XRootD
Loading...
Searching...
No Matches
XrdCryptosslgsiAux.cc
Go to the documentation of this file.
1/******************************************************************************/
2/* */
3/* X r d C r y p t o s s l g s i A u x . h h */
4/* */
5/* (c) 2005, G. Ganis / CERN */
6/* */
7/* This file is part of the XRootD software suite. */
8/* */
9/* XRootD is free software: you can redistribute it and/or modify it under */
10/* the terms of the GNU Lesser General Public License as published by the */
11/* Free Software Foundation, either version 3 of the License, or (at your */
12/* option) any later version. */
13/* */
14/* XRootD is distributed in the hope that it will be useful, but WITHOUT */
15/* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or */
16/* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public */
17/* License for more details. */
18/* */
19/* You should have received a copy of the GNU Lesser General Public License */
20/* along with XRootD in a file called COPYING.LESSER (LGPL license) and file */
21/* COPYING (GPL license). If not, see <http://www.gnu.org/licenses/>. */
22/* */
23/* The copyright holder's institutional names and contributor's names may not */
24/* be used to endorse or promote products derived from this software without */
25/* specific prior written permission of the institution or contributor. */
26/* */
27/******************************************************************************/
28
29/* ************************************************************************** */
30/* */
31/* GSI utility functions */
32/* */
33/* ************************************************************************** */
34#include <cstring>
35#include <sys/types.h>
36#include <sys/stat.h>
37
38#include <openssl/asn1.h>
39#include <openssl/asn1t.h>
40#include <openssl/err.h>
41#include <openssl/evp.h>
42#include <openssl/pem.h>
43#include <openssl/rsa.h>
44#include <openssl/x509v3.h>
45#include <memory>
46
47#include "XrdSut/XrdSutRndm.hh"
48#include "XrdCrypto/XrdCryptogsiX509Chain.hh"
49#include "XrdCrypto/XrdCryptosslAux.hh"
50#include "XrdCrypto/XrdCryptosslRSA.hh"
51#include "XrdCrypto/XrdCryptosslTrace.hh"
52#include "XrdCrypto/XrdCryptosslX509.hh"
53#include "XrdCrypto/XrdCryptosslX509Req.hh"
54
55//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++//
56// //
57// type aliases to ease use of smart pointers with common ssl structures //
58// //
59//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++//
60static void stackOfX509ExtensionDelete(STACK_OF(X509_EXTENSION) *ske) {
61 sk_X509_EXTENSION_pop_free(ske, X509_EXTENSION_free);
62}
63using EVP_PKEY_ptr = std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)>;
64using X509_ptr = std::unique_ptr<X509, decltype(&X509_free)>;
65using X509_NAME_ptr = std::unique_ptr<X509_NAME, decltype(&X509_NAME_free)>;
66using X509_REQ_ptr = std::unique_ptr<X509_REQ, decltype(&X509_REQ_free)>;
67using X509_EXTENSION_ptr = std::unique_ptr<X509_EXTENSION, decltype(&X509_EXTENSION_free)>;
68using PROXY_CERT_INFO_EXTENSION_ptr = std::unique_ptr<PROXY_CERT_INFO_EXTENSION, decltype(&PROXY_CERT_INFO_EXTENSION_free)>;
69using STACK_OF_X509_EXTENSION_ptr = std::unique_ptr<STACK_OF(X509_EXTENSION), decltype(&stackOfX509ExtensionDelete)>;
70
71//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++//
72// //
73// Extensions OID relevant for proxies //
74// //
75//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++//
76
77// X509v3 Key Usage: critical
78#define KEY_USAGE_OID "2.5.29.15"
79// X509v3 Subject Alternative Name: must be absent
80#define SUBJ_ALT_NAME_OID "2.5.29.17"
81
82//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++//
83// //
84// VOMS relevant stuff //
85// //
86//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++//
87
88#define XRDGSI_VOMS_ATCAP_OID "1.3.6.1.4.1.8005.100.100.4"
89#define XRDGSI_VOMS_ACSEQ_OID "1.3.6.1.4.1.8005.100.100.5"
90
91#define BIO_PRINT(b,c) \
92 BUF_MEM *bptr; \
93 BIO_get_mem_ptr(b, &bptr); \
94 if (bptr) { \
95 char *s = new char[bptr->length+1]; \
96 memcpy(s, bptr->data, bptr->length); \
97 s[bptr->length] = '\0'; \
98 PRINT(c << s); \
99 delete [] s; \
100 } else { \
101 PRINT("ERROR: "<<c<<" BIO internal buffer undefined!"); \
102 } \
103 if (b) BIO_free(b);
104
105#define BIO_GET_STRING(b,str) \
106 BUF_MEM *bptr; \
107 BIO_get_mem_ptr(b, &bptr); \
108 if (bptr) { \
109 char *s = new char[bptr->length+1]; \
110 memcpy(s, bptr->data, bptr->length); \
111 s[bptr->length] = '\0'; \
112 str = s; \
113 delete [] s; \
114 } else { \
115 PRINT("ERROR: GET_STRING: BIO internal buffer undefined!"); \
116 } \
117 if (b) BIO_free(b);
118
119static int XrdCheckRSA (EVP_PKEY *pkey) {
120 int rc;
121 EVP_PKEY_CTX *ckctx = EVP_PKEY_CTX_new(pkey, 0);
122 rc = EVP_PKEY_check(ckctx);
123 EVP_PKEY_CTX_free(ckctx);
124 return rc;
125}
126
127int XrdCryptosslX509Asn1PrintInfo(int tag, int xclass, int constructed, int indent);
128int XrdCryptosslX509FillUnknownExt(const unsigned char **pp, long length);
129int XrdCryptosslX509FillVOMS(const unsigned char **pp,
130 long length, bool &getvat, XrdOucString &vat);
131
132//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++//
133// //
134// Handlers of the ProxyCertInfo extension following RFC3820 //
135// //
136//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++//
137
138ASN1_SEQUENCE(PROXY_CERT_INFO_EXTENSION_OLD) =
139{
140 ASN1_SIMPLE(PROXY_CERT_INFO_EXTENSION, proxyPolicy, PROXY_POLICY),
141 ASN1_EXP_OPT(PROXY_CERT_INFO_EXTENSION, pcPathLengthConstraint, ASN1_INTEGER, 1)
142} ASN1_SEQUENCE_END_name(PROXY_CERT_INFO_EXTENSION, PROXY_CERT_INFO_EXTENSION_OLD)
143
144IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(PROXY_CERT_INFO_EXTENSION, PROXY_CERT_INFO_EXTENSION_OLD, PROXY_CERT_INFO_EXTENSION_OLD)
145
146//___________________________________________________________________________
147bool XrdCryptosslProxyCertInfo(const void *extdata, int &pathlen, bool *haspolicy)
148{
149 //
150 // Check presence of a proxyCertInfo and retrieve the path length constraint.
151 // Written following RFC3820, examples in openssl-<vers>/crypto source code.
152 // in gridsite code and Globus proxycertinfo.h / .c.
153 // if 'haspolicy' is defined, the existence of a policy field is checked;
154 // the content ignored for the time being.
155
156 // Make sure we got an extension
157 if (!extdata) {
158 return 0;
159 }
160 // Structure the buffer
161 X509_EXTENSION *ext = (X509_EXTENSION *)extdata;
162
163 // Check ProxyCertInfo OID
164 char s[80] = {0};
165 OBJ_obj2txt(s, sizeof(s), X509_EXTENSION_get_object(ext), 1);
166
167 // Now extract the path length constraint, if any
168 const unsigned char *p = ASN1_STRING_get0_data(X509_EXTENSION_get_data(ext));
169 PROXY_CERT_INFO_EXTENSION *pci = 0;
170 if (!strcmp(s, gsiProxyCertInfo_OID))
171 pci = d2i_PROXY_CERT_INFO_EXTENSION(0, &p, ASN1_STRING_length(X509_EXTENSION_get_data(ext)));
172 else if (!strcmp(s, gsiProxyCertInfo_OLD_OID))
173 pci = d2i_PROXY_CERT_INFO_EXTENSION_OLD(0, &p, ASN1_STRING_length(X509_EXTENSION_get_data(ext)));
174 if (!pci) {
175 return 0;
176 }
177
178 // Default length is -1, i.e. check disabled
179 pathlen = -1;
180 if (pci->pcPathLengthConstraint) {
181 pathlen = ASN1_INTEGER_get(pci->pcPathLengthConstraint);
182 }
183
184 // If required, check the existence of a policy field
185 if (haspolicy) {
186 *haspolicy = (pci->proxyPolicy) ? 1 : 0;
187 }
188
189 // We are done
190 return 1;
191}
192
193//___________________________________________________________________________
194void XrdCryptosslSetPathLenConstraint(void *extdata, int pathlen)
195{
196 //
197 // Set the patch length constraint valur in proxyCertInfo extension ext
198 // to 'pathlen'.
