37 #include <sys/types.h>
59 #include <openssl/x509v3.h>
60 #include <openssl/x509.h>
// Prints one result line: dot padding (line 95) followed by PASSED or FAILED
// according to `ok` (line 96). This listing elides the lines between the
// gutter numbers, so the braces and the declarations of `i` and `np` are not
// shown here.
85 static void pdots(
const char *t,
bool ok = 1)
// A null `t` is given length 0 instead of being passed to strlen().
88 unsigned int l = (t) ? strlen (t) : 0;
95 for (; i < np ; i++) { printf(
"."); }
96 printf(
" %s\n", (ok ?
"PASSED" :
"FAILED"));
// Prints a section header: "|| <t> ---" (line 104) followed by '-' padding
// (line 108). Lines between the gutter numbers are elided in this listing.
98 static void pline(
const char *t)
// A null `t` is given length 0 instead of being passed to strlen().
101 unsigned int l = (t) ? strlen (t) : 0;
// NOTE(review): line 101 tolerates a null `t`, but the "%s" below receives `t`
// directly; confirm the elided lines 102-103 keep a null pointer away from printf.
104 printf(
"|| %s ---", t);
108 for (; i < np ; i++) { printf(
"-"); }
// Usage text (the header of the enclosing function is not part of this listing).
// The defaults printed below name credential material: the user's certificate,
// the user's private key and a proxy file under /tmp. Each location can be
// redirected through an X509_* environment variable, which main() reads with
// getenv().
115 printf(
" Basic test program for crypto functionality in relation to GSI.\n");
116 printf(
" The program needs access to a user certificate file and its private key, and the related\n");
// NOTE(review): the CRL location is taken from the CA certificate itself (main()
// looks up the crlDistributionPoints extension); how the download is performed
// is not visible in this listing.
117 printf(
" CA file(s); the CRL is downloaded using the information found in the CA certificate.\n");
118 printf(
" The location of the files are the standard ones and they can modified by the standard\n");
119 printf(
" environment variables:\n");
121 printf(
" X509_USER_CERT [$HOME/.globus/usercert.pem] user certificate\n");
122 printf(
" X509_USER_KEY [$HOME/.globus/userkey.pem] user private key\n");
123 printf(
" X509_USER_PROXY [/tmp/x509up_u<uid>] user proxy\n");
124 printf(
" X509_CERT_DIR [/etc/grid-security/certificates/] CA certificates and CRL directories\n");
127 printf(
" xrdgsitest [-v,--verbose] [-h,--help] \n");
129 printf(
" -h, --help Print this screen\n");
130 printf(
" -v, --verbose Dump all details\n");
132 printf(
" The output is a list of PASSED/FAILED test, interleaved with details when the verbose option\n");
133 printf(
" is chosen.\n");
// Test driver for the GSI-related crypto functions. In the order of the pline()
// headers below it: loads the user certificate and proxy, recreates the proxy,
// loads CA certificates, exercises file parsing, chain export/import and chain
// verification, single-certificate verification, proxy request creation and
// signing, export of the signed proxy, and CRL identification and loading.
// Each step reports through pdots(). This listing shows only the lines that
// carry cross-references; the lines between the gutter numbers are elided.
137 int main(
int argc,
char **argv )
141 char cryptomod[64] =
"ssl";
142 char outname[256] = {0};
// Option scan: -v/--verbose sets Dbg to 1, -vv sets it to 2, -h/--help sets Help.
146 for (; i < argc; i++) {
148 if (!strcmp(argv[i],
"-v") || !strcmp(argv[i],
"--verbose"))
Dbg = 1;
149 if (!strcmp(argv[i],
"-vv"))
Dbg = 2;
151 if (!strcmp(argv[i],
"-h") || !strcmp(argv[i],
"--help"))
Help = 1;
// Scans back from the end of the program name for the last '/' so that only
// the file-name part is kept.
179 int k = strlen(argv[0]);
181 if (p[k] ==
'/')
break;
// NOTE(review): unbounded strcpy into the 256-byte `outname` (line 142). The
// length of the copied suffix is bounded only by strlen(argv[0]) (line 179),
// which the caller controls; a bounded copy such as
// snprintf(outname, sizeof(outname), "%s", p+k+1) would keep it inside the
// buffer. `p` is not declared in the visible lines - presumably argv[0]; confirm.
