35 #include <sys/types.h>
38 #include <openssl/asn1.h>
39 #include <openssl/asn1t.h>
40 #include <openssl/err.h>
41 #include <openssl/evp.h>
42 #include <openssl/pem.h>
43 #include <openssl/rsa.h>
44 #include <openssl/x509v3.h>
61 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
62 sk_X509_EXTENSION_pop_free(ske, X509_EXTENSION_free);
64 sk_pop_free(ske, X509_EXTENSION_free);
67 using EVP_PKEY_ptr = std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)>;
68 using X509_ptr = std::unique_ptr<X509, decltype(&X509_free)>;
69 using X509_NAME_ptr = std::unique_ptr<X509_NAME, decltype(&X509_NAME_free)>;
70 using X509_REQ_ptr = std::unique_ptr<X509_REQ, decltype(&X509_REQ_free)>;
82 #define KEY_USAGE_OID "2.5.29.15"
84 #define SUBJ_ALT_NAME_OID "2.5.29.17"
92 #define XRDGSI_VOMS_ATCAP_OID "1.3.6.1.4.1.8005.100.100.4"
93 #define XRDGSI_VOMS_ACSEQ_OID "1.3.6.1.4.1.8005.100.100.5"
95 #define BIO_PRINT(b,c) \
97 BIO_get_mem_ptr(b, &bptr); \
99 char *s = new char[bptr->length+1]; \
100 memcpy(s, bptr->data, bptr->length); \
101 s[bptr->length] = '\0'; \
105 PRINT("ERROR: "<<c<<" BIO internal buffer undefined!"); \
109 #define BIO_GET_STRING(b,str) \
111 BIO_get_mem_ptr(b, &bptr); \
113 char *s = new char[bptr->length+1]; \
114 memcpy(s, bptr->data, bptr->length); \
115 s[bptr->length] = '\0'; \
119 PRINT("ERROR: GET_STRING: BIO internal buffer undefined!"); \
123 #if OPENSSL_VERSION_NUMBER >= 0x0090800f
124 # define XRDGSI_CONST const
126 # define XRDGSI_CONST
// Compatibility code compiled only against OpenSSL older than 1.1.0 (0x10100000L),
// where EVP_PKEY is not opaque and its fields are read directly.
// Presumably the body of the file's `static RSA * EVP_PKEY_get0_RSA(EVP_PKEY *pkey)`
// shim; the signature line is not part of this listing.
129 #if OPENSSL_VERSION_NUMBER < 0x10100000L
// Anything that is not an RSA key is rejected before pkey->pkey.rsa is handed out.
132 if (pkey->type != EVP_PKEY_RSA) {
135 return pkey->pkey.rsa;
// Key consistency check, selected by OpenSSL version: RSA_check_key() before
// 1.1.1 (0x10101000L), EVP_PKEY_check() through a temporary context otherwise.
141 #if OPENSSL_VERSION_NUMBER < 0x10101000L
144 rc = RSA_check_key(rsa);
// NOTE(review): the visible lines do not test ckctx for NULL before
// EVP_PKEY_check(); confirm that an allocation failure is reported as a failed
// check rather than dereferenced.
148 EVP_PKEY_CTX *ckctx = EVP_PKEY_CTX_new(pkey, 0);
149 rc = EVP_PKEY_check(ckctx);
150 EVP_PKEY_CTX_free(ckctx);
166 ASN1_SEQUENCE(PROXY_CERT_INFO_EXTENSION_OLD) =
168 ASN1_SIMPLE(PROXY_CERT_INFO_EXTENSION, proxyPolicy, PROXY_POLICY),
169 ASN1_EXP_OPT(PROXY_CERT_INFO_EXTENSION, pcPathLengthConstraint, ASN1_INTEGER, 1)
170 } ASN1_SEQUENCE_END_name(PROXY_CERT_INFO_EXTENSION, PROXY_CERT_INFO_EXTENSION_OLD)
172 IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(PROXY_CERT_INFO_EXTENSION, PROXY_CERT_INFO_EXTENSION_OLD, PROXY_CERT_INFO_EXTENSION_OLD)
189 X509_EXTENSION *ext = (X509_EXTENSION *)extdata;
193 OBJ_obj2txt(s,
sizeof(s), X509_EXTENSION_get_object(ext), 1);
196 unsigned char *p = X509_EXTENSION_get_data(ext)->data;
197 PROXY_CERT_INFO_EXTENSION *pci = 0;
199 pci = d2i_PROXY_CERT_INFO_EXTENSION(0, (
XRDGSI_CONST unsigned char **)(&p), X509_EXTENSION_get_data(ext)->length);
201 pci = d2i_PROXY_CERT_INFO_EXTENSION_OLD(0, (
XRDGSI_CONST unsigned char **)(&p), X509_EXTENSION_get_data(ext)->length);
208 if (pci->pcPathLengthConstraint) {
209 pathlen = ASN1_INTEGER_get(pci->pcPathLengthConstraint);
214 *haspolicy = (pci->proxyPolicy) ? 1 : 0;
232 X509_EXTENSION *ext = (X509_EXTENSION *)extdata;
236 OBJ_obj2txt(s,
sizeof(s), X509_EXTENSION_get_object(ext), 1);
239 unsigned char *p = X509_EXTENSION_get_data(ext)->data;
240 PROXY_CERT_INFO_EXTENSION *pci = 0;
242 pci = d2i_PROXY_CERT_INFO_EXTENSION(0, (
XRDGSI_CONST unsigned char **)(&p), X509_EXTENSION_get_data(ext)->length);
244 pci = d2i_PROXY_CERT_INFO_EXTENSION_OLD(0, (
XRDGSI_CONST unsigned char **)(&p), X509_EXTENSION_get_data(ext)->length);
249 if (pci->pcPathLengthConstraint) {
250 ASN1_INTEGER_set(pci->pcPathLengthConstraint, pathlen);
274 EPNAME(
"X509CreateProxy");
277 if (!fnc || !fnk || !xp || !kp) {
278 PRINT(
"invalid inputs ");
284 OpenSSL_add_all_ciphers();
285 OpenSSL_add_all_digests();