199
200 // Make sure we got an extension
201 if (!extdata)
202 return;
203 // Structure the buffer
204 X509_EXTENSION *ext = (X509_EXTENSION *)extdata;
205
206 // Check ProxyCertInfo OID
207 char s[80] = {0};
208 OBJ_obj2txt(s, sizeof(s), X509_EXTENSION_get_object(ext), 1);
209
210 // Now extract the path length constraint, if any
211 const unsigned char *p = ASN1_STRING_get0_data(X509_EXTENSION_get_data(ext));
212 PROXY_CERT_INFO_EXTENSION *pci = 0;
213 if (!strcmp(s, gsiProxyCertInfo_OID))
214 pci = d2i_PROXY_CERT_INFO_EXTENSION(0, &p, ASN1_STRING_length(X509_EXTENSION_get_data(ext)));
215 else if (!strcmp(s, gsiProxyCertInfo_OLD_OID))
216 pci = d2i_PROXY_CERT_INFO_EXTENSION_OLD(0, &p, ASN1_STRING_length(X509_EXTENSION_get_data(ext)));
217 if (!pci)
218 return;
219
220 // Set the new length
221 if (pci->pcPathLengthConstraint) {
222 ASN1_INTEGER_set(pci->pcPathLengthConstraint, pathlen);
223 }
224
225 // We are done
226 return;
227}
228
229//____________________________________________________________________________
230int XrdCryptosslX509CreateProxy(const char *fnc, const char *fnk,
231 XrdProxyOpt_t *pxopt,
232 XrdCryptogsiX509Chain *xp, XrdCryptoRSA **kp,
233 const char *fnp)
234{
235 // Create a proxy certificate following the GSI specification (RFC 3820)
236 // for the EEC certificate in file 'fnc', private key in 'fnk'.
237 // A chain containing the proxy certificate and the EEC is returned in 'xp'
238 // and its full RSA key in 'kp'.
239 // The structure pxopt can be used to change the default options about
240 // number of bits for the key, duration validity and max path signature depth.
241 // If 'fpn' is defined, a PEM file is created with, in order, the proxy
242 // certificate, the related private key and the EEC certificate (standard
243 // GSI format).
244 // Policy fields in the CertProxyExtension not yet included.
245 // Return 0 in case of success, < 0 otherwise
246 EPNAME("X509CreateProxy");
247
248 // Make sure the files are specified
249 if (!fnc || !fnk || !xp || !kp) {
250 PRINT("invalid inputs ");
251 return -1;
252 }
253
254 //
255 // Init OpenSSL
256 OpenSSL_add_all_ciphers();
257 OpenSSL_add_all_digests();
258 ERR_load_crypto_strings();
259
260 // Use default options, if not specified
261 int bits = (pxopt && pxopt->bits >= XrdCryptoMinRSABits) ? pxopt->bits : XrdCryptoDefRSABits;
262 int valid = (pxopt) ? pxopt->valid : 43200; // 12 hours
263 int depthlen = (pxopt) ? pxopt->depthlen : -1; // unlimited
264
265 //
266 // Get EEC certificate from fnc
267 X509 *xEEC = 0;
268 FILE *fc = fopen(fnc, "r");
269 if (fc) {
270 // Read out the certificate
271 if (PEM_read_X509(fc, &xEEC, 0, 0)) {
272 DEBUG("EEC certificate loaded from file: "<<fnc);
273 } else {
274 PRINT("unable to load EEC certificate from file: "<<fnc);
275 fclose(fc);
276 return -kErrPX_BadEECfile;
277 }
278 } else {
279 PRINT("EEC certificate cannot be opened (file: "<<fnc<<")");
280 return -kErrPX_BadEECfile;
281 }
282 fclose(fc);
283 // Make sure the certificate is not expired
284 int now = (int)time(0);
285 if (now > XrdCryptosslASN1toUTC(X509_get_notAfter(xEEC))) {
286 PRINT("EEC certificate has expired");
287 X509_free(xEEC);
288 return -kErrPX_ExpiredEEC;
289 }
290
291 //
292 // Get EEC private key from fnk
293 EVP_PKEY *ekEEC = 0;
294 FILE *fk = fopen(fnk, "r");
295 if (fk) {
296 // Read out the private key
297 XrdOucString sbj;
298 XrdCryptosslNameOneLine(X509_get_subject_name(xEEC), sbj);
299 PRINT("Your identity: "<<sbj);
300 if ((PEM_read_PrivateKey(fk, &ekEEC, 0, 0))) {
301 DEBUG("EEC private key loaded from file: "<<fnk);
302 } else {
303 PRINT("unable to load EEC private key from file: "<<fnk);
304 fclose(fk);
305 X509_free(xEEC);
306 return -kErrPX_BadEECfile;
307 }
308 } else {
309 PRINT("EEC private key file cannot be opened (file: "<<fnk<<")");
310 X509_free(xEEC);
311 return -kErrPX_BadEECfile;
312 }
313 fclose(fk);
314 // Check key consistency
315 if (XrdCheckRSA(ekEEC) != 1) {
316 PRINT("inconsistent key loaded");
317 EVP_PKEY_free(ekEEC);
318 X509_free(xEEC);
319 return -kErrPX_BadEECkey;
320 }
321 //
322 // Create a new request
323 X509_REQ *preq = X509_REQ_new();
324 if (!preq) {
325 PRINT("cannot to create cert request");
326 EVP_PKEY_free(ekEEC);
327 X509_free(xEEC);
328 return -kErrPX_NoResources;
329 }
330 //
331 // Create the new PKI for the proxy (exponent 65537)
332 BIGNUM *e = BN_new();
333 if (!e) {
334 PRINT("proxy key could not be generated - return");
335 EVP_PKEY_free(ekEEC);
336 X509_free(xEEC);
337 return -kErrPX_GenerateKey;
338 }
339 BN_set_word(e, 0x10001);
340 EVP_PKEY *ekPX = 0;
341 EVP_PKEY_CTX *pkctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, 0);
342 EVP_PKEY_keygen_init(pkctx);
343 EVP_PKEY_CTX_set_rsa_keygen_bits(pkctx, bits);
344#if OPENSSL_VERSION_NUMBER >= 0x30000000L
345 EVP_PKEY_CTX_set1_rsa_keygen_pubexp(pkctx, e);
346 BN_free(e);
347#else
348 EVP_PKEY_CTX_set_rsa_keygen_pubexp(pkctx, e);
349#endif
350 EVP_PKEY_keygen(pkctx, &ekPX);
351 EVP_PKEY_CTX_free(pkctx);
352 if (!ekPX) {
353 PRINT("proxy key could not be generated - return");
354 EVP_PKEY_free(ekEEC);
355 X509_free(xEEC);
356 return -kErrPX_GenerateKey;
357 }
358 X509_REQ_set_pubkey(preq, ekPX);
359 //
360 // Generate a serial number. Specification says that this *should*
361 // unique, so we just draw an unsigned random integer
362 unsigned int serial = XrdSutRndm::GetUInt();
363 //
364 // The subject name is the certificate subject + /CN=<rand_uint>
365 // with <rand_uint> is a random unsigned int used also as serial
366 // number.
367 // Duplicate user subject name
368 X509_NAME *psubj = X509_NAME_dup(X509_get_subject_name(xEEC));
369 // Create an entry with the common name
370 unsigned char sn[20] = {0};
371 sprintf((char *)sn, "%d", serial);
372 if (!X509_NAME_add_entry_by_txt(psubj, (char *)"CN", MBSTRING_ASC,
373 sn, -1, -1, 0)) {
374 PRINT("could not add CN - (serial: "<<serial<<", sn: "<<sn<<")");
375 return -kErrPX_SetAttribute;
376 }
377 //
378 // Set the name
379 if (X509_REQ_set_subject_name(preq, psubj) != 1) {
380 PRINT("could not set subject name - return");
381 return -kErrPX_SetAttribute;
382 }
383
384 //
385 // Create the extension CertProxyInfo
386 PROXY_CERT_INFO_EXTENSION *pci = PROXY_CERT_INFO_EXTENSION_new();
387 if (!pci) {
388 PRINT("could not create structure for extension - return");
389 return -kErrPX_NoResources;
390 }
391 pci->proxyPolicy->policyLanguage = OBJ_txt2obj("1.3.6.1.5.5.7.21.1", 1);
392 //
393 // Set the new length
394 if (depthlen > -1) {
395 if ((pci->pcPathLengthConstraint = ASN1_INTEGER_new())) {
396 ASN1_INTEGER_set(pci->pcPathLengthConstraint, depthlen);
397 } else {
398 PRINT("could not set the path length contrain");
399 return -kErrPX_SetPathDepth;
400 }
401 }
402
403 //
404 // create extension
405 X509_EXTENSION *ext = X509_EXTENSION_new();
406 if (!ext) {
407 PRINT("could not create extension object");
408 return -kErrPX_NoResources;
409 }
410 // Set extension name.