182 strcpy(outname,p+k+1);
187 pdots(
" Cannot instantiate factory", 0);
194 pline(
"Crypto functionality tests for GSI");
// The account is resolved from the effective uid; its home directory and uid
// feed the default credential paths below.
199 struct passwd *pw = getpwuid(geteuid());
201 pdots(
" Could not resolve user info - exit", 0);
204 NOTIFY(
"effective user is : "<<pw->pw_name<<
", $HOME : "<<pw->pw_dir);
// Default end-entity certificate path, replaced wholesale by X509_USER_CERT
// when that variable is set. No check of the environment-supplied path is
// visible in this listing.
209 EEcert +=
"/.globus/usercert.pem";
210 if (getenv(
"X509_USER_CERT"))
EEcert = getenv(
"X509_USER_CERT");
216 pdots(
" Problems loading user EE cert", 0);
218 if (xEE)
pdots(
"Loading EEC", 1);
// Default private-key path, replaced wholesale by X509_USER_KEY when set.
223 EEkey +=
"/.globus/userkey.pem";
224 if (getenv(
"X509_USER_KEY"))
EEkey = getenv(
"X509_USER_KEY");
// Default proxy path ends in the numeric uid (the usage text gives
// /tmp/x509up_u<uid>); X509_USER_PROXY replaces it when set.
// NOTE(review): the default is a predictable name in a shared directory, so the
// code that loads it should reject a file that is not owned by the user or that
// is accessible to others. Whether the loader does so is not visible here.
229 PXcert += (int) pw->pw_uid;
230 if (getenv(
"X509_USER_PROXY"))
PXcert = getenv(
"X509_USER_PROXY");
236 pdots(
" Problems loading user proxy cert", 0);
238 if (xPX)
pdots(
"Loading User Proxy", 1);
242 pline(
"Recreate the proxy certificate");
247 X509_EXTENSION *ext = 0;
253 pdots(
"Recreating User Proxy", 1);
// Looks up the extension with OID 1.3.6.1.4.1.3536.1.222 on the recreated proxy
// and reports it as the proxyCertInfo extension. Only a non-null result is
// tested on these lines; the extension's content is not inspected here.
254 if ((ext = (X509_EXTENSION *)(xPXp->
GetExtension(
"1.3.6.1.4.1.3536.1.222")))) {
255 pdots(
"proxyCertInfo extension OK", 1);
259 pdots(
"Recreating User Proxy", 0);
269 pline(
"Load CA certificates");
// CA directory, taken from X509_CERT_DIR when set.
272 if (getenv(
"X509_CERT_DIR"))
CAdir = getenv(
"X509_CERT_DIR");
// Keeps loading CA certificates until rCAfound is set or nCA reaches 5.
277 while (!rCAfound && nCA < 5) {
284 pdots(
"Loading CA certificate", 1);
286 pdots(
"Loading CA certificate", 0);
// Equal issuer and subject hashes mean the certificate names itself as its
// issuer. This is a comparison of names, not of a signature; the signature
// checks are the Verify() calls further down.
// NOTE(review): strcmp() needs both hash strings to be non-null - confirm that
// IssuerHash()/SubjectHash() cannot return null for a loaded certificate.
291 if (!strcmp(xCA[nCA]->IssuerHash(), xCA[nCA]->SubjectHash())) {
302 pline(
"Testing ParseFile");
// NOTE(review): assumes Begin() is non-null, i.e. the parsed chain is not
// empty - confirm against the elided lines above.
308 if (!(key = chain->
Begin()->
PKI())) {
309 pdots(
"getting PKI", 0);
311 NOTIFY(nci <<
" certificates found parsing file");
321 pdots(
"Chain reorder: ", (rorc != -1));
// Verify() writes its error code into ecod; its result decides PASSED/FAILED.
323 int verc = chain->
Verify(ecod);
324 pdots(
"Chain verify: ", verc);
326 pdots(
"Full CA chain verification", 0);
329 pdots(
"attaching to X509ParseFile", 0);
335 pline(
"Testing ExportChain");
// Exports the chain into a bucket (chainbck) that the import tests below parse.