286 ERR_load_crypto_strings();
290 int valid = (pxopt) ? pxopt->
valid : 43200;
291 int depthlen = (pxopt) ? pxopt->
depthlen : -1;
296 FILE *fc =
fopen(fnc,
"r");
299 if (PEM_read_X509(fc, &xEEC, 0, 0)) {
300 DEBUG(
"EEC certificate loaded from file: "<<fnc);
302 PRINT(
"unable to load EEC certificate from file: "<<fnc);
307 PRINT(
"EEC certificate cannot be opened (file: "<<fnc<<
")");
312 int now = (int)time(0);
314 PRINT(
"EEC certificate has expired");
322 FILE *fk =
fopen(fnk,
"r");
327 PRINT(
"Your identity: "<<sbj);
328 if ((PEM_read_PrivateKey(fk, &ekEEC, 0, 0))) {
329 DEBUG(
"EEC private key loaded from file: "<<fnk);
331 PRINT(
"unable to load EEC private key from file: "<<fnk);
337 PRINT(
"EEC private key file cannot be opened (file: "<<fnk<<
")");
344 PRINT(
"inconsistent key loaded");
345 EVP_PKEY_free(ekEEC);
351 X509_REQ *preq = X509_REQ_new();
353 PRINT(
"cannot to create cert request");
354 EVP_PKEY_free(ekEEC);
// Generate the proxy's RSA key pair: public exponent 0x10001 (65537), modulus
// size `bits` (where `bits` is set is not visible in this listing).
360 BIGNUM *e = BN_new();
362 PRINT(
"proxy key could not be generated - return");
363 EVP_PKEY_free(ekEEC);
367 BN_set_word(e, 0x10001);
// NOTE(review): none of the EVP_PKEY_CTX_* / EVP_PKEY_keygen* return values is
// tested in the visible lines, and pkctx is not checked for NULL. Failure seems
// to be detected only afterwards (second "proxy key could not be generated"
// message); confirm ekPX is validated before it is used below.
369 EVP_PKEY_CTX *pkctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, 0);
370 EVP_PKEY_keygen_init(pkctx);
371 EVP_PKEY_CTX_set_rsa_keygen_bits(pkctx, bits);
// The two branches differ in ownership of `e`: the OpenSSL 3.0 set1 call copies
// the exponent, the older call keeps the caller's BIGNUM pointer.
372 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
373 EVP_PKEY_CTX_set1_rsa_keygen_pubexp(pkctx, e);
376 EVP_PKEY_CTX_set_rsa_keygen_pubexp(pkctx, e);
378 EVP_PKEY_keygen(pkctx, &ekPX);
379 EVP_PKEY_CTX_free(pkctx);
381 PRINT(
"proxy key could not be generated - return");
382 EVP_PKEY_free(ekEEC);
// The freshly generated public key goes into the certificate request.
386 X509_REQ_set_pubkey(preq, ekPX);
// Proxy subject = copy of the EEC subject plus an extra CN entry holding the
// decimal serial number.
396 X509_NAME *psubj = X509_NAME_dup(X509_get_subject_name(xEEC));
// sn receives the "%d" rendering of serial. An int prints in at most 11
// characters plus the terminator, so 20 bytes is enough; snprintf with
// sizeof(sn) would make that bound explicit.
398 unsigned char sn[20] = {0};
399 sprintf((
char *)sn,
"%d", serial);
400 if (!X509_NAME_add_entry_by_txt(psubj, (
char *)
"CN", MBSTRING_ASC,
402 PRINT(
"could not add CN - (serial: "<<serial<<
", sn: "<<sn<<
")");
407 if (X509_REQ_set_subject_name(preq, psubj) != 1) {
408 PRINT(
"could not set subject name - return");
414 PROXY_CERT_INFO_EXTENSION *pci = PROXY_CERT_INFO_EXTENSION_new();
416 PRINT(
"could not create structure for extension - return");
419 pci->proxyPolicy->policyLanguage = OBJ_txt2obj(
"1.3.6.1.5.5.7.21.1", 1);
423 if ((pci->pcPathLengthConstraint = ASN1_INTEGER_new())) {
424 ASN1_INTEGER_set(pci->pcPathLengthConstraint, depthlen);
426 PRINT(
"could not set the path length contrain");
433 X509_EXTENSION *ext = X509_EXTENSION_new();
435 PRINT(
"could not create extension object");
440 if (!obj || X509_EXTENSION_set_object(ext, obj) != 1) {
441 PRINT(
"could not set extension name");
445 if (X509_EXTENSION_set_critical(ext, 1) != 1) {
446 PRINT(
"could not set extension critical flag");
// Serialise the ProxyCertInfo structure into the extension's OCTET STRING.
// The first i2d call (NULL output) only returns the encoded length; the second
// writes the bytes through the scratch pointer pp, which i2d advances.
// NOTE(review): a negative (error) result of the first call is stored as the
// length and used as the malloc() size (+1) without being tested in the
// visible lines.
// NOTE(review): the buffer comes from malloc() but is stored inside an
// OpenSSL-owned ASN.1 string, which OpenSSL releases through its own allocator
// when the extension is freed; OPENSSL_malloc() would keep allocation and
// release matched - confirm.