411 ASN1_OBJECT *obj = OBJ_txt2obj(gsiProxyCertInfo_OID, 1);
412 if (!obj || X509_EXTENSION_set_object(ext, obj) != 1) {
413 PRINT("could not set extension name");
414 return -kErrPX_SetAttribute;
415 }
416 // flag as critical
417 if (X509_EXTENSION_set_critical(ext, 1) != 1) {
418 PRINT("could not set extension critical flag");
419 return -kErrPX_SetAttribute;
420 }
421 // Extract data in format for extension
422 int len = i2d_PROXY_CERT_INFO_EXTENSION(pci, 0);
423 unsigned char *data = (unsigned char *) malloc(len);
424 if (!data) {
425 PRINT("could not allocate data field for extension");
426 return -kErrPX_NoResources;
427 }
428 unsigned char *pp = data;
429 if ((i2d_PROXY_CERT_INFO_EXTENSION(pci, &pp)) <= 0) {
430 PRINT("problem converting data for extension");
431 return -kErrPX_Error;
432 }
433 ASN1_OCTET_STRING *os = ASN1_OCTET_STRING_new();
434 if (!os) {
435 PRINT("could not allocate data field for extension");
436 return -kErrPX_NoResources;
437 }
438 if (ASN1_OCTET_STRING_set(os, data, len) == 0) {
439 PRINT("could not allocate data field for extension");
440 return -kErrPX_NoResources;
441 }
442 free(data);
443 if (X509_EXTENSION_set_data(ext, os) == 0) {
444 PRINT("could not allocate data field for extension");
445 return -kErrPX_NoResources;
446 }
447 ASN1_STRING_free(os);
448 // Create a stack
449 STACK_OF(X509_EXTENSION) *esk = sk_X509_EXTENSION_new_null();
450 if (!esk) {
451 PRINT("could not create stack for extensions");
452 return -kErrPX_NoResources;
453 }
454 //
455 // Now we add the new extension
456 if (sk_X509_EXTENSION_push(esk, ext) == 0) {
457 PRINT("could not push the extension in the stack");
458 return -kErrPX_Error;
459 }
460 // Add extension
461 if (!(X509_REQ_add_extensions(preq, esk))) {
462 PRINT("problem adding extension");
463 return -kErrPX_SetAttribute;
464 }
465 //
466 // Sign the request
467 if (!(X509_REQ_sign(preq, ekPX, EVP_sha256()))) {
468 PRINT("problems signing the request");
469 return -kErrPX_Signing;
470 }
471 //
472 // Create new proxy cert
473 X509 *xPX = X509_new();
474 if (!xPX) {
475 PRINT("could not create certificate object for proxies");
476 return -kErrPX_NoResources;
477 }
478
479 // Set version number
480 if (X509_set_version(xPX, 2L) != 1) {
481 PRINT("could not set version");
482 return -kErrPX_SetAttribute;
483 }
484
485 // Set serial number
486 if (ASN1_INTEGER_set(X509_get_serialNumber(xPX), serial) != 1) {
487 PRINT("could not set serial number");
488 return -kErrPX_SetAttribute;
489 }
490
491 // Set subject name
492 if (X509_set_subject_name(xPX, psubj) != 1) {
493 PRINT("could not set subject name");
494 return -kErrPX_SetAttribute;
495 }
496 X509_NAME_free(psubj);
497
498 // Set issuer name
499 if (X509_set_issuer_name(xPX, X509_get_subject_name(xEEC)) != 1) {
500 PRINT("could not set issuer name");
501 return -kErrPX_SetAttribute;
502 }
503
504 // Set public key
505 if (X509_set_pubkey(xPX, ekPX) != 1) {
506 PRINT("could not set issuer name");
507 return -kErrPX_SetAttribute;
508 }
509
510 // Set proxy validity: notBefore now
511 if (!X509_gmtime_adj(X509_get_notBefore(xPX), 0)) {
512 PRINT("could not set notBefore");
513 return -kErrPX_SetAttribute;
514 }
515
516 // Set proxy validity: notAfter expire_secs from now
517 if (!X509_gmtime_adj(X509_get_notAfter(xPX), valid)) {
518 PRINT("could not set notAfter");
519 return -kErrPX_SetAttribute;
520 }
521
522 // First duplicate the extensions of the EE certificate
523#if OPENSSL_VERSION_NUMBER < 0x40000000L
524 X509_EXTENSION *xEECext = 0;
525#else
526 const X509_EXTENSION *xEECext = 0;
527#endif
528 int nEECext = X509_get_ext_count(xEEC);
529 DEBUG("number of extensions found in the original certificate: "<< nEECext);
530 int i = 0;
531 bool haskeyusage = 0;
532 for (i = 0; i< nEECext; i++) {
533 xEECext = X509_get_ext(xEEC, i);
534 char s[256];
535 OBJ_obj2txt(s, sizeof(s), X509_EXTENSION_get_object(xEECext), 1);
536 // Flag key usage extension
537 if (!haskeyusage && !strcmp(s, KEY_USAGE_OID)) haskeyusage = 1;
538 // Skip subject alternative name extension
539 if (!strcmp(s, SUBJ_ALT_NAME_OID)) continue;
540 // Duplicate and add to the stack
541 X509_EXTENSION *xEECextdup = X509_EXTENSION_dup(xEECext);
542 if (X509_add_ext(xPX, xEECextdup, -1) == 0) {
543 PRINT("could not push the extension '"<<s<<"' in the stack");
544 return -kErrPX_Error;
545 }
546 // Notify what we added
547 int crit = X509_EXTENSION_get_critical(xEECextdup);
548 DEBUG("added extension '"<<s<<"', critical: " << crit);
549 }
550
551 // Warn if the critical oen is missing
552 if (!haskeyusage) {
553 PRINT(">>> WARNING: critical extension 'Key Usage' not found in original certificate! ");
554 PRINT(">>> WARNING: this proxy may not be accepted by some parsers. ");
555 }
556
557 // Add the extension
558 if (X509_add_ext(xPX, ext, -1) != 1) {
559 PRINT("could not add extension");
560 return -kErrPX_SetAttribute;
561 }
562
563 //
564 // Sign the certificate
565 if (!(X509_sign(xPX, ekEEC, EVP_sha256()))) {
566 PRINT("problems signing the certificate");
567 return -kErrPX_Signing;
568 }
569
570 // Fill outputs
571 XrdCryptoX509 *xcPX = new XrdCryptosslX509(xPX);
572 if (!xcPX) {
573 PRINT("could not create container for proxy certificate");
574 return -kErrPX_NoResources;
575 }
576 // We need the full key
577 ((XrdCryptosslX509 *)xcPX)->SetPKI((XrdCryptoX509data)ekPX);
578 xp->PushBack(xcPX);
579 XrdCryptoX509 *xcEEC = new XrdCryptosslX509(xEEC);
580 if (!xcEEC) {
581 PRINT("could not create container for EEC certificate");
582 return -kErrPX_NoResources;
583 }
584 xp->PushBack(xcEEC);
585 *kp = new XrdCryptosslRSA(ekPX);
586 if (!(*kp)) {
587 PRINT("could not creatr out PKI");
588 return -kErrPX_NoResources;
589 }
590
591 //
592 // Write to a file if requested
593 int rc = 0;
594 if (fnp) {
595 // Open the file in write mode
596 FILE *fp = fopen(fnp,"w");
597 int ifp = -1;
598 if (!fp) {
599 PRINT("cannot open file to save the proxy certificate (file: "<<fnp<<")");
600 rc = -kErrPX_ProxyFile;
601 }
602 else if ( (ifp = fileno(fp)) == -1) {
603 PRINT("got invalid file descriptor for the proxy certificate (file: "<<
604 fnp<<")");
605 fclose(fp);
606 rc = -kErrPX_ProxyFile;
607 }
608 // Set permissions to 0600
609 else if (fchmod(ifp, 0600) == -1) {
610 PRINT("cannot set permissions on file: "<<fnp<<" (errno: "<<errno<<")");
611 fclose(fp);
612 rc = -kErrPX_ProxyFile;
613 }
614 else if (!rc && PEM_write_X509(fp, xPX) != 1) {
615 PRINT("error while writing proxy certificate");
616 fclose(fp);
617 rc = -kErrPX_ProxyFile;
618 }
619 else if (!rc && PEM_write_PrivateKey(fp, ekPX, 0, 0, 0, 0, 0) != 1) {
620 PRINT("error while writing proxy private key");
621 fclose(fp);
622 rc = -kErrPX_ProxyFile;
623 }
624 else if (!rc && PEM_write_X509(fp, xEEC) != 1) {
625 PRINT("error while writing EEC certificate");
626 fclose(fp);
627 rc = -kErrPX_ProxyFile;
628 }
629 else
630 fclose(fp);
631 // Change
632 }
633
634 // Cleanup
635 EVP_PKEY_free(ekEEC);
636 X509_REQ_free(preq);
637 sk_X509_EXTENSION_free(esk);
638
639 // We are done
640 return rc;
641}
642
643//____________________________________________________________________________
644int XrdCryptosslX509CreateProxyReq(XrdCryptoX509 *xcpi,
645 XrdCryptoX509Req **xcro, XrdCryptoRSA **kcro)
646{
647 // Create a proxy certificate request following the GSI specification
648 // (RFC 3820) for the proxy certificate 'xpi'.
649 // The proxy certificate is returned in 'xpo' and its full RSA key in 'kpo'.
650 // Policy fields in the CertProxyExtension not yet included.