338 if (ExportChain && chain->
End()) {
339 chainbck = (*ExportChain)(chain, 0);
340 pdots(
"Attach to X509ExportChain", 1);
342 pdots(
"Attach to X509ExportChain", 0);
347 pline(
"Testing Chain Import");
349 if (!ParseBucket)
pdots(
"attaching to X509ParseBucket", 0);
// Seeds the new chain with the loaded CA certificates, highest index first.
// NOTE(review): CAchain is dereferenced here, before the null test on line 354;
// if its creation can yield null, the test belongs ahead of this loop.
353 while (jCA) { CAchain->
PushBack(xCA[--jCA]); }
354 if (ParseBucket && CAchain) {
355 int nci = (*ParseBucket)(chainbck, CAchain);
356 NOTIFY(nci <<
" certificates found parsing bucket");
359 pdots(
"Chain reorder: ", (rorc != -1));
362 int verc = CAchain->
Verify(ecod);
363 pdots(
"Chain verify: ", verc);
365 pdots(
"creating new X509Chain", 0);
371 pline(
"Testing GSI chain import and verification");
// Same pattern as line 353.
// NOTE(review): GSIchain is dereferenced before the null test on line 376.
375 while (jCA) { GSIchain->
PushBack(xCA[--jCA]); }
376 if (ParseBucket && GSIchain) {
377 int nci = (*ParseBucket)(chainbck, GSIchain);
378 NOTIFY(nci <<
" certificates found parsing bucket");
// GSI verification takes an options structure (vopt) in addition to the error
// code; how vopt is filled is in the elided lines.
382 int verc = GSIchain->
Verify(ecod, &vopt);
383 pdots(
"GSI chain verify: ", verc);
387 pdots(
"Creating new gsiX509Chain", 0);
393 pline(
"Testing GSI chain copy");
400 int verc = GSInew->
Verify(ecod, &vopt);
401 if (!verc)
NOTIFY(
"GSI chain copy verify ERROR: "<<GSInew->
LastError());
402 pdots(
"GSI chain verify: ", verc);
405 pdots(
"Creating new gsiX509Chain with copy", 0);
411 pline(
"Testing Cert verification");
// Checks the end-entity certificate against each loaded CA; a CA that
// verifies it is remembered in xCAref.
417 ok = xEE->
Verify(xCA[jCA]);
418 NOTIFY(
": verify cert: EE signed by CA? " <<ok<<
" ("<<xCA[jCA]->Subject()<<
")");
419 if (ok) xCAref = xCA[jCA];
422 pdots(
"verify cert: EE signed by CA", (xCAref ? 1 : 0));
424 pdots(
"verify cert: PX signed by EE", ok);
// Negative check: the proxy is expected to be signed by the end-entity
// certificate, so a direct verification against any CA must fail. refok
// records whether any CA accepted it, and the step passes only when none did.
428 ok = xPX->
Verify(xCA[jCA]);
429 NOTIFY(
": verify cert: PX signed by CA? " <<ok<<
" ("<<xCA[jCA]->Subject()<<
")");
430 if (!refok && ok) refok = 1;
433 pdots(
"verify cert: PX not signed by CA", !refok);
435 pdots(
"Attaching to X509VerifyCert", 0);
442 pline(
"Testing request creation");
447 pdots(
"Creating request", 1);
450 pdots(
"Creating request", 0);
456 pline(
"Testing request signature");
464 pdots(
"Check proxyCertInfo extension", extok);
466 pdots(
"Signing request", 0);
472 pline(
"Testing export of signed proxy");
// Writes the signed proxy chain to the file named by PPXcert.
// NOTE(review): the output is credential material; confirm that the writer
// creates the file with owner-only permissions. Neither the file mode nor the
// way PPXcert is built is visible in this listing.
481 if (ChainToFile && PXchain) {
483 NOTIFY(
": problems saving signed proxy chain to file: "<<
PPXcert);
484 pdots(
"Saving signed proxy chain to file", 0);
486 pdots(
"Saving signed proxy chain to file", 1);
489 pdots(
"Creating new X509Chain", 0);
495 pline(
"Testing CRL identification");
496 X509_EXTENSION *crlext = 0;
// NOTE(review): xCAref is set only when some CA verified the end-entity
// certificate (line 419); confirm the elided line 497 guards against a null
// xCAref before this dereference.