450 X509_EXTENSION_get_data(ext)->length = i2d_PROXY_CERT_INFO_EXTENSION(pci, 0);
451 if (!(X509_EXTENSION_get_data(ext)->data = (
unsigned char *)malloc(X509_EXTENSION_get_data(ext)->length+1))) {
452 PRINT(
"could not allocate data field for extension");
455 unsigned char *pp = X509_EXTENSION_get_data(ext)->data;
456 if ((i2d_PROXY_CERT_INFO_EXTENSION(pci, &pp)) <= 0) {
457 PRINT(
"problem converting data for extension");
461 STACK_OF(X509_EXTENSION) *esk = sk_X509_EXTENSION_new_null();
463 PRINT(
"could not create stack for extensions");
468 if (sk_X509_EXTENSION_push(esk, ext) == 0) {
469 PRINT(
"could not push the extension in the stack");
473 if (!(X509_REQ_add_extensions(preq, esk))) {
474 PRINT(
"problem adding extension");
479 if (!(X509_REQ_sign(preq, ekPX, EVP_sha256()))) {
480 PRINT(
"problems signing the request");
485 X509 *xPX = X509_new();
487 PRINT(
"could not create certificate object for proxies");
492 if (X509_set_version(xPX, 2L) != 1) {
493 PRINT(
"could not set version");
498 if (ASN1_INTEGER_set(X509_get_serialNumber(xPX), serial) != 1) {
499 PRINT(
"could not set serial number");
504 if (X509_set_subject_name(xPX, psubj) != 1) {
505 PRINT(
"could not set subject name");
508 X509_NAME_free(psubj);
511 if (X509_set_issuer_name(xPX, X509_get_subject_name(xEEC)) != 1) {
512 PRINT(
"could not set issuer name");
// Bind the proxy public key to the new certificate.
// NOTE(review): this is the X509_set_pubkey() failure path, but the message
// repeats "could not set issuer name" from the preceding step; a log reader
// would look for the fault in the wrong place. It should name the public key.
517 if (X509_set_pubkey(xPX, ekPX) != 1) {
518 PRINT(
"could not set issuer name");
523 if (!X509_gmtime_adj(X509_get_notBefore(xPX), 0)) {
524 PRINT(
"could not set notBefore");
529 if (!X509_gmtime_adj(X509_get_notAfter(xPX), valid)) {
530 PRINT(
"could not set notAfter");
535 X509_EXTENSION *xEECext = 0;
536 int nEECext = X509_get_ext_count(xEEC);
537 DEBUG(
"number of extensions found in the original certificate: "<< nEECext);
539 bool haskeyusage = 0;
540 for (i = 0; i< nEECext; i++) {
541 xEECext = X509_get_ext(xEEC, i);
543 OBJ_obj2txt(s,
sizeof(s), X509_EXTENSION_get_object(xEECext), 1);
545 if (!haskeyusage && !strcmp(s,
KEY_USAGE_OID)) haskeyusage = 1;
549 X509_EXTENSION *xEECextdup = X509_EXTENSION_dup(xEECext);
550 if (X509_add_ext(xPX, xEECextdup, -1) == 0) {
551 PRINT(
"could not push the extension '"<<s<<
"' in the stack");
555 int crit = X509_EXTENSION_get_critical(xEECextdup);
556 DEBUG(
"added extension '"<<s<<
"', critical: " << crit);
561 PRINT(
">>> WARNING: critical extension 'Key Usage' not found in original certificate! ");
562 PRINT(
">>> WARNING: this proxy may not be accepted by some parsers. ");
566 if (X509_add_ext(xPX, ext, -1) != 1) {
567 PRINT(
"could not add extension");
573 if (!(X509_sign(xPX, ekEEC, EVP_sha256()))) {
574 PRINT(
"problems signing the certificate");
581 PRINT(
"could not create container for proxy certificate");
589 PRINT(
"could not create container for EEC certificate");
595 PRINT(
"could not creatr out PKI");
// Write the proxy file. Order of the PEM blocks: proxy certificate, proxy
// private key, EEC certificate. The mode is forced to 0600 with fchmod() on the
// open descriptor before any of them is written.
// NOTE(review): fopen(fnp, "w") creates the file with umask-derived permissions,
// follows an existing symlink and truncates whatever already exists at fnp.
// Where fnp can live in a directory writable by other users (its origin is not
// visible here), creating the file with open(O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW,
// 0600) and fdopen(), then renaming into place, removes that exposure.
604 FILE *fp =
fopen(fnp,
"w");
607 PRINT(
"cannot open file to save the proxy certificate (file: "<<fnp<<
")");
610 else if ( (ifp = fileno(fp)) == -1) {
611 PRINT(
"got invalid file descriptor for the proxy certificate (file: "<<
617 else if (fchmod(ifp, 0600) == -1) {
618 PRINT(
"cannot set permissions on file: "<<fnp<<
" (errno: "<<errno<<
")");
622 else if (!rc && PEM_write_X509(fp, xPX) != 1) {
623 PRINT(
"error while writing proxy certificate");
// The key is written with no cipher and no passphrase (all arguments after the
// key are 0), so the 0600 file mode is the only protection of the proxy key at
// rest.