651 // Return 0 in case of success, < 0 otherwise
652 EPNAME("X509CreateProxyReq");
653
654 // Make sure we got an proxy certificate as input
655 if (!xcpi || !(xcpi->Opaque())) {
656 PRINT("input proxy certificate not specified");
657 return -1;
658 }
659
660 // Point to the cerificate
661 X509 *xpi = (X509 *)(xcpi->Opaque());
662
663 // Make sure the certificate is not expired
664 if (!(xcpi->IsValid())) {
665 PRINT("EEC certificate has expired");
666 return -kErrPX_ExpiredEEC;
667 }
668
669 // These will be assigned dynamically allocated ssl structures later.
670 // They use type aliases for unique_ptr, to ease use of a smart pointer.
671 //
672 EVP_PKEY_ptr ekro(nullptr, &EVP_PKEY_free);
673 X509_EXTENSION_ptr ext(nullptr, &X509_EXTENSION_free);
674 X509_NAME_ptr psubj(nullptr, &X509_NAME_free);
675 X509_REQ_ptr xro(nullptr, &X509_REQ_free);
676 PROXY_CERT_INFO_EXTENSION_ptr pci(nullptr, &PROXY_CERT_INFO_EXTENSION_free);
677 STACK_OF_X509_EXTENSION_ptr esk(nullptr, &stackOfX509ExtensionDelete);
678
679 //
680 // Create a new request
681 xro.reset(X509_REQ_new());
682 if (!xro) {
683 PRINT("cannot to create cert request");
684 return -kErrPX_NoResources;
685 }
686 //
687 // Use same num of bits as the signing certificate,
688 // but no less than the minimum RSA bits (2048)
689 ekro.reset(X509_get_pubkey(xpi));
690 int bits = EVP_PKEY_bits(ekro.get());
691 ekro = nullptr;
692
693 bits = (bits < XrdCryptoMinRSABits) ? XrdCryptoDefRSABits : bits;
694 //
695 // Create the new PKI for the proxy (exponent 65537)
696 BIGNUM *e = BN_new();
697 if (!e) {
698 PRINT("proxy key could not be generated - return");
699 return -kErrPX_GenerateKey;
700 }
701 BN_set_word(e, 0x10001);
702 EVP_PKEY_CTX *pkctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, 0);
703 EVP_PKEY_keygen_init(pkctx);
704 EVP_PKEY_CTX_set_rsa_keygen_bits(pkctx, bits);
705#if OPENSSL_VERSION_NUMBER >= 0x30000000L
706 EVP_PKEY_CTX_set1_rsa_keygen_pubexp(pkctx, e);
707 BN_free(e);
708#else
709 EVP_PKEY_CTX_set_rsa_keygen_pubexp(pkctx, e);
710#endif
711 {
712 EVP_PKEY *tmppk = nullptr;
713 EVP_PKEY_keygen(pkctx, &tmppk);
714 ekro.reset(tmppk);
715 }
716 EVP_PKEY_CTX_free(pkctx);
717 //
718 // Set the key into the request
719 if (!ekro) {
720 PRINT("proxy key could not be generated - return");
721 return -kErrPX_GenerateKey;
722 }
723 X509_REQ_set_pubkey(xro.get(), ekro.get());
724 //
725 // Generate a serial number. Specification says that this *should*
726 // unique, so we just draw an unsigned random integer
727 unsigned int serial = XrdSutRndm::GetUInt();
728 //
729 // The subject name is the certificate subject + /CN=<rand_uint>
730 // with <rand_uint> is a random unsigned int used also as serial
731 // number.
732 // Duplicate user subject name
733 psubj.reset(X509_NAME_dup(X509_get_subject_name(xpi)));
734 if (xcro && *xcro && *((int *)(*xcro)) <= 10100) {
735 // Delete existing proxy CN addition; for backward compatibility
736 int ne = X509_NAME_entry_count(psubj.get());
737 if (ne >= 0) {
738 X509_NAME_ENTRY *cne = X509_NAME_delete_entry(psubj.get(), ne-1);
739 if (cne) {
740 X509_NAME_ENTRY_free(cne);
741 } else {
742 DEBUG("problems modifying subject name");
743 }
744 }
745 *xcro = 0;
746 }
747 // Create an entry with the common name
748 unsigned char sn[20] = {0};
749 sprintf((char *)sn, "%d", serial);
750 if (!X509_NAME_add_entry_by_txt(psubj.get(), (char *)"CN", MBSTRING_ASC,
751 sn, -1, -1, 0)) {
752 PRINT("could not add CN - (serial: "<<serial<<", sn: "<<sn<<")");
753 return -kErrPX_SetAttribute;
754 }
755 //
756 // Set the name
757 if (X509_REQ_set_subject_name(xro.get(), psubj.get()) != 1) {
758 PRINT("could not set subject name - return");
759 return -kErrPX_SetAttribute;
760 }
761 psubj = nullptr;
762 //
763 // Create the extension CertProxyInfo
764 pci.reset(PROXY_CERT_INFO_EXTENSION_new());
765 if (!pci) {
766 PRINT("could not create structure for extension - return");
767 return -kErrPX_NoResources;
768 }
769 pci->proxyPolicy->policyLanguage = OBJ_txt2obj("1.3.6.1.5.5.7.21.1", 1);
770 //
771 // Create a stack
772 esk.reset(sk_X509_EXTENSION_new_null());
773 if (!esk) {
774 PRINT("could not create stack for extensions");
775 return -kErrPX_NoResources;
776 }
777 //
778 // Get signature path depth from present proxy
779#if OPENSSL_VERSION_NUMBER < 0x40000000L
780 X509_EXTENSION *xpiext = 0;
781#else
782 const X509_EXTENSION *xpiext = 0;
783#endif
784 int npiext = X509_get_ext_count(xpi);
785 int i = 0;
786 bool haskeyusage = 0;
787 int indepthlen = -1;
788 for (i = 0; i< npiext; i++) {
789 xpiext = X509_get_ext(xpi, i);
790 char s[256];
791 OBJ_obj2txt(s, sizeof(s), X509_EXTENSION_get_object(xpiext), 1);
792 // Flag key usage extension
793 if (!haskeyusage && !strcmp(s, KEY_USAGE_OID)) haskeyusage = 1;
794 // Skip subject alternative name extension
795 if (!strcmp(s, SUBJ_ALT_NAME_OID)) continue;
796 // Get signature path depth from present proxy
797 if (!strcmp(s, gsiProxyCertInfo_OID) ||
798 !strcmp(s, gsiProxyCertInfo_OLD_OID)) {
799 const unsigned char *p = ASN1_STRING_get0_data(X509_EXTENSION_get_data(xpiext));
800 PROXY_CERT_INFO_EXTENSION *inpci = 0;
801 if (!strcmp(s, gsiProxyCertInfo_OID))
802 inpci = d2i_PROXY_CERT_INFO_EXTENSION(0, &p, ASN1_STRING_length(X509_EXTENSION_get_data(xpiext)));
803 else
804 inpci = d2i_PROXY_CERT_INFO_EXTENSION_OLD(0, &p, ASN1_STRING_length(X509_EXTENSION_get_data(xpiext)));
805 if (inpci &&
806 inpci->pcPathLengthConstraint)
807 indepthlen = ASN1_INTEGER_get(inpci->pcPathLengthConstraint);
808 DEBUG("IN depth length: "<<indepthlen);
809 PROXY_CERT_INFO_EXTENSION_free(inpci);
810 } else {
811 // Duplicate and add to the stack
812 X509_EXTENSION *xpiextdup = X509_EXTENSION_dup(xpiext);
813 if (sk_X509_EXTENSION_push(esk.get(), xpiextdup) == 0) {
814 PRINT("could not push the extension '"<<s<<"' in the stack");
815 X509_EXTENSION_free(xpiextdup);
816 return -kErrPX_Error;
817 }
818 // Notify what we added
819 int crit = X509_EXTENSION_get_critical(xpiextdup);
820 DEBUG("added extension '"<<s<<"', critical: " << crit);
821 }
822 // Do not free the extension: its owned by the certificate
823 xpiext = 0;
824 }
825 //
826 // Warn if the critical oen is missing
827 if (!haskeyusage) {
828 PRINT(">>> WARNING: critical extension 'Key Usage' not found in original certificate! ");
829 PRINT(">>> WARNING: this proxy may not be accepted by some parsers. ");
830 }
831 //
832 // Set the new length
833 if (indepthlen > -1) {
834 if ((pci->pcPathLengthConstraint = ASN1_INTEGER_new())) {
835 int depthlen = (indepthlen > 0) ? (indepthlen-1) : 0;
836 ASN1_INTEGER_set(pci->pcPathLengthConstraint, depthlen);
837 } else {
838 PRINT("could not set the path length contrain");
839 return -kErrPX_SetPathDepth;
840 }
841 }
842 //
843 // create extension
844 ext.reset(X509_EXTENSION_new());
845 if (!ext) {
846 PRINT("could not create extension object");
847 return -kErrPX_NoResources;
848 }
849 // Extract data in format for extension
850 int len = i2d_PROXY_CERT_INFO_EXTENSION(pci.get(), 0);
851 unsigned char *data = (unsigned char *) malloc(len);
852 if (!data) {
853 PRINT("could not allocate data field for extension");
854 return -kErrPX_NoResources;
855 }
856 unsigned char *pp = data;
857 if ((i2d_PROXY_CERT_INFO_EXTENSION(pci.get(), &pp)) <= 0) {
858 PRINT("problem converting data for extension");
859 return -kErrPX_Error;
860 }
861 ASN1_OCTET_STRING *os = ASN1_OCTET_STRING_new();
862 if (!os) {
863 PRINT("could not allocate data field for extension");
864 return -kErrPX_NoResources;
865 }
866 if (ASN1_OCTET_STRING_set(os, data, len) == 0) {
867 PRINT("could not allocate data field for extension");
868 return -kErrPX_NoResources;
869 }
870 free(data);
871 if (X509_EXTENSION_set_data(ext.get(), os) == 0) {
872 PRINT("could not allocate data field for extension");
873 return -kErrPX_NoResources;
874 }
875 ASN1_STRING_free(os);
876 pci = nullptr;
877
878 // Set extension name.
