset(acseq, 0, sizeof(*acseq)); acseq->ext_nid = OBJ_txt2nid("acseq"); @@ -613,6 +321,8 @@ int initEx(void) acseq->r2i = (X509V3_EXT_R2I) NULL; acseq->i2r = (X509V3_EXT_I2R) NULL; + X509V3_EXT_add(acseq); + memset(certseq, 0, sizeof(*certseq)); certseq->ext_nid = OBJ_txt2nid("certseq"); certseq->ext_flags = 0; @@ -627,6 +337,8 @@ int initEx(void) certseq->r2i = (X509V3_EXT_R2I) NULL; certseq->i2r = (X509V3_EXT_I2R) NULL; + X509V3_EXT_add(certseq); + memset(attribs, 0, sizeof(*attribs)); attribs->ext_nid = OBJ_txt2nid("attributes"); attribs->ext_flags = 0; @@ -641,11 +353,6 @@ int initEx(void) attribs->r2i = (X509V3_EXT_R2I) NULL; attribs->i2r = (X509V3_EXT_I2R) NULL; - X509V3_EXT_add(avail); - X509V3_EXT_add(targets); - X509V3_EXT_add(auth); - X509V3_EXT_add(acseq); - X509V3_EXT_add(certseq); X509V3_EXT_add(attribs); return 1; diff --git a/src/ac/init.c b/src/ac/init.c index 8d0c2d6a..442184c3 100644 --- a/src/ac/init.c +++ b/src/ac/init.c @@ -66,12 +66,16 @@ void declareOIDs(void) return; done=1; + OBJC(idatcap,"idatcap"); - /* //// test */ + OBJC(attributes,"attributes"); + + /* OBJC(idcenoRevAvail, "noRevAvail"); - OBJC(idceauthKeyIdentifier, "authKeyId"); - OBJC(idceTargets, "idceTargets"); + OBJC(idceTargets, "targetInformation"); + */ + OBJC(acseq, "acseq"); OBJC(order, "order"); OBJC(voms, "voms"); diff --git a/src/ac/mystack.c b/src/ac/mystack.c index 8937c672..ee45116d 100644 --- a/src/ac/mystack.c +++ b/src/ac/mystack.c @@ -31,23 +31,17 @@ IMPL_STACK(AC_IETFATTR) IMPL_STACK(AC_IETFATTRVAL) IMPL_STACK(AC_ATTR) -IMPL_STACK(AC); -/* -IMPL_STACK(AC_INFO); -IMPL_STACK(AC_VAL); -IMPL_STACK(AC_HOLDER); -IMPL_STACK(AC_ACI); -IMPL_STACK(AC_FORM); -IMPL_STACK(AC_IS); -IMPL_STACK(AC_DIGEST); -IMPL_STACK(AC_TARGETS); -*/ -IMPL_STACK(AC_TARGET); -/* +IMPL_STACK(AC) +IMPL_STACK(AC_INFO) +IMPL_STACK(AC_VAL) +IMPL_STACK(AC_HOLDER) +IMPL_STACK(AC_ACI) +IMPL_STACK(AC_FORM) +IMPL_STACK(AC_IS) +IMPL_STACK(AC_DIGEST) +IMPL_STACK(AC_TARGETS) +IMPL_STACK(AC_TARGET) IMPL_STACK(AC_CERTS); -*/ IMPL_STACK(AC_ATTRIBUTE) IMPL_STACK(AC_ATT_HOLDER) -/* IMPL_STACK(AC_FULL_ATTRIBUTES) -*/ diff --git a/src/ac/newformat.c b/src/ac/newformat.c index 1085f082..078cbff1 100644 --- a/src/ac/newformat.c +++ b/src/ac/newformat.c @@ -28,11 +28,10 @@ #include #include -#include #include #include #include -#include +#include #include #include #include "newformat.h" @@ -47,552 +46,149 @@ #endif #endif -int i2d_AC_ATTR(AC_ATTR *a, unsigned char **pp) -{ - char text[1000]; - - M_ASN1_I2D_vars(a); - - if (!i2t_ASN1_OBJECT(text,999,a->type)) - return 0; - else if (!((strcmp(text, "idacagroup") == 0) || (strcmp(text,"idatcap") == 0))) - return 0; - - M_ASN1_I2D_len(a->type, i2d_ASN1_OBJECT); - M_ASN1_I2D_len_SET_type(AC_IETFATTR, a->ietfattr, i2d_AC_IETFATTR); - M_ASN1_I2D_seq_total(); - M_ASN1_I2D_put(a->type, i2d_ASN1_OBJECT); - M_ASN1_I2D_put_SET_type(AC_IETFATTR,a->ietfattr, i2d_AC_IETFATTR); - M_ASN1_I2D_finish(); -} - -AC_ATTR *d2i_AC_ATTR(AC_ATTR **a, VOMS_MAYBECONST unsigned char **pp, long length) -{ - char text[1000]; - - M_ASN1_D2I_vars(a, AC_ATTR *, AC_ATTR_new); - M_ASN1_D2I_Init(); - M_ASN1_D2I_start_sequence(); - M_ASN1_D2I_get(ret->type, d2i_ASN1_OBJECT); - - if (!i2t_ASN1_OBJECT(text,999, ret->type)) { - c.error = ASN1_R_NOT_ENOUGH_DATA; - goto err; - } - - if (strcmp(text, "idatcap") == 0) - M_ASN1_D2I_get_set_type(AC_IETFATTR, ret->ietfattr, d2i_AC_IETFATTR, AC_IETFATTR_free); - M_ASN1_D2I_Finish(a, AC_ATTR_free, ASN1_F_D2I_AC_ATTR); -} - -AC_ATTR *AC_ATTR_new() -{ - AC_ATTR *ret = NULL; - ASN1_CTX c; - M_ASN1_New_Malloc(ret, AC_ATTR); - M_ASN1_New(ret->type, ASN1_OBJECT_new); - M_ASN1_New(ret->ietfattr, sk_AC_IETFATTR_new_null); - return ret; - M_ASN1_New_Error(AC_F_ATTR_New); -} - -void AC_ATTR_free(AC_ATTR *a) -{ - if (!a) - return; - - ASN1_OBJECT_free(a->type); - sk_AC_IETFATTR_pop_free(a->ietfattr, AC_IETFATTR_free); - OPENSSL_free(a); -} - -int i2d_AC_IETFATTR(AC_IETFATTR *a, unsigned char **pp) -{ - M_ASN1_I2D_vars(a); - M_ASN1_I2D_len_IMP_opt(a->names, i2d_GENERAL_NAMES); - M_ASN1_I2D_len_SEQUENCE(a->values, i2d_AC_IETFATTRVAL); - M_ASN1_I2D_seq_total(); - - M_ASN1_I2D_put_IMP_opt(a->names, i2d_GENERAL_NAMES, 0); - M_ASN1_I2D_put_SEQUENCE(a->values, i2d_AC_IETFATTRVAL); - M_ASN1_I2D_finish(); -} - -AC_IETFATTR *d2i_AC_IETFATTR(AC_IETFATTR **a, VOMS_MAYBECONST unsigned char **pp, long length) -{ - M_ASN1_D2I_vars(a, AC_IETFATTR *, AC_IETFATTR_new); - - M_ASN1_D2I_Init(); - M_ASN1_D2I_start_sequence(); - M_ASN1_D2I_get_IMP_opt(ret->names, d2i_GENERAL_NAMES, 0, V_ASN1_SEQUENCE); - M_ASN1_D2I_get_seq(ret->values, d2i_AC_IETFATTRVAL, AC_IETFATTRVAL_free); - M_ASN1_D2I_Finish(a, AC_IETFATTR_free, ASN1_F_D2I_AC_IETFATTR); -} - -AC_IETFATTR *AC_IETFATTR_new() -{ - AC_IETFATTR *ret = NULL; - ASN1_CTX c; - - M_ASN1_New_Malloc(ret, AC_IETFATTR); - M_ASN1_New(ret->values, sk_AC_IETFATTRVAL_new_null); - M_ASN1_New(ret->names, sk_GENERAL_NAME_new_null); - return ret; - M_ASN1_New_Error(AC_F_IETFATTR_New); -} - -void AC_IETFATTR_free (AC_IETFATTR *a) -{ - if (a==NULL) return; - - sk_GENERAL_NAME_pop_free(a->names, GENERAL_NAME_free); - sk_AC_IETFATTRVAL_pop_free(a->values, AC_IETFATTRVAL_free); - OPENSSL_free(a); -} - - -int i2d_AC_IETFATTRVAL(AC_IETFATTRVAL *a, unsigned char **pp) -{ - if (a->type == V_ASN1_OCTET_STRING || a->type == V_ASN1_OBJECT || - a->type == V_ASN1_UTF8STRING) - return (i2d_ASN1_bytes((ASN1_STRING *)a, pp, a->type, V_ASN1_UNIVERSAL)); - - ASN1err(ASN1_F_I2D_AC_IETFATTRVAL,ASN1_R_WRONG_TYPE); - return -1; -} - -AC_IETFATTRVAL *d2i_AC_IETFATTRVAL(AC_IETFATTRVAL **a, VOMS_MAYBECONST unsigned char **pp, long length) -{ - unsigned char tag; - tag = **pp & ~V_ASN1_CONSTRUCTED; - if (tag == (V_ASN1_OCTET_STRING|V_ASN1_UNIVERSAL)) - return d2i_ASN1_OCTET_STRING(a, pp, length); - if (tag == (V_ASN1_OBJECT|V_ASN1_UNIVERSAL)) - return (AC_IETFATTRVAL *)d2i_ASN1_OBJECT((ASN1_OBJECT **)a, pp, length); - if (tag == (V_ASN1_UTF8STRING|V_ASN1_UNIVERSAL)) - return d2i_ASN1_UTF8STRING(a, pp, length); - ASN1err(ASN1_F_D2I_AC_IETFATTRVAL, ASN1_R_WRONG_TYPE); - return (NULL); -} - -AC_IETFATTRVAL *AC_IETFATTRVAL_new() -{ - return ASN1_STRING_type_new(V_ASN1_UTF8STRING); -} - -void AC_IETFATTRVAL_free(AC_IETFATTRVAL *a) -{ - ASN1_STRING_free(a); -} - -int i2d_AC_DIGEST(AC_DIGEST *a, unsigned char **pp) -{ - M_ASN1_I2D_vars(a); - M_ASN1_I2D_len(a->type, i2d_ASN1_ENUMERATED); - M_ASN1_I2D_len(a->oid, i2d_ASN1_OBJECT); - M_ASN1_I2D_len(a->algor, i2d_X509_ALGOR); - M_ASN1_I2D_len(a->digest, i2d_ASN1_BIT_STRING); - M_ASN1_I2D_seq_total(); - - M_ASN1_I2D_put(a->type, i2d_ASN1_ENUMERATED); - M_ASN1_I2D_put(a->oid, i2d_ASN1_OBJECT); - M_ASN1_I2D_put(a->algor, i2d_X509_ALGOR); - M_ASN1_I2D_put(a->digest, i2d_ASN1_BIT_STRING); - M_ASN1_I2D_finish(); -} - -AC_DIGEST *d2i_AC_DIGEST(AC_DIGEST **a, VOMS_MAYBECONST unsigned char **pp, long length) -{ - M_ASN1_D2I_vars(a, AC_DIGEST *, AC_DIGEST_new); - - M_ASN1_D2I_Init(); - M_ASN1_D2I_start_sequence(); - M_ASN1_D2I_get(ret->type, d2i_ASN1_ENUMERATED); - M_ASN1_D2I_get(ret->oid, d2i_ASN1_OBJECT); - M_ASN1_D2I_get(ret->algor, d2i_X509_ALGOR); - M_ASN1_D2I_get(ret->digest, d2i_ASN1_BIT_STRING); - M_ASN1_D2I_Finish(a, AC_DIGEST_free, AC_F_D2I_AC_DIGEST); -} - -AC_DIGEST *AC_DIGEST_new(void) -{ - AC_DIGEST *ret = NULL; - ASN1_CTX c; - - M_ASN1_New_Malloc(ret, AC_DIGEST); - M_ASN1_New(ret->type, M_ASN1_ENUMERATED_new); - ret->oid = NULL; - ret->algor = NULL; - M_ASN1_New(ret->algor, X509_ALGOR_new); - M_ASN1_New(ret->digest, M_ASN1_BIT_STRING_new); - return(ret); - M_ASN1_New_Error(AC_F_AC_DIGEST_New); -} - -void AC_DIGEST_free(AC_DIGEST *a) -{ - if (a==NULL) return; - - ASN1_ENUMERATED_free(a->type); - ASN1_OBJECT_free(a->oid); - X509_ALGOR_free(a->algor); - ASN1_BIT_STRING_free(a->digest); - OPENSSL_free(a); -} - -int i2d_AC_IS(AC_IS *a, unsigned char **pp) -{ - M_ASN1_I2D_vars(a); - M_ASN1_I2D_len(a->issuer, i2d_GENERAL_NAMES); - M_ASN1_I2D_len(a->serial, i2d_ASN1_INTEGER); - M_ASN1_I2D_len_IMP_opt(a->uid, i2d_ASN1_BIT_STRING); - M_ASN1_I2D_seq_total(); - - M_ASN1_I2D_put(a->issuer, i2d_GENERAL_NAMES); - M_ASN1_I2D_put(a->serial, i2d_ASN1_INTEGER); - M_ASN1_I2D_put_IMP_opt(a->uid, i2d_ASN1_BIT_STRING, V_ASN1_BIT_STRING); - M_ASN1_I2D_finish(); -} - -AC_IS *d2i_AC_IS(AC_IS **a, VOMS_MAYBECONST unsigned char **pp, long length) -{ - M_ASN1_D2I_vars(a, AC_IS *, AC_IS_new); - - M_ASN1_D2I_Init(); - M_ASN1_D2I_start_sequence(); - M_ASN1_D2I_get(ret->issuer, d2i_GENERAL_NAMES); - M_ASN1_D2I_get(ret->serial, d2i_ASN1_INTEGER); - M_ASN1_D2I_get_opt(ret->uid, d2i_ASN1_BIT_STRING, V_ASN1_BIT_STRING); - M_ASN1_D2I_Finish(a, AC_IS_free, AC_F_D2I_AC_IS); -} - -AC_IS *AC_IS_new(void) -{ - AC_IS *ret = NULL; - ASN1_CTX c; - - M_ASN1_New_Malloc(ret, AC_IS); - M_ASN1_New(ret->issuer, GENERAL_NAMES_new); - M_ASN1_New(ret->serial, M_ASN1_INTEGER_new); - ret->uid = NULL; - return(ret); - M_ASN1_New_Error(AC_F_AC_IS_New); -} - -void AC_IS_free(AC_IS *a) -{ - if (a==NULL) return; - - GENERAL_NAMES_free(a->issuer); - M_ASN1_INTEGER_free(a->serial); - M_ASN1_BIT_STRING_free(a->uid); - OPENSSL_free(a); -} - -int i2d_AC_FORM(AC_FORM *a, unsigned char **pp) -{ - M_ASN1_I2D_vars(a); - - M_ASN1_I2D_len(a->names, i2d_GENERAL_NAMES); - M_ASN1_I2D_len_IMP_opt(a->is, i2d_AC_IS); - M_ASN1_I2D_len_IMP_opt(a->digest, i2d_AC_DIGEST); - M_ASN1_I2D_seq_total(); - - M_ASN1_I2D_put(a->names, i2d_GENERAL_NAMES); - M_ASN1_I2D_put_IMP_opt(a->is, i2d_AC_IS, 0); - M_ASN1_I2D_put_IMP_opt(a->digest, i2d_AC_DIGEST, 1); - M_ASN1_I2D_finish(); -} - -AC_FORM *d2i_AC_FORM(AC_FORM **a, VOMS_MAYBECONST unsigned char **pp, long length) -{ - M_ASN1_D2I_vars(a, AC_FORM *, AC_FORM_new); - - M_ASN1_D2I_Init(); - M_ASN1_D2I_start_sequence(); - M_ASN1_D2I_get(ret->names, d2i_GENERAL_NAMES); - M_ASN1_D2I_get_IMP_opt(ret->is, d2i_AC_IS, 0, V_ASN1_SEQUENCE); - M_ASN1_D2I_get_IMP_opt(ret->digest, d2i_AC_DIGEST, 1, V_ASN1_SEQUENCE); - M_ASN1_D2I_Finish(a, AC_FORM_free, ASN1_F_D2I_AC_FORM); -} - -AC_FORM *AC_FORM_new(void) -{ - AC_FORM *ret = NULL; - ASN1_CTX c; - - M_ASN1_New_Malloc(ret, AC_FORM); - ret->names = GENERAL_NAMES_new(); - ret->is = NULL; - ret->digest = NULL; - return(ret); - M_ASN1_New_Error(AC_F_AC_FORM_New); -} - -void AC_FORM_free(AC_FORM *a) -{ - if (a==NULL) return; - - GENERAL_NAMES_free(a->names); - AC_IS_free(a->is); - AC_DIGEST_free(a->digest); - OPENSSL_free(a); - -} - -int i2d_AC_HOLDER(AC_HOLDER *a, unsigned char **pp) -{ - M_ASN1_I2D_vars(a); - - M_ASN1_I2D_len_IMP_opt(a->baseid, i2d_AC_IS); - M_ASN1_I2D_len_IMP_opt(a->name, i2d_GENERAL_NAMES); - M_ASN1_I2D_len_IMP_opt(a->digest, i2d_AC_DIGEST); - M_ASN1_I2D_seq_total(); - - M_ASN1_I2D_put_IMP_opt(a->baseid, i2d_AC_IS, 0); - M_ASN1_I2D_put_IMP_opt(a->name, i2d_GENERAL_NAMES, 1); - M_ASN1_I2D_put_IMP_opt(a->digest, i2d_AC_DIGEST, 2); - M_ASN1_I2D_finish(); -} - -AC_HOLDER *d2i_AC_HOLDER(AC_HOLDER **a, VOMS_MAYBECONST unsigned char **pp, long length) -{ - M_ASN1_D2I_vars(a, AC_HOLDER *, AC_HOLDER_new); - - M_ASN1_D2I_Init(); - M_ASN1_D2I_start_sequence(); - M_ASN1_D2I_get_IMP_opt(ret->baseid, d2i_AC_IS, 0, V_ASN1_SEQUENCE); - M_ASN1_D2I_get_IMP_opt(ret->name, d2i_GENERAL_NAMES, 1, V_ASN1_SEQUENCE); - M_ASN1_D2I_get_IMP_opt(ret->digest, d2i_AC_DIGEST, 2, V_ASN1_SEQUENCE); - M_ASN1_D2I_Finish(a, AC_HOLDER_free, ASN1_F_D2I_AC_HOLDER); -} - -AC_HOLDER *AC_HOLDER_new(void) -{ - AC_HOLDER *ret = NULL; - ASN1_CTX c; - - M_ASN1_New_Malloc(ret, AC_HOLDER); - M_ASN1_New(ret->baseid, AC_IS_new); - ret->name = NULL; - ret->digest = NULL; - return(ret); - M_ASN1_New_Error(ASN1_F_AC_HOLDER_New); -} +ASN1_SEQUENCE(AC_DIGEST) = { + ASN1_SIMPLE(AC_DIGEST, type, ASN1_ENUMERATED), + ASN1_OPT(AC_DIGEST, oid, ASN1_OBJECT), + ASN1_SIMPLE(AC_DIGEST, algor, X509_ALGOR), + ASN1_SIMPLE(AC_DIGEST, digest, ASN1_BIT_STRING) +} ASN1_SEQUENCE_END(AC_DIGEST) -void AC_HOLDER_free(AC_HOLDER *a) -{ - if (!a) return; +IMPLEMENT_ASN1_FUNCTIONS(AC_DIGEST) - AC_IS_free(a->baseid); - GENERAL_NAMES_free(a->name); - AC_DIGEST_free(a->digest); - OPENSSL_free(a); -} +ASN1_SEQUENCE(AC_IS) = { + ASN1_SIMPLE(AC_IS, issuer, GENERAL_NAMES), + ASN1_SIMPLE(AC_IS, serial, ASN1_INTEGER), + ASN1_OPT(AC_IS, uid, ASN1_BIT_STRING) +} ASN1_SEQUENCE_END(AC_IS) -/* new AC_VAL functions by valerio */ +IMPLEMENT_ASN1_FUNCTIONS(AC_IS) +ASN1_SEQUENCE(AC_FORM) = { + ASN1_OPT(AC_FORM, names, GENERAL_NAMES), + ASN1_IMP_OPT(AC_FORM, is, AC_IS, 0), + ASN1_IMP_OPT(AC_FORM, digest, AC_DIGEST, 1) +} ASN1_SEQUENCE_END(AC_FORM) -AC_VAL *AC_VAL_new(void) -{ - AC_VAL *ret = NULL; - ASN1_CTX c; +IMPLEMENT_ASN1_FUNCTIONS(AC_FORM) - M_ASN1_New_Malloc(ret, AC_VAL); +ASN1_SEQUENCE(AC_ACI) = { + ASN1_SEQUENCE_OF(AC_ACI, names, GENERAL_NAME), + ASN1_SIMPLE(AC_ACI, form, AC_FORM) +} ASN1_SEQUENCE_END(AC_ACI) - ret->notBefore = NULL; - ret->notAfter = NULL; - - return(ret); - M_ASN1_New_Error(ASN1_F_AC_VAL_New); -} +IMPLEMENT_ASN1_FUNCTIONS(AC_ACI) -int i2d_AC_VAL(AC_VAL *a, unsigned char **pp) -{ - M_ASN1_I2D_vars(a); +ASN1_SEQUENCE(AC_HOLDER) = { + ASN1_IMP(AC_HOLDER, baseid, AC_IS, 0), + ASN1_IMP_OPT(AC_HOLDER, name, GENERAL_NAMES, 1), + ASN1_IMP_OPT(AC_HOLDER, digest, AC_DIGEST, 2) +} ASN1_SEQUENCE_END(AC_HOLDER) - M_ASN1_I2D_len(a->notBefore, i2d_ASN1_GENERALIZEDTIME); - M_ASN1_I2D_len(a->notAfter, i2d_ASN1_GENERALIZEDTIME); +IMPLEMENT_ASN1_FUNCTIONS(AC_HOLDER) - M_ASN1_I2D_seq_total(); +ASN1_SEQUENCE(AC_VAL) = { + ASN1_SIMPLE(AC_VAL, notBefore, ASN1_GENERALIZEDTIME), + ASN1_SIMPLE(AC_VAL, notAfter, ASN1_GENERALIZEDTIME), +} ASN1_SEQUENCE_END(AC_VAL) - M_ASN1_I2D_put(a->notBefore, i2d_ASN1_GENERALIZEDTIME); - M_ASN1_I2D_put(a->notAfter, i2d_ASN1_GENERALIZEDTIME); +IMPLEMENT_ASN1_FUNCTIONS(AC_VAL) - M_ASN1_I2D_finish(); -} +ASN1_SEQUENCE(AC_IETFATTR) = { + ASN1_IMP_SEQUENCE_OF_OPT(AC_IETFATTR, names, GENERAL_NAME, 0), + ASN1_SEQUENCE_OF(AC_IETFATTR, values, ASN1_OCTET_STRING) +} ASN1_SEQUENCE_END(AC_IETFATTR) -AC_VAL *d2i_AC_VAL(AC_VAL **a, VOMS_MAYBECONST unsigned char **pp, long length) -{ - M_ASN1_D2I_vars(a, AC_VAL *, AC_VAL_new); +IMPLEMENT_ASN1_FUNCTIONS(AC_IETFATTR) - M_ASN1_D2I_Init(); - M_ASN1_D2I_start_sequence(); +ASN1_SEQUENCE(AC_TARGET) = { + ASN1_EXP(AC_TARGET, name, GENERAL_NAME, 0), + ASN1_EXP(AC_TARGET, group, GENERAL_NAME, 1), + ASN1_EXP(AC_TARGET, cert, AC_IS, 2), +} ASN1_SEQUENCE_END(AC_TARGET) - M_ASN1_D2I_get(ret->notBefore, d2i_ASN1_GENERALIZEDTIME); - M_ASN1_D2I_get(ret->notAfter, d2i_ASN1_GENERALIZEDTIME); +IMPLEMENT_ASN1_FUNCTIONS(AC_TARGET) - M_ASN1_D2I_Finish(a, AC_VAL_free, AC_F_D2I_AC); -} +ASN1_SEQUENCE(AC_TARGETS) = { + ASN1_SEQUENCE_OF(AC_TARGETS, targets, AC_TARGET) +} ASN1_SEQUENCE_END(AC_TARGETS) -void AC_VAL_free(AC_VAL *a) -{ +IMPLEMENT_ASN1_FUNCTIONS(AC_TARGETS) - if (a==NULL) return; +ASN1_SEQUENCE(AC_ATTRIBUTE) = { + ASN1_SIMPLE(AC_ATTRIBUTE, name, ASN1_OCTET_STRING), + ASN1_SIMPLE(AC_ATTRIBUTE, value, ASN1_OCTET_STRING), + ASN1_SIMPLE(AC_ATTRIBUTE, qualifier, ASN1_OCTET_STRING) +} ASN1_SEQUENCE_END(AC_ATTRIBUTE) - M_ASN1_GENERALIZEDTIME_free(a->notBefore); - M_ASN1_GENERALIZEDTIME_free(a->notAfter); +IMPLEMENT_ASN1_FUNCTIONS(AC_ATTRIBUTE) - OPENSSL_free(a); -} +ASN1_SEQUENCE(AC_ATT_HOLDER) = { + ASN1_SEQUENCE_OF(AC_ATT_HOLDER, grantor, GENERAL_NAME), + ASN1_SEQUENCE_OF(AC_ATT_HOLDER, attributes, AC_ATTRIBUTE) +} ASN1_SEQUENCE_END(AC_ATT_HOLDER) +IMPLEMENT_ASN1_FUNCTIONS(AC_ATT_HOLDER) -/* end of new code */ +ASN1_SEQUENCE(AC_FULL_ATTRIBUTES) = { + ASN1_SEQUENCE_OF(AC_FULL_ATTRIBUTES, providers, AC_ATT_HOLDER) +} ASN1_SEQUENCE_END(AC_FULL_ATTRIBUTES) +IMPLEMENT_ASN1_FUNCTIONS(AC_FULL_ATTRIBUTES) -int i2d_AC_INFO(AC_INFO *a, unsigned char **pp) -{ - M_ASN1_I2D_vars(a); - - M_ASN1_I2D_len(a->version, i2d_ASN1_INTEGER); - M_ASN1_I2D_len(a->holder, i2d_AC_HOLDER); - M_ASN1_I2D_len_IMP_opt(a->form, i2d_AC_FORM); - M_ASN1_I2D_len(a->alg, i2d_X509_ALGOR); - M_ASN1_I2D_len(a->serial, i2d_ASN1_INTEGER); - M_ASN1_I2D_len(a->validity, i2d_AC_VAL); - M_ASN1_I2D_len_SEQUENCE(a->attrib, i2d_AC_ATTR); - M_ASN1_I2D_len_IMP_opt(a->id, i2d_ASN1_BIT_STRING); - M_ASN1_I2D_len_SEQUENCE_opt(a->exts, i2d_X509_EXTENSION); - M_ASN1_I2D_seq_total(); - - M_ASN1_I2D_put(a->version, i2d_ASN1_INTEGER); - M_ASN1_I2D_put(a->holder, i2d_AC_HOLDER); - M_ASN1_I2D_put_IMP_opt(a->form, i2d_AC_FORM, 0); - M_ASN1_I2D_put(a->alg, i2d_X509_ALGOR); - M_ASN1_I2D_put(a->serial, i2d_ASN1_INTEGER); - M_ASN1_I2D_put(a->validity, i2d_AC_VAL); - M_ASN1_I2D_put_SEQUENCE(a->attrib, i2d_AC_ATTR); - M_ASN1_I2D_put_IMP_opt(a->id, i2d_ASN1_BIT_STRING, V_ASN1_BIT_STRING); - M_ASN1_I2D_put_SEQUENCE_opt(a->exts, i2d_X509_EXTENSION); - M_ASN1_I2D_finish(); -} +ASN1_SEQUENCE(AC_ATTR) = { + ASN1_SIMPLE(AC_ATTR, type, ASN1_OBJECT), + ASN1_SET_OF(AC_ATTR, ietfattr, AC_IETFATTR), + ASN1_SEQUENCE_OF_OPT(AC_ATTR, fullattributes, AC_FULL_ATTRIBUTES) +} ASN1_SEQUENCE_END(AC_ATTR) -AC_INFO *d2i_AC_INFO(AC_INFO **a, VOMS_MAYBECONST unsigned char **pp, long length) -{ - M_ASN1_D2I_vars(a, AC_INFO *, AC_INFO_new); - - M_ASN1_D2I_Init(); - M_ASN1_D2I_start_sequence(); - M_ASN1_D2I_get(ret->version, d2i_ASN1_INTEGER); - M_ASN1_D2I_get(ret->holder, d2i_AC_HOLDER); - M_ASN1_D2I_get_IMP_opt(ret->form, d2i_AC_FORM, 0, V_ASN1_SEQUENCE); - M_ASN1_D2I_get(ret->alg, d2i_X509_ALGOR); - M_ASN1_D2I_get(ret->serial, d2i_ASN1_INTEGER); - M_ASN1_D2I_get(ret->validity, d2i_AC_VAL); - M_ASN1_D2I_get_seq(ret->attrib, d2i_AC_ATTR, AC_ATTR_free); - M_ASN1_D2I_get_opt(ret->id, d2i_ASN1_BIT_STRING, V_ASN1_BIT_STRING); - M_ASN1_D2I_get_seq_opt(ret->exts, d2i_X509_EXTENSION, X509_EXTENSION_free); - M_ASN1_D2I_Finish(a, AC_INFO_free, AC_F_D2I_AC); -} +IMPLEMENT_ASN1_FUNCTIONS(AC_ATTR) -AC_INFO *AC_INFO_new(void) -{ - AC_INFO *ret = NULL; - ASN1_CTX c; - - M_ASN1_New_Malloc(ret, AC_INFO); - M_ASN1_New(ret->version, ASN1_INTEGER_new); - M_ASN1_New(ret->holder, AC_HOLDER_new); - M_ASN1_New(ret->form, AC_FORM_new); - M_ASN1_New(ret->alg, X509_ALGOR_new); - M_ASN1_New(ret->serial, ASN1_INTEGER_new); - M_ASN1_New(ret->validity, AC_VAL_new); - M_ASN1_New(ret->attrib, sk_AC_ATTR_new_null); - ret->id = NULL; - M_ASN1_New(ret->exts, sk_X509_EXTENSION_new_null); -/* ret->exts=NULL; */ - return(ret); - M_ASN1_New_Error(AC_F_AC_INFO_NEW); -} +ASN1_ITEM_TEMPLATE(AC_ATTRS) = + ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, AcAttrs, AC_ATTR) +ASN1_ITEM_TEMPLATE_END(AC_ATTRS) -void AC_INFO_free(AC_INFO *a) -{ - if (a==NULL) return; - ASN1_INTEGER_free(a->version); - AC_HOLDER_free(a->holder); - AC_FORM_free(a->form); - X509_ALGOR_free(a->alg); - ASN1_INTEGER_free(a->serial); - AC_VAL_free(a->validity); - sk_AC_ATTR_pop_free(a->attrib, AC_ATTR_free); - ASN1_BIT_STRING_free(a->id); - sk_X509_EXTENSION_pop_free(a->exts, X509_EXTENSION_free); - OPENSSL_free(a); -} +IMPLEMENT_ASN1_FUNCTIONS(AC_ATTRS) -int i2d_AC(AC *a, unsigned char **pp) -{ - M_ASN1_I2D_vars(a); +ASN1_SEQUENCE(AC_INFO) = { + ASN1_SIMPLE(AC_INFO, version, ASN1_INTEGER), /* must be v2(1) */ + ASN1_SIMPLE(AC_INFO, holder, AC_HOLDER), + ASN1_EXP(AC_INFO, form, GENERAL_NAMES, 0), /* in place of an implicitly-tagged + * AC_FORM */ + ASN1_SIMPLE(AC_INFO, alg, X509_ALGOR), + ASN1_SIMPLE(AC_INFO, serial, ASN1_INTEGER), + ASN1_SIMPLE(AC_INFO, validity, AC_VAL), + ASN1_SIMPLE(AC_INFO, attrib, AC_ATTRS), + ASN1_OPT(AC_INFO, id, ASN1_BIT_STRING), + ASN1_SIMPLE(AC_INFO, exts, X509_EXTENSIONS) +} ASN1_SEQUENCE_END(AC_INFO) - M_ASN1_I2D_len(a->acinfo, i2d_AC_INFO); - M_ASN1_I2D_len(a->sig_alg, i2d_X509_ALGOR); - M_ASN1_I2D_len(a->signature, i2d_ASN1_BIT_STRING); +IMPLEMENT_ASN1_FUNCTIONS(AC_INFO) - M_ASN1_I2D_seq_total(); +ASN1_SEQUENCE(AC) = { + ASN1_SIMPLE(AC, acinfo, AC_INFO), + ASN1_SIMPLE(AC, sig_alg, X509_ALGOR), + ASN1_SIMPLE(AC, signature, ASN1_BIT_STRING) +} ASN1_SEQUENCE_END(AC) - M_ASN1_I2D_put(a->acinfo, i2d_AC_INFO); - M_ASN1_I2D_put(a->sig_alg, i2d_X509_ALGOR); - M_ASN1_I2D_put(a->signature, i2d_ASN1_BIT_STRING); +IMPLEMENT_ASN1_FUNCTIONS(AC) - M_ASN1_I2D_finish(); -} +AC * AC_dup(AC *x) { return (AC*)ASN1_item_dup((&(AC_it)), x); } -AC *d2i_AC(AC **a, VOMS_MAYBECONST unsigned char **pp, long length) -{ - M_ASN1_D2I_vars(a, AC *, AC_new); - - M_ASN1_D2I_Init(); - M_ASN1_D2I_start_sequence(); - M_ASN1_D2I_get(ret->acinfo, d2i_AC_INFO); - M_ASN1_D2I_get(ret->sig_alg, d2i_X509_ALGOR); - M_ASN1_D2I_get(ret->signature, d2i_ASN1_BIT_STRING); - M_ASN1_D2I_Finish(a, AC_free, AC_F_D2I_AC); -} +ASN1_SEQUENCE(AC_SEQ) = { + ASN1_SEQUENCE_OF(AC_SEQ, acs, AC) +} ASN1_SEQUENCE_END(AC_SEQ) -AC *AC_new(void) -{ - AC *ret = NULL; - ASN1_CTX c; - - M_ASN1_New_Malloc(ret, AC); - M_ASN1_New(ret->acinfo, AC_INFO_new); - M_ASN1_New(ret->sig_alg, X509_ALGOR_new); - M_ASN1_New(ret->signature, M_ASN1_BIT_STRING_new); - return(ret); - M_ASN1_New_Error(AC_F_AC_New); -} +IMPLEMENT_ASN1_FUNCTIONS(AC_SEQ) -void AC_free(AC *a) -{ - if (a==NULL) return; +ASN1_SEQUENCE(AC_CERTS) = { + ASN1_SEQUENCE_OF(AC_CERTS, stackcert, X509) +} ASN1_SEQUENCE_END(AC_CERTS) - AC_INFO_free(a->acinfo); - X509_ALGOR_free(a->sig_alg); - M_ASN1_BIT_STRING_free(a->signature); - OPENSSL_free(a); -} - -/* Wrapping ASN1_dup with AC_dup for use in C++. - * Calling ASN1_dup with casting generates inconsistent behavior across C++ compilers - */ -AC *AC_dup(AC *ac) -{ - return (AC *)ASN1_dup((int (*)())i2d_AC, (char * (*) ())d2i_AC, (char *)ac); -} +IMPLEMENT_ASN1_FUNCTIONS(AC_CERTS) EVP_PKEY *EVP_PKEY_dup(EVP_PKEY *pkey) { - return (EVP_PKEY *)ASN1_dup((int (*)())i2d_PrivateKey, (char * (*) ())d2i_AutoPrivateKey, (char *)pkey); + return (EVP_PKEY *)ASN1_dup((i2d_of_void*)i2d_PrivateKey, (d2i_of_void*)d2i_AutoPrivateKey, pkey); } int AC_verify(X509_ALGOR *algor1, ASN1_BIT_STRING *signature,char *data, EVP_PKEY *pkey) diff --git a/src/ac/validate.cc b/src/ac/validate.cc index fb2aff3f..57248b51 100644 --- a/src/ac/validate.cc +++ b/src/ac/validate.cc @@ -37,7 +37,6 @@ extern "C" { #include #include #include -#include #include #include #include @@ -45,7 +44,6 @@ extern "C" { #include #include #include -#include #include "newformat.h" #include "acerrors.h" @@ -55,6 +53,7 @@ extern "C" { #include "acstack.h" #include "listfunc.h" #include "doio.h" +#include "ssl_compat.h" #include #include @@ -68,42 +67,6 @@ extern "C" { #include -extern "C" { -#if OPENSSL_VERSION_NUMBER <= 0x0090807fL - - /* The following have to be declared explicitly rather than relying - * on macros because openssl prototype unreliability makes the correct - * declaration impossible without requiring a rewrite of relying programs. - */ -DECLARE_STACK_OF(GENERAL_NAMES) - -STACK_OF(GENERAL_NAMES) *sk_GENERAL_NAMES_new (int (*cmp)(const GENERAL_NAMES * const *, const GENERAL_NAMES * const *)) -{ - return sk_new ( (int (*)(const char * const *, const char * const *))cmp); -} - -STACK_OF(GENERAL_NAMES) *sk_GENERAL_NAMES_new_null () -{ - return sk_new_null(); -} - -void sk_GENERAL_NAMES_free (STACK_OF(GENERAL_NAMES) *st) -{ - sk_free(st); -} - -int sk_GENERAL_NAMES_num (const STACK_OF(GENERAL_NAMES) *st) -{ - return sk_num(st); -} - -GENERAL_NAMES *sk_GENERAL_NAMES_value (const STACK_OF(GENERAL_NAMES) *st, int i) -{ - return (GENERAL_NAMES *)sk_value(st, i); -} -#endif -} - static std::string getfqdn(void); static int checkAttributes(STACK_OF(AC_ATTR) *, voms&); static int checkExtensions(STACK_OF(X509_EXTENSION) *,X509 *, int, realdata *); @@ -220,9 +183,6 @@ int validate(X509 *cert, X509 *issuer, AC *ac, voms &v, verify_type valids, time