627 else if (!rc && PEM_write_PrivateKey(fp, ekPX, 0, 0, 0, 0, 0) != 1) {
628 PRINT(
"error while writing proxy private key");
632 else if (!rc && PEM_write_X509(fp, xEEC) != 1) {
633 PRINT(
"error while writing EEC certificate");
643 EVP_PKEY_free(ekEEC);
645 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
646 sk_X509_EXTENSION_free(esk);
664 EPNAME(
"X509CreateProxyReq");
667 if (!xcpi || !(xcpi->
Opaque())) {
668 PRINT(
"input proxy certificate not specified");
673 X509 *xpi = (X509 *)(xcpi->
Opaque());
677 PRINT(
"EEC certificate has expired");
693 xro.reset(X509_REQ_new());
695 PRINT(
"cannot to create cert request");
701 ekro.reset(X509_get_pubkey(xpi));
702 int bits = EVP_PKEY_bits(ekro.get());
708 BIGNUM *e = BN_new();
710 PRINT(
"proxy key could not be generated - return");
713 BN_set_word(e, 0x10001);
714 EVP_PKEY_CTX *pkctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, 0);
715 EVP_PKEY_keygen_init(pkctx);
716 EVP_PKEY_CTX_set_rsa_keygen_bits(pkctx, bits);
717 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
718 EVP_PKEY_CTX_set1_rsa_keygen_pubexp(pkctx, e);
721 EVP_PKEY_CTX_set_rsa_keygen_pubexp(pkctx, e);
724 EVP_PKEY *tmppk =
nullptr;
725 EVP_PKEY_keygen(pkctx, &tmppk);
728 EVP_PKEY_CTX_free(pkctx);
732 PRINT(
"proxy key could not be generated - return");
735 X509_REQ_set_pubkey(xro.get(), ekro.get());
745 psubj.reset(X509_NAME_dup(X509_get_subject_name(xpi)));
// NOTE(review): the output parameter is read here as input. *xcro is declared
// as an XrdCryptoX509Req * (see the function's prototype), yet it is
// reinterpreted as a pointer to int and compared with 10100. Callers must
// therefore pass the address of an int through it; a real request object would
// have its first bytes read as an integer. Confirm against the callers and
// consider an explicit parameter.
// When the value is <= 10100, the last entry of the duplicated subject name is
// removed before the serial CN is appended.
746 if (xcro && *xcro && *((
int *)(*xcro)) <= 10100) {
748 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
749 int ne = X509_NAME_entry_count(psubj.get());
751 int ne = psubj->entries->num;
// X509_NAME_delete_entry() hands the removed entry back to the caller, which
// frees it below.
754 X509_NAME_ENTRY *cne = X509_NAME_delete_entry(psubj.get(), ne-1);
756 X509_NAME_ENTRY_free(cne);
758 DEBUG(
"problems modifying subject name");
764 unsigned char sn[20] = {0};
765 sprintf((
char *)sn,
"%d", serial);
766 if (!X509_NAME_add_entry_by_txt(psubj.get(), (
char *)
"CN", MBSTRING_ASC,
768 PRINT(
"could not add CN - (serial: "<<serial<<
", sn: "<<sn<<
")");
773 if (X509_REQ_set_subject_name(xro.get(), psubj.get()) != 1) {
774 PRINT(
"could not set subject name - return");
780 pci.reset(PROXY_CERT_INFO_EXTENSION_new());
782 PRINT(
"could not create structure for extension - return");
785 pci->proxyPolicy->policyLanguage = OBJ_txt2obj(
"1.3.6.1.5.5.7.21.1", 1);
788 esk.reset(sk_X509_EXTENSION_new_null());
790 PRINT(
"could not create stack for extensions");
795 X509_EXTENSION *xpiext = 0;
796 int npiext = X509_get_ext_count(xpi);
798 bool haskeyusage = 0;
800 for (i = 0; i< npiext; i++) {
801 xpiext = X509_get_ext(xpi, i);
803 OBJ_obj2txt(s,
sizeof(s), X509_EXTENSION_get_object(xpiext), 1);
805 if (!haskeyusage && !strcmp(s,
KEY_USAGE_OID)) haskeyusage = 1;
811 unsigned char *p = X509_EXTENSION_get_data(xpiext)->data;
812 PROXY_CERT_INFO_EXTENSION *inpci = 0;
814 inpci = d2i_PROXY_CERT_INFO_EXTENSION(0, (
XRDGSI_CONST unsigned char **)(&p), X509_EXTENSION_get_data(xpiext)->length);
816 inpci = d2i_PROXY_CERT_INFO_EXTENSION_OLD(0, (
XRDGSI_CONST unsigned char **)(&p), X509_EXTENSION_get_data(xpiext)->length);
818 inpci->pcPathLengthConstraint)
819 indepthlen = ASN1_INTEGER_get(inpci->pcPathLengthConstraint);
820 DEBUG(
"IN depth length: "<<indepthlen);
821 PROXY_CERT_INFO_EXTENSION_free(inpci);
824 X509_EXTENSION *xpiextdup = X509_EXTENSION_dup(xpiext);
825 if (sk_X509_EXTENSION_push(esk.get(), xpiextdup) == 0) {
826 PRINT(
"could not push the extension '"<<s<<
"' in the stack");
827 X509_EXTENSION_free(xpiextdup);
831 int crit = X509_EXTENSION_get_critical(xpiextdup);
832 DEBUG(
"added extension '"<<s<<
"', critical: " << crit);
840 PRINT(
">>> WARNING: critical extension 'Key Usage' not found in original certificate! ");
841 PRINT(
">>> WARNING: this proxy may not be accepted by some parsers. ");
845 if (indepthlen > -1) {
846 if ((pci->pcPathLengthConstraint = ASN1_INTEGER_new())) {
847 int depthlen = (indepthlen > 0) ? (indepthlen-1) : 0;
848 ASN1_INTEGER_set(pci->pcPathLengthConstraint, depthlen);
850 PRINT(