879 ASN1_OBJECT *obj = OBJ_txt2obj(gsiProxyCertInfo_OID, 1);
880 if (!obj || X509_EXTENSION_set_object(ext.get(), obj) != 1) {
881 PRINT("could not set extension name");
882 ASN1_OBJECT_free(obj);
883 return -kErrPX_SetAttribute;
884 }
885 ASN1_OBJECT_free(obj);
886 obj = 0;
887
888 // flag as critical
889 if (X509_EXTENSION_set_critical(ext.get(), 1) != 1) {
890 PRINT("could not set extension critical flag");
891 return -kErrPX_SetAttribute;
892 }
893 if (sk_X509_EXTENSION_push(esk.get(), ext.get()) == 0) {
894 PRINT("could not push the extension in the stack");
895 return -kErrPX_Error;
896 }
897 // ext resource now owned by esk
898 ext.release();
899
900 // Add extensions
901 if (!(X509_REQ_add_extensions(xro.get(), esk.get()))) {
902 PRINT("problem adding extension");
903 return -kErrPX_SetAttribute;
904 }
905 //
906 // Sign the request
907 if (!(X509_REQ_sign(xro.get(), ekro.get(), EVP_sha256()))) {
908 PRINT("problems signing the request");
909 return -kErrPX_Signing;
910 }
911
912 // Prepare output
913 *xcro = new XrdCryptosslX509Req(xro.get());
914 *kcro = new XrdCryptosslRSA(ekro.get());
915
916 // xro, ekro resoruce now owned by *xcro and *kcro
917 xro.release();
918 ekro.release();
919
920 // We are done
921 return 0;
922}
923
924
925//____________________________________________________________________________
926int XrdCryptosslX509SignProxyReq(XrdCryptoX509 *xcpi, XrdCryptoRSA *kcpi,
927 XrdCryptoX509Req *xcri, XrdCryptoX509 **xcpo)
928{
929 // Sign a proxy certificate request.
930 // Return 0 in case of success, < 0 otherwise
931 EPNAME("X509SignProxyReq");
932
933 // Make sure we got the right inputs
934 if (!xcpi || !kcpi || !xcri || !xcpo) {
935 PRINT("invalid inputs");
936 return -1;
937 }
938
939 // Make sure the certificate is not expired
940 int timeleft = xcpi->NotAfter() - (int)time(0);
941 if (timeleft < 0) {
942 PRINT("EEC certificate has expired");
943 return -kErrPX_ExpiredEEC;
944 }
945 // Point to the cerificate
946 X509 *xpi = (X509 *)(xcpi->Opaque());
947
948 // Check key consistency
949 if (kcpi->status != XrdCryptoRSA::kComplete) {
950 PRINT("inconsistent key loaded");
951 return -kErrPX_BadEECkey;
952 }
953
954 // These will be assigned dynamically allocated ssl structures later.
955 // They use type aliases for unique_ptr, to ease use of a smart pointer.
956 //
957 EVP_PKEY_ptr ekpi(nullptr, &EVP_PKEY_free);
958 X509_ptr xpo(nullptr, &X509_free);
959 X509_EXTENSION_ptr ext(nullptr, &X509_EXTENSION_free);
960 PROXY_CERT_INFO_EXTENSION_ptr pci(nullptr, &PROXY_CERT_INFO_EXTENSION_free);
961 STACK_OF_X509_EXTENSION_ptr xrisk(nullptr, &stackOfX509ExtensionDelete);
962
963 // Point to the cerificate
964#if OPENSSL_VERSION_NUMBER >= 0x30000000L
965 ekpi.reset(EVP_PKEY_dup((EVP_PKEY *)(kcpi->Opaque())));
966 if (!ekpi) {
967 PRINT("could not create a EVP_PKEY * instance - return");
968 return -kErrPX_NoResources;
969 }
970#else
971 RSA *kpi = EVP_PKEY_get0_RSA((EVP_PKEY *)(kcpi->Opaque()));
972 //
973 // Set the key into the request
974 ekpi.reset(EVP_PKEY_new());
975 if (!ekpi) {
976 PRINT("could not create a EVP_PKEY * instance - return");
977 return -kErrPX_NoResources;
978 }
979 EVP_PKEY_set1_RSA(ekpi.get(), kpi);
980#endif
981
982 // Get request in raw form
983 X509_REQ *xri = (X509_REQ *)(xcri->Opaque());
984
985 // Extract subject names
986 XrdOucString psbj, rsbj;
987 XrdCryptosslNameOneLine(X509_get_subject_name(xpi), psbj);
988 XrdCryptosslNameOneLine(X509_REQ_get_subject_name(xri), rsbj);
989 if (psbj.length() <= 0 || rsbj.length() <= 0) {
990 PRINT("names undefined");
991 return -kErrPX_BadNames;
992 }
993
994 // Check the subject name: the new proxy one must be in the form
995 // '<issuer subject> + /CN=<serial>'
996 XrdOucString neecp(psbj);
997 XrdOucString neecr(rsbj,0,rsbj.rfind("/CN=")-1);
998 if (neecr.length() <= 0 || neecr.length() <= 0 || neecp != neecr) {
999 if (xcri->Version() <= 10100) {
1000 // Support previous format
1001 neecp.erase(psbj.rfind("/CN="));
1002 if (neecr.length() <= 0 || neecr.length() <= 0 || neecp != neecr) {
1003 PRINT("Request subject not in the form '<EEC subject> + /CN=<serial>'");
1004 PRINT(" Versn: "<<xcri->Version());
1005 PRINT(" Proxy: "<<neecp);
1006 PRINT(" SubRq: "<<neecr);
1007 return -kErrPX_BadNames;
1008 }
1009 } else {
1010 PRINT("Request subject not in the form '<issuer subject> + /CN=<serial>'");
1011 PRINT(" Versn: "<<xcri->Version());
1012 PRINT(" Proxy: "<<neecp);
1013 PRINT(" SubRq: "<<neecr);
1014 return -kErrPX_BadNames;
1015 }
1016 }
1017
1018 // Extract serial number
1019 XrdOucString sserial(rsbj,rsbj.rfind("/CN=")+4);
1020 unsigned int serial = (unsigned int)(strtol(sserial.c_str(), 0, 10));
1021 //
1022 // Create new proxy cert
1023 xpo.reset(X509_new());
1024 if (!xpo) {
1025 PRINT("could not create certificate object for proxies");
1026 return -kErrPX_NoResources;
1027 }
1028
1029 // Set version number
1030 if (X509_set_version(xpo.get(), 2L) != 1) {
1031 PRINT("could not set version");
1032 return -kErrPX_SetAttribute;
1033 }
1034
1035 // Set serial number
1036 if (ASN1_INTEGER_set(X509_get_serialNumber(xpo.get()), serial) != 1) {
1037 PRINT("could not set serial number");
1038 return -kErrPX_SetAttribute;
1039 }
1040
1041 // Set subject name
1042 if (X509_set_subject_name(xpo.get(), X509_REQ_get_subject_name(xri)) != 1) {
1043 PRINT("could not set subject name");
1044 return -kErrPX_SetAttribute;
1045 }
1046
1047 // Set issuer name
1048 if (X509_set_issuer_name(xpo.get(), X509_get_subject_name(xpi)) != 1) {
1049 PRINT("could not set issuer name");
1050 return -kErrPX_SetAttribute;
1051 }
1052
1053 // Set public key
1054 if (X509_set_pubkey(xpo.get(), X509_REQ_get_pubkey(xri)) != 1) {
1055 PRINT("could not set public key");
1056 return -kErrPX_SetAttribute;