CHECK(ac->acinfo->holder); NCHECK(ac->acinfo->holder->digest); CHECK(ac->acinfo->form); - CHECK(ac->acinfo->form->names); - NCHECK(ac->acinfo->form->is); - NCHECK(ac->acinfo->form->digest); CHECK(ac->acinfo->serial); CHECK(ac->acinfo->validity); CHECK(ac->acinfo->alg); @@ -267,7 +227,7 @@ int validate(X509 *cert, X509 *issuer, AC *ac, voms &v, verify_type valids, time CTOCPPSTR(v.serverca, X509_NAME_oneline(X509_get_issuer_name(issuer), NULL, 0)); } else { - CTOCPPSTR(v.server, X509_NAME_oneline(sk_GENERAL_NAME_value(ac->acinfo->form->names, 0)->d.dirn,NULL, 0)); + CTOCPPSTR(v.server, X509_NAME_oneline(sk_GENERAL_NAME_value(ac->acinfo->form, 0)->d.dirn,NULL, 0)); v.serverca = "Unable to determine CA"; } @@ -279,7 +239,7 @@ int validate(X509 *cert, X509 *issuer, AC *ac, voms &v, verify_type valids, time CHECK(ac->acinfo->holder->baseid->issuer); if (ASN1_INTEGER_cmp(ac->acinfo->holder->baseid->serial, - cert->cert_info->serialNumber)) + X509_get_serialNumber(cert))) ERROR(AC_ERR_HOLDER_SERIAL); names = ac->acinfo->holder->baseid->issuer; @@ -289,16 +249,18 @@ int validate(X509 *cert, X509 *issuer, AC *ac, voms &v, verify_type valids, time ERROR(AC_ERR_HOLDER); if (name->type != GEN_DIRNAME) ERROR(AC_ERR_HOLDER); - if (X509_NAME_cmp(name->d.dirn, cert->cert_info->subject) && - X509_NAME_cmp(name->d.dirn, cert->cert_info->issuer)) + if (X509_NAME_cmp(name->d.dirn, X509_get_subject_name(cert)) && + X509_NAME_cmp(name->d.dirn, X509_get_issuer_name(cert))) ERROR(AC_ERR_HOLDER); - if ((!ac->acinfo->holder->baseid->uid && cert->cert_info->issuerUID) || - (!cert->cert_info->issuerUID && ac->acinfo->holder->baseid->uid)) + ASN1_BIT_STRING const* issuer_uid; + X509_get0_uids(cert, &issuer_uid, 0); + if ((!ac->acinfo->holder->baseid->uid && issuer_uid) || + (!issuer_uid && ac->acinfo->holder->baseid->uid)) ERROR(AC_ERR_UID_MISMATCH); if (ac->acinfo->holder->baseid->uid) { - if (M_ASN1_BIT_STRING_cmp(ac->acinfo->holder->baseid->uid, - cert->cert_info->issuerUID)) + if (ASN1_STRING_cmp(ac->acinfo->holder->baseid->uid, + issuer_uid)) ERROR(AC_ERR_UID_MISMATCH); } } @@ -310,7 +272,7 @@ int validate(X509 *cert, X509 *issuer, AC *ac, voms &v, verify_type valids, time if ((sk_GENERAL_NAME_num(gname) == 1) || ((name = sk_GENERAL_NAME_value(gname,0)) || (name->type != GEN_DIRNAME))) { - if (X509_NAME_cmp(name->d.dirn, cert->cert_info->issuer)) { + if (X509_NAME_cmp(name->d.dirn, X509_get_issuer_name(cert))) { /* CHECK ALT_NAMES */ /* in VOMS ACs, checking into alt names is assumed to always fail. */ ERROR(AC_ERR_UID_MISMATCH); @@ -320,7 +282,7 @@ int validate(X509 *cert, X509 *issuer, AC *ac, voms &v, verify_type valids, time } } - names = ac->acinfo->form->names; + names = ac->acinfo->form; if ((sk_GENERAL_NAME_num(names) != 1)) ERROR(AC_ERR_ISSUER_NAME); @@ -329,7 +291,7 @@ int validate(X509 *cert, X509 *issuer, AC *ac, voms &v, verify_type valids, time if (name->type != GEN_DIRNAME) ERROR(AC_ERR_ISSUER_NAME); if (valids & VERIFY_ID) - if (X509_NAME_cmp(name->d.dirn, issuer->cert_info->subject)) + if (X509_NAME_cmp(name->d.dirn, X509_get_subject_name(issuer))) ERROR(AC_ERR_ISSUER_NAME); if (ac->acinfo->serial->length>20) @@ -482,9 +444,9 @@ static int checkAttributes(STACK_OF(AC_ATTR) *atts, voms &v) static int checkExtensions(STACK_OF(X509_EXTENSION) *exts, X509 *iss, int valids, realdata *rd) { - int nid1 = OBJ_txt2nid("idcenoRevAvail"); - int nid2 = OBJ_txt2nid("authorityKeyIdentifier"); - int nid3 = OBJ_txt2nid("idceTargets"); + int nid1 = NID_no_rev_avail; + int nid2 = NID_authority_key_identifier; + int nid3 = NID_target_information; int nid5 = OBJ_txt2nid("attributes"); int pos1 = X509v3_get_ext_by_NID(exts, nid1, -1); @@ -578,10 +540,11 @@ static int checkExtensions(STACK_OF(X509_EXTENSION) *exts, X509 *iss, int valids if (iss) { if (key->keyid) { - unsigned char hashed[20]; + unsigned char hashed[SHA_DIGEST_LENGTH]; - if (!SHA1(iss->cert_info->key->public_key->data, - iss->cert_info->key->public_key->length, + ASN1_BIT_STRING* pubkey = X509_get0_pubkey_bitstr(iss); + if (!SHA1(pubkey->data, + pubkey->length, hashed)) ret = AC_ERR_EXT_KEY; @@ -593,15 +556,15 @@ static int checkExtensions(STACK_OF(X509_EXTENSION) *exts, X509 *iss, int valids if (!(key->issuer && key->serial)) ret = AC_ERR_EXT_KEY; - if (M_ASN1_INTEGER_cmp((key->serial), - (iss->cert_info->serialNumber))) + if (ASN1_INTEGER_cmp((key->serial), + (X509_get0_serialNumber(iss)))) ret = AC_ERR_EXT_KEY; if (key->serial->type != GEN_DIRNAME) ret = AC_ERR_EXT_KEY; if (X509_NAME_cmp(sk_GENERAL_NAME_value((key->issuer), 0)->d.dirn, - (iss->cert_info->subject))) + (X509_get_subject_name(iss)))) ret = AC_ERR_EXT_KEY; } } diff --git a/src/ac/write.c b/src/ac/write.c index 3832ffda..7050caed 100644 --- a/src/ac/write.c +++ b/src/ac/write.c @@ -27,32 +27,146 @@ #include "config.h" #include -#include +#include #include #include #include #include #include +#include #include "newformat.h" #include "acerrors.h" #include "attributes.h" #include "doio.h" +#include "ssl_compat.h" #define ERROR(e) do { err = (e); goto err; } while (0) +void add_no_rev_avail_ext(AC *ac) { + + X509_EXTENSION* ext = X509V3_EXT_i2d(NID_no_rev_avail,0, ASN1_NULL_new()); + + assert( ext != NULL); + + sk_X509_EXTENSION_push(ac->acinfo->exts, ext); + +} + +int add_authority_key_id_ext(AC *ac, X509* issuer_cert) { + + // Copy akid extension from issuer_cert + int ext_loc = X509_get_ext_by_NID(issuer_cert, NID_authority_key_identifier, -1); + + if (ext_loc == -1){ + return 1; + } + + X509_EXTENSION *akid = X509_get_ext(issuer_cert, ext_loc); + + assert( akid != NULL ); + + X509v3_add_ext(&ac->acinfo->exts, akid, -1); + + return 0; +} + +AC_TARGET* build_ac_target(char* t){ + + AC_TARGET *target = AC_TARGET_new(); + ASN1_IA5STRING *target_str = ASN1_IA5STRING_new(); + + if (! target || !target_str) { + AC_TARGET_free(target); + ASN1_IA5STRING_free(target_str); + return NULL; + } + + ASN1_STRING_set(target_str, t, strlen(t)); + + GENERAL_NAME *name = target->name; + + name->type = GEN_URI; + name->d.ia5 = target_str; + + return target; +} + +AC_TARGETS* build_ac_targets_ext(char* targets) { + + const char* DELIMITER = ","; + char *targets_copy = strdup(targets); + char *token; + + AC_TARGETS* result = AC_TARGETS_new(); + + if (! targets_copy || !result ){ + goto err; + } + + token = strtok(targets_copy, DELIMITER); + + while (token != NULL){ + + AC_TARGET *target = build_ac_target(token); + + if (! target ) { + goto err; + } + + sk_AC_TARGET_push(result->targets, target); + token = strtok(NULL, DELIMITER); + } + + free(targets_copy); + return result; + +err: + + if (result) { + AC_TARGETS_free(result); + } + + return NULL; +} + +int add_targets_ext(AC* ac, char* targets_str) { + + AC_TARGETS *targets = build_ac_targets_ext(targets_str); + + if (!targets) { + return AC_ERR_NO_EXTENSION; + } + + X509_EXTENSION* ext = X509V3_EXT_i2d(NID_target_information,1, targets); + + if (!ext) { + return AC_ERR_NO_EXTENSION; + } + + sk_X509_EXTENSION_push(ac->acinfo->exts, ext); + + return 0; +} + static int make_and_push_ext(AC *ac, char *name, char *data, int critical) { - X509_EXTENSION *ext = X509V3_EXT_conf_nid(NULL, NULL, OBJ_txt2nid(name), data); - if (ext) { - X509_EXTENSION_set_critical(ext, critical); - sk_X509_EXTENSION_push(ac->acinfo->exts, ext); - return 0; + int ext_NID = OBJ_txt2nid(name); + + if (ext_NID == NID_undef ){ + return AC_ERR_NO_EXTENSION; + } + + X509_EXTENSION *ext = X509V3_EXT_conf_nid(NULL, NULL, ext_NID, data); + + if (!ext) { + return AC_ERR_NO_EXTENSION; } - X509_EXTENSION_free(ext); - return AC_ERR_NO_EXTENSION; + X509_EXTENSION_set_critical(ext, critical); + sk_X509_EXTENSION_push(ac->acinfo->exts, ext); + return 0; } static void make_uri(const char *vo, const char *uri, STACK_OF(GENERAL_NAME) *names) @@ -145,9 +259,9 @@ int writeac(X509 *issuerc, STACK_OF(X509) *issuerstack, X509 *holder, EVP_PKEY * issdup = X509_NAME_dup(name1); dirn = GENERAL_NAME_new(); dirn2 = GENERAL_NAME_new(); - holdserial = M_ASN1_INTEGER_dup(holder->cert_info->serialNumber); + holdserial = ASN1_INTEGER_dup(X509_get_serialNumber(holder)); serial = BN_to_ASN1_INTEGER(s, NULL); - version = BN_to_ASN1_INTEGER((BIGNUM *)(BN_value_one()), NULL); + version = ASN1_INTEGER_new(); capabilities = AC_ATTR_new(); cobj = OBJ_txt2obj("idatcap",0); capnames = AC_IETFATTR_new(); @@ -155,36 +269,47 @@ int writeac(X509 *issuerc, STACK_OF(X509) *issuerstack, X509 *holder, EVP_PKEY * ac_full_attrs = AC_FULL_ATTRIBUTES_new(); ac_att_holder = AC_ATT_HOLDER_new(); - if (!subjdup || !issdup || !dirn || !dirn2 || !holdserial || !serial || + + if (!subjdup || !issdup || !dirn || !dirn2 || !holdserial || !serial || !version || !capabilities || !cobj || !capnames || !time1 || !time2 || !null || !ac_full_attrs || !ac_att_holder) ERROR(AC_ERR_MEMORY); + ASN1_INTEGER_set(version,1); + + if (capnames->names == NULL) { + capnames->names = GENERAL_NAMES_new(); + + if (capnames->names == NULL){ + ERROR(AC_ERR_MEMORY); + } + } + /* prepare AC_IETFATTR */ while(fqan[i]) { ASN1_OCTET_STRING *tmpc = ASN1_OCTET_STRING_new(); + if (!tmpc) { - ASN1_OCTET_STRING_free(tmpc); ERROR(AC_ERR_MEMORY); } + ASN1_OCTET_STRING_set(tmpc, (unsigned char*)fqan[i], strlen(fqan[i])); - sk_AC_IETFATTRVAL_push(capnames->values, (AC_IETFATTRVAL *)tmpc); + sk_AC_IETFATTRVAL_push(capnames->values, tmpc); i++; } if (vo || uri) { make_uri(vo, uri, capnames->names); - /* stuff the created AC_IETFATTR in ietfattr (values) and define its object */ sk_AC_IETFATTR_push(capabilities->ietfattr, capnames); capnames = NULL; } - capabilities->get_type = GET_TYPE_FQAN; ASN1_OBJECT_free(capabilities->type); capabilities->type = cobj; i = 0; + /* prepare AC_FULL_ATTRIBUTES */ if (attributes_strings) { while (attributes_strings[i]) { @@ -234,9 +359,10 @@ int writeac(X509 *issuerc, STACK_OF(X509) *issuerstack, X509 *holder, EVP_PKEY * } } - if (!i) + if (!i) { AC_ATT_HOLDER_free(ac_att_holder); - else { + ac_att_holder = NULL; + } else { make_uri(vo, uri, ac_att_holder->grantor); sk_AC_ATT_HOLDER_push(ac_full_attrs->providers, ac_att_holder); } @@ -253,9 +379,10 @@ int writeac(X509 *issuerc, STACK_OF(X509) *issuerstack, X509 *holder, EVP_PKEY * if (ret) ERROR(AC_ERR_NO_EXTENSION); - } - else + } else { AC_FULL_ATTRIBUTES_free(ac_full_attrs); + ac_full_attrs = NULL; + } stk = sk_X509_new_null(); @@ -275,18 +402,20 @@ int writeac(X509 *issuerc, STACK_OF(X509) *issuerstack, X509 *holder, EVP_PKEY * ret = make_and_push_ext(a, "certseq", (char*)stk, 0); sk_X509_pop_free(stk, X509_free); - if (ret) + if (ret) { ERROR(AC_ERR_NO_EXTENSION); + } /* Create several extensions */ - if (make_and_push_ext(a, "idcenoRevAvail", "loc", 0)) - ERROR(AC_ERR_NO_EXTENSION); + add_no_rev_avail_ext(a); - if (make_and_push_ext(a, "authKeyId", (char *)issuerc, 0)) + if (add_authority_key_id_ext(a,issuerc)){ ERROR(AC_ERR_NO_EXTENSION); + } - if (t && make_and_push_ext(a, "idceTargets", t, 1)) + if (t && add_targets_ext(a,t)){ ERROR(AC_ERR_NO_EXTENSION); + } if (extensions) { int proxyindex = 0; @@ -305,12 +434,20 @@ int writeac(X509 *issuerc, STACK_OF(X509) *issuerstack, X509 *holder, EVP_PKEY * } } - alg1 = X509_ALGOR_dup(issuerc->cert_info->signature); - alg2 = X509_ALGOR_dup(issuerc->sig_alg); + alg1 = X509_ALGOR_dup((X509_ALGOR*)X509_get0_tbs_sigalg(issuerc)); + { + X509_ALGOR /*const*/* sig_alg; + X509_get0_signature(NULL, &sig_alg, issuerc); + alg2 = X509_ALGOR_dup((X509_ALGOR*)sig_alg); + } - if (issuerc->cert_info->issuerUID) - if (!(uid = M_ASN1_BIT_STRING_dup(issuerc->cert_info->issuerUID))) - ERROR(AC_ERR_MEMORY); + { + ASN1_BIT_STRING const* issuerUID; + X509_get0_uids(issuerc, &issuerUID, NULL); + if (issuerUID) + if (!(uid = ASN1_STRING_dup(issuerUID))) + ERROR(AC_ERR_MEMORY); + } #define FREE_AND_SET(datum, value, type) type##_free((datum)); (datum) = (value) @@ -329,11 +466,11 @@ int writeac(X509 *issuerc, STACK_OF(X509) *issuerstack, X509 *holder, EVP_PKEY * sk_GENERAL_NAME_push(a->acinfo->holder->baseid->issuer, dirn); dirn2->d.dirn = issdup; dirn2->type = GEN_DIRNAME; - sk_GENERAL_NAME_push(a->acinfo->form->names, dirn2); + sk_GENERAL_NAME_push(a->acinfo->form, dirn2); a->acinfo->id = uid; /* Use same signature algorithm used to sign the certificate */ - EVP_MD *md = EVP_get_digestbyobj(a->sig_alg->algorithm); + EVP_MD const* md = EVP_get_digestbyobj(a->sig_alg->algorithm); if (md == NULL){ /* fall back to SHA1 */ @@ -344,6 +481,7 @@ int writeac(X509 *issuerc, STACK_OF(X509) *issuerstack, X509 *holder, EVP_PKEY * (char *)a->acinfo, pkey, md); *ac = a; + return 0; err: diff --git a/src/api/ccapi/api_util.cc b/src/api/ccapi/api_util.cc index 714b543c..373e3bfe 100644 --- a/src/api/ccapi/api_util.cc +++ b/src/api/ccapi/api_util.cc @@ -37,7 +37,7 @@ extern "C" { #include #include - +#include #include #include #include @@ -45,6 +45,7 @@ extern "C" { #include #include "credentials.h" #include "sslutils.h" +#include "newformat.h" } #include @@ -156,13 +157,17 @@ static bool findexts(X509 *cert , AC_SEQ **listnew, std::string &extra_data, std ext = get_ext(cert, "incfile"); if (ext) { - extra_data = std::string((char *)(ext->value->data),ext->value->length); + ASN1_OCTET_STRING* value = X509_EXTENSION_get_data(ext); + assert(value && "X509_EXTENSION_get_data failed"); + extra_data = std::string(reinterpret_cast(value->data), value->length); found = true; } ext = get_ext(cert, "vo"); if (ext) { - workvo = std::string((char *)(ext->value->data),ext->value->length); + ASN1_OCTET_STRING* value = X509_EXTENSION_get_data(ext); + assert(value && "X509_EXTENSION_get_data failed"); + workvo = std::string(reinterpret_cast(value->data), value->length); } return found; @@ -731,7 +736,6 @@ vomsdata::check_cert(STACK_OF(X509) *stack) void (*oldsignal)(int) = signal(SIGPIPE,SIG_IGN); #endif - CRYPTO_malloc_init(); if ((lookup = X509_STORE_add_lookup(ctx, X509_LOOKUP_file()))) { X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT); diff --git a/src/api/ccapi/voms_api.cc b/src/api/ccapi/voms_api.cc index 6823531e..8e387ae0 100644 --- a/src/api/ccapi/voms_api.cc +++ b/src/api/ccapi/voms_api.cc @@ -122,7 +122,7 @@ vomsdata::vomsdata(std::string voms_dir, std::string cert_dir) : ca_cert_dir(ce initialized = true; #ifdef NOGLOBUS SSL_library_init(); - SSLeay_add_all_algorithms(); + OpenSSL_add_all_algorithms(); ERR_load_crypto_strings(); OpenSSL_add_all_ciphers(); diff --git a/src/api/ccapi/voms_api.h b/src/api/ccapi/voms_api.h index 4c93d7ce..9648de93 100644 --- a/src/api/ccapi/voms_api.h +++ b/src/api/ccapi/voms_api.h @@ -30,7 +30,10 @@ #include #include +#ifndef NOGLOBUS #define NOGLOBUS +#endif + extern "C" { #ifndef GSSAPI_H_ /* diff --git a/src/client/vomsclient.cc b/src/client/vomsclient.cc index 05d5398a..e28f4de2 100644 --- a/src/client/vomsclient.cc +++ b/src/client/vomsclient.cc @@ -39,7 +39,8 @@ extern "C" { #include #include #include - +#include + #include "listfunc.h" #include "credentials.h" #include "replace.h" @@ -66,7 +67,7 @@ extern "C" { extern "C" { -#include "myproxycertinfo.h" + //#include "myproxycertinfo.h" #include "vomsproxy.h" } @@ -610,10 +611,12 @@ void Client::CleanAll() free(outfile); listfree((char **)aclist, (freefn)AC_free); - if (v) - delete v; + delete v; OBJ_cleanup(); + +#warning if X509V3_EXT_cleanup is called valgrind moves some "still reachable" to "definitely lost"! + // X509V3_EXT_cleanup(); } Client::~Client() diff --git a/src/common/normalize.c b/src/common/normalize.c index ce445e53..8212a56b 100644 --- a/src/common/normalize.c +++ b/src/common/normalize.c @@ -64,26 +64,3 @@ char *normalize(const char *str) free(tmp2); return tmp; } - -#if 0 -int main(int argc, char *argv) -{ - char *str1="/prova/Email=frge/CN=op"; - char *str2="/prova/E=boh/emailAddress=mah/E=op/CN=fr"; - char *str3="/USERID=56/mah"; - - char *n1 = normalize(str1); - char *n2 = normalize(str2); - char *n3 = normalize(str3); - - printf("%s -> %s\n", str1, n1); - free(n1); - printf("%s -> %s\n", str2, n2); - free(n2); - printf("%s -> %s\n", str3, n3); - free(n3); - - exit(0); -} - -#endif diff --git a/src/common/xmlcc.cc b/src/common/xmlcc.cc index c67f4120..6f9fe372 100644 --- a/src/common/xmlcc.cc +++ b/src/common/xmlcc.cc @@ -298,7 +298,7 @@ std::string XML_Req_Encode(const std::string &command, const std::string &order, } -std::string Encode(std::string data, int base64) +std::string Encode(const std::string &data, int base64) { int j = 0; char *tmp = NULL; diff --git a/src/include/Makefile.am b/src/include/Makefile.am index 1cee02be..52de22e2 100644 --- a/src/include/Makefile.am +++ b/src/include/Makefile.am @@ -10,7 +10,7 @@ endif EXTRA_DIST = Client.h data.h gssapi_compat.h \ options.h pass.h Server.h fqan.h doio.h \ vomsxml.h errors.h log.h sslutils.h normalize.h \ -listfunc.h credentials.h newformat.h myproxycertinfo.h \ +listfunc.h credentials.h newformat.h proxycertinfo.h proxypolicy.h \ acstack.h validate.h ccac.h init.h ccwrite.h getopts.h replace.h dbwrap.h \ stamp-h.in stamp-h1.in diff --git a/src/include/acstack.h b/src/include/acstack.h index 7e222ba1..c0497f17 100644 --- a/src/include/acstack.h +++ b/src/include/acstack.h @@ -28,6 +28,7 @@ #include #include #include +#include #ifndef VOMS_MAYBECONST #if defined(D2I_OF) @@ -38,25 +39,36 @@ #endif #endif +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + +#define DECL_STACK(type) DEFINE_STACK_OF(type) +#define IMPL_STACK(type) + +#else /* OPENSSL_VERSION_NUMBER < 0x10100000L */ + #define IMPL_STACK(type) \ DECLARE_STACK_OF(type) \ - STACK_OF(type) *sk_##type##_new (int (*cmp)(const type * const *, const type * const *)) \ - { return sk_new ( (int (*)(const char * const *, const char * const *))cmp);} \ - STACK_OF(type) *sk_##type##_new_null () { return sk_new_null(); } \ - void sk_##type##_free (STACK_OF(type) *st) { sk_free(st); } \ - int sk_##type##_num (const STACK_OF(type) *st) { return sk_num(st); } \ - type *sk_##type##_value (const STACK_OF(type) *st, int i) { return (type *)sk_value(st, i); } \ - int sk_##type##_push (STACK_OF(type) *st, type *val) { return sk_push(st, (char *)val); } \ - STACK_OF(type) *sk_##type##_dup (STACK_OF(type) *st) { return sk_dup(st); } \ - STACK_OF(type) *d2i_ASN1_SET_OF_##type (STACK_OF(type) **st, VOMS_MAYBECONST unsigned char **pp, long length, type *(*d2ifunc)(), void (*freefunc)(type *), int ex_tag, int ex_class) \ - { return d2i_ASN1_SET(st, pp, length, (char *(*)())d2ifunc, (void (*)(void *))freefunc, ex_tag, ex_class); } \ - int i2d_ASN1_SET_OF_##type (STACK_OF(type) *st, unsigned char **pp, int (*i2dfunc)(), int ex_tag, int ex_class, int is_set) \ - { return i2d_ASN1_SET(st, pp, i2dfunc, ex_tag, ex_class, is_set); } \ - void sk_##type##_pop_free (STACK_OF(type) *st, void (*func)(type *)) { sk_pop_free(st, (void (*)(void *))func); } + STACK_OF(type) *sk_##type##_new (int (*cmp)(const type *, const type *)) \ + { return (STACK_OF(type) *)sk_new ( (int (*)(const void *, const void *))cmp);} \ + STACK_OF(type) *sk_##type##_new_null () { return (STACK_OF(type) *)sk_new_null(); } \ + void sk_##type##_free (STACK_OF(type) *st) { sk_free((_STACK *)st); } \ + int sk_##type##_num (const STACK_OF(type) *st) { return sk_num((_STACK *)st); } \ + type *sk_##type##_value (const STACK_OF(type) *st, int i) { return (type *)sk_value((const _STACK *)st, i); } \ + int sk_##type##_push (STACK_OF(type) *st, type *val) { return sk_push((_STACK *)st, (char *)val); } \ + STACK_OF(type) *sk_##type##_dup (STACK_OF(type) *st) { return (STACK_OF(type) *)sk_dup((_STACK *)st); } \ + void sk_##type##_pop_free (STACK_OF(type) *st, void (*func)(type *)) { sk_pop_free((_STACK *)st, (void (*)(void *))func); } +/* the following are not part of the stack interface + * + * STACK_OF(type) *d2i_ASN1_SET_OF_##type (STACK_OF(type) **st, VOMS_MAYBECONST unsigned char **pp, long length, type *(*d2ifunc)(), void (*freefunc)(type *), int ex_tag, int ex_class) \ + * { return d2i_ASN1_SET(st, pp, length, (char *(*)())d2ifunc, (void (*)(void *))freefunc, ex_tag, ex_class); } \ + * int i2d_ASN1_SET_OF_##type (STACK_OF(type) *st, unsigned char **pp, int (*i2dfunc)(), int ex_tag, int ex_class, int is_set) \ + * { return i2d_ASN1_SET(st, pp, i2dfunc, ex_tag, ex_class, is_set); } \ + */ + #define DECL_STACK(type) \ PREDECLARE_STACK_OF(type) \ - extern STACK_OF(type) *sk_##type##_new (int (*)(const type * const *, const type * const *)); \ + extern STACK_OF(type) *sk_##type##_new (int (*)(const type *, const type *)); \ extern STACK_OF(type) *sk_##type##_new_null (); \ extern void sk_##type##_free (STACK_OF(type) *); \ extern int sk_##type##_num (const STACK_OF(type) *); \ @@ -74,12 +86,16 @@ extern void sk_##type##_pop_free (STACK_OF(type) *, void (*)(type *)); \ extern type *sk_##type##_shift (STACK_OF(type) *); \ extern type *sk_##type##_pop (STACK_OF(type) *); \ - extern void sk_##type##_sort (STACK_OF(type) *); \ - extern STACK_OF(type) *d2i_ASN1_SET_OF_##type (STACK_OF(type) **, VOMS_MAYBECONST unsigned char **, long, type *(*)(), void (*)(type *), int, int); \ - extern int i2d_ASN1_SET_OF_##type (STACK_OF(type) *, unsigned char **, int (*)(), int, int, int); \ - extern unsigned char *ASN1_seq_pack_##type (STACK_OF(type) *, int (*)(), unsigned char **, int *); \ - extern STACK_OF(type) *ASN1_seq_unpack_##type (unsigned char *, int, type *(*)(), void (*)(type *)) ; + extern void sk_##type##_sort (STACK_OF(type) *); +/* the following are not part of the stack interface + * + * extern STACK_OF(type) *d2i_ASN1_SET_OF_##type (STACK_OF(type) **, VOMS_MAYBECONST unsigned char **, long, type *(*)(), void (*)(type *), int, int); \ + * extern int i2d_ASN1_SET_OF_##type (STACK_OF(type) *, unsigned char **, int (*)(), int, int, int); \ + * extern unsigned char *ASN1_seq_pack_##type (STACK_OF(type) *, int (*)(), unsigned char **, int *); \ + * extern STACK_OF(type) *ASN1_seq_unpack_##type (unsigned char *, int, type *(*)(), void (*)(type *)) ; + */ +#endif #endif diff --git a/src/include/newformat.h b/src/include/newformat.h index 5092e3d9..886d8195 100644 --- a/src/include/newformat.h +++ b/src/include/newformat.h @@ -28,7 +28,6 @@ #include #include -#include #include #include #include @@ -52,19 +51,19 @@ typedef struct ACDIGEST { } AC_DIGEST; typedef struct ACIS { - STACK_OF(GENERAL_NAME) *issuer; + GENERAL_NAMES *issuer; ASN1_INTEGER *serial; ASN1_BIT_STRING *uid; } AC_IS; typedef struct ACFORM { - STACK_OF(GENERAL_NAME) *names; + GENERAL_NAMES *names; AC_IS *is; AC_DIGEST *digest; } AC_FORM; typedef struct ACACI { - STACK_OF(GENERAL_NAME) *names; + GENERAL_NAMES *names; AC_FORM *form; } AC_ACI; @@ -79,10 +78,10 @@ typedef struct ACVAL { ASN1_GENERALIZEDTIME *notAfter; } AC_VAL; -typedef struct asn1_string_st AC_IETFATTRVAL; +typedef ASN1_OCTET_STRING AC_IETFATTRVAL; typedef struct ACIETFATTR { - STACK_OF(GENERAL_NAME) *names; + GENERAL_NAMES *names; STACK_OF(AC_IETFATTRVAL) *values; } AC_IETFATTR; @@ -98,23 +97,22 @@ typedef struct ACTARGETS { typedef struct ACATTR { ASN1_OBJECT * type; - int get_type; STACK_OF(AC_IETFATTR) *ietfattr; STACK_OF(AC_FULL_ATTRIBUTES) *fullattributes; } AC_ATTR; -#define GET_TYPE_FQAN 1 -#define GET_TYPE_ATTRIBUTES 2 + +typedef STACK_OF(AC_ATTR) AC_ATTRS; typedef struct ACINFO { ASN1_INTEGER *version; AC_HOLDER *holder; - AC_FORM *form; + GENERAL_NAMES *form; X509_ALGOR *alg; ASN1_INTEGER *serial; AC_VAL *validity; - STACK_OF(AC_ATTR) *attrib; + AC_ATTRS *attrib; ASN1_BIT_STRING *id; - STACK_OF(X509_EXTENSION) *exts; + X509_EXTENSIONS *exts; } AC_INFO; typedef struct ACC { @@ -146,74 +144,26 @@ DECL_STACK(AC_IS) DECL_STACK(AC_DIGEST) DECL_STACK(AC_CERTS) -extern int i2d_AC_ATTR(AC_ATTR *a, unsigned char **pp); -extern AC_ATTR *d2i_AC_ATTR(AC_ATTR **a, VOMS_MAYBECONST unsigned char **p, long length); -extern AC_ATTR *AC_ATTR_new(); -extern void AC_ATTR_free(AC_ATTR *a); -extern int i2d_AC_IETFATTR(AC_IETFATTR *a, unsigned char **pp); -extern AC_IETFATTR *d2i_AC_IETFATTR(AC_IETFATTR **a, VOMS_MAYBECONST unsigned char **p, long length); -extern AC_IETFATTR *AC_IETFATTR_new(); -extern void AC_IETFATTR_free (AC_IETFATTR *a); -extern int i2d_AC_IETFATTRVAL(AC_IETFATTRVAL *a, unsigned char **pp); -extern AC_IETFATTRVAL *d2i_AC_IETFATTRVAL(AC_IETFATTRVAL **a, VOMS_MAYBECONST unsigned char **pp, long length); -extern AC_IETFATTRVAL *AC_IETFATTRVAL_new(); -extern void AC_IETFATTRVAL_free(AC_IETFATTRVAL *a); -extern int i2d_AC_DIGEST(AC_DIGEST *a, unsigned char **pp); -extern AC_DIGEST *d2i_AC_DIGEST(AC_DIGEST **a, VOMS_MAYBECONST unsigned char **pp, long length);; -extern AC_DIGEST *AC_DIGEST_new(void); -extern void AC_DIGEST_free(AC_DIGEST *a); -extern int i2d_AC_IS(AC_IS *a, unsigned char **pp); -extern AC_IS *d2i_AC_IS(AC_IS **a, VOMS_MAYBECONST unsigned char **pp, long length); -extern AC_IS *AC_IS_new(void); -extern void AC_IS_free(AC_IS *a); -extern int i2d_AC_FORM(AC_FORM *a, unsigned char **pp); -extern AC_FORM *d2i_AC_FORM(AC_FORM **a, VOMS_MAYBECONST unsigned char **pp, long length); -extern AC_FORM *AC_FORM_new(void); -extern void AC_FORM_free(AC_FORM *a); -extern int i2d_AC_ACI(AC_ACI *a, unsigned char **pp); -extern AC_ACI *d2i_AC_ACI(AC_ACI **a, VOMS_MAYBECONST unsigned char **pp, long length); -extern AC_ACI *AC_ACI_new(void); -extern void AC_ACI_free(AC_ACI *a); - -extern int i2d_AC_HOLDER(AC_HOLDER *a, unsigned char **pp); -extern AC_HOLDER *d2i_AC_HOLDER(AC_HOLDER **a, VOMS_MAYBECONST unsigned char **pp, long length); -extern AC_HOLDER *AC_HOLDER_new(void); -extern void AC_HOLDER_free(AC_HOLDER *a); - -/* new AC_VAL functions by Valerio */ -extern int i2d_AC_VAL(AC_VAL *a, unsigned char **pp); -extern AC_VAL *d2i_AC_VAL(AC_VAL **a, VOMS_MAYBECONST unsigned char **pp, long length); -extern AC_VAL *AC_VAL_new(void); -extern void AC_VAL_free(AC_VAL *a); -/* end*/ - -extern int i2d_AC_INFO(AC_INFO *a, unsigned char **pp); -extern AC_INFO *d2i_AC_INFO(AC_INFO **a, VOMS_MAYBECONST unsigned char **p, long length); -extern AC_INFO *AC_INFO_new(void); -extern void AC_INFO_free(AC_INFO *a); -extern int i2d_AC(AC *a, unsigned char **pp) ; -extern AC *d2i_AC(AC **a, VOMS_MAYBECONST unsigned char **pp, long length); -extern AC *AC_new(void); -extern void AC_free(AC *a); -extern int i2d_AC_TARGETS(AC_TARGETS *a, unsigned char **pp) ; -extern AC_TARGETS *d2i_AC_TARGETS(AC_TARGETS **a, VOMS_MAYBECONST unsigned char **pp, long length); -extern AC_TARGETS *AC_TARGETS_new(void); -extern void AC_TARGETS_free(AC_TARGETS *a); -extern int i2d_AC_TARGET(AC_TARGET *a, unsigned char **pp) ; -extern AC_TARGET *d2i_AC_TARGET(AC_TARGET **a, VOMS_MAYBECONST unsigned char **pp, long length); -extern AC_TARGET *AC_TARGET_new(void); -extern void AC_TARGET_free(AC_TARGET *a); -extern int i2d_AC_SEQ(AC_SEQ *a, unsigned char **pp) ; -extern AC_SEQ *d2i_AC_SEQ(AC_SEQ **a, VOMS_MAYBECONST unsigned char **pp, long length); -extern AC_SEQ *AC_SEQ_new(void); -extern void AC_SEQ_free(AC_SEQ *a); - -extern int i2d_AC_CERTS(AC_CERTS *a, unsigned char **pp) ; -extern AC_CERTS *d2i_AC_CERTS(AC_CERTS **a, VOMS_MAYBECONST unsigned char **pp, long length); -extern AC_CERTS *AC_CERTS_new(void); -extern void AC_CERTS_free(AC_CERTS *a); +DECLARE_ASN1_FUNCTIONS(AC_ATTRS) +DECLARE_ASN1_FUNCTIONS(AC_DIGEST) +DECLARE_ASN1_FUNCTIONS(AC_IS) +DECLARE_ASN1_FUNCTIONS(AC_FORM) +DECLARE_ASN1_FUNCTIONS(AC_ACI) +DECLARE_ASN1_FUNCTIONS(AC_HOLDER) +DECLARE_ASN1_FUNCTIONS(AC_VAL) +DECLARE_ASN1_FUNCTIONS(AC_IETFATTR) +DECLARE_ASN1_FUNCTIONS(AC_TARGET) +DECLARE_ASN1_FUNCTIONS(AC_TARGETS) +DECLARE_ASN1_FUNCTIONS(AC_ATTR) +DECLARE_ASN1_FUNCTIONS(AC_INFO) +DECLARE_ASN1_FUNCTIONS(AC) +DECLARE_ASN1_FUNCTIONS(AC_SEQ) +DECLARE_ASN1_FUNCTIONS(AC_CERTS) + +DECLARE_ASN1_PRINT_FUNCTION(AC) extern AC *AC_dup(AC *ac); + extern EVP_PKEY *EVP_PKEY_dup(EVP_PKEY *pkey); extern int AC_verify(X509_ALGOR *algor1, ASN1_BIT_STRING *signature,char *data,EVP_PKEY *pkey); diff --git a/src/include/proxycertinfo.h b/src/include/proxycertinfo.h new file mode 100644 index 00000000..0ab99c4c --- /dev/null +++ b/src/include/proxycertinfo.h @@ -0,0 +1,84 @@ +/* + * Copyright 1999-2006 University of Chicago + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef HEADER_PROXYCERTINFO_H +#define HEADER_PROXYCERTINFO_H + +/** + * @file proxycertinfo.h + * @brief Proxy Certificate Info + * @author Sam Meder + * @author Sam Lang + */ +#include "proxypolicy.h" +#include +#include +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * @defgroup proxycertinfo ProxyCertInfo + * @ingroup globus_gsi_proxy_ssl_api + * + * The proxycertinfo.h file defines a method of + * maintaining information about proxy certificates. + */ + +#define PROXYCERTINFO_OLD_OID "1.3.6.1.4.1.3536.1.222" +#define PROXYCERTINFO_OID "1.3.6.1.5.5.7.1.14" +#define PROXYCERTINFO_SN "PROXYCERTINFO" +#define PROXYCERTINFO_LN "Proxy Certificate Info Extension" +#define PROXYCERTINFO_OLD_SN "OLD_PROXYCERTINFO" +#define PROXYCERTINFO_OLD_LN "Proxy Certificate Info Extension (old OID)" + +/* + * Used for error checking + */ +#define ASN1_F_PROXYCERTINFO_NEW 430 +#define ASN1_F_D2I_PROXYCERTINFO 431 + + + X509V3_EXT_METHOD * PROXYCERTINFO_OLD_x509v3_ext_meth(); + + void InitProxyCertInfoExtension(int full); + + int + PROXY_CERT_INFO_EXTENSION_set_path_length( + PROXY_CERT_INFO_EXTENSION* pci + , long pl + ); + + PROXY_POLICY* + PROXY_CERT_INFO_EXTENSION_get_policy(PROXY_CERT_INFO_EXTENSION const* pci); + + int + PROXY_CERT_INFO_EXTENSION_set_policy( + PROXY_CERT_INFO_EXTENSION* pci + , PROXY_POLICY* policy + ); + + long + PROXY_CERT_INFO_EXTENSION_get_path_length(PROXY_CERT_INFO_EXTENSION const* pci); + +#ifdef __cplusplus +} +#endif + +#endif /* HEADER_PROXYCERTINFO_H */ diff --git a/src/include/proxypolicy.h b/src/include/proxypolicy.h new file mode 100644 index 00000000..c5bec33e --- /dev/null +++ b/src/include/proxypolicy.h @@ -0,0 +1,87 @@ +/* + * Copyright 1999-2006 University of Chicago + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + +#ifndef HEADER_PROXYPOLICY_H +#define HEADER_PROXYPOLICY_H + +/** + * @file proxypolicy.h + * @brief Proxy Policy + * @author Sam Meder + * @author Sam Lang + */ +/** + * @defgroup proxypolicy ProxyPolicy + * @ingroup globus_gsi_proxy_ssl_api + * + * The proxypolicy set of data structures + * and functions provides an interface to generating + * a PROXYPOLICY structure which is maintained as + * a field in the PROXYCERTINFO structure, + * and ultimately gets written to a DER encoded string. + * + * Further Information about proxy policies + * is available in the X.509 Proxy Certificate Profile document. + */ + +#include +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +#define ANY_LANGUAGE_OID "1.3.6.1.5.5.7.21.0" +#define ANY_LANGUAGE_SN "ANY_LANGUAGE" +#define ANY_LANGUAGE_LN "Any Language" + +#define IMPERSONATION_PROXY_OID "1.3.6.1.5.5.7.21.1" +#define IMPERSONATION_PROXY_SN "IMPERSONATION_PROXY" +#define IMPERSONATION_PROXY_LN "GSI impersonation proxy" + +#define INDEPENDENT_PROXY_OID "1.3.6.1.5.5.7.21.2" +#define INDEPENDENT_PROXY_SN "INDEPENDENT_PROXY" +#define INDEPENDENT_PROXY_LN "GSI independent proxy" + + /* generic policy language */ +#define GLOBUS_GSI_PROXY_GENERIC_POLICY_OID "1.3.6.1.4.1.3536.1.1.1.8" + +#define LIMITED_PROXY_OID "1.3.6.1.4.1.3536.1.1.1.9" +#define LIMITED_PROXY_SN "LIMITED_PROXY" +#define LIMITED_PROXY_LN "GSI limited proxy" + +/* Used for error handling */ +#define ASN1_F_PROXYPOLICY_NEW 450 +#define ASN1_F_D2I_PROXYPOLICY 451 + + int PROXY_POLICY_set_policy_language( + PROXY_POLICY * policy + , ASN1_OBJECT * policy_language); + + int PROXY_POLICY_set_policy( + PROXY_POLICY * proxypolicy + , unsigned char * policy + , int length); + + PROXY_POLICY* PROXY_POLICY_dup(PROXY_POLICY* policy); + +#ifdef __cplusplus +} +#endif + +#endif /* HEADER_PROXYPOLICY_H */ diff --git a/src/include/ssl_compat.h b/src/include/ssl_compat.h new file mode 100644 index 00000000..ffc69ec8 --- /dev/null +++ b/src/include/ssl_compat.h @@ -0,0 +1,74 @@ +#include + +#if OPENSSL_VERSION_NUMBER < 0x10100000L + +#include +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x); +struct rsa_st *EVP_PKEY_get0_RSA(EVP_PKEY *pkey); +int X509_REQ_get_signature_nid(const X509_REQ *req); +const ASN1_INTEGER *X509_get0_serialNumber(const X509 *x); +int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm); +const ASN1_TIME *X509_get0_notAfter(const X509 *x); +void X509_set_proxy_flag(X509 *x); +void X509_set_proxy_pathlen(X509 *x, long l); +X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx); +X509_OBJECT *X509_OBJECT_new(void); +X509_CRL *X509_OBJECT_get0_X509_CRL(X509_OBJECT *a); +const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl); +const ASN1_INTEGER *X509_REVOKED_get0_serialNumber(const X509_REVOKED *x); +STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx); +long X509_get_proxy_pathlen(X509 *x); +uint32_t X509_get_extension_flags(X509 *x); +void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x); +void X509_OBJECT_free(X509_OBJECT *a); +typedef int (*X509_STORE_CTX_check_issued_fn)(X509_STORE_CTX *ctx, + X509 *x, X509 *issuer); +void X509_STORE_set_check_issued(X509_STORE *ctx, + X509_STORE_CTX_check_issued_fn check_issued); +void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q); +void RSA_get0_key(const RSA *r, + const BIGNUM **n, const BIGNUM **e, const BIGNUM **d); +int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); +const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x); +const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x); +void X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid, + const ASN1_BIT_STRING **psuid); +int BIO_get_new_index(void); +BIO_METHOD *BIO_meth_new(int type, const char *name); +int (*BIO_meth_get_write(BIO_METHOD *biom)) (BIO *, const char *, int); +int BIO_meth_set_write(BIO_METHOD *biom, int (*write) (BIO *, const char *, int)); +int (*BIO_meth_get_read(BIO_METHOD *biom)) (BIO *, char *, int); +int BIO_meth_set_read(BIO_METHOD *biom, int (*read) (BIO *, char *, int)); +int (*BIO_meth_get_puts(BIO_METHOD *biom)) (BIO *, const char *); +int BIO_meth_set_puts(BIO_METHOD *biom, int (*puts) (BIO *, const char *)); +int (*BIO_meth_get_gets(BIO_METHOD *biom)) (BIO *, char *, int); +int BIO_meth_set_gets(BIO_METHOD *biom, int (*gets) (BIO *, char *, int)); +long (*BIO_meth_get_ctrl(BIO_METHOD *biom)) (BIO *, int, long, void *); +int BIO_meth_set_ctrl(BIO_METHOD *biom, long (*ctrl) (BIO *, int, long, void *)); +int (*BIO_meth_get_create(BIO_METHOD *bion)) (BIO *); +int BIO_meth_set_create(BIO_METHOD *biom, int (*create) (BIO *)); +int (*BIO_meth_get_destroy(BIO_METHOD *biom)) (BIO *); +int BIO_meth_set_destroy(BIO_METHOD *biom, int (*destroy) (BIO *)); +long (*BIO_meth_get_callback_ctrl(BIO_METHOD *biom))(BIO *, int, bio_info_cb *); +int BIO_meth_set_callback_ctrl(BIO_METHOD *biom, long (*callback_ctrl) (BIO *, int, bio_info_cb *)); + +#if OPENSSL_VERSION_NUMBER < 0x10002000L + +int X509_get_signature_nid(const X509 *x); +void X509_get0_signature(const ASN1_BIT_STRING **psig, + const X509_ALGOR **palg, const X509 *x); + +#endif + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/src/include/sslutils.h b/src/include/sslutils.h index 6aba7e75..594c14ff 100644 --- a/src/include/sslutils.h +++ b/src/include/sslutils.h @@ -328,7 +328,7 @@ struct proxy_verify_desc_struct { proxy_verify_ctx_desc * pvxd; int flags; X509_STORE_CTX * cert_store; - int recursive_depth; + int recursive_depth; /* unused */ int proxy_depth; int cert_depth; int limited_proxy; diff --git a/src/include/vomsxml.h b/src/include/vomsxml.h index 285037fa..2c3f17b7 100644 --- a/src/include/vomsxml.h +++ b/src/include/vomsxml.h @@ -52,6 +52,6 @@ extern std::string XML_Ans_Encode(const std::string&, const std::string&, const std::vector&, bool); extern bool XML_Req_Decode(const std::string&, request &); extern bool XML_Ans_Decode(const std::string&, answer &); -extern std::string Encode(std::string data, int base64); +extern std::string Encode(const std::string& data, int base64); extern std::string Decode(const std::string& data); #endif diff --git a/src/log/fs.c b/src/log/fs.c index 0dc34b2d..bd0df80d 100644 --- a/src/log/fs.c +++ b/src/log/fs.c @@ -212,7 +212,8 @@ void *FILEStreamerAdd(void *h) static int logfile_rotate(const char * name) { - char *pos, *dirname, *newname, *oldname, *basename; + char *pos, *dirname, *newname, *oldname; + char const* basename = NULL; DIR * dir = NULL; struct dirent * de = NULL; int result = 0; diff --git a/src/server/Makefile.am b/src/server/Makefile.am index ab36fe7d..725dcda9 100644 --- a/src/server/Makefile.am +++ b/src/server/Makefile.am @@ -23,8 +23,8 @@ soapH.h soapStub.h: soapC.cpp soapC.cpp: VOMSAC.h $(SOAPCPP2) VOMSAC.h -VOMSAC.h: VOMSAC.wsdl - $(WSDL2H) $(WSDL2H_FLAGS) -s VOMSAC.wsdl +VOMSAC.h: $(top_srcdir)/src/server/VOMSAC.wsdl + $(WSDL2H) $(WSDL2H_FLAGS) -s -o $@ $(top_srcdir)/src/server/VOMSAC.wsdl EXTRA_DIST= VOMSAC.wsdl CLEANFILES= soap* VOMSAC.h vomsSOAP* diff --git a/src/server/vomsd.cc b/src/server/vomsd.cc index 983e7df2..700c5f1d 100644 --- a/src/server/vomsd.cc +++ b/src/server/vomsd.cc @@ -51,7 +51,7 @@ extern "C" { static int reload = 0; void *logh = NULL; -#include "myproxycertinfo.h" +#include "proxycertinfo.h" } #include @@ -96,11 +96,15 @@ std::string vomsresult::makeRESTAnswer(int& code) std::string output = ""; code = SOAP_HTML; - if (ac != "A" && !ac.empty()) - output += ""+Encode(ac, true)+""; + if (ac != "A" && !ac.empty()){ + std::string encoded_ac = Encode(ac,true); + output += ""+encoded_ac+""; + } - if (!data.empty()) - output += ""+Encode(data, true)+""; + if (!data.empty()){ + std::string encoded_data = Encode(data,true); + output += ""+encoded_data+""; + } std::vector::const_iterator end = errs.end(); for (std::vector::const_iterator i = errs.begin(); i != end; ++i) { @@ -1219,16 +1223,15 @@ bool VOMSServer::makeAC(vomsresult& vr, EVP_PKEY *key, X509 *issuer, /* Encode AC */ if (!res) { - unsigned int len = i2d_AC(a, NULL); + unsigned char *buf = NULL; - unsigned char *tmp = (unsigned char *)OPENSSL_malloc(len); - unsigned char *ttmp = tmp; + int len = i2d_AC(a, &buf); - if (tmp) { - i2d_AC(a, &tmp); - codedac = std::string((char *)ttmp, len); + if (len > 0) { + codedac = std::string(reinterpret_cast(buf), len); } - free(ttmp); + + OPENSSL_free(buf); } else vr.setError(ERR_NOT_MEMBER, get_error(res)); diff --git a/src/socklib/Client.cpp b/src/socklib/Client.cpp index 80b3d397..5bcac54f 100644 --- a/src/socklib/Client.cpp +++ b/src/socklib/Client.cpp @@ -162,8 +162,6 @@ proxy_verify_desc *setup_initializers(char *cadir) pvd = (proxy_verify_desc*) malloc(sizeof(proxy_verify_desc)); pvxd = (proxy_verify_ctx_desc *)malloc(sizeof(proxy_verify_ctx_desc)); - pvd->cert_store = NULL; - if (!pvd || !pvxd) { free(pvd); diff --git a/src/socklib/Server.cpp b/src/socklib/Server.cpp index e8936120..10483f3b 100644 --- a/src/socklib/Server.cpp +++ b/src/socklib/Server.cpp @@ -46,6 +46,7 @@ extern "C" { #include #include #include +#include #include #include @@ -60,6 +61,7 @@ extern "C" { #include "log.h" #include "vomsssl.h" #include "sslutils.h" +#include "ssl_compat.h" } #include "ipv6sock.h" @@ -282,6 +284,72 @@ void GSISocketServer::CloseListened(void) newopened = false; } +static BIO* make_VOMS_BIO(int sock) +{ + int ret; + + int const biom_type = BIO_get_new_index(); + static char const* const biom_name = "VOMS I/O"; + BIO_METHOD* voms_biom = BIO_meth_new(biom_type|BIO_TYPE_SOURCE_SINK|BIO_TYPE_DESCRIPTOR, biom_name); + assert(voms_biom && "BIO_meth_new failed"); + + BIO_METHOD const* sock_biom = BIO_s_socket(); + assert(sock_biom != NULL && "BIO_s_socket"); + + writeb = BIO_meth_get_write(const_cast(sock_biom)); + assert(writeb != NULL && "BIO_meth_get_write failed"); + ret = BIO_meth_set_write(voms_biom, globusf_write); + assert(ret == 1 && "BIO_meth_set_write failed"); + + readb = BIO_meth_get_read(const_cast(sock_biom)); + assert(readb != NULL && "BIO_meth_get_read failed"); + ret = BIO_meth_set_read(voms_biom, globusf_read); + assert(ret == 1 && "BIO_meth_set_read failed"); + + ret = BIO_meth_set_puts( + voms_biom + , BIO_meth_get_puts(const_cast(sock_biom)) + ); + assert(ret == 1 && "BIO_meth_get/set_puts failed"); + + ret = BIO_meth_set_gets( + voms_biom + , BIO_meth_get_gets(const_cast(sock_biom)) + ); + assert(ret == 1 && "BIO_meth_get/set_gets failed"); + + ret = BIO_meth_set_ctrl( + voms_biom + , BIO_meth_get_ctrl(const_cast(sock_biom)) + ); + assert(ret == 1 && "BIO_meth_get/set_ctrl failed"); + + ret = BIO_meth_set_create( + voms_biom + , BIO_meth_get_create(const_cast(sock_biom)) + ); + assert(ret == 1 && "BIO_meth_get/set_create failed"); + + ret = BIO_meth_set_destroy( + voms_biom + , BIO_meth_get_destroy(const_cast(sock_biom)) + ); + assert(ret == 1 && "BIO_meth_get/set_destroy failed"); + + ret = BIO_meth_set_callback_ctrl( + voms_biom + , BIO_meth_get_callback_ctrl(const_cast(sock_biom)) + ); + assert(ret == 1 && "BIO_meth_get/set_callback_ctrl failed"); + + BIO* voms_bio = BIO_new(voms_biom); + assert(voms_bio && "BIO_new failed"); + BIO_set_fd(voms_bio, sock, BIO_NOCLOSE); + (void)BIO_set_nbio(voms_bio, 1); + + return voms_bio; +} + /** * Accept the GSI Authentication. * @param sock the socket for communication. @@ -300,6 +368,7 @@ GSISocketServer::AcceptGSIAuthentication() bool accept_timed_out = false; int expected = 0; BIO *bio = NULL; + BIO_METHOD* bio_method = NULL; char *cert_file, *user_cert, *user_key, *user_proxy; char *serial=NULL; @@ -333,11 +402,11 @@ GSISocketServer::AcceptGSIAuthentication() * Certificate was a proxy with a cert. chain. * Add the certificates one by one to the chain. */ - X509_STORE_add_cert(ctx->cert_store, ucert); + X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx), ucert); for (int i = 0; i cert_store, cert)) { + if (!X509_STORE_add_cert(SSL_CTX_get_cert_store(ctx), cert)) { if (ERR_GET_REASON(ERR_peek_error()) == X509_R_CERT_ALREADY_IN_HASH_TABLE) { ERR_clear_error(); continue; @@ -353,17 +422,11 @@ GSISocketServer::AcceptGSIAuthentication() flags = fcntl(newsock, F_GETFL, 0); (void)fcntl(newsock, F_SETFL, flags | O_NONBLOCK); - bio = BIO_new_socket(newsock, BIO_NOCLOSE); - (void)BIO_set_nbio(bio, 1); + bio = make_VOMS_BIO(newsock); ssl = SSL_new(ctx); setup_SSL_proxy_handler(ssl, cacertdir); - writeb = bio->method->bwrite; - readb = bio->method->bread; - bio->method->bwrite = globusf_write; - bio->method->bread = globusf_read; - SSL_set_bio(ssl, bio, bio); curtime = starttime = time(NULL); diff --git a/src/sslutils/Makefile.am b/src/sslutils/Makefile.am index 7a06cb4b..3899b891 100644 --- a/src/sslutils/Makefile.am +++ b/src/sslutils/Makefile.am @@ -7,9 +7,10 @@ endif noinst_LTLIBRARIES = libssl_utils_nog.la -SOURCES= scutils.c scutils.h sslutils.c proxycertinfo.c \ +SOURCES= scutils.c scutils.h sslutils.c proxycertinfo.c proxypolicy.c \ signing_policy.c lex.signing.c namespaces.c lex.namespaces.c \ - evaluate.c proxy.c vomsproxy.h voms_cert_type.h voms_cert_type.c + evaluate.c proxy.c vomsproxy.h voms_cert_type.h voms_cert_type.c \ + ssl_compat.c EXTRA_DIST = namespaces.l namespaces.y namespaces.h \ diff --git a/src/sslutils/myproxycertinfo.c b/src/sslutils/myproxycertinfo.c new file mode 100644 index 00000000..8f9f90de --- /dev/null +++ b/src/sslutils/myproxycertinfo.c @@ -0,0 +1,510 @@ +/********************************************************************* + * + * Authors: Valerio Venturi - Valerio.Venturi@cnaf.infn.it + * Vincenzo Ciaschini - Vincenzo.Ciaschini@cnaf.infn.it + * + * Copyright (c) Members of the EGEE Collaboration. 2004-2010. + * See http://www.eu-egee.org/partners/ for details on the copyright holders. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Parts of this code may be based upon or even include verbatim pieces, + * originally written by other people, in which case the original header + * follows. + * + *********************************************************************/ +#include "config.h" + +#include + +#include +#include +#include + +#include "myproxycertinfo.h" +#include "doio.h" + +/* myPROXYPOLICY function */ + +myPROXYPOLICY * myPROXYPOLICY_new() +{ + myPROXYPOLICY* ret = (myPROXYPOLICY*)OPENSSL_malloc(sizeof(myPROXYPOLICY)); + + if (ret) + { + ret->policy_language = OBJ_nid2obj(OBJ_sn2nid(IMPERSONATION_PROXY_SN)); + ret->policy = NULL; + } + + return ret; +} + +void myPROXYPOLICY_free(myPROXYPOLICY * policy) +{ + if(policy == NULL) return; + + ASN1_OBJECT_free(policy->policy_language); + ASN1_OCTET_STRING_free(policy->policy); + OPENSSL_free(policy); +} + +/* duplicate */ +myPROXYPOLICY * myPROXYPOLICY_dup(myPROXYPOLICY * policy) +{ +#ifdef TYPEDEF_I2D_OF + return ((myPROXYPOLICY *) ASN1_dup((i2d_of_void *)i2d_myPROXYPOLICY, + (d2i_of_void *)d2i_myPROXYPOLICY, + (char *)policy)); +#else + return ((myPROXYPOLICY *) ASN1_dup((int (*)())i2d_myPROXYPOLICY, + (char *(*)())d2i_myPROXYPOLICY, + (char *)policy)); +#endif +} + +/* set policy language */ +int myPROXYPOLICY_set_policy_language(myPROXYPOLICY * policy, ASN1_OBJECT * policy_language) +{ + if(policy_language != NULL) { + ASN1_OBJECT_free(policy->policy_language); + policy->policy_language = OBJ_dup(policy_language); + return 1; + } + + return 0; +} + +/* get policy language */ +ASN1_OBJECT * myPROXYPOLICY_get_policy_language(myPROXYPOLICY * policy) +{ + return policy->policy_language; +} + +/* set policy */ +int myPROXYPOLICY_set_policy(myPROXYPOLICY * proxypolicy, unsigned char * policy, int length) +{ + if(policy != NULL) { + /* if member policy of proxypolicy non set */ + if(!proxypolicy->policy) + proxypolicy->policy = ASN1_OCTET_STRING_new(); + + /* set member policy of proxypolicy */ + ASN1_OCTET_STRING_set(proxypolicy->policy, policy, length); + } + else + ASN1_OCTET_STRING_free(proxypolicy->policy); + + return 1; +} + +/* get policy */ +unsigned char * myPROXYPOLICY_get_policy(myPROXYPOLICY * proxypolicy, int * length) +{ + /* assure field policy is set */ + + if(proxypolicy->policy) { + *length = proxypolicy->policy->length; + + /* assure ASN1_OCTET_STRING is full */ + if (*length>0 && proxypolicy->policy->data) { + unsigned char * copy = malloc(*length); + memcpy(copy, proxypolicy->policy->data, *length); + return copy; + } + } + return NULL; +} + +/* internal to der conversion */ +int i2d_myPROXYPOLICY(myPROXYPOLICY * policy, unsigned char ** pp) +{ + M_ASN1_I2D_vars(policy); + + M_ASN1_I2D_len(policy->policy_language, i2d_ASN1_OBJECT); + + if(policy->policy) { + M_ASN1_I2D_len(policy->policy, i2d_ASN1_OCTET_STRING); + } + + M_ASN1_I2D_seq_total(); + M_ASN1_I2D_put(policy->policy_language, i2d_ASN1_OBJECT); + + if(policy->policy) { + M_ASN1_I2D_put(policy->policy, i2d_ASN1_OCTET_STRING); + } + + M_ASN1_I2D_finish(); +} + +myPROXYPOLICY * d2i_myPROXYPOLICY(myPROXYPOLICY ** a, unsigned char ** pp, long length) +{ + M_ASN1_D2I_vars(a, myPROXYPOLICY *, myPROXYPOLICY_new); + + M_ASN1_D2I_Init(); + M_ASN1_D2I_start_sequence(); + M_ASN1_D2I_get(ret->policy_language, d2i_ASN1_OBJECT); + + /* need to try getting the policy using + * a) a call expecting no tags + * b) a call expecting tags + * one of which should succeed + */ + + M_ASN1_D2I_get_opt(ret->policy, + d2i_ASN1_OCTET_STRING, + V_ASN1_OCTET_STRING); + M_ASN1_D2I_get_IMP_opt(ret->policy, + d2i_ASN1_OCTET_STRING, + 0, + V_ASN1_OCTET_STRING); + M_ASN1_D2I_Finish(a, + myPROXYPOLICY_free, + ASN1_F_D2I_PROXYPOLICY); +} + + + +/* myPROXYCERTINFO function */ + +myPROXYCERTINFO * myPROXYCERTINFO_new() +{ + myPROXYCERTINFO * ret = NULL; + ASN1_CTX c; + + M_ASN1_New_Malloc(ret, myPROXYCERTINFO); + memset(ret, 0, sizeof(myPROXYCERTINFO)); + ret->path_length = NULL; + ret->proxypolicy = myPROXYPOLICY_new(); + return (ret); + M_ASN1_New_Error(ASN1_F_PROXYCERTINFO_NEW); +} + +void myPROXYCERTINFO_free(myPROXYCERTINFO * proxycertinfo) +{ + /* assure proxycertinfo not empty */ + if(proxycertinfo == NULL) return; + + ASN1_INTEGER_free(proxycertinfo->path_length); + myPROXYPOLICY_free(proxycertinfo->proxypolicy); + OPENSSL_free(proxycertinfo); +} + +/* set path_length */ +int myPROXYCERTINFO_set_path_length(myPROXYCERTINFO * proxycertinfo, long path_length) +{ + /* assure proxycertinfo is not empty */ + if(proxycertinfo != NULL) { + + if(path_length != -1) { + /* if member path_length is empty allocate memory then set */ + if(proxycertinfo->path_length == NULL) + proxycertinfo->path_length = ASN1_INTEGER_new(); + return ASN1_INTEGER_set(proxycertinfo->path_length, path_length); + } + else { + ASN1_INTEGER_free(proxycertinfo->path_length); + proxycertinfo->path_length = NULL; + } + + return 1; + } + + return 0; +} + +int myPROXYCERTINFO_set_version(myPROXYCERTINFO * proxycertinfo, int version) +{ + if (proxycertinfo != NULL) { + proxycertinfo->version = version; + return 1; + } + + return 0; +} + +int myPROXYCERTINFO_get_version(myPROXYCERTINFO * proxycertinfo) +{ + if (proxycertinfo) + return proxycertinfo->version; + return -1; +} + + +/* get path length */ +long myPROXYCERTINFO_get_path_length(myPROXYCERTINFO * proxycertinfo) +{ + if(proxycertinfo && proxycertinfo->path_length) + return ASN1_INTEGER_get(proxycertinfo->path_length); + else + return -1; +} + +/* set policy */ +int myPROXYCERTINFO_set_proxypolicy(myPROXYCERTINFO * proxycertinfo, myPROXYPOLICY * proxypolicy) +{ + myPROXYPOLICY_free(proxycertinfo->proxypolicy); + + if(proxypolicy != NULL) + proxycertinfo->proxypolicy = myPROXYPOLICY_dup(proxypolicy); + else + proxycertinfo->proxypolicy = NULL; + + return 1; +} + +/* get policy */ +myPROXYPOLICY * myPROXYCERTINFO_get_proxypolicy(myPROXYCERTINFO * proxycertinfo) +{ + if(proxycertinfo) + return proxycertinfo->proxypolicy; + + return NULL; +} + +/* internal to der conversion */ +static int i2d_myPROXYCERTINFO_v3(myPROXYCERTINFO * proxycertinfo, unsigned char ** pp) +{ + int v1; + + M_ASN1_I2D_vars(proxycertinfo); + + v1 = 0; + + M_ASN1_I2D_len(proxycertinfo->proxypolicy, i2d_myPROXYPOLICY); + + M_ASN1_I2D_len_EXP_opt(proxycertinfo->path_length,i2d_ASN1_INTEGER, 1, v1); + M_ASN1_I2D_seq_total(); + M_ASN1_I2D_put(proxycertinfo->proxypolicy, i2d_myPROXYPOLICY); + M_ASN1_I2D_put_EXP_opt(proxycertinfo->path_length, i2d_ASN1_INTEGER, 1, v1); + M_ASN1_I2D_finish(); +} + +static int i2d_myPROXYCERTINFO_v4(myPROXYCERTINFO * proxycertinfo, unsigned char ** pp) +{ + M_ASN1_I2D_vars(proxycertinfo); + + if(proxycertinfo->path_length) + { + M_ASN1_I2D_len(proxycertinfo->path_length, i2d_ASN1_INTEGER); + } + + M_ASN1_I2D_len(proxycertinfo->proxypolicy, i2d_myPROXYPOLICY); + + M_ASN1_I2D_seq_total(); + if(proxycertinfo->path_length) + { + M_ASN1_I2D_put(proxycertinfo->path_length, i2d_ASN1_INTEGER); + } + M_ASN1_I2D_put(proxycertinfo->proxypolicy, i2d_myPROXYPOLICY); + M_ASN1_I2D_finish(); +} + +int i2d_myPROXYCERTINFO(myPROXYCERTINFO * proxycertinfo, unsigned char ** pp) +{ + switch(proxycertinfo->version) { + case 3: + return i2d_myPROXYCERTINFO_v3(proxycertinfo, pp); + break; + + case 4: + return i2d_myPROXYCERTINFO_v4(proxycertinfo, pp); + break; + + default: + return -1; + break; + } +} + +static myPROXYCERTINFO * d2i_myPROXYCERTINFO_v3(myPROXYCERTINFO ** cert_info, unsigned char ** pp, long length) +{ + M_ASN1_D2I_vars(cert_info, myPROXYCERTINFO *, myPROXYCERTINFO_new); + + M_ASN1_D2I_Init(); + M_ASN1_D2I_start_sequence(); + + M_ASN1_D2I_get((ret->proxypolicy), d2i_myPROXYPOLICY); + + M_ASN1_D2I_get_EXP_opt(ret->path_length, d2i_ASN1_INTEGER, 1); + + ret->version = 3; + M_ASN1_D2I_Finish(cert_info, myPROXYCERTINFO_free, ASN1_F_D2I_PROXYCERTINFO); +} + +static myPROXYCERTINFO * d2i_myPROXYCERTINFO_v4(myPROXYCERTINFO ** cert_info, unsigned char ** pp, long length) +{ + M_ASN1_D2I_vars(cert_info, myPROXYCERTINFO *, myPROXYCERTINFO_new); + + M_ASN1_D2I_Init(); + M_ASN1_D2I_start_sequence(); + + M_ASN1_D2I_get_EXP_opt(ret->path_length, d2i_ASN1_INTEGER, 1); + + M_ASN1_D2I_get_opt(ret->path_length, d2i_ASN1_INTEGER, V_ASN1_INTEGER); + + M_ASN1_D2I_get((ret->proxypolicy),d2i_myPROXYPOLICY); + + ret->version = 4; + M_ASN1_D2I_Finish(cert_info, myPROXYCERTINFO_free, ASN1_F_D2I_PROXYCERTINFO); +} + +myPROXYCERTINFO * d2i_myPROXYCERTINFO(myPROXYCERTINFO ** cert_info, unsigned char ** pp, long length) +{ + myPROXYCERTINFO *info = d2i_myPROXYCERTINFO_v3(cert_info, pp, length); + if (!info) + info = d2i_myPROXYCERTINFO_v4(cert_info, pp, length); + return info; +} + + +static int nativeopenssl = 0; + +static char *norep() +{ + static char *buffer=""; + return buffer; +} + +static void *myproxycertinfo_s2i(UNUSED(struct v3_ext_method *method), UNUSED(struct v3_ext_ctx *ctx), UNUSED(char *data)) +{ + return (myPROXYCERTINFO*)data; +} + +static char *myproxycertinfo_i2s(UNUSED(struct v3_ext_method *method), void *ext) +{ + myPROXYCERTINFO *pci = NULL; + char *encoding = NULL; + char *output = NULL; + myPROXYPOLICY *pp; + int dooid = 0; + char oid[256]; + + pci = (myPROXYCERTINFO *)ext; + + if (!pci) + return norep(); + + if (pci->path_length) { + int j = ASN1_INTEGER_get(pci->path_length); + + char *buffer = snprintf_wrap("%X", j); + output = snprintf_wrap("Path Length Constraint: %s%s\n\n", strlen(buffer)%2 ? "0" : "", buffer); + free(buffer); + } + else + output = strdup("Path Length Constraint: unlimited\n"); + + pp = pci->proxypolicy; + + if (pp && i2t_ASN1_OBJECT(oid, 256, pp->policy_language)) { + dooid = 1; + } + + encoding = snprintf_wrap("%sPolicy Language: %s%s%s%s\n", + output, + ( dooid ? oid : ""), + ( (pp && pp->policy) ? "\nPolicy Text: " : ""), + ( (pp && pp->policy) ? (char*)ASN1_STRING_data(pp->policy) : ""), + ( (pp && pp->policy) ? "\n" : "")); + + free(output); + return encoding; +} + +void InitProxyCertInfoExtension(int full) +{ +#define PROXYCERTINFO_V3 "1.3.6.1.4.1.3536.1.222" +#define PROXYCERTINFO_V4 "1.3.6.1.5.5.7.1.14" +#define OBJC(c,n) OBJ_create(c,n,n) + + X509V3_EXT_METHOD *pcert; + static int set = 0; + ASN1_OBJECT *objv3; + ASN1_OBJECT *objv4; + + if (set) + return; + + set = 1; + + + objv3 = OBJ_txt2obj(PROXYCERTINFO_V3,1); + objv4 = OBJ_txt2obj(PROXYCERTINFO_V4,1); + + /* Proxy Certificate Extension's related objects */ + if (OBJ_obj2nid(objv3) == 0) { + ERR_clear_error(); + OBJC(PROXYCERTINFO_V3, "Proxy Certificate Information"); + if (full) { + pcert = (X509V3_EXT_METHOD *)OPENSSL_malloc(sizeof(X509V3_EXT_METHOD)); + + if (pcert) { + memset(pcert, 0, sizeof(*pcert)); + pcert->ext_nid = OBJ_txt2nid(PROXYCERTINFO_V3); + pcert->ext_flags = 0; + pcert->ext_new = (X509V3_EXT_NEW) myPROXYCERTINFO_new; + pcert->ext_free = (X509V3_EXT_FREE)myPROXYCERTINFO_free; + pcert->d2i = (X509V3_EXT_D2I) d2i_myPROXYCERTINFO; + pcert->i2d = (X509V3_EXT_I2D) i2d_myPROXYCERTINFO; + pcert->i2s = (X509V3_EXT_I2S) myproxycertinfo_i2s; + pcert->s2i = (X509V3_EXT_S2I) myproxycertinfo_s2i; + pcert->v2i = (X509V3_EXT_V2I) NULL; + pcert->r2i = (X509V3_EXT_R2I) NULL; + pcert->i2v = (X509V3_EXT_I2V) NULL; + pcert->i2r = (X509V3_EXT_I2R) NULL; + + X509V3_EXT_add(pcert); + } + } + } + + if (OBJ_obj2nid(objv4) == 0) { + ERR_clear_error(); + OBJC(PROXYCERTINFO_V4, "Proxy Certificate Information"); + if (full) { + pcert = (X509V3_EXT_METHOD *)OPENSSL_malloc(sizeof(X509V3_EXT_METHOD)); + + if (pcert) { + memset(pcert, 0, sizeof(*pcert)); + pcert->ext_nid = OBJ_txt2nid(PROXYCERTINFO_V4); + pcert->ext_flags = 0; + pcert->ext_new = (X509V3_EXT_NEW) myPROXYCERTINFO_new; + pcert->ext_free = (X509V3_EXT_FREE)myPROXYCERTINFO_free; + pcert->d2i = (X509V3_EXT_D2I) d2i_myPROXYCERTINFO; + pcert->i2d = (X509V3_EXT_I2D) i2d_myPROXYCERTINFO; + pcert->i2s = (X509V3_EXT_I2S) myproxycertinfo_i2s; + pcert->s2i = (X509V3_EXT_S2I) myproxycertinfo_s2i; + pcert->v2i = (X509V3_EXT_V2I) NULL; + pcert->r2i = (X509V3_EXT_R2I) NULL; + pcert->i2v = (X509V3_EXT_I2V) NULL; + pcert->i2r = (X509V3_EXT_I2R) NULL; + + X509V3_EXT_add(pcert); + } + } + } + +#ifdef X509_V_FLAG_ALLOW_PROXY_CERTS + nativeopenssl = 1; +#endif + + ASN1_OBJECT_free(objv3); + ASN1_OBJECT_free(objv4); + + return; +} + +int proxynative(void) +{ + return nativeopenssl; +} diff --git a/src/sslutils/namespaces.c b/src/sslutils/namespaces.c index ec10f3b4..780845d7 100644 --- a/src/sslutils/namespaces.c +++ b/src/sslutils/namespaces.c @@ -1671,19 +1671,6 @@ YYSTYPE yylval; /* Line 1675 of yacc.c */ #line 110 "namespaces.y" - -#if 0 -int main() -{ - namespacesdebug = 1; - struct policy **arg = NULL; - void *scanner=NULL; - namespaceslex_init(&scanner); - namespacesset_debug(1, scanner); - return namespacesparse(&arg, scanner); -} -#endif - void namespaceserror(UNUSED(void *policies), UNUSED(void *scanner), UNUSED(char const *msg)) { } diff --git a/src/sslutils/proxy.c b/src/sslutils/proxy.c index 8bb1b6cb..dccb7275 100644 --- a/src/sslutils/proxy.c +++ b/src/sslutils/proxy.c @@ -32,6 +32,7 @@ #include #include #include +#include #include #include @@ -40,7 +41,7 @@ #include #include "vomsproxy.h" -#include "myproxycertinfo.h" +#include "proxycertinfo.h" #include "sslutils.h" #include "doio.h" @@ -55,6 +56,19 @@ static int getBitValue(char *bitname); static int convertMethod(char *bits, int *warning, void **additional); static X509_EXTENSION *get_BasicConstraints(int ca); +AC_SEQ* create_ac_seq(AC** aclist) { + + if (!aclist) return NULL; + + AC_SEQ* seq = AC_SEQ_new(); + + while(*aclist) { + sk_AC_push(seq->acs, *aclist++); + } + + return seq; +} + struct VOMSProxyArguments *VOMS_MakeProxyArguments() { return (struct VOMSProxyArguments*)calloc(1, sizeof(struct VOMSProxyArguments)); @@ -132,7 +146,7 @@ struct VOMSProxy *VOMS_MakeProxy(struct VOMSProxyArguments *args, int *warning, X509_REQ * req = NULL; STACK_OF(X509_EXTENSION) * extensions = NULL; int ku_flags = 0; - char *policy = NULL; + char* policy = NULL; X509_EXTENSION *ex1 = NULL, *ex2 = NULL, *ex3 = NULL, *ex4 = NULL, *ex5 = NULL, *ex6 = NULL, *ex7 = NULL, @@ -143,31 +157,27 @@ struct VOMSProxy *VOMS_MakeProxy(struct VOMSProxyArguments *args, int *warning, struct VOMSProxy *proxy = NULL; - static int init = 0; - int (*cback)(); - if (!init) { - InitProxyCertInfoExtension(1); - init = 1; - } + InitProxyCertInfoExtension(1); setWarning(warning, PROXY_NO_ERROR); - if (args->callback) + if (args->callback) { cback = args->callback; - else + } else { cback = kpcallback; - + } if (args->proxyrequest == NULL) { if (proxy_genreq(args->cert, &req, &npkey, args->bits, args->newsubject ? args->newsubject : NULL, - (int (*)())cback)) + (int (*)())cback)) { goto err; - } - else + } + } else { req = args->proxyrequest; + } /* initialize extensions stack */ @@ -188,8 +198,7 @@ struct VOMSProxy *VOMS_MakeProxy(struct VOMSProxyArguments *args, int *warning, PRXYerr(PRXYERR_F_PROXY_SIGN, PRXYERR_R_CLASS_ADD_EXT); goto err; } - } - else { + } else { PRXYerr(PRXYERR_F_PROXY_SIGN, PRXYERR_R_CLASS_ADD_EXT); goto err; } @@ -205,8 +214,9 @@ struct VOMSProxy *VOMS_MakeProxy(struct VOMSProxyArguments *args, int *warning, goto err; } - if (!SET_EXT(ex1)) + if (!SET_EXT(ex1)) { goto err; + } } /* include extension */ @@ -224,10 +234,10 @@ struct VOMSProxy *VOMS_MakeProxy(struct VOMSProxyArguments *args, int *warning, } free(filedata); - if (!SET_EXT(ex3)) + if (!SET_EXT(ex3)) { goto err; - } - else { + } + } else { setAdditional(additional, args->filename); goto err; } @@ -237,13 +247,24 @@ struct VOMSProxy *VOMS_MakeProxy(struct VOMSProxyArguments *args, int *warning, if (args->aclist) { - if ((ex5 = X509V3_EXT_conf_nid(NULL, NULL, OBJ_txt2nid("acseq"), (char *)args->aclist)) == NULL) { + AC_SEQ* acseq = create_ac_seq(args->aclist); + + if (!acseq){ + // FIXME: set this error to out of memory + PRXYerr(PRXYERR_F_PROXY_SIGN, PRXYERR_R_CLASS_ADD_EXT); + goto err; + } + + ex5 = X509V3_EXT_i2d(OBJ_txt2nid("acseq"),0, acseq); + + if ( ex5 == NULL) { PRXYerr(PRXYERR_F_PROXY_SIGN, PRXYERR_R_CLASS_ADD_EXT); goto err; } - if (!SET_EXT(ex5)) + if (!SET_EXT(ex5)) { goto err; + } } /* keyUsage extension */ @@ -254,12 +275,10 @@ struct VOMSProxy *VOMS_MakeProxy(struct VOMSProxyArguments *args, int *warning, PRXYerr(PRXYERR_F_PROXY_SIGN, PRXYERR_R_CLASS_ADD_EXT); goto err; } - } - else if (args->selfsigned) { + } else if (args->selfsigned) { ku_flags = X509v3_KU_DIGITAL_SIGNATURE | X509v3_KU_KEY_CERT_SIGN | X509v3_KU_CRL_SIGN; - } - else { + } else { ku_flags = get_KeyUsageFlags(args->cert); if (ku_flags != 0) { @@ -276,8 +295,9 @@ struct VOMSProxy *VOMS_MakeProxy(struct VOMSProxyArguments *args, int *warning, X509_EXTENSION_set_critical(ex8, 1); - if (!SET_EXT(ex8)) + if (!SET_EXT(ex8)) { goto err; + } } /* netscapeCert extension */ @@ -288,8 +308,9 @@ struct VOMSProxy *VOMS_MakeProxy(struct VOMSProxyArguments *args, int *warning, goto err; } - if (!SET_EXT(ex9)) + if (!SET_EXT(ex9)) { goto err; + } } /* extended key usage */ @@ -302,8 +323,9 @@ struct VOMSProxy *VOMS_MakeProxy(struct VOMSProxyArguments *args, int *warning, goto err; } - if (!SET_EXT(ex10)) + if (!SET_EXT(ex10)) { goto err; + } } /* Basic Constraints */ @@ -315,8 +337,9 @@ struct VOMSProxy *VOMS_MakeProxy(struct VOMSProxyArguments *args, int *warning, X509_EXTENSION_set_critical(ex12, 1); - if (!SET_EXT(ex12)) + if (!SET_EXT(ex12)) { goto err; + } /* vo extension */ @@ -326,8 +349,9 @@ struct VOMSProxy *VOMS_MakeProxy(struct VOMSProxyArguments *args, int *warning, goto err; } - if (!SET_EXT(ex4)) + if (!SET_EXT(ex4)) { goto err; + } } /* authority key identifier and subject key identifier extension */ @@ -346,8 +370,9 @@ struct VOMSProxy *VOMS_MakeProxy(struct VOMSProxyArguments *args, int *warning, goto err; } - if (!SET_EXT(ex13)) + if (!SET_EXT(ex13)) { goto err; + } tmpcert = X509_new(); if (tmpcert) { @@ -358,11 +383,10 @@ struct VOMSProxy *VOMS_MakeProxy(struct VOMSProxyArguments *args, int *warning, ex11 = X509V3_EXT_conf_nid(NULL, &ctx, NID_authority_key_identifier, "keyid"); X509_free(tmpcert); EVP_PKEY_free(key); - } - else + } else { ex11 = NULL; - } - else { + } + } else { ex11 = X509V3_EXT_conf_nid(NULL, &ctx, NID_authority_key_identifier, "keyid"); } @@ -371,8 +395,9 @@ struct VOMSProxy *VOMS_MakeProxy(struct VOMSProxyArguments *args, int *warning, goto err; } - if (!SET_EXT(ex11)) + if (!SET_EXT(ex11)) { goto err; + } } /* class_add extension */ @@ -394,9 +419,10 @@ struct VOMSProxy *VOMS_MakeProxy(struct VOMSProxyArguments *args, int *warning, /* PCI extension */ if (args->proxyversion>=3) { - myPROXYPOLICY * proxypolicy; - myPROXYCERTINFO * proxycertinfo = NULL; - ASN1_OBJECT * policy_language; + PROXY_POLICY* proxypolicy; + PROXY_CERT_INFO_EXTENSION* proxycertinfo = NULL; + ASN1_OBJECT* policy_language; + /* char* policy = NULL; */ /* getting contents of policy file */ @@ -418,65 +444,65 @@ struct VOMSProxy *VOMS_MakeProxy(struct VOMSProxyArguments *args, int *warning, if (!args->policyfile) { policylang = IMPERSONATION_PROXY_OID; setWarning(warning, PROXY_WARNING_GSI_ASSUMED); - } - else { + } else { policylang = GLOBUS_GSI_PROXY_GENERIC_POLICY_OID; setWarning(warning, PROXY_WARNING_GENERIC_LANGUAGE_ASSUMED); } - } /* predefined policy language can be specified with simple name string */ - else if (strcmp(policylang, IMPERSONATION_PROXY_SN) == 0) + } else if (strcmp(policylang, IMPERSONATION_PROXY_SN) == 0) { policylang = IMPERSONATION_PROXY_OID; - else if (strcmp(policylang, INDEPENDENT_PROXY_SN) == 0) + } else if (strcmp(policylang, INDEPENDENT_PROXY_SN) == 0) { policylang = INDEPENDENT_PROXY_OID; - - /* does limited prevail on others? don't know what does grid-proxy_init since if pl is given with - limited options it crash */ - if (args->limited) + } + + /* does limited prevail on others? don't know what does grid-proxy_init + since if pl is given with limited options it crash */ + if (args->limited) { policylang = LIMITED_PROXY_OID; + } - OBJ_create(policylang, policylang, policylang); - - if (!(policy_language = OBJ_nid2obj(OBJ_sn2nid(policylang)))) { + if (OBJ_txt2nid(policylang) == 0) { + OBJ_create(policylang, policylang, policylang); + } + + if (!(policy_language = OBJ_txt2obj(policylang, 1))) { PRXYerr(PRXYERR_F_PROXY_SIGN, PRXYERR_R_CLASS_ADD_OID); goto err; } - int nativeopenssl = proxynative(); - - if (args->proxyversion == 3 || (args->proxyversion == 4 && !nativeopenssl)) { + if (args->proxyversion == 3) { /* proxypolicy */ - proxypolicy = myPROXYPOLICY_new(); + proxypolicy = PROXY_POLICY_new(); if (policy) { - myPROXYPOLICY_set_policy(proxypolicy, (unsigned char*)policy, policysize); + PROXY_POLICY_set_policy(proxypolicy, (unsigned char*)policy, policysize); free(policy); policy = NULL; - } - else if (args->policytext) - myPROXYPOLICY_set_policy(proxypolicy, + } else if (args->policytext) { + PROXY_POLICY_set_policy(proxypolicy, (unsigned char*)args->policytext, strlen(args->policytext)); + } - myPROXYPOLICY_set_policy_language(proxypolicy, policy_language); + PROXY_POLICY_set_policy_language(proxypolicy, policy_language); /* proxycertinfo */ - proxycertinfo = myPROXYCERTINFO_new(); - myPROXYCERTINFO_set_version(proxycertinfo, args->proxyversion); - myPROXYCERTINFO_set_proxypolicy(proxycertinfo, proxypolicy); + proxycertinfo = PROXY_CERT_INFO_EXTENSION_new(); +#warning is the call to PROXYCERTINFO_set_version needed/useful? + /* PROXYCERTINFO_set_version(proxycertinfo, args->proxyversion); */ + PROXY_CERT_INFO_EXTENSION_set_policy(proxycertinfo, proxypolicy); - myPROXYPOLICY_free(proxypolicy); + PROXY_POLICY_free(proxypolicy); if (args->pathlength>=0) - myPROXYCERTINFO_set_path_length(proxycertinfo, args->pathlength); + PROXY_CERT_INFO_EXTENSION_set_path_length(proxycertinfo, args->pathlength); value = (char *)proxycertinfo; - } - else { + } else { if (args->pathlength != -1) { char *buffer = snprintf_wrap("%d", args->pathlength); @@ -484,56 +510,69 @@ struct VOMSProxy *VOMS_MakeProxy(struct VOMSProxyArguments *args, int *warning, value = snprintf_wrap("language:%s,pathlen:%s,policy:text:%s", policylang, buffer, policy); free(policy); policy = NULL; - } - else if (args->policytext) + } else if (args->policytext) { value = snprintf_wrap("language:%s,pathlen:%s,policy:text:%s", policylang, buffer, args->policytext); - else + } else { value = snprintf_wrap("language:%s,pathlen:%s", policylang, buffer); + } free(buffer); - } - else { - if (policy) + } else { + if (policy) { value = snprintf_wrap("language:%s,policy:text:%s", policylang, policy); - else if (args->policytext) + } else if (args->policytext) { value = snprintf_wrap("language:%s,policy:text:%s", policylang, args->policytext); - else + } else { value = snprintf_wrap("language:%s", policylang); + } } } if (args->proxyversion == 3) { - ex7 = X509V3_EXT_conf_nid(NULL, NULL, my_txt2nid(PROXYCERTINFO_V3), (char*)proxycertinfo); + /* Convert internal representation to DER */ + unsigned char* der = NULL; + int len; + ASN1_OCTET_STRING* oct = NULL; + int v3nid = my_txt2nid(PROXYCERTINFO_OLD_OID); + X509V3_EXT_METHOD const* method = X509V3_EXT_get_nid(v3nid); + + assert(method != NULL && "X509V3_EXT_get_nid failed"); + assert(method->it != NULL && "method->it cannot be null"); + + len = ASN1_item_i2d((void*)proxycertinfo, &der, ASN1_ITEM_ptr(method->it)); + oct = ASN1_OCTET_STRING_new(); + assert(oct != NULL && "ASN1_OCTET_STRING_new failed"); + + oct->data = der; + oct->length = len; + ex7 = X509_EXTENSION_create_by_NID(NULL, v3nid, 1 /*critical*/, oct); + + ASN1_OCTET_STRING_free(oct); + value = NULL; } else { - if (nativeopenssl) { - X509V3_CTX ctx; - X509V3_set_ctx(&ctx, NULL, NULL, NULL, NULL, 0L); - ctx.db = (void*)&ctx; - X509V3_CONF_METHOD method = { NULL, NULL, NULL, NULL }; - ctx.db_meth = &method; - ex7 = X509V3_EXT_conf_nid(NULL, &ctx, my_txt2nid(PROXYCERTINFO_V4), (char*)value); - free(value); - value = NULL; - } - else - ex7 = X509V3_EXT_conf_nid(NULL, NULL, my_txt2nid(PROXYCERTINFO_V4), (char*)value); + assert(args->proxyversion == 4); + X509V3_CTX ctx; + X509V3_set_ctx(&ctx, NULL, NULL, NULL, NULL, 0L); + ctx.db = (void*)&ctx; + X509V3_CONF_METHOD method = { NULL, NULL, NULL, NULL }; + ctx.db_meth = &method; + ex7 = X509V3_EXT_conf_nid(NULL, &ctx, my_txt2nid(PROXYCERTINFO_OID), (char*)value); + assert(ex7 != NULL && "X509V3_EXT_conf_nid failed"); + + free(value); + X509_EXTENSION_set_critical(ex7, 1); + value = NULL; } - if (policy) { - free(policy); - policy = NULL; - } + free(policy); + policy = NULL; if (ex7 == NULL) { PRXYerr(PRXYERR_F_PROXY_SIGN, PRXYERR_R_CLASS_ADD_EXT); goto err; } - if (args->proxyversion >= 3) { - X509_EXTENSION_set_critical(ex7, 1); - } - if (!SET_EXT(ex7)) goto err; } @@ -554,23 +593,20 @@ struct VOMSProxy *VOMS_MakeProxy(struct VOMSProxyArguments *args, int *warning, args->selfsigned)) { goto err; } - } - else { - if (proxy_sign(NULL, - npkey, - req, - &ncert, - args->hours*60*60 + args->minutes*60, - extensions, - args->limited, - 0, - args->newsubject, - args->newsubject, - args->pastproxy, - NULL, - args->selfsigned)) { - goto err; - } + } else if (proxy_sign(NULL, + npkey, + req, + &ncert, + args->hours*60*60 + args->minutes*60, + extensions, + args->limited, + 0, + args->newsubject, + args->newsubject, + args->pastproxy, + NULL, + args->selfsigned)) { + goto err; } proxy = (struct VOMSProxy*)malloc(sizeof(struct VOMSProxy)); @@ -580,11 +616,13 @@ struct VOMSProxy *VOMS_MakeProxy(struct VOMSProxyArguments *args, int *warning, proxy->key = npkey; proxy->chain = sk_X509_new_null(); - if (args->cert) + if (args->cert) { sk_X509_push(proxy->chain, X509_dup(args->cert)); + } - for (i = 0; i < sk_X509_num(args->chain); i++) + for (i = 0; i < sk_X509_num(args->chain); i++) { sk_X509_push(proxy->chain, X509_dup(sk_X509_value(args->chain, i))); + } } err: @@ -597,8 +635,10 @@ struct VOMSProxy *VOMS_MakeProxy(struct VOMSProxyArguments *args, int *warning, if (extensions) { sk_X509_EXTENSION_pop_free(extensions, X509_EXTENSION_free); } - if (!args->proxyrequest) + + if (!args->proxyrequest) { X509_REQ_free(req); + } X509_EXTENSION_free(ex13); X509_EXTENSION_free(ex12); diff --git a/src/sslutils/proxycertinfo.c b/src/sslutils/proxycertinfo.c index a944ea17..41bc5139 100644 --- a/src/sslutils/proxycertinfo.c +++ b/src/sslutils/proxycertinfo.c @@ -1,511 +1,359 @@ -/********************************************************************* - * - * Authors: Valerio Venturi - Valerio.Venturi@cnaf.infn.it - * Vincenzo Ciaschini - Vincenzo.Ciaschini@cnaf.infn.it - * - * Copyright (c) Members of the EGEE Collaboration. 