"could not set the path length contrain");
856 ext.reset(X509_EXTENSION_new());
858 PRINT(
"could not create extension object");
862 X509_EXTENSION_get_data(ext.get())->length = i2d_PROXY_CERT_INFO_EXTENSION(pci.get(), 0);
863 if (!(X509_EXTENSION_get_data(ext.get())->data = (
unsigned char *)malloc(X509_EXTENSION_get_data(ext.get())->length+1))) {
864 PRINT(
"could not allocate data field for extension");
867 unsigned char *pp = X509_EXTENSION_get_data(ext.get())->data;
868 if ((i2d_PROXY_CERT_INFO_EXTENSION(pci.get(), &pp)) <= 0) {
869 PRINT(
"problem converting data for extension");
876 if (!obj || X509_EXTENSION_set_object(ext.get(), obj) != 1) {
877 PRINT(
"could not set extension name");
878 ASN1_OBJECT_free(obj);
881 ASN1_OBJECT_free(obj);
885 if (X509_EXTENSION_set_critical(ext.get(), 1) != 1) {
886 PRINT(
"could not set extension critical flag");
889 if (sk_X509_EXTENSION_push(esk.get(), ext.get()) == 0) {
890 PRINT(
"could not push the extension in the stack");
897 if (!(X509_REQ_add_extensions(xro.get(), esk.get()))) {
898 PRINT(
"problem adding extension");
903 if (!(X509_REQ_sign(xro.get(), ekro.get(), EVP_sha256()))) {
904 PRINT(
"problems signing the request");
927 EPNAME(
"X509SignProxyReq");
930 if (!xcpi || !kcpi || !xcri || !xcpo) {
931 PRINT(
"invalid inputs");
936 int timeleft = xcpi->
NotAfter() - (int)time(0);
938 PRINT(
"EEC certificate has expired");
942 X509 *xpi = (X509 *)(xcpi->
Opaque());
946 PRINT(
"inconsistent key loaded");
960 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
961 ekpi.reset(EVP_PKEY_dup((EVP_PKEY *)(kcpi->
Opaque())));
963 PRINT(
"could not create a EVP_PKEY * instance - return");
970 ekpi.reset(EVP_PKEY_new());
972 PRINT(
"could not create a EVP_PKEY * instance - return");
975 EVP_PKEY_set1_RSA(ekpi.get(), kpi);
979 X509_REQ *xri = (X509_REQ *)(xcri->
Opaque());
986 PRINT(
"names undefined");
// Naming rule enforced before signing: per the messages below, the request
// subject must be the issuing subject followed by "/CN=<serial>". neecp and
// neecr are compared for equality; how they are derived is not visible here.
// NOTE(review): the emptiness test names neecr twice; neecp.length() was
// probably intended for one of the two. The outcome is the same (an empty neecp
// cannot equal a non-empty neecr), but the duplicate hides the intent in a
// check that gates certificate issuance. The same expression recurs below.
994 if (neecr.length() <= 0 || neecr.length() <= 0 || neecp != neecr) {
995 if (xcri->
Version() <= 10100) {
// Retry for old-format requests after cutting neecp at the last "/CN=".
// NOTE(review): the rfind() result is not tested in the visible lines before
// it is passed to erase(); confirm the not-found case is harmless.
997 neecp.erase(psbj.
rfind(
"/CN="));
998 if (neecr.length() <= 0 || neecr.length() <= 0 || neecp != neecr) {
999 PRINT(
"Request subject not in the form '<EEC subject> + /CN=<serial>'");
1001 PRINT(
" Proxy: "<<neecp);
1002 PRINT(
" SubRq: "<<neecr);
1006 PRINT(
"Request subject not in the form '<issuer subject> + /CN=<serial>'");
1008 PRINT(
" Proxy: "<<neecp);
1009 PRINT(
" SubRq: "<<neecr);
// Serial number of the certificate to be issued, parsed from sserial
// (presumably the trailing CN of the request subject, i.e. a value chosen by
// the requester - confirm).
// NOTE(review): strtol() is called without an end pointer or errno check, so
// non-numeric text yields 0 and an out-of-range value is truncated by the cast
// to unsigned int.
1016 unsigned int serial = (
unsigned int)(strtol(sserial.c_str(), 0, 10));
1019 xpo.reset(X509_new());
1021 PRINT(
"could not create certificate object for proxies");
1026 if (X509_set_version(xpo.get(), 2L) != 1) {
1027 PRINT(
"could not set version");
1032 if (ASN1_INTEGER_set(X509_get_serialNumber(xpo.get()), serial) != 1) {
1033 PRINT(
"could not set serial number");
1038 if (X509_set_subject_name(xpo.get(), X509_REQ_get_subject_name(xri)) != 1) {
1039 PRINT(
"could not set subject name");
1044 if (X509_set_issuer_name(xpo.get(), X509_get_subject_name(xpi)) != 1) {
1045 PRINT(
"could not set issuer name");
// Certify the public key carried by the request.
// NOTE(review): X509_REQ_get_pubkey() returns a new reference that the caller
// must release with EVP_PKEY_free(). Passed inline it is never released, so
// each signed request leaks one key reference; holding it in an EVP_PKEY_ptr
// for the duration of the call would fix that.
// NOTE(review): no X509_REQ_verify() call appears in the lines of this listing;
// confirm the request's self-signature is checked before its key is certified.