1057 }
1058
1059 // Set proxy validity: notBefore now
1060 if (!X509_gmtime_adj(X509_get_notBefore(xpo.get()), 0)) {
1061 PRINT("could not set notBefore");
1062 return -kErrPX_SetAttribute;
1063 }
1064
1065 // Set proxy validity: notAfter timeleft from now
1066 if (!X509_gmtime_adj(X509_get_notAfter(xpo.get()), timeleft)) {
1067 PRINT("could not set notAfter");
1068 return -kErrPX_SetAttribute;
1069 }
1070
1071 //
1072 // Get signature path depth from input proxy
1073#if OPENSSL_VERSION_NUMBER < 0x40000000L
1074 X509_EXTENSION *xpiext = 0, *xriext = 0;
1075#else
1076 const X509_EXTENSION *xpiext = 0, *xriext = 0;
1077#endif
1078 int npiext = X509_get_ext_count(xpi);
1079 int i = 0;
1080 bool haskeyusage = 0;
1081 int indepthlen = -1;
1082 for (i = 0; i< npiext; i++) {
1083 xpiext = X509_get_ext(xpi, i);
1084 char s[256] = {0};
1085 const ASN1_OBJECT *obj = X509_EXTENSION_get_object(xpiext);
1086 if (obj)
1087 OBJ_obj2txt(s, sizeof(s), obj, 1);
1088 if (!strcmp(s, gsiProxyCertInfo_OID) ||
1089 !strcmp(s, gsiProxyCertInfo_OLD_OID)) {
1090 const unsigned char *p = ASN1_STRING_get0_data(X509_EXTENSION_get_data(xpiext));
1091 PROXY_CERT_INFO_EXTENSION *inpci = 0;
1092 if (!strcmp(s, gsiProxyCertInfo_OID))
1093 inpci = d2i_PROXY_CERT_INFO_EXTENSION(0, &p, ASN1_STRING_length(X509_EXTENSION_get_data(xpiext)));
1094 else
1095 inpci = d2i_PROXY_CERT_INFO_EXTENSION_OLD(0, &p, ASN1_STRING_length(X509_EXTENSION_get_data(xpiext)));
1096 if (inpci &&
1097 inpci->pcPathLengthConstraint)
1098 indepthlen = ASN1_INTEGER_get(inpci->pcPathLengthConstraint);
1099 DEBUG("IN depth length: "<<indepthlen);
1100 PROXY_CERT_INFO_EXTENSION_free(inpci);
1101 }
1102 // Flag key usage extension
1103 if (!haskeyusage && !strcmp(s, KEY_USAGE_OID)) haskeyusage = 1;
1104 // Fail if a subject alternative name extension is found
1105 if (!strcmp(s, SUBJ_ALT_NAME_OID)) {
1106 PRINT("subject alternative name extension not allowed! Skipping request");
1107 return -kErrPX_BadExtension;
1108 }
1109 // Attach to ProxyCertInfo extension if any
1110 if (!strcmp(s, gsiProxyCertInfo_OID) ||
1111 !strcmp(s, gsiProxyCertInfo_OLD_OID)) {
1112 if (xriext) {
1113 PRINT("more than one ProxyCertInfo extension! Skipping request");
1114 return -kErrPX_BadExtension;
1115 }
1116 xriext = xpiext;
1117 } else {
1118 // Duplicate and add to the stack
1119 X509_EXTENSION *xpiextdup = X509_EXTENSION_dup(xpiext);
1120 if (X509_add_ext(xpo.get(), xpiextdup, -1) == 0) {
1121 PRINT("could not push the extension '"<<s<<"' in the stack");
1122 X509_EXTENSION_free( xpiextdup );
1123 return -kErrPX_Error;
1124 }
1125 // Notify what we added
1126 int crit = X509_EXTENSION_get_critical(xpiextdup);
1127 DEBUG("added extension '"<<s<<"', critical: " << crit);
1128 X509_EXTENSION_free( xpiextdup );
1129 }
1130 // Do not free the extension: its owned by the certificate
1131 xpiext = 0;
1132 }
1133
1134 //
1135 // Get signature path depth from the request
1136 xrisk.reset(X509_REQ_get_extensions(xri));
1137 //
1138 // There must be at most one extension
1139 int nriext = sk_X509_EXTENSION_num(xrisk.get());
1140 if (nriext == 0 || !haskeyusage) {
1141 PRINT("wrong extensions in request: "<< nriext<<", "<<haskeyusage);
1142 return -kErrPX_BadExtension;
1143 }
1144 //
1145 // Get the content
1146 int reqdepthlen = -1;
1147 if (xriext) {
1148 const unsigned char *p = ASN1_STRING_get0_data(X509_EXTENSION_get_data(xriext));
1149 PROXY_CERT_INFO_EXTENSION *reqpci =
1150 d2i_PROXY_CERT_INFO_EXTENSION(0, &p, ASN1_STRING_length(X509_EXTENSION_get_data(xriext)));
1151 if (reqpci &&
1152 reqpci->pcPathLengthConstraint)
1153 reqdepthlen = ASN1_INTEGER_get(reqpci->pcPathLengthConstraint);
1154 PROXY_CERT_INFO_EXTENSION_free(reqpci);
1155 }
1156 DEBUG("REQ depth length: "<<reqdepthlen);
1157
1158 // We allow max indepthlen-1
1159 int outdepthlen = (reqdepthlen < indepthlen) ? reqdepthlen :
1160 (indepthlen - 1);
1161 //
1162 // Create the extension CertProxyInfo
1163 pci.reset(PROXY_CERT_INFO_EXTENSION_new());
1164 if (!pci) {
1165 PRINT("could not create structure for extension - return");
1166 return -kErrPX_NoResources;
1167 }
1168 pci->proxyPolicy->policyLanguage = OBJ_txt2obj("1.3.6.1.5.5.7.21.1", 1);
1169 //
1170 // Set the new length
1171 if (outdepthlen > -1) {
1172 if ((pci->pcPathLengthConstraint = ASN1_INTEGER_new())) {
1173 int depthlen = (outdepthlen > 0) ? (outdepthlen-1) : 0;
1174 ASN1_INTEGER_set(pci->pcPathLengthConstraint, depthlen);
1175 } else {
1176 PRINT("could not set the path length contrain");
1177 return -kErrPX_SetPathDepth;
1178 }
1179 }
1180 // create extension
1181 ext.reset(X509_EXTENSION_new());
1182 if (!ext) {
1183 PRINT("could not create extension object");
1184 return -kErrPX_NoResources;
1185 }
1186 // Extract data in format for extension
1187 int len = i2d_PROXY_CERT_INFO_EXTENSION(pci.get(), 0);
1188 unsigned char *data = (unsigned char *) malloc(len);
1189 if (!data) {
1190 PRINT("could not allocate data field for extension");
1191 return -kErrPX_NoResources;
1192 }
1193 unsigned char *pp = data;
1194 if ((i2d_PROXY_CERT_INFO_EXTENSION(pci.get(), &pp)) <= 0) {
1195 PRINT("problem converting data for extension");
1196 return -kErrPX_Error;
1197 }
1198 ASN1_OCTET_STRING *os = ASN1_OCTET_STRING_new();
1199 if (!os) {
1200 PRINT("could not allocate data field for extension");
1201 return -kErrPX_NoResources;
1202 }
1203 if (ASN1_OCTET_STRING_set(os, data, len) == 0) {
1204 PRINT("could not allocate data field for extension");
1205 return -kErrPX_NoResources;
1206 }
1207 free(data);
1208 if (X509_EXTENSION_set_data(ext.get(), os) == 0) {
1209 PRINT("could not allocate data field for extension");
1210 return -kErrPX_NoResources;
1211 }
1212 ASN1_STRING_free(os);
1213 pci = nullptr;
1214
1215 // Set extension name.