2004-2010. - * See http://www.eu-egee.org/partners/ for details on the copyright holders. - * +/* + * Copyright 1999-2006 University of Chicago + * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * + * + * http://www.apache.org/licenses/LICENSE-2.0 + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. - * - * Parts of this code may be based upon or even include verbatim pieces, - * originally written by other people, in which case the original header - * follows. - * - *********************************************************************/ -#include "config.h" + */ #include - #include -#include -#include +#include +#include +#include +#include -#include "myproxycertinfo.h" #include "doio.h" -/* myPROXYPOLICY function */ - -myPROXYPOLICY * myPROXYPOLICY_new() -{ - ASN1_CTX c; - myPROXYPOLICY * ret; - - ret = NULL; +#include "proxycertinfo.h" - M_ASN1_New_Malloc(ret, myPROXYPOLICY); - ret->policy_language = OBJ_nid2obj(OBJ_sn2nid(IMPERSONATION_PROXY_SN)); - ret->policy = NULL; - return (ret); - M_ASN1_New_Error(ASN1_F_PROXYPOLICY_NEW); -} +typedef PROXY_CERT_INFO_EXTENSION PROXYCERTINFO_OLD; -void myPROXYPOLICY_free(myPROXYPOLICY * policy) +ASN1_SEQUENCE(PROXYCERTINFO_OLD) = { - if(policy == NULL) return; - - ASN1_OBJECT_free(policy->policy_language); - M_ASN1_OCTET_STRING_free(policy->policy); - OPENSSL_free(policy); -} - -/* duplicate */ -myPROXYPOLICY * myPROXYPOLICY_dup(myPROXYPOLICY * policy) + ASN1_SIMPLE(PROXYCERTINFO_OLD, proxyPolicy, PROXY_POLICY), + ASN1_EXP_OPT(PROXYCERTINFO_OLD, pcPathLengthConstraint, ASN1_INTEGER, 1), +} ASN1_SEQUENCE_END(PROXYCERTINFO_OLD) + +IMPLEMENT_ASN1_FUNCTIONS(PROXYCERTINFO_OLD) +IMPLEMENT_ASN1_DUP_FUNCTION(PROXYCERTINFO_OLD) + +static +void* +PROXYCERTINFO_OLD_s2i( + struct v3_ext_method const* method + , struct v3_ext_ctx* ctx + , char const* data +) { -#ifdef TYPEDEF_I2D_OF - return ((myPROXYPOLICY *) ASN1_dup((i2d_of_void *)i2d_myPROXYPOLICY, - (d2i_of_void *)d2i_myPROXYPOLICY, - (char *)policy)); -#else - return ((myPROXYPOLICY *) ASN1_dup((int (*)())i2d_myPROXYPOLICY, - (char *(*)())d2i_myPROXYPOLICY, - (char *)policy)); -#endif + return (PROXY_CERT_INFO_EXTENSION*)data; } -/* set policy language */ -int myPROXYPOLICY_set_policy_language(myPROXYPOLICY * policy, ASN1_OBJECT * policy_language) +static +char* PROXYCERTINFO_OLD_i2s(struct v3_ext_method* method, void* ext) { - if(policy_language != NULL) { - ASN1_OBJECT_free(policy->policy_language); - policy->policy_language = OBJ_dup(policy_language); - return 1; - } - - return 0; -} - -/* get policy language */ -ASN1_OBJECT * myPROXYPOLICY_get_policy_language(myPROXYPOLICY * policy) -{ - return policy->policy_language; -} - -/* set policy */ -int myPROXYPOLICY_set_policy(myPROXYPOLICY * proxypolicy, unsigned char * policy, int length) -{ - if(policy != NULL) { - /* if member policy of proxypolicy non set */ - if(!proxypolicy->policy) - proxypolicy->policy = ASN1_OCTET_STRING_new(); - - /* set member policy of proxypolicy */ - ASN1_OCTET_STRING_set(proxypolicy->policy, policy, length); - } - else - ASN1_OCTET_STRING_free(proxypolicy->policy); - - return 1; -} + PROXY_CERT_INFO_EXTENSION* pci = NULL; + char *encoding = NULL; + char *output = NULL; + PROXY_POLICY *pp; + int dooid = 0; + char oid[256]; -/* get policy */ -unsigned char * myPROXYPOLICY_get_policy(myPROXYPOLICY * proxypolicy, int * length) -{ - /* assure field policy is set */ + pci = (PROXY_CERT_INFO_EXTENSION *)ext; + + if (!pci) + return ""; - if(proxypolicy->policy) { - *length = proxypolicy->policy->length; + if (pci->pcPathLengthConstraint) { + int j = ASN1_INTEGER_get(pci->pcPathLengthConstraint); - /* assure ASN1_OCTET_STRING is full */ - if (*length>0 && proxypolicy->policy->data) { - unsigned char * copy = malloc(*length); - memcpy(copy, proxypolicy->policy->data, *length); - return copy; - } + char *buffer = snprintf_wrap("%X", j); + output = snprintf_wrap("Path Length Constraint: %s%s\n\n", strlen(buffer)%2 ? "0" : "", buffer); + free(buffer); } - return NULL; -} - -/* internal to der conversion */ -int i2d_myPROXYPOLICY(myPROXYPOLICY * policy, unsigned char ** pp) -{ - M_ASN1_I2D_vars(policy); - - M_ASN1_I2D_len(policy->policy_language, i2d_ASN1_OBJECT); + else + output = strdup("Path Length Constraint: unlimited\n"); - if(policy->policy) { - M_ASN1_I2D_len(policy->policy, i2d_ASN1_OCTET_STRING); - } - - M_ASN1_I2D_seq_total(); - M_ASN1_I2D_put(policy->policy_language, i2d_ASN1_OBJECT); + pp = pci->proxyPolicy; - if(policy->policy) { - M_ASN1_I2D_put(policy->policy, i2d_ASN1_OCTET_STRING); + if (pp && i2t_ASN1_OBJECT(oid, 256, pp->policyLanguage)) { + dooid = 1; } - M_ASN1_I2D_finish(); -} - -myPROXYPOLICY * d2i_myPROXYPOLICY(myPROXYPOLICY ** a, unsigned char ** pp, long length) -{ - M_ASN1_D2I_vars(a, myPROXYPOLICY *, myPROXYPOLICY_new); - - M_ASN1_D2I_Init(); - M_ASN1_D2I_start_sequence(); - M_ASN1_D2I_get(ret->policy_language, d2i_ASN1_OBJECT); - - /* need to try getting the policy using - * a) a call expecting no tags - * b) a call expecting tags - * one of which should succeed - */ - - M_ASN1_D2I_get_opt(ret->policy, - d2i_ASN1_OCTET_STRING, - V_ASN1_OCTET_STRING); - M_ASN1_D2I_get_IMP_opt(ret->policy, - d2i_ASN1_OCTET_STRING, - 0, - V_ASN1_OCTET_STRING); - M_ASN1_D2I_Finish(a, - myPROXYPOLICY_free, - ASN1_F_D2I_PROXYPOLICY); -} - - - -/* myPROXYCERTINFO function */ - -myPROXYCERTINFO * myPROXYCERTINFO_new() -{ - myPROXYCERTINFO * ret = NULL; - ASN1_CTX c; - - M_ASN1_New_Malloc(ret, myPROXYCERTINFO); - memset(ret, 0, sizeof(myPROXYCERTINFO)); - ret->path_length = NULL; - ret->proxypolicy = myPROXYPOLICY_new(); - return (ret); - M_ASN1_New_Error(ASN1_F_PROXYCERTINFO_NEW); -} + encoding = snprintf_wrap("%sPolicy Language: %s%s%s%s\n", + output, + ( dooid ? oid : ""), + ( (pp && pp->policy) ? "\nPolicy Text: " : ""), + ( (pp && pp->policy) ? (char*)ASN1_STRING_data(pp->policy) : ""), + ( (pp && pp->policy) ? "\n" : "")); -void myPROXYCERTINFO_free(myPROXYCERTINFO * proxycertinfo) -{ - /* assure proxycertinfo not empty */ - if(proxycertinfo == NULL) return; - - ASN1_INTEGER_free(proxycertinfo->path_length); - myPROXYPOLICY_free(proxycertinfo->proxypolicy); - OPENSSL_free(proxycertinfo); + free(output); + return encoding; } -/* set path_length */ -int myPROXYCERTINFO_set_path_length(myPROXYCERTINFO * proxycertinfo, long path_length) -{ - /* assure proxycertinfo is not empty */ - if(proxycertinfo != NULL) { - - if(path_length != -1) { - /* if member path_length is empty allocate memory then set */ - if(proxycertinfo->path_length == NULL) - proxycertinfo->path_length = ASN1_INTEGER_new(); - return ASN1_INTEGER_set(proxycertinfo->path_length, path_length); - } - else { - ASN1_INTEGER_free(proxycertinfo->path_length); - proxycertinfo->path_length = NULL; - } - - return 1; - } +STACK_OF(CONF_VALUE) * i2v_PROXYCERTINFO_OLD( + struct v3_ext_method * method, + PROXY_CERT_INFO_EXTENSION * ext, + STACK_OF(CONF_VALUE) * extlist); - return 0; -} - -int myPROXYCERTINFO_set_version(myPROXYCERTINFO * proxycertinfo, int version) +static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci, + BIO *out, int indent) { - if (proxycertinfo != NULL) { - proxycertinfo->version = version; + BIO_printf(out, "%*sPath Length Constraint: ", indent, ""); + if (pci->pcPathLengthConstraint) + i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint); + else + BIO_printf(out, "infinite"); + BIO_puts(out, "\n"); + BIO_printf(out, "%*sPolicy Language: ", indent, ""); + i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage); + BIO_puts(out, "\n"); + if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data) + BIO_printf(out, "%*sPolicy Text: %s\n", indent, "", + pci->proxyPolicy->policy->data); return 1; - } - - return 0; } -int myPROXYCERTINFO_get_version(myPROXYCERTINFO * proxycertinfo) +X509V3_EXT_METHOD * PROXYCERTINFO_OLD_x509v3_ext_meth() { - if (proxycertinfo) - return proxycertinfo->version; - return -1; + static X509V3_EXT_METHOD proxycertinfo_x509v3_ext_meth = + { + -1, + X509V3_EXT_MULTILINE, + ASN1_ITEM_ref(PROXYCERTINFO_OLD), + 0, 0, 0, 0, + (X509V3_EXT_I2S) 0,//PROXYCERTINFO_OLD_i2s, + (X509V3_EXT_S2I) 0,//PROXYCERTINFO_OLD_s2i, + (X509V3_EXT_I2V) 0 /*i2v_PROXYCERTINFO_OLD*/, 0, + (X509V3_EXT_I2R) i2r_pci, 0, + NULL + }; + return (&proxycertinfo_x509v3_ext_meth); } - -/* get path length */ -long myPROXYCERTINFO_get_path_length(myPROXYCERTINFO * proxycertinfo) +ASN1_OBJECT * PROXY_POLICY_get_policy_language( + PROXY_POLICY * policy) { - if(proxycertinfo && proxycertinfo->path_length) - return ASN1_INTEGER_get(proxycertinfo->path_length); - else - return -1; + return policy->policyLanguage; } -/* set policy */ -int myPROXYCERTINFO_set_proxypolicy(myPROXYCERTINFO * proxycertinfo, myPROXYPOLICY * proxypolicy) +unsigned char * PROXY_POLICY_get_policy( + PROXY_POLICY * policy, + int * length) { - myPROXYPOLICY_free(proxycertinfo->proxypolicy); - - if(proxypolicy != NULL) - proxycertinfo->proxypolicy = myPROXYPOLICY_dup(proxypolicy); - else - proxycertinfo->proxypolicy = NULL; - - return 1; + if(policy->policy) + { + (*length) = policy->policy->length; + if(*length > 0 && policy->policy->data) + { + unsigned char * copy = malloc(*length); + memcpy(copy, policy->policy->data, *length); + return copy; + } + } + + return NULL; } -/* get policy */ -myPROXYPOLICY * myPROXYCERTINFO_get_proxypolicy(myPROXYCERTINFO * proxycertinfo) +STACK_OF(CONF_VALUE) * i2v_PROXYPOLICY( + struct v3_ext_method * method, + PROXY_POLICY * ext, + STACK_OF(CONF_VALUE) * extlist) { - if(proxycertinfo) - return proxycertinfo->proxypolicy; + unsigned char * policy = NULL; + char policy_lang[128]; + unsigned char * tmp_string = NULL; + unsigned char * index = NULL; + int nid; + int policy_length; - return NULL; -} + X509V3_add_value("Proxy Policy:", NULL, &extlist); -/* internal to der conversion */ -static int i2d_myPROXYCERTINFO_v3(myPROXYCERTINFO * proxycertinfo, unsigned char ** pp) -{ - int v1; + nid = OBJ_obj2nid(PROXY_POLICY_get_policy_language(ext)); - M_ASN1_I2D_vars(proxycertinfo); + if(nid != NID_undef) + { + BIO_snprintf(policy_lang, 128, " %s", OBJ_nid2ln(nid)); + } + else + { + policy_lang[0] = ' '; + i2t_ASN1_OBJECT(&policy_lang[1], + 127, + PROXY_POLICY_get_policy_language(ext)); + } - v1 = 0; - - M_ASN1_I2D_len(proxycertinfo->proxypolicy, i2d_myPROXYPOLICY); - - M_ASN1_I2D_len_EXP_opt(proxycertinfo->path_length,i2d_ASN1_INTEGER, 1, v1); - M_ASN1_I2D_seq_total(); - M_ASN1_I2D_put(proxycertinfo->proxypolicy, i2d_myPROXYPOLICY); - M_ASN1_I2D_put_EXP_opt(proxycertinfo->path_length, i2d_ASN1_INTEGER, 1, v1); - M_ASN1_I2D_finish(); + X509V3_add_value(" Policy Language", + policy_lang, + &extlist); + + policy = PROXY_POLICY_get_policy(ext, &policy_length); + + if(!policy) + { + X509V3_add_value(" Policy", " EMPTY", &extlist); + } + else + { + X509V3_add_value(" Policy:", NULL, &extlist); + + tmp_string = policy; + while (policy_length > 0) + { + int policy_line_length; + + index = memchr(tmp_string, '\n', (size_t) policy_length); + + /* Weird to indent the last line only... */ + if (!index) + { + char * last_string; + + policy_line_length = policy_length; + + last_string = malloc(policy_line_length + 9); + BIO_snprintf( + last_string, + (size_t) (policy_line_length +9), + "%8s%.*s", "", + policy_line_length, + (char *) tmp_string); + X509V3_add_value(NULL, last_string, &extlist); + free(last_string); + } + else + { + *(index++) = '\0'; + policy_line_length = index - tmp_string; + + X509V3_add_value(NULL, (char *) tmp_string, &extlist); + + tmp_string = index; + } + policy_length -= policy_line_length; + } + + free(policy); + } + + return extlist; } -static int i2d_myPROXYCERTINFO_v4(myPROXYCERTINFO * proxycertinfo, unsigned char ** pp) +STACK_OF(CONF_VALUE) * i2v_PROXYCERTINFO_OLD( + struct v3_ext_method * method, + PROXY_CERT_INFO_EXTENSION * ext, + STACK_OF(CONF_VALUE) * extlist) { - M_ASN1_I2D_vars(proxycertinfo); + int len = 128; + char tmp_string[128]; + + if (!ext) { + extlist = NULL; + return extlist; + } - if(proxycertinfo->path_length) - { - M_ASN1_I2D_len(proxycertinfo->path_length, i2d_ASN1_INTEGER); + if (extlist == NULL) + { + extlist = sk_CONF_VALUE_new_null(); + if(extlist == NULL) + { + return NULL; + } } - M_ASN1_I2D_len(proxycertinfo->proxypolicy, i2d_myPROXYPOLICY); - - M_ASN1_I2D_seq_total(); - if(proxycertinfo->path_length) - { - M_ASN1_I2D_put(proxycertinfo->path_length, i2d_ASN1_INTEGER); + if (PROXY_CERT_INFO_EXTENSION_get_path_length(ext) > -1) + { + memset(tmp_string, 0, len); + BIO_snprintf(tmp_string, len, " %lu (0x%lx)", + PROXY_CERT_INFO_EXTENSION_get_path_length(ext), + PROXY_CERT_INFO_EXTENSION_get_path_length(ext)); + X509V3_add_value("Path Length", tmp_string, &extlist); } - M_ASN1_I2D_put(proxycertinfo->proxypolicy, i2d_myPROXYPOLICY); - M_ASN1_I2D_finish(); -} -int i2d_myPROXYCERTINFO(myPROXYCERTINFO * proxycertinfo, unsigned char ** pp) -{ - switch(proxycertinfo->version) { - case 3: - return i2d_myPROXYCERTINFO_v3(proxycertinfo, pp); - break; + if(PROXY_CERT_INFO_EXTENSION_get_policy(ext)) + { + i2v_PROXYPOLICY(NULL, + PROXY_CERT_INFO_EXTENSION_get_policy(ext), + extlist); + } - case 4: - return i2d_myPROXYCERTINFO_v4(proxycertinfo, pp); - break; - default: - return -1; - break; - } + return extlist; } -static myPROXYCERTINFO * d2i_myPROXYCERTINFO_v3(myPROXYCERTINFO ** cert_info, unsigned char ** pp, long length) -{ - M_ASN1_D2I_vars(cert_info, myPROXYCERTINFO *, myPROXYCERTINFO_new); - - M_ASN1_D2I_Init(); - M_ASN1_D2I_start_sequence(); +int +PROXY_CERT_INFO_EXTENSION_set_path_length( + PROXY_CERT_INFO_EXTENSION* pci + , long pl +) +{ + if (pci != NULL) { - M_ASN1_D2I_get((ret->proxypolicy), d2i_myPROXYPOLICY); + if (pl != -1) { + if (pci->pcPathLengthConstraint == NULL) { + pci->pcPathLengthConstraint = ASN1_INTEGER_new(); + } + return ASN1_INTEGER_set(pci->pcPathLengthConstraint, pl); + } else { + ASN1_INTEGER_free(pci->pcPathLengthConstraint); + pci->pcPathLengthConstraint = NULL; + } - M_ASN1_D2I_get_EXP_opt(ret->path_length, d2i_ASN1_INTEGER, 1); + return 1; + } - ret->version = 3; - M_ASN1_D2I_Finish(cert_info, myPROXYCERTINFO_free, ASN1_F_D2I_PROXYCERTINFO); + return 0; } -static myPROXYCERTINFO * d2i_myPROXYCERTINFO_v4(myPROXYCERTINFO ** cert_info, unsigned char ** pp, long length) +long +PROXY_CERT_INFO_EXTENSION_get_path_length(PROXY_CERT_INFO_EXTENSION const* pci) { - M_ASN1_D2I_vars(cert_info, myPROXYCERTINFO *, myPROXYCERTINFO_new); - - M_ASN1_D2I_Init(); - M_ASN1_D2I_start_sequence(); - - M_ASN1_D2I_get_EXP_opt(ret->path_length, d2i_ASN1_INTEGER, 1); - - M_ASN1_D2I_get_opt(ret->path_length, d2i_ASN1_INTEGER, V_ASN1_INTEGER); - - M_ASN1_D2I_get((ret->proxypolicy),d2i_myPROXYPOLICY); - - ret->version = 4; - M_ASN1_D2I_Finish(cert_info, myPROXYCERTINFO_free, ASN1_F_D2I_PROXYCERTINFO); + if (pci && pci->pcPathLengthConstraint) { + return ASN1_INTEGER_get(pci->pcPathLengthConstraint); + } else { + return -1; + } } -myPROXYCERTINFO * d2i_myPROXYCERTINFO(myPROXYCERTINFO ** cert_info, unsigned char ** pp, long length) +int +PROXY_CERT_INFO_EXTENSION_set_policy( + PROXY_CERT_INFO_EXTENSION* pci + , PROXY_POLICY* policy +) { - myPROXYCERTINFO *info = d2i_myPROXYCERTINFO_v3(cert_info, pp, length); - if (!info) - info = d2i_myPROXYCERTINFO_v4(cert_info, pp, length); - return info; -} - + PROXY_POLICY_free(pci->proxyPolicy); -static int nativeopenssl = 0; + pci->proxyPolicy = PROXY_POLICY_dup(policy); -static char *norep() -{ - static char *buffer=""; - return buffer; -} - -static void *myproxycertinfo_s2i(UNUSED(struct v3_ext_method *method), UNUSED(struct v3_ext_ctx *ctx), UNUSED(char *data)) -{ - return (myPROXYCERTINFO*)data; + return 1; } -static char *myproxycertinfo_i2s(UNUSED(struct v3_ext_method *method), void *ext) +PROXY_POLICY* +PROXY_CERT_INFO_EXTENSION_get_policy(PROXY_CERT_INFO_EXTENSION const* pci) { - myPROXYCERTINFO *pci = NULL; - char *encoding = NULL; - char *output = NULL; - myPROXYPOLICY *pp; - int dooid = 0; - char oid[256]; - - pci = (myPROXYCERTINFO *)ext; - - if (!pci) - return norep(); - - if (pci->path_length) { - int j = ASN1_INTEGER_get(pci->path_length); - - char *buffer = snprintf_wrap("%X", j); - output = snprintf_wrap("Path Length Constraint: %s%s\n\n", strlen(buffer)%2 ? "0" : "", buffer); - free(buffer); - } - else - output = strdup("Path Length Constraint: unlimited\n"); - - pp = pci->proxypolicy; - - if (pp && i2t_ASN1_OBJECT(oid, 256, pp->policy_language)) { - dooid = 1; + if (pci) { + return pci->proxyPolicy; + } else { + return NULL; } - - encoding = snprintf_wrap("%sPolicy Language: %s%s%s%s\n", - output, - ( dooid ? oid : ""), - ( (pp && pp->policy) ? "\nPolicy Text: " : ""), - ( (pp && pp->policy) ? (char*)ASN1_STRING_data(pp->policy) : ""), - ( (pp && pp->policy) ? "\n" : "")); - - free(output); - return encoding; } void InitProxyCertInfoExtension(int full) { -#define PROXYCERTINFO_V3 "1.3.6.1.4.1.3536.1.222" -#define PROXYCERTINFO_V4 "1.3.6.1.5.5.7.1.14" -#define OBJC(c,n) OBJ_create(c,n,n) - - X509V3_EXT_METHOD *pcert; - static int set = 0; - ASN1_OBJECT *objv3; - ASN1_OBJECT *objv4; + static int init_done = 0; - if (set) + if (init_done) { return; - - set = 1; - - - objv3 = OBJ_txt2obj(PROXYCERTINFO_V3,1); - objv4 = OBJ_txt2obj(PROXYCERTINFO_V4,1); - - /* Proxy Certificate Extension's related objects */ - if (OBJ_obj2nid(objv3) == 0) { - ERR_clear_error(); - OBJC(PROXYCERTINFO_V3, "Proxy Certificate Information"); - if (full) { - pcert = (X509V3_EXT_METHOD *)OPENSSL_malloc(sizeof(X509V3_EXT_METHOD)); - - if (pcert) { - memset(pcert, 0, sizeof(*pcert)); - pcert->ext_nid = OBJ_txt2nid(PROXYCERTINFO_V3); - pcert->ext_flags = 0; - pcert->ext_new = (X509V3_EXT_NEW) myPROXYCERTINFO_new; - pcert->ext_free = (X509V3_EXT_FREE)myPROXYCERTINFO_free; - pcert->d2i = (X509V3_EXT_D2I) d2i_myPROXYCERTINFO; - pcert->i2d = (X509V3_EXT_I2D) i2d_myPROXYCERTINFO; - pcert->i2s = (X509V3_EXT_I2S) myproxycertinfo_i2s; - pcert->s2i = (X509V3_EXT_S2I) myproxycertinfo_s2i; - pcert->v2i = (X509V3_EXT_V2I) NULL; - pcert->r2i = (X509V3_EXT_R2I) NULL; - pcert->i2v = (X509V3_EXT_I2V) NULL; - pcert->i2r = (X509V3_EXT_I2R) NULL; - - X509V3_EXT_add(pcert); - } - } } - if (OBJ_obj2nid(objv4) == 0) { - ERR_clear_error(); - OBJC(PROXYCERTINFO_V4, "Proxy Certificate Information"); - if (full) { - pcert = (X509V3_EXT_METHOD *)OPENSSL_malloc(sizeof(X509V3_EXT_METHOD)); - - if (pcert) { - memset(pcert, 0, sizeof(*pcert)); - pcert->ext_nid = OBJ_txt2nid(PROXYCERTINFO_V4); - pcert->ext_flags = 0; - pcert->ext_new = (X509V3_EXT_NEW) myPROXYCERTINFO_new; - pcert->ext_free = (X509V3_EXT_FREE)myPROXYCERTINFO_free; - pcert->d2i = (X509V3_EXT_D2I) d2i_myPROXYCERTINFO; - pcert->i2d = (X509V3_EXT_I2D) i2d_myPROXYCERTINFO; - pcert->i2s = (X509V3_EXT_I2S) myproxycertinfo_i2s; - pcert->s2i = (X509V3_EXT_S2I) myproxycertinfo_s2i; - pcert->v2i = (X509V3_EXT_V2I) NULL; - pcert->r2i = (X509V3_EXT_R2I) NULL; - pcert->i2v = (X509V3_EXT_I2V) NULL; - pcert->i2r = (X509V3_EXT_I2R) NULL; - - X509V3_EXT_add(pcert); - } - } - } + char const* pci_v3_sn = "proxyCertInfo_V3"; + char const* pci_v3_ln = "Proxy Certificate Information (V3)"; + int const v3nid = OBJ_create(PROXYCERTINFO_OLD_OID, pci_v3_sn, pci_v3_ln); + assert(v3nid != 0 && "OBJ_create failed"); -#ifdef X509_V_FLAG_ALLOW_PROXY_CERTS - nativeopenssl = 1; -#endif - - ASN1_OBJECT_free(objv3); - ASN1_OBJECT_free(objv4); - - return; -} + if (X509V3_EXT_get_nid(v3nid) == NULL) { + X509V3_EXT_METHOD* meth = PROXYCERTINFO_OLD_x509v3_ext_meth(); + meth->ext_nid = v3nid; + X509V3_EXT_add(meth); + } -int proxynative(void) -{ - return nativeopenssl; + init_done = 1; } diff --git a/src/sslutils/proxypolicy.c b/src/sslutils/proxypolicy.c new file mode 100644 index 00000000..bb998a3d --- /dev/null +++ b/src/sslutils/proxypolicy.c @@ -0,0 +1,88 @@ +/* + * Copyright 1999-2006 University of Chicago + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + +#include +#include +#include +#include +#include + +#include "proxypolicy.h" + +/** + * Sets the policy language of the PROXY_POLICY + * + * @param policy the PROXY_POLICY to set the policy language of + * @param policy_language the policy language to set it to + * + * @return 1 on success, 0 on error + */ +int PROXY_POLICY_set_policy_language( + PROXY_POLICY * policy, + ASN1_OBJECT * policy_language) +{ + if(policy_language != NULL) + { + ASN1_OBJECT_free(policy->policyLanguage); + policy->policyLanguage = OBJ_dup(policy_language); + return 1; + } + return 0; +} + +/** + * Sets the policy of the PROXY_POLICY + * + * @param proxypolicy the proxy policy to set the policy of + * @param policy the policy to set it to + * @param length the length of the policy + * + * @return 1 on success, 0 on error + */ +int PROXY_POLICY_set_policy( + PROXY_POLICY * proxypolicy, + unsigned char * policy, + int length) +{ + assert(length >= 0); + + if(policy != NULL) + { + unsigned char * copy = malloc(length); + assert(copy != NULL && "malloc failed"); + memcpy(copy, policy, length); + + if(!proxypolicy->policy) + { + proxypolicy->policy = ASN1_OCTET_STRING_new(); + } + + ASN1_OCTET_STRING_set(proxypolicy->policy, copy, length); + + } + else + { + if(proxypolicy->policy) + { + ASN1_OCTET_STRING_free(proxypolicy->policy); + } + } + + return 1; +} + +IMPLEMENT_ASN1_DUP_FUNCTION(PROXY_POLICY); diff --git a/src/sslutils/signing_policy.c b/src/sslutils/signing_policy.c index 77984519..03f13ab2 100644 --- a/src/sslutils/signing_policy.c +++ b/src/sslutils/signing_policy.c @@ -1779,17 +1779,6 @@ char **parse_subjects(char *string) return list; } -#if 0 -int main() -{ - signingdebug = 1; - void **arg = NULL; - void *scanner=NULL; - signinglex_init(&scanner); - signingset_debug(1, scanner); - return signingparse(arg, scanner); -} -#endif void signingerror(UNUSED(void *policies), UNUSED(void *scanner), UNUSED(char const *msg)) { } diff --git a/src/sslutils/ssl_compat.c b/src/sslutils/ssl_compat.c new file mode 100644 index 00000000..fd039e65 --- /dev/null +++ b/src/sslutils/ssl_compat.c @@ -0,0 +1,363 @@ +#include "ssl_compat.h" + +#if OPENSSL_VERSION_NUMBER < 0x10100000L + +#include +#include +#include +#include + +#define X509_F_X509_PUBKEY_GET0 119 +#define EVP_F_EVP_PKEY_GET0_RSA 121 +#define X509_F_X509_PUBKEY_DECODE 148 +#define X509_F_X509_OBJECT_NEW 150 + +static void *CRYPTO_zalloc(size_t num, const char *file, int line) +{ + void *ret = CRYPTO_malloc(num, file, line); + + if (ret != NULL) + memset(ret, 0, num); + return ret; +} + +#define OPENSSL_zalloc(num) CRYPTO_zalloc(num, __FILE__, __LINE__) + +const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x) +{ + return x->data; +} + +struct rsa_st *EVP_PKEY_get0_RSA(EVP_PKEY *pkey) +{ + if (pkey->type != EVP_PKEY_RSA) { + EVPerr(EVP_F_EVP_PKEY_GET0_RSA, EVP_R_EXPECTING_AN_RSA_KEY); + return NULL; + } + return pkey->pkey.rsa; +} + +int X509_REQ_get_signature_nid(const X509_REQ *req) +{ + return OBJ_obj2nid(req->sig_alg->algorithm); +} + +const ASN1_INTEGER *X509_get0_serialNumber(const X509 *x) +{ + return x->cert_info->serialNumber; +} + +static int x509_set1_time(ASN1_TIME **ptm, const ASN1_TIME *tm) +{ + ASN1_TIME *in; + in = *ptm; + if (in != tm) { + in = ASN1_STRING_dup(tm); + if (in != NULL) { + ASN1_TIME_free(*ptm); + *ptm = in; + } + } + return (in != NULL); +} + +int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm) +{ + if (x == NULL) + return 0; + return x509_set1_time(&x->cert_info->validity->notAfter, tm); +} + +const ASN1_TIME *X509_get0_notAfter(const X509 *x) +{ + return x->cert_info->validity->notAfter; +} + +void X509_set_proxy_flag(X509 *x) +{ + x->ex_flags |= EXFLAG_PROXY; +} + +void X509_set_proxy_pathlen(X509 *x, long l) +{ + x->ex_pcpathlen = l; +} + +X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx) +{ + return ctx->cert; +} + +#define X509_LU_NONE 0 + +X509_OBJECT *X509_OBJECT_new(void) +{ + X509_OBJECT *ret = OPENSSL_zalloc(sizeof(*ret)); + + if (ret == NULL) { + X509err(X509_F_X509_OBJECT_NEW, ERR_R_MALLOC_FAILURE); + return NULL; + } + ret->type = X509_LU_NONE; + return ret; +} + +X509_CRL *X509_OBJECT_get0_X509_CRL(X509_OBJECT *a) +{ + if (a == NULL || a->type != X509_LU_CRL) + return NULL; + return a->data.crl; +} + +const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl) +{ + return crl->crl->nextUpdate; +} + +const ASN1_INTEGER *X509_REVOKED_get0_serialNumber(const X509_REVOKED *x) +{ + return x->serialNumber; +} + +STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx) +{ + return ctx->chain; +} + +long X509_get_proxy_pathlen(X509 *x) +{ + /* Called for side effect of caching extensions */ + if (X509_check_purpose(x, -1, -1) != 1 + || (x->ex_flags & EXFLAG_PROXY) == 0) + return -1; + return x->ex_pcpathlen; +} + +uint32_t X509_get_extension_flags(X509 *x) +{ + /* Call for side-effect of computing hash and caching extensions */ + X509_check_purpose(x, -1, -1); + return x->ex_flags; +} + +void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x) +{ + ctx->current_cert = x; +} + +void X509_OBJECT_free(X509_OBJECT *a) +{ + if (a == NULL) + return; + switch (a->type) { + default: + break; + case X509_LU_X509: + X509_free(a->data.x509); + break; + case X509_LU_CRL: + X509_CRL_free(a->data.crl); + break; + } + OPENSSL_free(a); +} + +void X509_STORE_set_check_issued(X509_STORE *ctx, + X509_STORE_CTX_check_issued_fn check_issued) +{ + ctx->check_issued = check_issued; +} + +void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) +{ + if (p != NULL) + *p = r->p; + if (q != NULL) + *q = r->q; +} + +void RSA_get0_key(const RSA *r, + const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) +{ + if (n != NULL) + *n = r->n; + if (e != NULL) + *e = r->e; + if (d != NULL) + *d = r->d; +} + +int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) +{ + /* If the fields n and e in r are NULL, the corresponding input + * parameters MUST be non-NULL for n and e. d may be + * left NULL (in case only the public key is used). + */ + if ((r->n == NULL && n == NULL) + || (r->e == NULL && e == NULL)) + return 0; + + if (n != NULL) { + BN_free(r->n); + r->n = n; + } + if (e != NULL) { + BN_free(r->e); + r->e = e; + } + if (d != NULL) { + BN_free(r->d); + r->d = d; + } + + return 1; +} + +const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x) +{ + return x->cert_info->extensions; +} + +const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x) +{ + return x->cert_info->signature; +} + +void X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid, + const ASN1_BIT_STRING **psuid) +{ + if (piuid != NULL) + *piuid = x->cert_info->issuerUID; + if (psuid != NULL) + *psuid = x->cert_info->subjectUID; +} + +#define BIO_TYPE_START 128 + +int BIO_get_new_index(void) +{ + static int bio_count = BIO_TYPE_START; + + /* not thread-safe */ + return ++bio_count; +} + +BIO_METHOD *BIO_meth_new(int type, const char *name) +{ + BIO_METHOD *biom = OPENSSL_zalloc(sizeof(BIO_METHOD)); + + if (biom != NULL) { + biom->type = type; + biom->name = name; + } + return biom; +} + +int (*BIO_meth_get_write(BIO_METHOD *biom)) (BIO *, const char *, int) +{ + return biom->bwrite; +} + +int BIO_meth_set_write(BIO_METHOD *biom, int (*bwrite) (BIO *, const char *, int)) +{ + biom->bwrite = bwrite; + return 1; +} + +int (*BIO_meth_get_read(BIO_METHOD *biom)) (BIO *, char *, int) +{ + return biom->bread; +} + +int BIO_meth_set_read(BIO_METHOD *biom, int (*bread) (BIO *, char *, int)) +{ + biom->bread = bread; + return 1; +} + +int (*BIO_meth_get_puts(BIO_METHOD *biom)) (BIO *, const char *) +{ + return biom->bputs; +} + +int BIO_meth_set_puts(BIO_METHOD *biom, + int (*bputs) (BIO *, const char *)) +{ + biom->bputs = bputs; + return 1; +} + +int (*BIO_meth_get_gets(BIO_METHOD *biom)) (BIO *, char *, int) +{ + return biom->bgets; +} + +int BIO_meth_set_gets(BIO_METHOD *biom, int (*bgets) (BIO *, char *, int)) +{ + biom->bgets = bgets; + return 1; +} + +long (*BIO_meth_get_ctrl(BIO_METHOD *biom)) (BIO *, int, long, void *) +{ + return biom->ctrl; +} + +int BIO_meth_set_ctrl(BIO_METHOD *biom, long (*ctrl) (BIO *, int, long, void *)) +{ + biom->ctrl = ctrl; + return 1; +} + +int (*BIO_meth_get_create(BIO_METHOD *biom)) (BIO *) +{ + return biom->create; +} + +int BIO_meth_set_create(BIO_METHOD *biom, int (*create) (BIO *)) +{ + biom->create = create; + return 1; +} + +int (*BIO_meth_get_destroy(BIO_METHOD *biom)) (BIO *) +{ + return biom->destroy; +} + +int BIO_meth_set_destroy(BIO_METHOD *biom, int (*destroy) (BIO *)) +{ + biom->destroy = destroy; + return 1; +} + +long (*BIO_meth_get_callback_ctrl(BIO_METHOD *biom)) (BIO *, int, bio_info_cb *) +{ + return biom->callback_ctrl; +} + +int BIO_meth_set_callback_ctrl(BIO_METHOD *biom, long (*callback_ctrl) (BIO *, int, bio_info_cb *)) +{ + biom->callback_ctrl = callback_ctrl; + return 1; +} + +#if OPENSSL_VERSION_NUMBER < 0x10002000L + +int X509_get_signature_nid(const X509 *x) +{ + return OBJ_obj2nid(x->sig_alg->algorithm); +} + +void X509_get0_signature(const ASN1_BIT_STRING **psig, + const X509_ALGOR **palg, const X509 *x) +{ + if (psig) + *psig = x->signature; + if (palg) + *palg = x->sig_alg; +} + +#endif + +#endif diff --git a/src/sslutils/sslutils.c b/src/sslutils/sslutils.c index c8865711..5320d90d 100644 --- a/src/sslutils/sslutils.c +++ b/src/sslutils/sslutils.c @@ -33,12 +33,13 @@ sslutils.c #include "config.h" #include "replace.h" -#include "myproxycertinfo.h" +#include "proxycertinfo.h" #include "sslutils.h" #include "parsertypes.h" #include "doio.h" #include "data.h" #include "voms_cert_type.h" +#include "ssl_compat.h" #ifdef HAVE_UNISTD_H #include @@ -98,6 +99,8 @@ sslutils.c #include "scutils.h" #endif +#include + static int fix_add_entry_asn1_set_param = 0; @@ -260,27 +263,27 @@ X509_NAME_cmp_no_set( X509_NAME_ENTRY * na; X509_NAME_ENTRY * nb; - if (sk_X509_NAME_ENTRY_num(a->entries) != - sk_X509_NAME_ENTRY_num(b->entries)) + if (X509_NAME_entry_count(a) != X509_NAME_entry_count(b)) { - return(sk_X509_NAME_ENTRY_num(a->entries) - - sk_X509_NAME_ENTRY_num(b->entries)); + return(X509_NAME_entry_count(a) - X509_NAME_entry_count(b)); } - for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--) + for (i=X509_NAME_entry_count(a)-1; i>=0; i--) { - na = sk_X509_NAME_ENTRY_value(a->entries,i); - nb = sk_X509_NAME_ENTRY_value(b->entries,i); - j = na->value->length-nb->value->length; + na = X509_NAME_get_entry(a,i); + nb = X509_NAME_get_entry(b,i); + ASN1_STRING* sa = X509_NAME_ENTRY_get_data(na); + ASN1_STRING* sb = X509_NAME_ENTRY_get_data(nb); + j = ASN1_STRING_length(sa) - ASN1_STRING_length(sb); if (j) { return(j); } - j = memcmp(na->value->data, - nb->value->data, - na->value->length); + j = memcmp(ASN1_STRING_get0_data(sa), + ASN1_STRING_get0_data(sb), + ASN1_STRING_length(sa)); if (j) { return(j); @@ -290,11 +293,11 @@ X509_NAME_cmp_no_set( /* We will check the object types after checking the values * since the values will more often be different than the object * types. */ - for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--) + for (i=X509_NAME_entry_count(a)-1; i>=0; i--) { - na = sk_X509_NAME_ENTRY_value(a->entries,i); - nb = sk_X509_NAME_ENTRY_value(b->entries,i); - j = OBJ_cmp(na->object,nb->object); + na = X509_NAME_get_entry(a,i); + nb = X509_NAME_get_entry(b,i); + j = OBJ_cmp(X509_NAME_ENTRY_get_object(na),X509_NAME_ENTRY_get_object(nb)); if (j) { @@ -420,6 +423,8 @@ ERR_load_proxy_error_strings(){ ERR_load_strings(ERR_USER_LIB_PRXYERR_NUMBER,prxyerr_str_functs); ERR_load_strings(ERR_USER_LIB_PRXYERR_NUMBER,prxyerr_str_reasons); } + + return 0; } /********************************************************************** @@ -471,6 +476,7 @@ ERR_load_prxyerr_strings( OBJ_create("1.3.6.1.4.1.3536.1.1.1.2","DELEGATE","Delegate"); OBJ_create("1.3.6.1.4.1.3536.1.1.1.3","RESTRICTEDRIGHTS", "RestrictedRights"); + /* the following is already available in OpenSSL... */ OBJ_create("0.9.2342.19200300.100.1.1","USERID","userId"); ERR_load_strings(ERR_USER_LIB_PRXYERR_NUMBER,prxyerr_str_functs); @@ -504,7 +510,7 @@ ERR_load_prxyerr_strings( RAND_load_file(randfile,1024L*1024L); } -#if SSLEAY_VERSION_NUMBER >= 0x0090581fL +#if SSLEAY_VERSION_NUMBER >= 0x0090581fL && !defined(OPENSSL_NO_EGD) /* * Try to use the Entropy Garthering Deamon * See the OpenSSL crypto/rand/rand_egd.c @@ -628,7 +634,7 @@ proxy_load_user_proxy( x = PEM_read_bio_X509(in,NULL, OPENSSL_PEM_CB(NULL,NULL)); if (x == NULL) { - if ((ERR_GET_REASON(ERR_peek_error()) == + if ((ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) && (count > 0)) { ERR_clear_error(); @@ -642,31 +648,20 @@ proxy_load_user_proxy( } if (count) { - (void)sk_X509_insert(cert_chain,x,sk_X509_num(cert_chain)); - - x = NULL; + (void)sk_X509_push(cert_chain,x); + } else { + X509_free(x); } count++; - if (x) - { - X509_free(x); - x = NULL; - } } ret = count; err: - if (x != NULL) - { - X509_free(x); - } + X509_free(x); + BIO_free(in); - if (in != NULL) - { - BIO_free(in); - } return(ret); } @@ -715,7 +710,7 @@ proxy_genreq( goto err; } - if (upkey->type != EVP_PKEY_RSA) + if (!EVP_PKEY_get0_RSA(upkey)) { PRXYerr(PRXYERR_F_PROXY_GENREQ,PRXYERR_R_PROCESS_PROXY_KEY); goto err; @@ -801,11 +796,11 @@ proxy_genreq( name = NULL; X509_REQ_set_pubkey(req,pkey); - EVP_MD* md = EVP_get_digestbyobj(req->sig_alg->algorithm); + EVP_MD const* md = EVP_get_digestbynid(X509_REQ_get_signature_nid(req)); if ( ucert ){ - md = EVP_get_digestbyobj(ucert->sig_alg->algorithm); + md = EVP_get_digestbynid(X509_get_signature_nid(ucert)); } @@ -914,14 +909,14 @@ proxy_sign( unsigned char md[SHA_DIGEST_LENGTH]; unsigned int len; - EVP_MD* sig_algo; + EVP_MD const* sig_algo; - sig_algo = EVP_get_digestbyobj(req->sig_alg->algorithm); + sig_algo = EVP_get_digestbynid(X509_REQ_get_signature_nid(req)); if (sig_algo == NULL) sig_algo = EVP_sha1(); if(proxyver>=3) { unsigned sub_hash; - EVP_MD* cn_sig_algo; + EVP_MD const* cn_sig_algo; EVP_PKEY* req_public_key; cn_sig_algo = EVP_sha1(); @@ -954,7 +949,7 @@ proxy_sign( PRXYerr(PRXYERR_F_PROXY_SIGN,PRXYERR_R_PROCESS_SIGN); if (proxyver >= 3) { free(newcn); - free(newserial); + free((void*)newserial); } return 1; } @@ -992,7 +987,7 @@ proxy_sign( if (proxyver >= 3) { free(newcn); - free(newserial); + free((void*)newserial); } return rc; @@ -1060,32 +1055,16 @@ proxy_sign_ext( { EVP_PKEY * new_public_key = NULL; EVP_PKEY * tmp_public_key = NULL; - X509_CINF * new_cert_info; - X509_CINF * user_cert_info; - X509_EXTENSION * extension = NULL; time_t time_diff, time_now, time_after; ASN1_UTCTIME * asn1_time = NULL; int i; - unsigned char md[SHA_DIGEST_LENGTH]; unsigned int len; - EVP_MD* sig_algo; + EVP_MD const* sig_algo; sig_algo = EVP_sha1(); - if (!selfsigned) - user_cert_info = user_cert->cert_info; - *new_cert = NULL; - if ((req->req_info == NULL) || - (req->req_info->pubkey == NULL) || - (req->req_info->pubkey->public_key == NULL) || - (req->req_info->pubkey->public_key->data == NULL)) - { - PRXYerr(PRXYERR_F_PROXY_SIGN,PRXYERR_R_MALFORM_REQ); - goto err; - } - if ((new_public_key=X509_REQ_get_pubkey(req)) == NULL) { PRXYerr(PRXYERR_F_PROXY_SIGN_EXT,PRXYERR_R_MALFORM_REQ); goto err; @@ -1115,8 +1094,6 @@ proxy_sign_ext( goto err; } - new_cert_info = (*new_cert)->cert_info; - /* set the subject name */ if(subject_name && !X509_set_subject_name(*new_cert,subject_name)) @@ -1133,14 +1110,15 @@ proxy_sign_ext( BIGNUM *bn = NULL; if (BN_hex2bn(&bn, newserial) != 0) { ASN1_INTEGER *a_int = BN_to_ASN1_INTEGER(bn, NULL); - ASN1_INTEGER_free((*new_cert)->cert_info->serialNumber); - - /* Note: The a_int == NULL case is handled below. */ - (*new_cert)->cert_info->serialNumber = a_int; BN_free(bn); + /* Note: The a_int == NULL case is handled below. */ + X509_set_serialNumber(*new_cert, a_int); + ASN1_INTEGER_free(a_int); } } else if (proxyver > 2) { + unsigned char md[SHA_DIGEST_LENGTH + 1]; + ASN1_INTEGER_free(X509_get_serialNumber(*new_cert)); new_public_key = X509_REQ_get_pubkey(req); @@ -1149,44 +1127,36 @@ proxy_sign_ext( #else ASN1_digest(i2d_PUBKEY, sig_algo, (char *) new_public_key, md, &len); #endif + md[len] = '\0'; + EVP_PKEY_free(new_public_key); new_public_key = NULL; - (*new_cert)->cert_info->serialNumber = ASN1_INTEGER_new(); - (*new_cert)->cert_info->serialNumber->length = len; - (*new_cert)->cert_info->serialNumber->data = malloc(len); - - if (!((*new_cert)->cert_info->serialNumber->data)) { - PRXYerr(PRXYERR_F_PROXY_SIGN_EXT, PRXYERR_R_PROCESS_PROXY); - goto err; + BIGNUM* bn = NULL; + if (BN_hex2bn(&bn, (char*)md) != 0) { + ASN1_INTEGER *a_int = BN_to_ASN1_INTEGER(bn, NULL); + BN_free(bn); + X509_set_serialNumber(*new_cert, a_int); + ASN1_INTEGER_free(a_int); } - memcpy((*new_cert)->cert_info->serialNumber->data, md, SHA_DIGEST_LENGTH); + } else if (selfsigned) { - ASN1_INTEGER *copy = ASN1_INTEGER_new(); - if (copy) { - ASN1_INTEGER_set(copy, 1); - ASN1_INTEGER_free((*new_cert)->cert_info->serialNumber); - - (*new_cert)->cert_info->serialNumber = copy; + ASN1_INTEGER *a_int = ASN1_INTEGER_new(); + if (a_int) { + ASN1_INTEGER_set(a_int, 1); + X509_set_serialNumber(*new_cert, a_int); + ASN1_INTEGER_free(a_int); } else goto err; } else { - ASN1_INTEGER *copy = ASN1_INTEGER_dup(X509_get_serialNumber(user_cert)); - ASN1_INTEGER_free((*new_cert)->cert_info->serialNumber); - - /* Note: The copy == NULL case is handled immediately below. */ - (*new_cert)->cert_info->serialNumber = copy; - } - - if (!(*new_cert)->cert_info->serialNumber) { - PRXYerr(PRXYERR_F_PROXY_SIGN_EXT,PRXYERR_R_PROCESS_PROXY); - goto err; + ASN1_INTEGER *a_int = ASN1_INTEGER_dup(X509_get0_serialNumber(user_cert)); + X509_set_serialNumber(*new_cert, a_int); + ASN1_INTEGER_free(a_int); } - /* set the issuer name */ if (issuer_name) @@ -1231,73 +1201,51 @@ proxy_sign_ext( X509_gmtime_adj(X509_get_notAfter(*new_cert),(long) seconds - pastproxy); } else { - X509_set_notAfter(*new_cert, user_cert_info->validity->notAfter); + int ret = X509_set1_notAfter(*new_cert, X509_get0_notAfter(user_cert)); + assert(ret == 1 && "X509_set1_notAfter failed"); } } /* transfer the public key from req to new cert */ - /* DEE? should this be a dup? */ - - X509_PUBKEY_free(new_cert_info->key); - new_cert_info->key = req->req_info->pubkey; - req->req_info->pubkey = NULL; + { + EVP_PKEY* const pub_key = X509_REQ_get_pubkey(req); + assert(pub_key && "X509_REQ_get0_pubkey failed"); + int const ret = X509_set_pubkey(*new_cert, pub_key); + assert(ret == 1 && "X509_set_pubkey failed"); + EVP_PKEY_free(pub_key); + } /* * We can now add additional extentions here * such as to control the usage of the cert */ - if (new_cert_info->version == NULL) { - if ((new_cert_info->version = ASN1_INTEGER_new()) == NULL) - { - PRXYerr(PRXYERR_F_PROXY_SIGN_EXT,PRXYERR_R_PROCESS_PROXY); - goto err; - } - } - - ASN1_INTEGER_set(new_cert_info->version,2); /* version 3 certificate */ - - /* Free the current entries if any, there should not - * be any I belive - */ - - if (new_cert_info->extensions != NULL) - { - sk_X509_EXTENSION_pop_free(new_cert_info->extensions, - X509_EXTENSION_free); + int const ret = X509_set_version(*new_cert, 2L); + assert(ret == 1 && "X509_set_version failed"); } /* Add extensions provided by the client */ + /* TODO: who frees extensions? */ if (extensions) { - if ((new_cert_info->extensions = - sk_X509_EXTENSION_new_null()) == NULL) - { - PRXYerr(PRXYERR_F_PROXY_SIGN_EXT,PRXYERR_R_DELEGATE_COPY); - } - - /* Lets 'copy' the client extensions to the new proxy */ - /* we should look at the type, and only copy some */ - for (i=0; iextensions, - extension)) - { - PRXYerr(PRXYERR_F_PROXY_SIGN_EXT,PRXYERR_R_DELEGATE_COPY); - goto err; - } + if (ret == 0) + { + PRXYerr(PRXYERR_F_PROXY_SIGN_EXT,PRXYERR_R_DELEGATE_COPY); + goto err; + } } } @@ -1452,7 +1400,7 @@ proxy_marshal_bp( } if (!PEM_write_bio_RSAPrivateKey(bp, - npkey->pkey.rsa, + EVP_PKEY_get0_RSA(npkey), NULL, NULL, 0, @@ -1524,6 +1472,8 @@ proxy_verify_init( pvd->cert_chain = NULL; pvd->limited_proxy = 0; pvd->multiple_limited_proxy_ok = 0; + pvd->cert_store = NULL; + pvd->recursive_depth = 0; } /********************************************************************** @@ -1658,12 +1608,12 @@ int proxy_verify_name(X509* cert){ // If we reach this point, name checks on the proxy have // succeeded, and this is actually a proxy, inform OpenSSL // (is this still needed?) - cert->ex_flags |= EXFLAG_PROXY; - cert->ex_pcpathlen = -1; + X509_set_proxy_flag(cert); + X509_set_proxy_pathlen(cert, -1L); if (VOMS_IS_LIMITED_PROXY(cert_type)) { - cert->ex_pcpathlen = 0; + X509_set_proxy_pathlen(cert, 0L); return 2; } @@ -1732,12 +1682,11 @@ proxy_verify_callback( int ok, X509_STORE_CTX * ctx) { - X509_OBJECT obj; + X509_OBJECT* obj = NULL; X509 * cert = NULL; X509 * prev_cert = NULL; X509_CRL * crl; - X509_CRL_INFO * crl_info; X509_REVOKED * revoked; SSL * ssl = NULL; @@ -1795,15 +1744,15 @@ proxy_verify_callback( X509_STORE_CTX_get_error_depth(ctx) -1); if (proxy_verify_name(prev_cert) > 0 && - proxy_check_issued(ctx, ctx->current_cert, prev_cert)){ + proxy_check_issued(ctx, X509_STORE_CTX_get_current_cert(ctx), prev_cert)){ ok = 1; } break; case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: - if (proxy_verify_name(ctx->cert) > 0) { - if (check_critical_extensions(ctx->cert, 1)) + if (proxy_verify_name(X509_STORE_CTX_get0_cert(ctx)) > 0) { + if (check_critical_extensions(X509_STORE_CTX_get0_cert(ctx), 1)) /* Allows proxy specific extensions on proxies. */ ok = 1; } @@ -1816,17 +1765,17 @@ proxy_verify_callback( /* if already failed, skip the rest, but add error messages */ if (!ok) { - if (ctx->error==X509_V_ERR_CERT_NOT_YET_VALID) + if (X509_STORE_CTX_get_error(ctx)==X509_V_ERR_CERT_NOT_YET_VALID) { PRXYerr(PRXYERR_F_VERIFY_CB,PRXYERR_R_CERT_NOT_YET_VALID); ERR_set_continue_needed(); } - else if (ctx->error==X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) + else if (X509_STORE_CTX_get_error(ctx)==X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) { PRXYerr(PRXYERR_F_VERIFY_CB,PRXYERR_R_LOCAL_CA_UNKNOWN); ERR_set_continue_needed(); } - else if (ctx->error==X509_V_ERR_CERT_HAS_EXPIRED) + else if (X509_STORE_CTX_get_error(ctx)==X509_V_ERR_CERT_HAS_EXPIRED) { PRXYerr(PRXYERR_F_VERIFY_CB, PRXYERR_R_REMOTE_CRED_EXPIRED); ERR_set_continue_needed(); @@ -1848,12 +1797,12 @@ proxy_verify_callback( * and ca-signing-policy rules. We will also do a CRL check */ - ret = proxy_verify_name(ctx->current_cert); + ret = proxy_verify_name(X509_STORE_CTX_get_current_cert(ctx)); if (ret < 0) { PRXYerr(PRXYERR_F_VERIFY_CB,PRXYERR_R_BAD_PROXY_ISSUER); ERR_set_continue_needed(); - ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE; + X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_SIGNATURE_FAILURE); goto fail_verify; } else if (ret > 0) { /* Its a proxy */ @@ -1862,10 +1811,10 @@ proxy_verify_callback( pvd->limited_proxy = 1; /* its a limited proxy */ - if (ctx->error_depth && !pvd->multiple_limited_proxy_ok) { + if (X509_STORE_CTX_get_error_depth(ctx) && !pvd->multiple_limited_proxy_ok) { PRXYerr(PRXYERR_F_VERIFY_CB,PRXYERR_R_LPROXY_MISSED_USED); ERR_set_continue_needed(); - ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE; + X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_SIGNATURE_FAILURE); goto fail_verify; } } @@ -1876,36 +1825,38 @@ proxy_verify_callback( if (!itsaproxy) { - + obj = X509_OBJECT_new(); /** CRL checks **/ int n = 0; - if (X509_STORE_get_by_subject(ctx, - X509_LU_CRL, - X509_get_subject_name(ctx->current_issuer), - &obj)) + if (obj != NULL + && X509_STORE_get_by_subject(ctx, + X509_LU_CRL, + X509_get_subject_name(X509_STORE_CTX_get0_current_issuer(ctx)), + obj)) { objset = 1; - crl = obj.data.crl; - crl_info = crl->crl; + crl = X509_OBJECT_get0_X509_CRL(obj); + assert(crl != NULL && "X509_OBJECT_get0_X509_CRL failed"); + /* verify the signature on this CRL */ - key = X509_get_pubkey(ctx->current_issuer); + key = X509_get_pubkey(X509_STORE_CTX_get0_current_issuer(ctx)); if (X509_CRL_verify(crl, key) <= 0) { PRXYerr(PRXYERR_F_VERIFY_CB,PRXYERR_R_CRL_SIGNATURE_FAILURE); ERR_set_continue_needed(); - ctx->error = X509_V_ERR_CRL_SIGNATURE_FAILURE; + X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE); goto fail_verify; } /* Check date see if expired */ - i = X509_cmp_current_time(crl_info->nextUpdate); + i = X509_cmp_current_time(X509_CRL_get0_nextUpdate(crl)); if (i == 0) { PRXYerr(PRXYERR_F_VERIFY_CB,PRXYERR_R_CRL_NEXT_UPDATE_FIELD); ERR_set_continue_needed(); - ctx->error = X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; + X509_STORE_CTX_set_error(ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD); goto fail_verify; } @@ -1914,35 +1865,34 @@ proxy_verify_callback( { PRXYerr(PRXYERR_F_VERIFY_CB,PRXYERR_R_CRL_HAS_EXPIRED); ERR_set_continue_needed(); - ctx->error = X509_V_ERR_CRL_HAS_EXPIRED; + X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_HAS_EXPIRED); goto fail_verify; } /* check if this cert is revoked */ - - n = sk_X509_REVOKED_num(crl_info->revoked); + n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl)); for (i=0; irevoked,i); + X509_CRL_get_REVOKED(crl),i); - if(!ASN1_INTEGER_cmp(revoked->serialNumber, - X509_get_serialNumber(ctx->current_cert))) + if(!ASN1_INTEGER_cmp(X509_REVOKED_get0_serialNumber(revoked), + X509_get_serialNumber(X509_STORE_CTX_get_current_cert(ctx)))) { long serial; char buf[256]; char *s; PRXYerr(PRXYERR_F_VERIFY_CB,PRXYERR_R_CERT_REVOKED); - serial = ASN1_INTEGER_get(revoked->serialNumber); + serial = ASN1_INTEGER_get(X509_REVOKED_get0_serialNumber(revoked)); sprintf(buf,"%ld (0x%lX)",serial,serial); s = X509_NAME_oneline(X509_get_subject_name( - ctx->current_cert),NULL,0); + X509_STORE_CTX_get_current_cert(ctx)),NULL,0); ERR_add_error_data(4,"Serial number = ",buf, " Subject=",s); - ctx->error = X509_V_ERR_CERT_REVOKED; + X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED); ERR_set_continue_needed(); free(s); s = NULL; @@ -1951,8 +1901,8 @@ proxy_verify_callback( } } - if (X509_NAME_cmp(X509_get_subject_name(ctx->current_cert), - X509_get_issuer_name(ctx->current_cert))) + if (X509_NAME_cmp(X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)), + X509_get_issuer_name(X509_STORE_CTX_get_current_cert(ctx)))) { cert_dir = pvd->pvxd->certdir ? pvd->pvxd->certdir : getenv(X509_CERT_DIR); @@ -1963,9 +1913,9 @@ proxy_verify_callback( struct policy **namespaces = NULL; int result = SUCCESS_UNDECIDED; - read_pathrestriction(ctx->chain, cert_dir, &namespaces, &signings); + read_pathrestriction(X509_STORE_CTX_get0_chain(ctx), cert_dir, &namespaces, &signings); - result = restriction_evaluate(ctx->chain, namespaces, signings); + result = restriction_evaluate(X509_STORE_CTX_get0_chain(ctx), namespaces, signings); voms_free_policies(namespaces); voms_free_policies(signings); @@ -1974,7 +1924,7 @@ proxy_verify_callback( { PRXYerr(PRXYERR_F_VERIFY_CB, PRXYERR_R_CA_POLICY_VIOLATION); - ctx->error = X509_V_ERR_INVALID_PURPOSE; + X509_STORE_CTX_set_error(ctx, X509_V_ERR_INVALID_PURPOSE); if (error_string != NULL) { @@ -2006,7 +1956,7 @@ proxy_verify_callback( * Will be used for lifetime calculations */ - goodtill = ASN1_UTCTIME_mktime(X509_get_notAfter(ctx->current_cert)); + goodtill = ASN1_UTCTIME_mktime(X509_get_notAfter(X509_STORE_CTX_get_current_cert(ctx))); if (pvd->pvxd->goodtill == 0 || goodtill < pvd->pvxd->goodtill) { pvd->pvxd->goodtill = goodtill; @@ -2024,9 +1974,9 @@ proxy_verify_callback( free(ca_policy_file_path); } - if (!check_critical_extensions(ctx->current_cert, itsaproxy)) { + if (!check_critical_extensions(X509_STORE_CTX_get_current_cert(ctx), itsaproxy)) { PRXYerr(PRXYERR_F_VERIFY_CB, PRXYERR_R_UNKNOWN_CRIT_EXT); - ctx->error = X509_V_ERR_CERT_REJECTED; + X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REJECTED); goto fail_verify; } @@ -2040,17 +1990,17 @@ proxy_verify_callback( * all we do is substract off the proxy_dpeth */ - if(ctx->current_cert == ctx->cert) + if(X509_STORE_CTX_get_current_cert(ctx) == X509_STORE_CTX_get0_cert(ctx)) { - for (i=0; i < sk_X509_num(ctx->chain); i++) + for (i=0; i < sk_X509_num(X509_STORE_CTX_get0_chain(ctx)); i++) { - cert = sk_X509_value(ctx->chain,i); - if (((i - pvd->proxy_depth) > 1) && (cert->ex_pathlen != -1) - && ((i - pvd->proxy_depth) > (cert->ex_pathlen + 1)) - && (cert->ex_flags & EXFLAG_BCONS)) + cert = sk_X509_value(X509_STORE_CTX_get0_chain(ctx),i); + if (((i - pvd->proxy_depth) > 1) && (X509_get_proxy_pathlen(cert) != -1) + && ((i - pvd->proxy_depth) > (X509_get_proxy_pathlen(cert) + 1)) + && (X509_get_extension_flags(cert) & EXFLAG_BCONS)) { - ctx->current_cert = cert; /* point at failing cert */ - ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; + X509_STORE_CTX_set_current_cert(ctx, cert); /* point at failing cert */ + X509_STORE_CTX_set_error(ctx, X509_V_ERR_PATH_LENGTH_EXCEEDED); goto fail_verify; } } @@ -2060,7 +2010,7 @@ proxy_verify_callback( if (objset) { - X509_OBJECT_free_contents(&obj); + X509_OBJECT_free(obj); } return(ok); @@ -2074,22 +2024,23 @@ proxy_verify_callback( if (objset) { - X509_OBJECT_free_contents(&obj); + X509_OBJECT_free(obj); } - if (ctx->current_cert) + if (X509_STORE_CTX_get_current_cert(ctx)) { char *subject_s = NULL; char *issuer_s = NULL; subject_s = X509_NAME_oneline( - X509_get_subject_name(ctx->current_cert),NULL,0); + X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)),NULL,0); issuer_s = X509_NAME_oneline( - X509_get_issuer_name(ctx->current_cert),NULL,0); + X509_get_issuer_name(X509_STORE_CTX_get_current_cert(ctx)),NULL,0); - char *openssl_error_str = X509_verify_cert_error_string(ctx->error); + int const error = X509_STORE_CTX_get_error(ctx); + char const* const error_str = X509_verify_cert_error_string(error); - switch (ctx->error) + switch (error) { case X509_V_OK: case X509_V_ERR_INVALID_PURPOSE: @@ -2097,7 +2048,7 @@ proxy_verify_callback( ERR_add_error_data(9, ": ", - openssl_error_str ? openssl_error_str : "", + error_str ? error_str : "", " [file=", ca_policy_file_path ? ca_policy_file_path : "UNKNOWN", ",subject=", @@ -2108,11 +2059,10 @@ proxy_verify_callback( break; default: PRXYerr(PRXYERR_F_VERIFY_CB,PRXYERR_R_CB_CALLED_WITH_ERROR); - char *openssl_error_str = X509_verify_cert_error_string(ctx->error); ERR_add_error_data(7, ": ", - openssl_error_str ? openssl_error_str : "", + error_str ? error_str : "", " [subject=", subject_s ? subject_s : "UNKNOWN", ",issuer=", @@ -2151,14 +2101,18 @@ proxy_verify_cert_chain( int retval = 0; X509_STORE * cert_store = NULL; X509_LOOKUP * lookup = NULL; - X509_STORE_CTX csc; + X509_STORE_CTX* csc = NULL; X509 * xcert = NULL; X509 * scert = NULL; int cscinitialized = 0; scert = ucert; cert_store = X509_STORE_new(); - X509_STORE_set_verify_cb_func(cert_store, proxy_verify_callback); + X509_STORE_set_verify_cb(cert_store, proxy_verify_callback); +#if SSLEAY_VERSION_NUMBER >= 0x0090600fL + /* override the check_issued with our version */ + X509_STORE_set_check_issued(cert_store, proxy_check_issued); +#endif if (cert_chain != NULL) { int i =0; @@ -2193,18 +2147,15 @@ proxy_verify_cert_chain( X509_LOOKUP_hash_dir()))) { X509_LOOKUP_add_dir(lookup,pvd->pvxd->certdir,X509_FILETYPE_PEM); - X509_STORE_CTX_init(&csc,cert_store,scert,NULL); + csc = X509_STORE_CTX_new(); + X509_STORE_CTX_init(csc,cert_store,scert,NULL); cscinitialized = 1; -#if SSLEAY_VERSION_NUMBER >= 0x0090600fL - /* override the check_issued with our version */ - csc.check_issued = proxy_check_issued; -#endif - X509_STORE_CTX_set_ex_data(&csc, + X509_STORE_CTX_set_ex_data(csc, PVD_STORE_EX_DATA_IDX, (void *)pvd); #ifdef X509_V_FLAG_ALLOW_PROXY_CERTS - X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_ALLOW_PROXY_CERTS); + X509_STORE_CTX_set_flags(csc, X509_V_FLAG_ALLOW_PROXY_CERTS); #endif - if(!X509_verify_cert(&csc)) + if(!X509_verify_cert(csc)) { goto err; } @@ -2213,7 +2164,7 @@ proxy_verify_cert_chain( err: if (cscinitialized) - X509_STORE_CTX_cleanup(&csc); + X509_STORE_CTX_free(csc); if (cert_store) X509_STORE_free(cert_store); return retval; @@ -3151,52 +3102,59 @@ proxy_load_user_key( */ if (ucert) { - X509_PUBKEY *key = X509_get_X509_PUBKEY(ucert); - ucertpkey = X509_PUBKEY_get(key); + ucertpkey = X509_get_pubkey(ucert); int mismatch = 0; - if (ucertpkey!= NULL && ucertpkey->type == - (*private_key)->type) + if (ucertpkey != NULL + && EVP_PKEY_base_id(ucertpkey) == EVP_PKEY_base_id(*private_key)) { - if (ucertpkey->type == EVP_PKEY_RSA) + RSA* public_rsa = EVP_PKEY_get0_RSA(ucertpkey); + if (public_rsa) { - /* add in key as random data too */ - if (ucertpkey->pkey.rsa != NULL) + { /* add in key as random data too */ + BIGNUM const* p; + BIGNUM const* q; + RSA_get0_factors(public_rsa, &p, &q); + if(p != NULL) { - if(ucertpkey->pkey.rsa->p != NULL) - { - RAND_add((void*)ucertpkey->pkey.rsa->p->d, - BN_num_bytes(ucertpkey->pkey.rsa->p), - BN_num_bytes(ucertpkey->pkey.rsa->p)); - } - if(ucertpkey->pkey.rsa->q != NULL) - { - RAND_add((void*)ucertpkey->pkey.rsa->q->d, - BN_num_bytes(ucertpkey->pkey.rsa->q), - BN_num_bytes(ucertpkey->pkey.rsa->q)); - } + RAND_add(p, /* awful hack; d is the first field */ + BN_num_bytes(p), + BN_num_bytes(p)); } - if ((ucertpkey->pkey.rsa != NULL) && - (ucertpkey->pkey.rsa->n != NULL) && - ((*private_key)->pkey.rsa != NULL) ) + if (q != NULL) { - if ((*private_key)->pkey.rsa->n != NULL - && BN_num_bytes((*private_key)->pkey.rsa->n)) - { - if (BN_cmp(ucertpkey->pkey.rsa->n, - (*private_key)->pkey.rsa->n)) - { - mismatch=1; - } - } - else - { - (*private_key)->pkey.rsa->n = - BN_dup(ucertpkey->pkey.rsa->n); - (*private_key)->pkey.rsa->e = - BN_dup(ucertpkey->pkey.rsa->e); - } + RAND_add(q, BN_num_bytes(q), BN_num_bytes(q)); + } + } + { + BIGNUM const* public_n; + BIGNUM const* public_e; + RSA* private_rsa = EVP_PKEY_get0_RSA(*private_key); + RSA_get0_key(public_rsa, &public_n, &public_e, NULL); + if (public_n != NULL && private_rsa != NULL) + { + BIGNUM const* private_n; + BIGNUM const* private_e; + RSA_get0_key(private_rsa, &private_n, &private_e, NULL); + if (private_n != NULL && BN_num_bytes(private_n)) + { + if (BN_cmp(public_n, private_n)) + { + mismatch=1; + } + } + else + { + int ret; + BIGNUM* n = BN_dup(public_n); + assert(n != NULL && "BN_dup failed"); + BIGNUM* e = BN_dup(public_e); + assert(e != NULL && "BN_dup failed"); + ret = RSA_set0_key(private_rsa, n, e, NULL); + assert(ret == 1 && "RSA_set0_key failed"); + } } + } } } else @@ -3502,7 +3460,7 @@ int load_credentials(const char *certname, const char *keyname, err: if (chain) - sk_X509_free(chain); + sk_X509_pop_free(chain, X509_free); if (cert) { X509_free(*cert); *cert = NULL; @@ -3760,10 +3718,10 @@ static int check_critical_extensions(X509 *cert, int itsaproxy) int nid; X509_EXTENSION *ex; - int nid_pci3 = my_txt2nid(PROXYCERTINFO_V3); - int nid_pci4 = my_txt2nid(PROXYCERTINFO_V4); + int nid_pci3 = my_txt2nid(PROXYCERTINFO_OLD_OID); + int nid_pci4 = my_txt2nid(PROXYCERTINFO_OID); - STACK_OF(X509_EXTENSION) *extensions = cert->cert_info->extensions; + STACK_OF(X509_EXTENSION) const* extensions = X509_get0_extensions(cert); for (i=0; i < sk_X509_EXTENSION_num(extensions); i++) { ex = (X509_EXTENSION *) sk_X509_EXTENSION_value(extensions,i); diff --git a/src/sslutils/voms_cert_type.c b/src/sslutils/voms_cert_type.c index b1a5c703..b2639bed 100644 --- a/src/sslutils/voms_cert_type.c +++ b/src/sslutils/voms_cert_type.c @@ -9,6 +9,7 @@ #include #include +#include #define LIMITED_PROXY_OID "1.3.6.1.4.1.3536.1.1.1.9" #define PROXYCERTINFO_OLD_OID "1.3.6.1.4.1.3536.1.222" @@ -86,7 +87,7 @@ get_proxy_type(ASN1_OBJECT *policy_lang){ } - if (policy_nid = NID_Independent) + if (policy_nid == NID_Independent) { return VOMS_CERT_TYPE_INDEPENDENT_PROXY; diff --git a/src/utils/voms_proxy_info.cc b/src/utils/voms_proxy_info.cc index c598a058..2d0723b8 100644 --- a/src/utils/voms_proxy_info.cc +++ b/src/utils/voms_proxy_info.cc @@ -62,7 +62,7 @@ extern "C" { #include "sslutils.h" #include "newformat.h" #include "listfunc.h" -#include "myproxycertinfo.h" +#include "proxycertinfo.h" } extern int AC_Init(void); @@ -330,8 +330,8 @@ static const char *proxy_type(X509 *cert) if (point2 > point1) return "limited proxy"; - int nidv3 = OBJ_txt2nid(PROXYCERTINFO_V3); - int nidv4 = OBJ_txt2nid(PROXYCERTINFO_V4); + int nidv3 = OBJ_txt2nid(PROXYCERTINFO_OLD_OID); + int nidv4 = OBJ_txt2nid(PROXYCERTINFO_OID); int indexv3 = X509_get_ext_by_NID(cert, nidv3, -1); int indexv4 = X509_get_ext_by_NID(cert, nidv4, -1); diff --git a/src/utils/voms_verify.cc b/src/utils/voms_verify.cc index 1dc02c7e..491a4f27 100644 --- a/src/utils/voms_verify.cc +++ b/src/utils/voms_verify.cc @@ -1,6 +1,7 @@ #include "sslutils.h" -#include "openssl/x509_vfy.h" -#include "openssl/x509v3.h" +#include +#include +#include "ssl_compat.h" #include #include @@ -63,7 +64,6 @@ int load_user_proxy(STACK_OF(X509) *cert_chain, const char *file) { int verify_cert(X509_STORE_CTX *ctx) { - ctx->check_issued = proxy_check_issued; return X509_verify_cert(ctx); } @@ -74,8 +74,6 @@ proxy_verify_desc *setup_initializers(const char *cadir) pvd = (proxy_verify_desc*) malloc(sizeof(proxy_verify_desc)); pvxd = (proxy_verify_ctx_desc *) malloc(sizeof(proxy_verify_ctx_desc)); - pvd->cert_store = NULL; - if (!pvd || !pvxd) { free(pvd); @@ -183,9 +181,7 @@ int main(int argc, char* argv[]){ internal_error("Error creating X.509 store"); } - if (!X509_STORE_set_verify_cb_func(store, proxy_verify_callback)){ - internal_error("Error setting context store certificate verify callback"); - } + X509_STORE_set_verify_cb(store, proxy_verify_callback); if (!(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir()))){ internal_error("Error creating store CA dir lookup"); @@ -203,6 +199,7 @@ int main(int argc, char* argv[]){ internal_error("Error creating X509_STORE_CTX object"); } + X509_STORE_set_check_issued(store, proxy_check_issued); if (X509_STORE_CTX_init(ctx, store, cert, cert_chain) != 1) { internal_error("Error initializing verification context"); } diff --git a/src/utils/vomsfake.cc b/src/utils/vomsfake.cc index b98f56b2..0aee29d6 100644 --- a/src/utils/vomsfake.cc +++ b/src/utils/vomsfake.cc @@ -78,7 +78,7 @@ extern FILE *yyin; extern "C" { -#include "myproxycertinfo.h" +#include "proxycertinfo.h" extern int writeac(const X509 *issuerc, const STACK_OF(X509) *certstack, const X509 *holder, const EVP_PKEY *pkey, BIGNUM *s, char **c, const char *t, char **attributes, AC **ac, const char *voname, From 16f971f6aa8083bbe7507b9aee20e5539d2f7caa Mon Sep 17 00:00:00 2001 From: Andrea Ceccanti Date: Wed, 25 Jan 2017 19:48:50 +0100 Subject: [PATCH 02/16] Restore pkg-config check for OpenSSL --- configure.ac | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index 4e3da01c..d04cf232 100644 --- a/configure.ac +++ b/configure.ac @@ -31,8 +31,8 @@ AC_PROG_YACC AC_PROG_LEX AC_COMPILER -#PKG_CHECK_MODULES([OPENSSL], [openssl]) -AC_OPENSSL +PKG_CHECK_MODULES([OPENSSL], [openssl]) +# AC_OPENSSL PKG_CHECK_MODULES([GSOAP],[gsoap >= 2.7]) PKG_CHECK_MODULES([GSOAP_PP],[gsoap++ >= 2.7]) From 85264b26aeedf96a6c49611c5ab89767a610936c Mon Sep 17 00:00:00 2001 From: Francesco Giacomini Date: Fri, 3 Feb 2017 16:08:27 +0100 Subject: [PATCH 03/16] fix issue #54 --- src/ac/init.c | 15 ++++++++++++--- src/sslutils/proxy.c | 5 +++-- src/sslutils/proxycertinfo.c | 25 +++++++++++-------------- src/sslutils/sslutils.c | 26 ++++++++++++++++++++------ 4 files changed, 46 insertions(+), 25 deletions(-) diff --git a/src/ac/init.c b/src/ac/init.c index 442184c3..dda004de 100644 --- a/src/ac/init.c +++ b/src/ac/init.c @@ -26,8 +26,18 @@ #include #include +#include #include "extensions.h" +static void OBJC(char const* oid, char const* name) +{ + assert(oid != NULL && name != NULL); + if (OBJ_txt2nid(oid) == NID_undef) { + int nid = OBJ_create(oid, name, name); + assert(nid != NID_undef && "OBJ_create failed"); + } +} + void declareOIDs(void) { #define idpkix "1.3.6.1.5.5.7" @@ -59,11 +69,10 @@ void declareOIDs(void) #define certseq "1.3.6.1.4.1.8005.100.100.10" #define email idpkcs9 ".1" -#define OBJC(c,n) OBJ_create(c,n,#c) - static int done=0; - if (done) + if (done) { return; + } done=1; diff --git a/src/sslutils/proxy.c b/src/sslutils/proxy.c index dccb7275..31ccc646 100644 --- a/src/sslutils/proxy.c +++ b/src/sslutils/proxy.c @@ -463,8 +463,9 @@ struct VOMSProxy *VOMS_MakeProxy(struct VOMSProxyArguments *args, int *warning, policylang = LIMITED_PROXY_OID; } - if (OBJ_txt2nid(policylang) == 0) { - OBJ_create(policylang, policylang, policylang); + if (OBJ_txt2nid(policylang) == NID_undef) { + int nid = OBJ_create(policylang, policylang, policylang); + assert(nid != NID_undef && "OBJ_create failed"); } if (!(policy_language = OBJ_txt2obj(policylang, 1))) { diff --git a/src/sslutils/proxycertinfo.c b/src/sslutils/proxycertinfo.c index 41bc5139..89fa222f 100644 --- a/src/sslutils/proxycertinfo.c +++ b/src/sslutils/proxycertinfo.c @@ -338,22 +338,19 @@ PROXY_CERT_INFO_EXTENSION_get_policy(PROXY_CERT_INFO_EXTENSION const* pci) void InitProxyCertInfoExtension(int full) { - static int init_done = 0; + if (OBJ_txt2nid(PROXYCERTINFO_OLD_OID) == NID_undef) { + int ret = 0; + X509V3_EXT_METHOD* meth = NULL; - if (init_done) { - return; - } - - char const* pci_v3_sn = "proxyCertInfo_V3"; - char const* pci_v3_ln = "Proxy Certificate Information (V3)"; - int const v3nid = OBJ_create(PROXYCERTINFO_OLD_OID, pci_v3_sn, pci_v3_ln); - assert(v3nid != 0 && "OBJ_create failed"); + char const* pci_v3_sn = "proxyCertInfo_V3"; + char const* pci_v3_ln = "Proxy Certificate Information (V3)"; + int const v3nid = OBJ_create(PROXYCERTINFO_OLD_OID, pci_v3_sn, pci_v3_ln); + assert(v3nid != NID_undef && "OBJ_create failed"); - if (X509V3_EXT_get_nid(v3nid) == NULL) { - X509V3_EXT_METHOD* meth = PROXYCERTINFO_OLD_x509v3_ext_meth(); + meth = PROXYCERTINFO_OLD_x509v3_ext_meth(); + assert(meth != NULL && "PROXYCERTINFO_OLD_x509v3_ext_meth failed"); meth->ext_nid = v3nid; - X509V3_EXT_add(meth); + ret = X509V3_EXT_add(meth); + assert(ret != 0 && "X509V3_EXT_add failed"); } - - init_done = 1; } diff --git a/src/sslutils/sslutils.c b/src/sslutils/sslutils.c index 5320d90d..ac8038fa 100644 --- a/src/sslutils/sslutils.c +++ b/src/sslutils/sslutils.c @@ -472,12 +472,26 @@ ERR_load_prxyerr_strings( SSL_load_error_strings(); } - OBJ_create("1.3.6.1.4.1.3536.1.1.1.1","CLASSADD","ClassAdd"); - OBJ_create("1.3.6.1.4.1.3536.1.1.1.2","DELEGATE","Delegate"); - OBJ_create("1.3.6.1.4.1.3536.1.1.1.3","RESTRICTEDRIGHTS", - "RestrictedRights"); - /* the following is already available in OpenSSL... */ - OBJ_create("0.9.2342.19200300.100.1.1","USERID","userId"); + if (OBJ_txt2nid("1.3.6.1.4.1.3536.1.1.1.1") == NID_undef) { + int nid = OBJ_create("1.3.6.1.4.1.3536.1.1.1.1","CLASSADD","ClassAdd"); + assert(nid != NID_undef && "OBJ_create failed"); + } + + if (OBJ_txt2nid("1.3.6.1.4.1.3536.1.1.1.2") == NID_undef) { + int nid = OBJ_create("1.3.6.1.4.1.3536.1.1.1.2","DELEGATE","Delegate"); + assert(nid != NID_undef && "OBJ_create failed"); + } + + if (OBJ_txt2nid("1.3.6.1.4.1.3536.1.1.1.3") == NID_undef) { + int nid = OBJ_create("1.3.6.1.4.1.3536.1.1.1.3","RESTRICTEDRIGHTS", + "RestrictedRights"); + assert(nid != NID_undef && "OBJ_create failed"); + } + + if (OBJ_txt2nid("0.9.2342.19200300.100.1.1") == NID_undef) { + int nid = OBJ_create("0.9.2342.19200300.100.1.1","USERID","userId"); + assert(nid != NID_undef && "OBJ_create failed"); + } ERR_load_strings(ERR_USER_LIB_PRXYERR_NUMBER,prxyerr_str_functs); ERR_load_strings(ERR_USER_LIB_PRXYERR_NUMBER,prxyerr_str_reasons); From bcdeef56e1d57ce3cfb44d3013056572ed674945 Mon Sep 17 00:00:00 2001 From: Francesco Giacomini Date: Fri, 3 Feb 2017 16:30:33 +0100 Subject: [PATCH 04/16] it's actually a fix to issue #60 From 5de1cf463b52002cfa3f3821a59f95ada5feb686 Mon Sep 17 00:00:00 2001 From: Francesco Giacomini Date: Fri, 3 Feb 2017 16:54:32 +0100 Subject: [PATCH 05/16] fix issue #54 --- src/api/ccapi/voms_apic.h | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/src/api/ccapi/voms_apic.h b/src/api/ccapi/voms_apic.h index e613d09b..88078034 100644 --- a/src/api/ccapi/voms_apic.h +++ b/src/api/ccapi/voms_apic.h @@ -31,18 +31,10 @@ extern "C" { #endif #define NOGLOBUS -#ifndef GSSAPI_H_ - -/* - * Also check against _GSSAPI_H_ as that is what the Kerberos 5 code defines and - * what header files on some systems look for. - */ - -#ifndef _GSSAPI_H +#if !(defined(GSSAPI_H_) || defined(_GSSAPI_H) || defined(_GSSAPI_H_)) typedef void * gss_cred_id_t; typedef void * gss_ctx_id_t; #endif -#endif #include #include From 380171ef2eaeeacc923f8cbcac0e803137934881 Mon Sep 17 00:00:00 2001 From: Andrea Ceccanti Date: Thu, 3 May 2018 18:48:33 +0200 Subject: [PATCH 06/16] Added Jenkinsfile and minimal docker build image Based on italiangrid/pkg.base:centos6 --- Jenkinsfile | 55 +++++++++++++++++++++++++++++++++++++++ docker/Dockerfile.centos6 | 11 ++++++++ docker/build-image.sh | 3 +++ 3 files changed, 69 insertions(+) create mode 100644 Jenkinsfile create mode 100644 docker/Dockerfile.centos6 create mode 100644 docker/build-image.sh diff --git a/Jenkinsfile b/Jenkinsfile new file mode 100644 index 00000000..4dca4c31 --- /dev/null +++ b/Jenkinsfile @@ -0,0 +1,55 @@ +#!/usr/bin/env groovy + +pipeline { + + agent { + kubernetes { + cloud 'Kube mwdevel' + label 'build' + containerTemplate { + name 'builder' + image 'voms/voms-build:centos6' + ttyEnabled true + command 'cat' + } + } + + options { + timeout(time: 1, unit: 'HOURS') + buildDiscarder(logRotator(numToKeepStr: '5')) + } + + stages { + stage ('build') { + steps { + container('builder') { + sh "./autogen.sh" + sh "./configure && make" + } + } + } + + stage('result'){ + steps { + script { + currentBuild.result = 'SUCCESS' + } + } + } + } + + post { + failure { + slackSend color: 'danger', message: "${env.JOB_NAME} - #${env.BUILD_NUMBER} Failure (<${env.BUILD_URL}|Open>)" + } + + changed { + script{ + if('SUCCESS'.equals(currentBuild.result)) { + slackSend color: 'good', message: "${env.JOB_NAME} - #${env.BUILD_NUMBER} Back to normal (<${env.BUILD_URL}|Open>)" + } + } + } + } + } +} diff --git a/docker/Dockerfile.centos6 b/docker/Dockerfile.centos6 new file mode 100644 index 00000000..5234daa1 --- /dev/null +++ b/docker/Dockerfile.centos6 @@ -0,0 +1,11 @@ +FROM italiangrid/pkg.base:centos6 + +USER root + +RUN yum -y install expat-devel \ + pkgconfig openssl-devel \ + gsoap-devel mysql-devel \ + libxslt docbook-style-xsl \ + doxygen bison + +USER build diff --git a/docker/build-image.sh b/docker/build-image.sh new file mode 100644 index 00000000..14115f4d --- /dev/null +++ b/docker/build-image.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +docker build -t voms/voms-build:centos6 -f Dockerfile.centos6 . From 09f60e222b83d110325c5963bffc18b9e525e9f5 Mon Sep 17 00:00:00 2001 From: Andrea Ceccanti Date: Thu, 3 May 2018 18:55:26 +0200 Subject: [PATCH 07/16] Fixed typos in Jenkinsfile --- Jenkinsfile | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 4dca4c31..5170bd92 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -13,23 +13,24 @@ pipeline { command 'cat' } } + } - options { - timeout(time: 1, unit: 'HOURS') - buildDiscarder(logRotator(numToKeepStr: '5')) - } + options { + timeout(time: 1, unit: 'HOURS') + buildDiscarder(logRotator(numToKeepStr: '5')) + } - stages { - stage ('build') { - steps { - container('builder') { - sh "./autogen.sh" - sh "./configure && make" - } + stages { + stage ('build') { + steps { + container('builder') { + sh "./autogen.sh" + sh "./configure && make" } } + } - stage('result'){ + stage('result'){ steps { script { currentBuild.result = 'SUCCESS' @@ -39,6 +40,7 @@ pipeline { } post { + failure { slackSend color: 'danger', message: "${env.JOB_NAME} - #${env.BUILD_NUMBER} Failure (<${env.BUILD_URL}|Open>)" } @@ -50,6 +52,5 @@ pipeline { } } } - } } } From 3bae0a7f7fea557421068662c0904e9a8d0ead85 Mon Sep 17 00:00:00 2001 From: Andrea Ceccanti Date: Fri, 21 Jun 2019 16:01:36 +0200 Subject: [PATCH 08/16] Migrate to new CI configuration --- Jenkinsfile | 26 +++++++++++++++----------- configure.ac | 2 +- docker/Dockerfile.centos6 | 1 - 3 files changed, 16 insertions(+), 13 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 5170bd92..b814becc 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -3,16 +3,18 @@ pipeline { agent { - kubernetes { - cloud 'Kube mwdevel' - label 'build' - containerTemplate { - name 'builder' - image 'voms/voms-build:centos6' - ttyEnabled true - command 'cat' - } - } + kubernetes { + label "voms-${env.JOB_BASE_NAME}-${env.BUILD_NUMBER}" + cloud 'Kube mwdevel' + defaultContainer 'jnlp' + inheritFrom 'ci-template' + containerTemplate { + name 'runner' + image 'voms/voms-build:centos6' + ttyEnabled true + command 'cat' + } + } } options { @@ -20,10 +22,12 @@ pipeline { buildDiscarder(logRotator(numToKeepStr: '5')) } + triggers { cron('@daily') } + stages { stage ('build') { steps { - container('builder') { + container('runner') { sh "./autogen.sh" sh "./configure && make" } diff --git a/configure.ac b/configure.ac index d04cf232..e42e8b94 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -AC_INIT([VOMS], [2.1.0]) +AC_INIT([VOMS], [2.1.1]) AC_PREREQ(2.57) AC_CONFIG_AUX_DIR([./aux]) AM_INIT_AUTOMAKE diff --git a/docker/Dockerfile.centos6 b/docker/Dockerfile.centos6 index 5234daa1..af2416ff 100644 --- a/docker/Dockerfile.centos6 +++ b/docker/Dockerfile.centos6 @@ -8,4 +8,3 @@ RUN yum -y install expat-devel \ libxslt docbook-style-xsl \ doxygen bison -USER build From dba113478f485dfa06635eea2e5c09c7f3fe7dd8 Mon Sep 17 00:00:00 2001 From: Andrea Ceccanti Date: Mon, 18 May 2020 10:45:00 +0200 Subject: [PATCH 09/16] First incarnation of a systemd unit --- systemd/voms.service | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 systemd/voms.service diff --git a/systemd/voms.service b/systemd/voms.service new file mode 100644 index 00000000..22a286cf --- /dev/null +++ b/systemd/voms.service @@ -0,0 +1,14 @@ +[Unit] +Description=VOMS service + +[Service] +WorkingDirectory=/var/lib/voms-admin +EnvironmentFile=-/etc/sysconfig/voms +User=voms +Type=simple +ExecStart= +ExecStop=/bin/kill -TERM $MAINPID +KillMode=process + +[Install] +WantedBy=multi-user.target From 1414455cae346f5cdf98461bbf00e7d8c32098f3 Mon Sep 17 00:00:00 2001 From: Andrea Ceccanti Date: Thu, 28 May 2020 19:18:48 +0200 Subject: [PATCH 10/16] Instantiated service support for systemd unit --- systemd/voms.service | 14 -------------- systemd/voms@.service | 14 ++++++++++++++ 2 files changed, 14 insertions(+), 14 deletions(-) delete mode 100644 systemd/voms.service create mode 100644 systemd/voms@.service diff --git a/systemd/voms.service b/systemd/voms.service deleted file mode 100644 index 22a286cf..00000000 --- a/systemd/voms.service +++ /dev/null @@ -1,14 +0,0 @@ -[Unit] -Description=VOMS service - -[Service] -WorkingDirectory=/var/lib/voms-admin -EnvironmentFile=-/etc/sysconfig/voms -User=voms -Type=simple -ExecStart= -ExecStop=/bin/kill -TERM $MAINPID -KillMode=process - -[Install] -WantedBy=multi-user.target diff --git a/systemd/voms@.service b/systemd/voms@.service new file mode 100644 index 00000000..e735e5e2 --- /dev/null +++ b/systemd/voms@.service @@ -0,0 +1,14 @@ +[Unit] +Description=VOMS service for VO %I + +[Service] +WorkingDirectory=/ +EnvironmentFile=/etc/sysconfig/voms +User=voms +Type=forking +ExecStart=/usr/sbin/voms --conf /etc/voms/%I/voms.conf +KillMode=process +SuccessExitStatus=1 + +[Install] +WantedBy=multi-user.target From e825be8611fab5a5ec87e9caf0c821bba328f863 Mon Sep 17 00:00:00 2001 From: Andrea Ceccanti Date: Thu, 28 May 2020 19:42:25 +0200 Subject: [PATCH 11/16] Stop building clients --- Makefile.am | 2 +- src/Makefile.am | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/Makefile.am b/Makefile.am index 4c520626..de892c20 100644 --- a/Makefile.am +++ b/Makefile.am @@ -10,7 +10,7 @@ APIDOC_FILES = $(top_srcdir)/AUTHORS $(top_srcdir)/INSTALL $(top_srcdir)/LICENSE USERDOC_FILES = $(APIDOC_FILES) spec=spec/voms-all.spec -deb_comp="libvomsapi1 voms-dev voms-clients voms-server" +deb_comp="libvomsapi1 voms-dev voms-server" rpmbuild_dir=@WORKDIR@/rpmbuild debbuild_dir=@WORKDIR@/debbuild diff --git a/src/Makefile.am b/src/Makefile.am index 08c878ae..03da5812 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -9,7 +9,6 @@ SUBDIRS = \ ac \ api \ utils \ - client \ server \ install \ replica From bbe4e61788a900614aa7803ef8c4413c3a29496d Mon Sep 17 00:00:00 2001 From: Francesco Giacomini Date: Tue, 29 Sep 2020 07:26:34 +0000 Subject: [PATCH 12/16] Some .gitignore hygiene --- .gitignore | 20 +++++++++++++++++++- src/.gitignore | 23 +++++++++++++++++++++++ 2 files changed, 42 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index acc01d52..fa51e160 100644 --- a/.gitignore +++ b/.gitignore @@ -1,9 +1,27 @@ /aclocal.m4 /configure /autom4te.cache -/Makefile.in +/config.log +/config.status /.project /.cproject /.settings /.test +/.vscode /INSTALL +Makefile.in +Makefile +/aux +/m4/* +!