1050 if (X509_set_pubkey(xpo.get(), X509_REQ_get_pubkey(xri)) != 1) {
1051 PRINT(
"could not set public key");
1056 if (!X509_gmtime_adj(X509_get_notBefore(xpo.get()), 0)) {
1057 PRINT(
"could not set notBefore");
1062 if (!X509_gmtime_adj(X509_get_notAfter(xpo.get()), timeleft)) {
1063 PRINT(
"could not set notAfter");
1069 X509_EXTENSION *xpiext = 0, *xriext = 0;
1070 int npiext = X509_get_ext_count(xpi);
1072 bool haskeyusage = 0;
1073 int indepthlen = -1;
1074 for (i = 0; i< npiext; i++) {
1075 xpiext = X509_get_ext(xpi, i);
1077 ASN1_OBJECT *obj = X509_EXTENSION_get_object(xpiext);
1079 OBJ_obj2txt(s,
sizeof(s), obj, 1);
1082 unsigned char *p = X509_EXTENSION_get_data(xpiext)->data;
1083 PROXY_CERT_INFO_EXTENSION *inpci = 0;
1085 inpci = d2i_PROXY_CERT_INFO_EXTENSION(0, (
XRDGSI_CONST unsigned char **)(&p), X509_EXTENSION_get_data(xpiext)->length);
1087 inpci = d2i_PROXY_CERT_INFO_EXTENSION_OLD(0, (
XRDGSI_CONST unsigned char **)(&p), X509_EXTENSION_get_data(xpiext)->length);
1089 inpci->pcPathLengthConstraint)
1090 indepthlen = ASN1_INTEGER_get(inpci->pcPathLengthConstraint);
1091 DEBUG(
"IN depth length: "<<indepthlen);
1092 PROXY_CERT_INFO_EXTENSION_free(inpci);
1095 if (!haskeyusage && !strcmp(s,
KEY_USAGE_OID)) haskeyusage = 1;
1098 PRINT(
"subject alternative name extension not allowed! Skipping request");
1105 PRINT(
"more than one ProxyCertInfo extension! Skipping request");
1111 X509_EXTENSION *xpiextdup = X509_EXTENSION_dup(xpiext);
1112 if (X509_add_ext(xpo.get(), xpiextdup, -1) == 0) {
1113 PRINT(
"could not push the extension '"<<s<<
"' in the stack");
1114 X509_EXTENSION_free( xpiextdup );
1118 int crit = X509_EXTENSION_get_critical(xpiextdup);
1119 DEBUG(
"added extension '"<<s<<
"', critical: " << crit);
1120 X509_EXTENSION_free( xpiextdup );
// Extensions asked for by the requester. X509_REQ_get_extensions() returns a
// stack owned by the caller, held here by xrisk.
1128 xrisk.reset(X509_REQ_get_extensions(xri));
// NOTE(review): sk_X509_EXTENSION_num() returns -1 for a NULL stack, which the
// `nriext == 0` test below does not catch; confirm xrisk is tested for NULL on
// the lines not shown here.
1131 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
1132 int nriext = sk_X509_EXTENSION_num(xrisk.get());
1134 int nriext = sk_num(xrisk.get());
// Refuse a request without extensions, or when no Key Usage extension was seen
// while haskeyusage was being computed earlier in the function.
1136 if (nriext == 0 || !haskeyusage) {
1137 PRINT(
"wrong extensions in request: "<< nriext<<
", "<<haskeyusage);
// Path length requested by the client; -1 means "none given". The bytes decoded
// here come from the request, i.e. from the requester. p is a scratch copy
// because d2i advances the pointer it is given.
1142 int reqdepthlen = -1;
1144 unsigned char *p = X509_EXTENSION_get_data(xriext)->data;
1145 PROXY_CERT_INFO_EXTENSION *reqpci =
1146 d2i_PROXY_CERT_INFO_EXTENSION(0, (
XRDGSI_CONST unsigned char **)(&p), X509_EXTENSION_get_data(xriext)->length);
1148 reqpci->pcPathLengthConstraint)
1149 reqdepthlen = ASN1_INTEGER_get(reqpci->pcPathLengthConstraint);
1150 PROXY_CERT_INFO_EXTENSION_free(reqpci);
1152 DEBUG(
"REQ depth length: "<<reqdepthlen);
// Path length for the issued proxy (the else-branch of this expression is on a
// line not shown).
// NOTE(review): -1 is the "not set" value of both reqdepthlen and indepthlen,
// so with a plain `<` a request carrying no constraint compares as the smallest
// value. Together with the `outdepthlen > -1` test below, such a request gets a
// certificate with no pcPathLengthConstraint even when the issuing proxy has
// one. Chain verifiers still apply the issuer's limit, but confirm that
// omitting it here is intended.
1155 int outdepthlen = (reqdepthlen < indepthlen) ? reqdepthlen :
1159 pci.reset(PROXY_CERT_INFO_EXTENSION_new());
1161 PRINT(
"could not create structure for extension - return");
// 1.3.6.1.5.5.7.21.1 is id-ppl-inheritAll (RFC 3820): the proxy inherits all
// rights of its issuer.
1164 pci->proxyPolicy->policyLanguage = OBJ_txt2obj(
"1.3.6.1.5.5.7.21.1", 1);
// A constraint is written only when one is in force; the stored value is one
// less than outdepthlen, floored at 0.