1216 ASN1_OBJECT *obj = OBJ_txt2obj(gsiProxyCertInfo_OID, 1);
1217 if (!obj || X509_EXTENSION_set_object(ext.get(), obj) != 1) {
1218 PRINT("could not set extension name");
1219 ASN1_OBJECT_free( obj );
1220 return -kErrPX_SetAttribute;
1221 }
1222 ASN1_OBJECT_free( obj );
1223 obj = 0;
1224
1225 // flag as critical
1226 if (X509_EXTENSION_set_critical(ext.get(), 1) != 1) {
1227 PRINT("could not set extension critical flag");
1228 return -kErrPX_SetAttribute;
1229 }
1230
1231 // Add the extension (adds a copy of the extension)
1232 if (X509_add_ext(xpo.get(), ext.get(), -1) == 0) {
1233 PRINT("could not add extension");
1234 return -kErrPX_SetAttribute;
1235 }
1236
1237 //
1238 // Sign the certificate
1239 if (!(X509_sign(xpo.get(), ekpi.get(), EVP_sha256()))) {
1240 PRINT("problems signing the certificate");
1241 return -kErrPX_Signing;
1242 }
1243
1244 ekpi = nullptr;
1245 ext = nullptr;
1246
1247 // Prepare outputs
1248 *xcpo = new XrdCryptosslX509(xpo.get());
1249
1250 // xpo resource is now owned by the *xcpo
1251 xpo.release();
1252
1253 // We are done
1254 return 0;
1255}
1256
1257//____________________________________________________________________________
1258int XrdCryptosslX509GetVOMSAttr(XrdCryptoX509 *xcpi, XrdOucString &vat)
1259{
1260 // Get VOMS attributes from the certificate, if present
1261 // Return 0 in case of success, 1 if VOMS info is not available, < 0 if any
1262 // error occurred
1263 EPNAME("X509GetVOMSAttr");
1264
1265 int rc = -1;
1266 // Make sure we got the right inputs
1267 if (!xcpi) {
1268 PRINT("invalid inputs");
1269 return rc;
1270 }
1271
1272 // Point to the cerificate
1273 X509 *xpi = (X509 *)(xcpi->Opaque());
1274
1275 rc = 1;
1276 bool getvat = 0;
1277 // Go through the extensions
1278#if OPENSSL_VERSION_NUMBER < 0x40000000L
1279 X509_EXTENSION *xpiext = 0;
1280#else
1281 const X509_EXTENSION *xpiext = 0;
1282#endif
1283 int npiext = X509_get_ext_count(xpi);
1284 int i = 0;
1285 for (i = 0; i< npiext; i++) {
1286 xpiext = X509_get_ext(xpi, i);
1287 char s[256];
1288 OBJ_obj2txt(s, sizeof(s), X509_EXTENSION_get_object(xpiext), 1);
1289 // Notify what we found
1290 DEBUG("found extension '"<<s<<"'");
1291 if (strcmp(s, XRDGSI_VOMS_ACSEQ_OID)) continue;
1292 // This is the VOMS extension we are interested for
1293 rc = 0;
1294 const unsigned char *pp = ASN1_STRING_get0_data(X509_EXTENSION_get_data(xpiext));
1295 long length = ASN1_STRING_length(X509_EXTENSION_get_data(xpiext));
1296 int ret = XrdCryptosslX509FillVOMS(&pp, length, getvat, vat);
1297 DEBUG("ret: " << ret << " - vat: " << vat);
1298 }
1299
1300 // Done
1301 return rc;
1302}
1303
1304//____________________________________________________________________________
1305int XrdCryptosslX509FillVOMS(const unsigned char **pp,
1306 long length, bool &getvat, XrdOucString &vat)
1307{
1308 // Look recursively for the VOMS attributes
1309 // Return 2 if found, 1 if to continue searching, 0 to stop
1310 EPNAME("X509FillVOMS");
1311
1312 const unsigned char *p,*ep,*tot,*op,*opp;
1313 long len;
1314 int tag, xclass, ret = 0;
1315 int /*nl,*/ hl,j,r;
1316 ASN1_OBJECT *o = 0;
1317 ASN1_OCTET_STRING *os = 0;
1318
1319 bool gotvat = 0;
1320 p = *pp;
1321 tot = p + length;
1322 op = p - 1;
1323 while ((p < tot) && (op < p)) {
1324 op = p;
1325 j = ASN1_get_object(&p, &len, &tag, &xclass, length);
1326#ifdef LINT
1327 j = j;
1328#endif
1329 if (j & 0x80) {
1330 PRINT("ERROR: error in encoding");
1331 ret = 0;
1332 goto end;
1333 }
1334 hl = (p-op);
1335 length -= hl;
1336 /* if j == 0x21 it is a constructed indefinite length object */
1337
1338 if (j & V_ASN1_CONSTRUCTED) {
1339 ep = p + len;
1340 if (len > length) {
1341 PRINT("ERROR:CONST: length is greater than " <<length);
1342 ret=0;
1343 goto end;
1344 }
1345 if ((j == 0x21) && (len == 0)) {
1346 for (;;) {
1347 r = XrdCryptosslX509FillVOMS(&p, (long)(tot-p), getvat, vat);
1348 if (r == 0) {
1349 ret = 0;
1350 goto end;
1351 }
1352 if ((r == 2) || (p >= tot))
1353 break;
1354 }
1355 } else {
1356 while (p < ep) {
1357 r = XrdCryptosslX509FillVOMS(&p, (long)len, getvat, vat);
1358 if (r == 0) {
1359 ret = 0;
1360 goto end;
1361 }
1362 }
1363 }
1364 } else {
1365 // nl = 0;
1366 if (tag == V_ASN1_OBJECT) {
1367 opp = op;
1368 if (d2i_ASN1_OBJECT(&o, &opp, len+hl)) {
1369 BIO *mem = BIO_new(BIO_s_mem());
1370 i2a_ASN1_OBJECT(mem, o);
1371 XrdOucString objstr;
1372 BIO_GET_STRING(mem, objstr);
1373 // Looking for the right extension ...
1374 if (objstr == XRDGSI_VOMS_ATCAP_OID || objstr == "idatcap") getvat = 1;
1375 DEBUG("AOBJ:"<<objstr<< " (getvat: "<<getvat<<")");
1376 } else {
1377 PRINT("ERROR:AOBJ: BAD OBJECT");
1378 }
1379 } else if (tag == V_ASN1_OCTET_STRING) {
1380 int i, printable = 1;
1381 opp = op;
1382 os = d2i_ASN1_OCTET_STRING(0, &opp, len + hl);
1383 if (os && ASN1_STRING_length(os) > 0) {
1384 opp = ASN1_STRING_get0_data(os);
1385 // Testing whether the octet string is printable
1386 for (i=0; i < ASN1_STRING_length(os); i++) {
1387 if (( (opp[i] < ' ') && (opp[i] != '\n') &&
1388 (opp[i] != '\r') && (opp[i] != '\t')) || (opp[i] > '~')) {
1389 printable = 0;
1390 break;
1391 }
1392 }
1393 if (printable) {
1394 // Printable string: it may be what we need
1395 if (getvat) {
1396 if (vat.length() > 0) vat += ",";
1397 vat += (const char *)opp;
1398 gotvat = 1;
1399 }
1400 DEBUG("OBJS:" << (const char *)opp << " (len: " << ASN1_STRING_length(os) << ")");
1401 }
1402 }
1403 if (os) {
1404 ASN1_OCTET_STRING_free(os);
1405 os = 0;
1406 }
1407 }
1408
1409 p += len;
1410 if ((tag == V_ASN1_EOC) && (xclass == 0)) {
1411 ret = 2; /* End of sequence */
1412 goto end;
1413 }
1414 }
1415 length -= len;
1416 }
1417 ret = 1;
1418 if (gotvat) {
1419 getvat = 0;
1420 ret = 2;
1421 }
1422end:
1423 if (o) ASN1_OBJECT_free(o);
1424 if (os) ASN1_OCTET_STRING_free(os);
1425 *pp = p;
1426 DEBUG("ret: "<<ret<<" - getvat: "<<getvat);
1427
1428 return ret;
1429}
1430
1431//____________________________________________________________________________
1432int XrdCryptosslX509CheckProxy3(XrdCryptoX509 *xcpi, XrdOucString &emsg) {
1433 //
1434 // Check GSI 3 proxy info extension
1435 // Returns: 0 if found
1436 // -1 if found by invalid/not usable,
1437 // -2 if not found (likely a v2 legacy proxy)
1438
1439 EPNAME("X509CheckProxy3");
1440
1441 // Point to the cerificate
1442 X509 *cert = (X509 *)(xcpi->Opaque());
1443
1444 // Are there any extension?