/m4/glite.m4 +!/m4/voms.m4 +!/m4/wsdl2h.m4 +!/m4/acinclude.m4 +!/m4/Makefile.am +/libtool +.libs +.deps +*.la +*.lo +*.o +/testsuite/SuiteConfig diff --git a/src/.gitignore b/src/.gitignore index 9dec7808..072186b5 100644 --- a/src/.gitignore +++ b/src/.gitignore @@ -1 +1,24 @@ /autogen +/api/ccapi/voms-2.0.pc +/replica/voms_install_replica +/server/VOMSAC.h +/server/soapC.cpp +/server/soapClient.cpp +/server/soapClientLib.cpp +/server/soapServer.cpp +/server/soapServerLib.cpp +/server/soapStub.h +/server/soapH.h +/server/voms +/server/vomsSOAP.nsmap +/server/vomsSOAP.GetAttributeCertificate.req.xml +/server/vomsSOAP.GetAttributeCertificate.res.xml +/install/mysql2oracle +/install/sysconfig-voms +/install/upgrade1to2 +/install/voms.start +/install/voms_install_db +/utils/voms-proxy-destroy +/utils/voms-proxy-fake +/utils/voms-proxy-info +/utils/voms-verify From 25fe8ece573f45bf8ec167d10194c12003941499 Mon Sep 17 00:00:00 2001 From: Francesco Giacomini Date: Tue, 29 Sep 2020 07:37:39 +0000 Subject: [PATCH 13/16] INSTALL is generated --- INSTALL | 365 -------------------------------------------------------- 1 file changed, 365 deletions(-) delete mode 100644 INSTALL diff --git a/INSTALL b/INSTALL deleted file mode 100644 index 7d1c323b..00000000 --- a/INSTALL +++ /dev/null @@ -1,365 +0,0 @@ -Installation Instructions -************************* - -Copyright (C) 1994, 1995, 1996, 1999, 2000, 2001, 2002, 2004, 2005, -2006, 2007, 2008, 2009 Free Software Foundation, Inc. - - Copying and distribution of this file, with or without modification, -are permitted in any medium without royalty provided the copyright -notice and this notice are preserved. This file is offered as-is, -without warranty of any kind. - -Basic Installation -================== - - Briefly, the shell commands `./configure; make; make install' should -configure, build, and install this package. The following -more-detailed instructions are generic; see the `README' file for -instructions specific to this package. Some packages provide this -`INSTALL' file but do not implement all of the features documented -below. The lack of an optional feature in a given package is not -necessarily a bug. More recommendations for GNU packages can be found -in *note Makefile Conventions: (standards)Makefile Conventions. - - The `configure' shell script attempts to guess correct values for -various system-dependent variables used during compilation. It uses -those values to create a `Makefile' in each directory of the package. -It may also create one or more `.h' files containing system-dependent -definitions. Finally, it creates a shell script `config.status' that -you can run in the future to recreate the current configuration, and a -file `config.log' containing compiler output (useful mainly for -debugging `configure'). - - It can also use an optional file (typically called `config.cache' -and enabled with `--cache-file=config.cache' or simply `-C') that saves -the results of its tests to speed up reconfiguring. Caching is -disabled by default to prevent problems with accidental use of stale -cache files. - - If you need to do unusual things to compile the package, please try -to figure out how `configure' could check whether to do them, and mail -diffs or instructions to the address given in the `README' so they can -be considered for the next release. If you are using the cache, and at -some point `config.cache' contains results you don't want to keep, you -may remove or edit it. - - The file `configure.ac' (or `configure.in') is used to create -`configure' by a program called `autoconf'. You need `configure.ac' if -you want to change it or regenerate `configure' using a newer version -of `autoconf'. - - The simplest way to compile this package is: - - 1. `cd' to the directory containing the package's source code and type - `./configure' to configure the package for your system. - - Running `configure' might take a while. While running, it prints - some messages telling which features it is checking for. - - 2. Type `make' to compile the package. - - 3. Optionally, type `make check' to run any self-tests that come with - the package, generally using the just-built uninstalled binaries. - - 4. Type `make install' to install the programs and any data files and - documentation. When installing into a prefix owned by root, it is - recommended that the package be configured and built as a regular - user, and only the `make install' phase executed with root - privileges. - - 5. Optionally, type `make installcheck' to repeat any self-tests, but - this time using the binaries in their final installed location. - This target does not install anything. Running this target as a - regular user, particularly if the prior `make install' required - root privileges, verifies that the installation completed - correctly. - - 6. You can remove the program binaries and object files from the - source code directory by typing `make clean'. To also remove the - files that `configure' created (so you can compile the package for - a different kind of computer), type `make distclean'. There is - also a `make maintainer-clean' target, but that is intended mainly - for the package's developers. If you use it, you may have to get - all sorts of other programs in order to regenerate files that came - with the distribution. - - 7. Often, you can also type `make uninstall' to remove the installed - files again. In practice, not all packages have tested that - uninstallation works correctly, even though it is required by the - GNU Coding Standards. - - 8. Some packages, particularly those that use Automake, provide `make - distcheck', which can by used by developers to test that all other - targets like `make install' and `make uninstall' work correctly. - This target is generally not run by end users. - -Compilers and Options -===================== - - Some systems require unusual options for compilation or linking that -the `configure' script does not know about. Run `./configure --help' -for details on some of the pertinent environment variables. - - You can give `configure' initial values for configuration parameters -by setting variables in the command line or in the environment. Here -is an example: - - ./configure CC=c99 CFLAGS=-g LIBS=-lposix - - *Note Defining Variables::, for more details. - -Compiling For Multiple Architectures -==================================== - - You can compile the package for more than one kind of computer at the -same time, by placing the object files for each architecture in their -own directory. To do this, you can use GNU `make'. `cd' to the -directory where you want the object files and executables to go and run -the `configure' script. `configure' automatically checks for the -source code in the directory that `configure' is in and in `..'. This -is known as a "VPATH" build. - - With a non-GNU `make', it is safer to compile the package for one -architecture at a time in the source code directory. After you have -installed the package for one architecture, use `make distclean' before -reconfiguring for another architecture. - - On MacOS X 10.5 and later systems, you can create libraries and -executables that work on multiple system types--known as "fat" or -"universal" binaries--by specifying multiple `-arch' options to the -compiler but only a single `-arch' option to the preprocessor. Like -this: - - ./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ - CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ - CPP="gcc -E" CXXCPP="g++ -E" - - This is not guaranteed to produce working output in all cases, you -may have to build one architecture at a time and combine the results -using the `lipo' tool if you have problems. - -Installation Names -================== - - By default, `make install' installs the package's commands under -`/usr/local/bin', include files under `/usr/local/include', etc. You -can specify an installation prefix other than `/usr/local' by giving -`configure' the option `--prefix=PREFIX', where PREFIX must be an -absolute file name. - - You can specify separate installation prefixes for -architecture-specific files and architecture-independent files. If you -pass the option `--exec-prefix=PREFIX' to `configure', the package uses -PREFIX as the prefix for installing programs and libraries. -Documentation and other data files still use the regular prefix. - - In addition, if you use an unusual directory layout you can give -options like `--bindir=DIR' to specify different values for particular -kinds of files. Run `configure --help' for a list of the directories -you can set and what kinds of files go in them. In general, the -default for these options is expressed in terms of `${prefix}', so that -specifying just `--prefix' will affect all of the other directory -specifications that were not explicitly provided. - - The most portable way to affect installation locations is to pass the -correct locations to `configure'; however, many packages provide one or -both of the following shortcuts of passing variable assignments to the -`make install' command line to change installation locations without -having to reconfigure or recompile. - - The first method involves providing an override variable for each -affected directory. For example, `make install -prefix=/alternate/directory' will choose an alternate location for all -directory configuration variables that were expressed in terms of -`${prefix}'. Any directories that were specified during `configure', -but not in terms of `${prefix}', must each be overridden at install -time for the entire installation to be relocated. The approach of -makefile variable overrides for each directory variable is required by -the GNU Coding Standards, and ideally causes no recompilation. -However, some platforms have known limitations with the semantics of -shared libraries that end up requiring recompilation when using this -method, particularly noticeable in packages that use GNU Libtool. - - The second method involves providing the `DESTDIR' variable. For -example, `make install DESTDIR=/alternate/directory' will prepend -`/alternate/directory' before all installation names. The approach of -`DESTDIR' overrides is not required by the GNU Coding Standards, and -does not work on platforms that have drive letters. On the other hand, -it does better at avoiding recompilation issues, and works well even -when some directory options were not specified in terms of `${prefix}' -at `configure' time. - -Optional Features -================= - - If the package supports it, you can cause programs to be installed -with an extra prefix or suffix on their names by giving `configure' the -option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'. - - Some packages pay attention to `--enable-FEATURE' options to -`configure', where FEATURE indicates an optional part of the package. -They may also pay attention to `--with-PACKAGE' options, where PACKAGE -is something like `gnu-as' or `x' (for the X Window System). The -`README' should mention any `--enable-' and `--with-' options that the -package recognizes. - - For packages that use the X Window System, `configure' can usually -find the X include and library files automatically, but if it doesn't, -you can use the `configure' options `--x-includes=DIR' and -`--x-libraries=DIR' to specify their locations. - - Some packages offer the ability to configure how verbose the -execution of `make' will be. For these packages, running `./configure ---enable-silent-rules' sets the default to minimal output, which can be -overridden with `make V=1'; while running `./configure ---disable-silent-rules' sets the default to verbose, which can be -overridden with `make V=0'. - -Particular systems -================== - - On HP-UX, the default C compiler is not ANSI C compatible. If GNU -CC is not installed, it is recommended to use the following options in -order to use an ANSI C compiler: - - ./configure CC="cc -Ae -D_XOPEN_SOURCE=500" - -and if that doesn't work, install pre-built binaries of GCC for HP-UX. - - On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot -parse its `' header file. The option `-nodtk' can be used as -a workaround. If GNU CC is not installed, it is therefore recommended -to try - - ./configure CC="cc" - -and if that doesn't work, try - - ./configure CC="cc -nodtk" - - On Solaris, don't put `/usr/ucb' early in your `PATH'. This -directory contains several dysfunctional programs; working variants of -these programs are available in `/usr/bin'. So, if you need `/usr/ucb' -in your `PATH', put it _after_ `/usr/bin'. - - On Haiku, software installed for all users goes in `/boot/common', -not `/usr/local'. It is recommended to use the following options: - - ./configure --prefix=/boot/common - -Specifying the System Type -========================== - - There may be some features `configure' cannot figure out -automatically, but needs to determine by the type of machine the package -will run on. Usually, assuming the package is built to be run on the -_same_ architectures, `configure' can figure that out, but if it prints -a message saying it cannot guess the machine type, give it the -`--build=TYPE' option. TYPE can either be a short name for the system -type, such as `sun4', or a canonical name which has the form: - - CPU-COMPANY-SYSTEM - -where SYSTEM can have one of these forms: - - OS - KERNEL-OS - - See the file `config.sub' for the possible values of each field. If -`config.sub' isn't included in this package, then this package doesn't -need to know the machine type. - - If you are _building_ compiler tools for cross-compiling, you should -use the option `--target=TYPE' to select the type of system they will -produce code for. - - If you want to _use_ a cross compiler, that generates code for a -platform different from the build platform, you should specify the -"host" platform (i.e., that on which the generated programs will -eventually be run) with `--host=TYPE'. - -Sharing Defaults -================ - - If you want to set default values for `configure' scripts to share, -you can create a site shell script called `config.site' that gives -default values for variables like `CC', `cache_file', and `prefix'. -`configure' looks for `PREFIX/share/config.site' if it exists, then -`PREFIX/etc/config.site' if it exists. Or, you can set the -`CONFIG_SITE' environment variable to the location of the site script. -A warning: not all `configure' scripts look for a site script. - -Defining Variables -================== - - Variables not defined in a site shell script can be set in the -environment passed to `configure'. However, some packages may run -configure again during the build, and the customized values of these -variables may be lost. In order to avoid this problem, you should set -them in the `configure' command line, using `VAR=value'. For example: - - ./configure CC=/usr/local2/bin/gcc - -causes the specified `gcc' to be used as the C compiler (unless it is -overridden in the site shell script). - -Unfortunately, this technique does not work for `CONFIG_SHELL' due to -an Autoconf bug. Until the bug is fixed you can use this workaround: - - CONFIG_SHELL=/bin/bash /bin/bash ./configure CONFIG_SHELL=/bin/bash - -`configure' Invocation -====================== - - `configure' recognizes the following options to control how it -operates. - -`--help' -`-h' - Print a summary of all of the options to `configure', and exit. - -`--help=short' -`--help=recursive' - Print a summary of the options unique to this package's - `configure', and exit. The `short' variant lists options used - only in the top level, while the `recursive' variant lists options - also present in any nested packages. - -`--version' -`-V' - Print the version of Autoconf used to generate the `configure' - script, and exit. - -`--cache-file=FILE' - Enable the cache: use and save the results of the tests in FILE, - traditionally `config.cache'. FILE defaults to `/dev/null' to - disable caching. - -`--config-cache' -`-C' - Alias for `--cache-file=config.cache'. - -`--quiet' -`--silent' -`-q' - Do not print messages saying which checks are being made. To - suppress all normal output, redirect it to `/dev/null' (any error - messages will still be shown). - -`--srcdir=DIR' - Look for the package's source code in directory DIR. Usually - `configure' can determine that directory automatically. - -`--prefix=DIR' - Use DIR as the installation prefix. *note Installation Names:: - for more details, including other options available for fine-tuning - the installation locations. - -`--no-create' -`-n' - Run the configure checks, but stop before creating any output - files. - -`configure' also accepts some other, not widely useful, options. Run -`configure --help' for more details. - From 4984d10f269c1c41030bb39df971541e61a05985 Mon Sep 17 00:00:00 2001 From: Francesco Giacomini Date: Tue, 29 Sep 2020 12:32:13 +0200 Subject: [PATCH 14/16] Ignore LaTeX artifacts --- doc/.gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/.gitignore b/doc/.gitignore index acc81528..0429c875 100644 --- a/doc/.gitignore +++ b/doc/.gitignore @@ -1 +1,3 @@ /apidoc +/AC-RFC.* +!/AC-RFC.tex \ No newline at end of file From 4c56c6f2a6936e12b38aed0f4d1be9438f750c5d Mon Sep 17 00:00:00 2001 From: Francesco Giacomini Date: Tue, 6 Oct 2020 13:54:04 +0000 Subject: [PATCH 15/16] Ignore shell wrapper of voms-proxy-init --- src/.gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/src/.gitignore b/src/.gitignore index 072186b5..404285eb 100644 --- a/src/.gitignore +++ b/src/.gitignore @@ -22,3 +22,4 @@ /utils/voms-proxy-fake /utils/voms-proxy-info /utils/voms-verify +/client/voms-proxy-init From 7d327086f48563318d158c4c94c59437bf97b540 Mon Sep 17 00:00:00 2001 From: Francesco Giacomini Date: Tue, 6 Oct 2020 14:04:01 +0000 Subject: [PATCH 16/16] Use native openssl for authorityKeyIdentifier Fix https://issues.infn.it/jira/browse/VOMS-875 (for the part about incompatible AC) --- src/ac/extensions.c | 25 +------------------------ src/ac/write.c | 18 ++++++------------ 2 files changed, 7 insertions(+), 36 deletions(-) diff --git a/src/ac/extensions.c b/src/ac/extensions.c index d482293b..6eac744b 100644 --- a/src/ac/extensions.c +++ b/src/ac/extensions.c @@ -233,47 +233,25 @@ int initEx(void) { X509V3_EXT_METHOD *targets; X509V3_EXT_METHOD *avail; - X509V3_EXT_METHOD *auth; X509V3_EXT_METHOD *acseq; X509V3_EXT_METHOD *certseq; X509V3_EXT_METHOD *attribs; avail = (X509V3_EXT_METHOD *)OPENSSL_malloc(sizeof(X509V3_EXT_METHOD)); targets = (X509V3_EXT_METHOD *)OPENSSL_malloc(sizeof(X509V3_EXT_METHOD)); - auth = (X509V3_EXT_METHOD *)OPENSSL_malloc(sizeof(X509V3_EXT_METHOD)); acseq = (X509V3_EXT_METHOD *)OPENSSL_malloc(sizeof(X509V3_EXT_METHOD)); certseq = (X509V3_EXT_METHOD *)OPENSSL_malloc(sizeof(X509V3_EXT_METHOD)); attribs = (X509V3_EXT_METHOD *)OPENSSL_malloc(sizeof(X509V3_EXT_METHOD)); - if (!avail || !targets || !auth || !acseq || !certseq || !attribs) { + if (!avail || !targets || !acseq || !certseq || !attribs) { OPENSSL_free(avail); OPENSSL_free(targets); - OPENSSL_free(auth); OPENSSL_free(acseq); OPENSSL_free(certseq); OPENSSL_free(attribs); return 0; } -#ifndef VOMS_USE_OPENSSL_EXT_CODE - memset(auth, 0, sizeof(*auth)); - - auth->ext_nid = OBJ_txt2nid("authorityKeyIdentifier"); - - auth->ext_flags = 0; - auth->ext_new = (X509V3_EXT_NEW) AUTHORITY_KEYID_new; - auth->ext_free = (X509V3_EXT_FREE)AUTHORITY_KEYID_free; - auth->d2i = (X509V3_EXT_D2I) d2i_AUTHORITY_KEYID; - auth->i2d = (X509V3_EXT_I2D) i2d_AUTHORITY_KEYID; - auth->i2s = (X509V3_EXT_I2S) authkey_i2s; - auth->s2i = (X509V3_EXT_S2I) authkey_s2i; - auth->v2i = (X509V3_EXT_V2I) NULL; - auth->r2i = (X509V3_EXT_R2I) NULL; - auth->i2v = (X509V3_EXT_I2V) NULL; - auth->i2r = (X509V3_EXT_I2R) NULL; - - X509V3_EXT_add(auth); - memset(avail, 0, sizeof(*avail)); avail->ext_nid = OBJ_txt2nid("noRevAvail"); avail->ext_flags = 0; @@ -303,7 +281,6 @@ int initEx(void) targets->v2i = (X509V3_EXT_V2I) NULL; targets->r2i = (X509V3_EXT_R2I) NULL; targets->i2r = (X509V3_EXT_I2R) NULL; -#endif X509V3_EXT_add(targets); diff --git a/src/ac/write.c b/src/ac/write.c index 7050caed..8575e951 100644 --- a/src/ac/write.c +++ b/src/ac/write.c @@ -55,19 +55,13 @@ void add_no_rev_avail_ext(AC *ac) { int add_authority_key_id_ext(AC *ac, X509* issuer_cert) { - // Copy akid extension from issuer_cert - int ext_loc = X509_get_ext_by_NID(issuer_cert, NID_authority_key_identifier, -1); - - if (ext_loc == -1){ - return 1; + X509V3_CTX ctx; + X509V3_set_ctx(&ctx, issuer_cert, NULL, NULL, NULL, 0); + X509_EXTENSION* ext = X509V3_EXT_conf(NULL, &ctx, "authorityKeyIdentifier", "keyid:always"); + if (!ext) { + return AC_ERR_NO_EXTENSION; } - - X509_EXTENSION *akid = X509_get_ext(issuer_cert, ext_loc); - - assert( akid != NULL ); - - X509v3_add_ext(&ac->acinfo->exts, akid, -1); - + sk_X509_EXTENSION_push(ac->acinfo->exts, ext); return 0; }