1167 if (outdepthlen > -1) {
1168 if ((pci->pcPathLengthConstraint = ASN1_INTEGER_new())) {
1169 int depthlen = (outdepthlen > 0) ? (outdepthlen-1) : 0;
1170 ASN1_INTEGER_set(pci->pcPathLengthConstraint, depthlen);
1172 PRINT(
"could not set the path length contrain");
1177 ext.reset(X509_EXTENSION_new());
1179 PRINT(
"could not create extension object");
1183 X509_EXTENSION_get_data(ext.get())->length = i2d_PROXY_CERT_INFO_EXTENSION(pci.get(), 0);
1184 if (!(X509_EXTENSION_get_data(ext.get())->data = (
unsigned char *)malloc(X509_EXTENSION_get_data(ext.get())->length+1))) {
1185 PRINT(
"could not allocate data field for extension");
1188 unsigned char *pp = X509_EXTENSION_get_data(ext.get())->data;
1189 if ((i2d_PROXY_CERT_INFO_EXTENSION(pci.get(), &pp)) <= 0) {
1190 PRINT(
"problem converting data for extension");
1197 if (!obj || X509_EXTENSION_set_object(ext.get(), obj) != 1) {
1198 PRINT(
"could not set extension name");
1199 ASN1_OBJECT_free( obj );
1202 ASN1_OBJECT_free( obj );
1206 if (X509_EXTENSION_set_critical(ext.get(), 1) != 1) {
1207 PRINT(
"could not set extension critical flag");
1212 if (X509_add_ext(xpo.get(), ext.get(), -1) == 0) {
1213 PRINT(
"could not add extension");
1219 if (!(X509_sign(xpo.get(), ekpi.get(), EVP_sha256()))) {
1220 PRINT(
"problems signing the certificate");
1243 EPNAME(
"X509GetVOMSAttr");
1248 PRINT(
"invalid inputs");
1253 X509 *xpi = (X509 *)(xcpi->
Opaque());
1258 X509_EXTENSION *xpiext = 0;
1259 int npiext = X509_get_ext_count(xpi);
1261 for (i = 0; i< npiext; i++) {
1262 xpiext = X509_get_ext(xpi, i);
1264 OBJ_obj2txt(s,
sizeof(s), X509_EXTENSION_get_object(xpiext), 1);
1266 DEBUG(
"found extension '"<<s<<
"'");
1271 long length = X509_EXTENSION_get_data(xpiext)->length;
1273 DEBUG(
"ret: " << ret <<
" - vat: " << vat);
// ASN.1 walker over the DER bytes of a certificate extension - presumably the
// body of XrdCryptosslX509FillVOMS(), whose signature is not part of this
// listing. The input comes from a peer's certificate and must be treated as
// untrusted.
1290 int tag, xclass, ret = 0;
1293 ASN1_OCTET_STRING *os = 0;
// Iterate while the cursor is inside the buffer; `op < p` appears to be the
// forward-progress guard (the assignment to op is not visible).
1299 while ((p < tot) && (op < p)) {
// NOTE(review): ASN1_get_object() bounds-checks against its last argument.
// Confirm `length` tracks the bytes remaining from p (the lines that adjust it
// are not visible), otherwise the check is looser than the buffer.
1301 j = ASN1_get_object(&p, &len, &tag, &xclass, length);
1306 PRINT(
"ERROR: error in encoding");
1314 if (j & V_ASN1_CONSTRUCTED) {
1317 PRINT(
"ERROR:CONST: length is greater than " <<length);
// 0x21 = constructed encoding with indefinite length.
1321 if ((j == 0x21) && (len == 0)) {
1328 if ((r == 2) || (p >= tot))
1342 if (tag == V_ASN1_OBJECT) {
1344 if (d2i_ASN1_OBJECT(&o, &opp, len+hl)) {
// The OID is rendered to text through a memory BIO.
// NOTE(review): BIO_new() is not tested for NULL and no BIO_free() is visible
// in the lines shown - confirm.
1345 BIO *mem = BIO_new(BIO_s_mem());
1346 i2a_ASN1_OBJECT(mem, o);
1351 DEBUG(
"AOBJ:"<<objstr<<
" (getvat: "<<getvat<<
")");
1353 PRINT(
"ERROR:AOBJ: BAD OBJECT");
1355 }
else if (tag == V_ASN1_OCTET_STRING) {
1356 int i, printable = 1;
1358 os = d2i_ASN1_OCTET_STRING(0, &opp, len + hl);
1359 if (os && os->length > 0) {
// Printability test over os->length bytes: control characters other than
// \n, \r, \t, and anything above '~', mark the string as not printable.
1362 for (i=0; i<os->length; i++) {
1363 if (( (opp[i] <
' ') && (opp[i] !=
'\n') &&
1364 (opp[i] !=
'\r') && (opp[i] !=
'\t')) || (opp[i] >
'~')) {
// Attribute strings are accumulated in vat, comma-separated.
// NOTE(review): the value is appended as a NUL-terminated C string rather than
// with os->length. The scan above rejects an embedded NUL, but the append still
// depends on a terminator following the os->length bytes; presumably opp points
// at os->data at this stage (the assignment is not visible). Appending with an
// explicit length would remove that dependency.
1372 if (vat.
length() > 0) vat +=
",";
1373 vat += (
const char *)opp;
1376 DEBUG(
"OBJS:" << (
const char *)opp <<
" (len: "<<os->length<<
")");
// NOTE(review): os is freed here and again, when non-null, in the cleanup at
// the end; confirm os is reset to 0 right after this call (line not shown).
1380 ASN1_OCTET_STRING_free(os);
1386 if ((tag == V_ASN1_EOC) && (xclass == 0)) {
// Common cleanup of the decoded object and octet string.
1399 if (o) ASN1_OBJECT_free(o);
1400 if (os) ASN1_OCTET_STRING_free(os);
1402 DEBUG(
"ret: "<<ret<<
" - getvat: "<<getvat);
1415 EPNAME(
"X509CheckProxy3");
1418 X509 *cert = (X509 *)(xcpi->
Opaque());
1421 int numext = X509_get_ext_count(cert);
1423 emsg =
"certificate has got no extensions";
1426 TRACE(ALL,
"certificate has "<<numext<<
" extensions");
// Scan the certificate's extensions for a ProxyCertInfo extension, in either
// the current or the legacy (_OLD) encoding, and decode it into pci. The
// extension bytes come from the certificate under examination.