498 if ((crlext = (X509_EXTENSION *)xCAref->
GetExtension(
"crlDistributionPoints"))) {
499 pdots(
"Check CRL distribution points extension OK", 1);
501 pdots(
"Getting extension", 0);
507 pline(
"Testing CRL loading");
511 pdots(
"Loading CA1 crl", 1);
// The CRL counts as correctly signed if at least one loaded CA verifies it.
// NOTE(review): the bound is inclusive (jCA <= nCA), so xCA[nCA] is read;
// confirm xCA holds a valid entry at index nCA whenever this loop runs. The
// size of xCA is not visible here.
513 bool crlsig = 0, xsig = 0;
514 for (jCA = 0; jCA <= nCA; jCA++) {
515 xsig = xCRL1->
Verify(xCA[jCA]);
516 NOTIFY(
": CRL signature OK? "<<xsig<<
" ("<<xCA[jCA]->Subject()<<
")");
517 if (!crlsig && xsig) crlsig = 1;
519 pdots(
"CRL signature OK", crlsig);
// Reports the revocation status for serial numbers 25 and 32; the lookups
// that set snrev are in the elided lines.
522 NOTIFY(
": SN: 25 revoked? "<<snrev);
525 NOTIFY(
": SN: 32 revoked? "<<snrev);
527 pdots(
"Loading CA1 crl", 0);
void XrdCryptoSetTrace(kXR_int32 trace)
#define cryptoTRACE_Debug
int(* XrdCryptoX509ChainToFile_t)(XrdCryptoX509Chain *, const char *)
#define gsiProxyCertInfo_OID
int(* XrdCryptoX509ParseBucket_t)(XrdSutBucket *, XrdCryptoX509Chain *)
bool(* XrdCryptoX509VerifyCert_t)(XrdCryptoX509 *c, XrdCryptoX509 *r)
XrdSutBucket *(* XrdCryptoX509ExportChain_t)(XrdCryptoX509Chain *, bool)
int(* XrdCryptoX509ParseFile_t)(const char *fname, XrdCryptoX509Chain *, const char *)
XrdCryptoX509ParseFile_t ParseFile
int main(int argc, char **argv)
static void pline(const char *t)
static XrdSysLogger Logger
XrdCryptoFactory * gCryptoFactory
static XrdSysError eDest(0,"gsitest_")
static void pdots(const char *t, bool ok=1)
void XrdSutSetTrace(kXR_int32 trace)
virtual XrdCryptoX509ParseBucket_t X509ParseBucket()
virtual XrdCryptoX509CreateProxyReq_t X509CreateProxyReq()
virtual XrdCryptoX509 * X509(const char *cf, const char *kf=0)
virtual void SetTrace(kXR_int32 trace)
virtual XrdCryptoX509ParseFile_t X509ParseFile()
virtual XrdCryptoX509CreateProxy_t X509CreateProxy()
virtual XrdCryptoX509ChainToFile_t X509ChainToFile()
virtual XrdCryptoX509Crl * X509Crl(const char *crlfile, int opt=0)
static XrdCryptoFactory * GetCryptoFactory(const char *factoryname)
virtual XrdCryptoX509SignProxyReq_t X509SignProxyReq()
virtual XrdCryptoX509ExportChain_t X509ExportChain()
virtual XrdCryptoX509VerifyCert_t X509VerifyCert()
virtual XrdCryptoRSAdata Opaque()
virtual bool Verify(EX509ChainErr &e, x509ChainVerifyOpt_t *vopt=0)
XrdCryptoX509 * End() const
void PushBack(XrdCryptoX509 *c)
const char * LastError() const
virtual bool IsRevoked(int serialnumber, int when)
virtual bool Verify(XrdCryptoX509 *ref)
virtual bool Verify(XrdCryptoX509 *ref)
virtual XrdCryptoX509data GetExtension(const char *oid)
virtual void SetPKI(XrdCryptoX509data pki)
virtual XrdCryptoRSA * PKI()
virtual const char * IssuerHash(int)
bool Verify(EX509ChainErr &e, x509ChainVerifyOpt_t *vopt=0)
const char * c_str() const
XrdSysLogger * logger(XrdSysLogger *lp=0)