1445 int numext = X509_get_ext_count(cert);
1446 if (numext <= 0) {
1447 emsg = "certificate has got no extensions";
1448 return -1;
1449 }
1450 TRACE(ALL,"certificate has "<<numext<<" extensions");
1451
1452#if OPENSSL_VERSION_NUMBER < 0x40000000L
1453 X509_EXTENSION *ext = 0;
1454#else
1455 const X509_EXTENSION *ext = 0;
1456#endif
1457 PROXY_CERT_INFO_EXTENSION *pci = 0;
1458 for (int i = 0; i < numext; i++) {
1459 // Get the extension
1460#if OPENSSL_VERSION_NUMBER < 0x40000000L
1461 X509_EXTENSION *xext = X509_get_ext(cert, i);
1462#else
1463 const X509_EXTENSION *xext = X509_get_ext(cert, i);
1464#endif
1465 // We are looking for gsiProxyCertInfo_OID ("1.3.6.1.5.5.7.1.14")
1466 // or gsiProxyCertInfo_OLD_OID ("1.3.6.1.4.1.3536.1.222")
1467 char s[256];
1468 OBJ_obj2txt(s, sizeof(s), X509_EXTENSION_get_object(xext), 1);
1469 DEBUG(i << ": got: "<< s);
1470 if (!strncmp(s, gsiProxyCertInfo_OID, sizeof(gsiProxyCertInfo_OID))) {
1471 if (ext == 0) {
1472 ext = xext;
1473 // Now get the extension
1474 const unsigned char *p = ASN1_STRING_get0_data(X509_EXTENSION_get_data(ext));
1475 pci = d2i_PROXY_CERT_INFO_EXTENSION(0, &p, ASN1_STRING_length(X509_EXTENSION_get_data(ext)));
1476 } else {
1477 PRINT("WARNING: multiple proxyCertInfo extensions found: taking the first");
1478 }
1479 } else if (!strncmp(s, gsiProxyCertInfo_OLD_OID, sizeof(gsiProxyCertInfo_OLD_OID))) {
1480 if (ext == 0) {
1481 ext = xext;
1482 // Now get the extension
1483 const unsigned char *p = ASN1_STRING_get0_data(X509_EXTENSION_get_data(ext));
1484 pci = d2i_PROXY_CERT_INFO_EXTENSION_OLD(0, &p, ASN1_STRING_length(X509_EXTENSION_get_data(ext)));
1485 } else {
1486 PRINT("WARNING: multiple proxyCertInfo extensions found: taking the first");
1487 }
1488 }
1489 }
1490 //
1491 // If the extension was not found it is probably a legacy (v2) proxy: signal it
1492 if (!ext) {
1493 emsg = "proxyCertInfo extension not found";
1494 return -2;
1495 }
1496 if (!pci) {
1497 emsg = "proxyCertInfo extension could not be deserialized";
1498 return -1;
1499 }
1500
1501 // Check if there is a policy
1502 if ((pci->proxyPolicy) == 0) {
1503 emsg = "could not access policy from proxyCertInfo extension";
1504 return -1;
1505 }
1506
1507 if ((pci->proxyPolicy->policyLanguage) == 0) {
1508 emsg = "could not access policy language from proxyCertInfo extension";
1509 return -1;
1510 }
1511
1512 // Done
1513 return 0;
1514}
DEBUG
#define DEBUG(x)
Definition XrdBwmTrace.hh:54
EPNAME
#define EPNAME(x)
Definition XrdBwmTrace.hh:56
XrdCryptoMinRSABits
#define XrdCryptoMinRSABits
Definition XrdCryptoAux.hh:52
XrdCryptoDefRSABits
#define XrdCryptoDefRSABits
Definition XrdCryptoAux.hh:53
gsiProxyCertInfo_OID
#define gsiProxyCertInfo_OID
Definition XrdCryptoFactory.hh:94
gsiProxyCertInfo_OLD_OID
#define gsiProxyCertInfo_OLD_OID
Definition XrdCryptoFactory.hh:93
XrdProxyOpt_t
Definition XrdCryptoFactory.hh:100
XrdCryptoX509data
void * XrdCryptoX509data
Definition XrdCryptoX509.hh:43
XrdCryptosslASN1toUTC
time_t XrdCryptosslASN1toUTC(const ASN1_TIME *tsn1)
Definition XrdCryptosslAux.cc:675
XrdCryptosslNameOneLine
void XrdCryptosslNameOneLine(const X509_NAME *nm, XrdOucString &s)
Definition XrdCryptosslAux.cc:736
XrdCryptosslSetPathLenConstraint
void XrdCryptosslSetPathLenConstraint(void *ext, int pathlen)
kErrPX_ProxyFile
#define kErrPX_ProxyFile
Definition XrdCryptosslAux.hh:120
kErrPX_BadExtension
#define kErrPX_BadExtension
Definition XrdCryptosslAux.hh:123
XrdCryptosslX509CheckProxy3
int XrdCryptosslX509CheckProxy3(XrdCryptoX509 *, XrdOucString &)
kErrPX_SetAttribute
#define kErrPX_SetAttribute
Definition XrdCryptosslAux.hh:116
kErrPX_Signing
#define kErrPX_Signing
Definition XrdCryptosslAux.hh:118
XrdCryptosslX509SignProxyReq
int XrdCryptosslX509SignProxyReq(XrdCryptoX509 *, XrdCryptoRSA *, XrdCryptoX509Req *, XrdCryptoX509 **)
kErrPX_BadNames
#define kErrPX_BadNames
Definition XrdCryptosslAux.hh:121
kErrPX_Error
#define kErrPX_Error
Definition XrdCryptosslAux.hh:111
XrdCryptosslProxyCertInfo
bool XrdCryptosslProxyCertInfo(const void *ext, int &pathlen, bool *haspolicy=0)
kErrPX_NoResources
#define kErrPX_NoResources
Definition XrdCryptosslAux.hh:115
XrdCryptosslX509CreateProxyReq
int XrdCryptosslX509CreateProxyReq(XrdCryptoX509 *, XrdCryptoX509Req **, XrdCryptoRSA **)
XrdCryptosslX509CreateProxy
int XrdCryptosslX509CreateProxy(const char *, const char *, XrdProxyOpt_t *, XrdCryptogsiX509Chain *, XrdCryptoRSA **, const char *)
XrdCryptosslX509GetVOMSAttr
int XrdCryptosslX509GetVOMSAttr(XrdCryptoX509 *, XrdOucString &)
kErrPX_GenerateKey
#define kErrPX_GenerateKey
Definition XrdCryptosslAux.hh:119
kErrPX_SetPathDepth
#define kErrPX_SetPathDepth
Definition XrdCryptosslAux.hh:117
kErrPX_ExpiredEEC
#define kErrPX_ExpiredEEC
Definition XrdCryptosslAux.hh:114
kErrPX_BadEECfile
#define kErrPX_BadEECfile
Definition XrdCryptosslAux.hh:112
kErrPX_BadEECkey
#define kErrPX_BadEECkey
Definition XrdCryptosslAux.hh:113
PRINT
#define PRINT(y)
Definition XrdCryptosslTrace.hh:39
XrdCheckRSA
static int XrdCheckRSA(EVP_PKEY *pkey)
Definition XrdCryptosslgsiAux.cc:119
EVP_PKEY_ptr
std::unique_ptr< EVP_PKEY, decltype(&EVP_PKEY_free)> EVP_PKEY_ptr
Definition XrdCryptosslgsiAux.cc:63
BIO_GET_STRING
#define BIO_GET_STRING(b, str)
Definition XrdCryptosslgsiAux.cc:105
XrdCryptosslX509FillUnknownExt
int XrdCryptosslX509FillUnknownExt(const unsigned char **pp, long length)
KEY_USAGE_OID
#define KEY_USAGE_OID
Definition XrdCryptosslgsiAux.cc:78
stackOfX509ExtensionDelete
static void stackOfX509ExtensionDelete(STACK_OF(X509_EXTENSION) *ske)
Definition XrdCryptosslgsiAux.cc:60
XRDGSI_VOMS_ATCAP_OID
#define XRDGSI_VOMS_ATCAP_OID
Definition XrdCryptosslgsiAux.cc:88
XrdCryptosslX509Asn1PrintInfo
int XrdCryptosslX509Asn1PrintInfo(int tag, int xclass, int constructed, int indent)
XrdCryptosslX509FillVOMS
int XrdCryptosslX509FillVOMS(const unsigned char **pp, long length, bool &getvat, XrdOucString &vat)
XRDGSI_VOMS_ACSEQ_OID
#define XRDGSI_VOMS_ACSEQ_OID
Definition XrdCryptosslgsiAux.cc:89
SUBJ_ALT_NAME_OID
#define SUBJ_ALT_NAME_OID
Definition XrdCryptosslgsiAux.cc:80
STACK_OF_X509_EXTENSION_ptr
std::unique_ptr< STACK_OF(X509_EXTENSION), decltype(&stackOfX509ExtensionDelete)> STACK_OF_X509_EXTENSION_ptr
Definition XrdCryptosslgsiAux.cc:69
X509_ptr
std::unique_ptr< X509, decltype(&X509_free)> X509_ptr
Definition XrdCryptosslgsiAux.cc:64
X509_NAME_ptr
std::unique_ptr< X509_NAME, decltype(&X509_NAME_free)> X509_NAME_ptr
Definition XrdCryptosslgsiAux.cc:65
X509_EXTENSION_ptr
std::unique_ptr< X509_EXTENSION, decltype(&X509_EXTENSION_free)> X509_EXTENSION_ptr
Definition XrdCryptosslgsiAux.cc:67
PROXY_CERT_INFO_EXTENSION_ptr
std::unique_ptr< PROXY_CERT_INFO_EXTENSION, decltype(&PROXY_CERT_INFO_EXTENSION_free)> PROXY_CERT_INFO_EXTENSION_ptr
Definition XrdCryptosslgsiAux.cc:68
X509_REQ_ptr
std::unique_ptr< X509_REQ, decltype(&X509_REQ_free)> X509_REQ_ptr
Definition XrdCryptosslgsiAux.cc:66
fclose
int fclose(FILE *stream)
Definition XrdPosixPreload.cc:173
fopen
#define fopen(a, b)
Definition XrdPosix.hh:54
emsg
int emsg(int rc, char *msg)
Definition XrdSectestServer.cc:309
TRACE
#define TRACE(act, x)
Definition XrdTrace.hh:63
XrdCryptoRSA::status
ERSAStatus status
Definition XrdCryptoRSA.hh:58
XrdCryptoRSA::Opaque
virtual XrdCryptoRSAdata Opaque()
Definition XrdCryptoRSA.cc:51
XrdCryptoX509Chain::PushBack
void PushBack(XrdCryptoX509 *c)
Definition XrdCryptoX509Chain.cc:298
XrdCryptoX509Req::Opaque
virtual XrdCryptoX509Reqdata Opaque()
Definition XrdCryptoX509Req.cc:85
XrdCryptoX509::Opaque
virtual XrdCryptoX509data Opaque()
Definition XrdCryptoX509.cc:181
XrdCryptoX509::IsValid
virtual bool IsValid(int when=0)
Definition XrdCryptoX509.cc:105
XrdCryptoX509::NotAfter
virtual time_t NotAfter()
Definition XrdCryptoX509.cc:133
XrdOucString::rfind
int rfind(const char c, int start=STR_NPOS)
Definition XrdOucString.hh:285
XrdOucString::length
int length() const
Definition XrdOucString.hh:279
XrdSutRndm::GetUInt
static unsigned int GetUInt()
Definition XrdSutRndm.cc:247