1428 X509_EXTENSION *ext = 0;
1429 PROXY_CERT_INFO_EXTENSION *pci = 0;
1430 for (
int i = 0; i < numext; i++) {
1432 X509_EXTENSION *xext = X509_get_ext(cert, i);
// s receives the dotted-decimal OID of the extension (last argument 1 = no
// short/long name lookup).
1436 OBJ_obj2txt(s,
sizeof(s), X509_EXTENSION_get_object(xext), 1);
1437 DEBUG(i <<
": got: "<< s);
// p is a scratch pointer because d2i advances the pointer it is given.
1442 unsigned char *p = X509_EXTENSION_get_data(ext)->data;
1443 pci = d2i_PROXY_CERT_INFO_EXTENSION(0, (
XRDGSI_CONST unsigned char **)(&p), X509_EXTENSION_get_data(ext)->length);
// NOTE(review): a second proxyCertInfo extension only produces a warning here,
// while the signing path in this file refuses the request in that situation
// ("more than one ProxyCertInfo extension! Skipping request"). A certificate
// with a duplicated extension is malformed, and failing this check too would
// keep both paths consistent.
1445 PRINT(
"WARNING: multiple proxyCertInfo extensions found: taking the first");
1451 unsigned char *p = X509_EXTENSION_get_data(ext)->data;
1452 pci = d2i_PROXY_CERT_INFO_EXTENSION_OLD(0, (
XRDGSI_CONST unsigned char **)(&p), X509_EXTENSION_get_data(ext)->length);
1454 PRINT(
"WARNING: multiple proxyCertInfo extensions found: taking the first");
// Failure reasons are reported to the caller through emsg.
1461 emsg =
"proxyCertInfo extension not found";
1465 emsg =
"proxyCertInfo extension could not be deserialized";
// The decoded structure must carry a policy and a policy language.
// NOTE(review): the release of pci is not visible in this listing; confirm each
// of these failure paths calls PROXY_CERT_INFO_EXTENSION_free().
1470 if ((pci->proxyPolicy) == 0) {
1471 emsg =
"could not access policy from proxyCertInfo extension";
1475 if ((pci->proxyPolicy->policyLanguage) == 0) {
1476 emsg =
"could not access policy language from proxyCertInfo extension";
#define XrdCryptoMinRSABits
#define XrdCryptoDefRSABits
#define gsiProxyCertInfo_OID
#define gsiProxyCertInfo_OLD_OID
void XrdCryptosslNameOneLine(X509_NAME *nm, XrdOucString &s)
time_t XrdCryptosslASN1toUTC(const ASN1_TIME *tsn1)
void XrdCryptosslSetPathLenConstraint(void *ext, int pathlen)
#define kErrPX_BadExtension
int XrdCryptosslX509CheckProxy3(XrdCryptoX509 *, XrdOucString &)
#define kErrPX_SetAttribute
int XrdCryptosslX509SignProxyReq(XrdCryptoX509 *, XrdCryptoRSA *, XrdCryptoX509Req *, XrdCryptoX509 **)
bool XrdCryptosslProxyCertInfo(const void *ext, int &pathlen, bool *haspolicy=0)
#define kErrPX_NoResources
int XrdCryptosslX509CreateProxyReq(XrdCryptoX509 *, XrdCryptoX509Req **, XrdCryptoRSA **)
int XrdCryptosslX509CreateProxy(const char *, const char *, XrdProxyOpt_t *, XrdCryptogsiX509Chain *, XrdCryptoRSA **, const char *)
int XrdCryptosslX509GetVOMSAttr(XrdCryptoX509 *, XrdOucString &)
#define kErrPX_GenerateKey
#define kErrPX_SetPathDepth
#define kErrPX_ExpiredEEC
#define kErrPX_BadEECfile
static int XrdCheckRSA(EVP_PKEY *pkey)
std::unique_ptr< EVP_PKEY, decltype(&EVP_PKEY_free)> EVP_PKEY_ptr
int XrdCryptosslX509FillUnknownExt(XRDGSI_CONST unsigned char **pp, long length)
#define BIO_GET_STRING(b, str)
static void stackOfX509ExtensionDelete(STACK_OF(X509_EXTENSION) *ske)
int XrdCryptosslX509FillVOMS(XRDGSI_CONST unsigned char **pp, long length, bool &getvat, XrdOucString &vat)
#define XRDGSI_VOMS_ATCAP_OID
int XrdCryptosslX509Asn1PrintInfo(int tag, int xclass, int constructed, int indent)
#define XRDGSI_VOMS_ACSEQ_OID
#define SUBJ_ALT_NAME_OID
std::unique_ptr< STACK_OF(X509_EXTENSION), decltype(&stackOfX509ExtensionDelete)> STACK_OF_X509_EXTENSION_ptr
std::unique_ptr< X509, decltype(&X509_free)> X509_ptr
std::unique_ptr< X509_NAME, decltype(&X509_NAME_free)> X509_NAME_ptr
std::unique_ptr< X509_EXTENSION, decltype(&X509_EXTENSION_free)> X509_EXTENSION_ptr
static RSA * EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
std::unique_ptr< PROXY_CERT_INFO_EXTENSION, decltype(&PROXY_CERT_INFO_EXTENSION_free)> PROXY_CERT_INFO_EXTENSION_ptr
std::unique_ptr< X509_REQ, decltype(&X509_REQ_free)> X509_REQ_ptr
int emsg(int rc, char *msg)
virtual XrdCryptoRSAdata Opaque()
void PushBack(XrdCryptoX509 *c)
virtual XrdCryptoX509Reqdata Opaque()
virtual XrdCryptoX509data Opaque()
virtual bool IsValid(int when=0)
virtual time_t NotAfter()
int rfind(const char c, int start=STR_NPOS)
static unsigned int GetUInt()