Functions
grst_x509.c File Reference

Functions

int GRSTx509NameCmp (char *a, char *b)
 Compare X509 Distinguished Name strings.
int GRSTx509KnownCriticalExts (X509 *cert)
 Check critical extensions.
int GRSTx509IsCA (X509 *cert)
 Check if certificate can be used as a CA to sign standard X509 certs.
int GRSTx509ChainFree (GRSTx509Chain *chain)
int GRSTx509ChainLoadCheck (GRSTx509Chain **chain, STACK_OF(X509)*certstack, X509 *lastcert, char *capath, char *vomsdir)
 Check certificate chain for GSI proxy acceptability.
int GRSTx509CheckChain (int *first_non_ca, X509_STORE_CTX *ctx)
 Check certificate chain for GSI proxy acceptability.
int GRSTx509VerifyCallback (int ok, X509_STORE_CTX *ctx)
 Example VerifyCallback routine.
int GRSTx509ParseVomsExt (int *lastcred, int maxcreds, size_t credlen, char *creds, time_t time1_time, time_t time2_time, X509_EXTENSION *ex, char *ucuserdn, char *ucissuerdn, char *ucserial, char *vomsdir)
 Get the VOMS attributes in the given extension.
int GRSTx509GetVomsCreds (int *lastcred, int maxcreds, size_t credlen, char *creds, X509 *usercert, STACK_OF(X509)*certstack, char *vomsdir)
 Get the VOMS attributes in the extensions to the given cert stack.
GRSTgaclCredGRSTx509CompactToCred (char *grst_cred)
 Turn a Compact Cred line into a GRSTgaclCred object.
int GRSTx509CompactCreds (int *lastcred, int maxcreds, size_t credlen, char *creds, STACK_OF(X509)*certstack, char *vomsdir, X509 *peercert)
 Get the credentials in an X509 cert/GSI proxy, including any VOMS.
char * GRSTx509FindProxyFileName (void)
 Find proxy file name of the current user.
int GRSTx509MakeProxyCert (char **proxychain, FILE *debugfp, char *reqtxt, char *cert, char *key, int minutes)
 Make a GSI Proxy chain from a request, certificate and private key.
char * GRSTx509CachedProxyFind (char *proxydir, char *delegation_id, char *user_dn)
 Find a proxy file in the proxy cache.
char * GRSTx509CachedProxyKeyFind (char *proxydir, char *delegation_id, char *user_dn)
 Find a temporary proxy private key file in the proxy cache.
int GRSTx509CreateProxyRequest (char **reqtxt, char **keytxt, char *ocspurl)
 Create a X.509 request for a GSI proxy and its private key.
int GRSTx509MakeProxyRequest (char **reqtxt, char *proxydir, char *delegation_id, char *user_dn)
 Make and store a X.509 request for a GSI proxy.
int GRSTx509ProxyDestroy (char *proxydir, char *delegation_id, char *user_dn)
 Destroy stored GSI proxy files.
int GRSTx509ProxyGetTimes (char *proxydir, char *delegation_id, char *user_dn, time_t *start, time_t *finish)
 Get start and finish validity times of stored GSI proxy file.
int GRSTx509StringToChain (STACK_OF(X509)**certstack, char *certstring)
 Create a stack of X509 certificate from a PEM-encoded string.
char * GRSTx509MakeDelegationID (void)
 Returns a Delegation ID based on hash of GRST_CRED_0, ...
char * GRSTx509MakeProxyFileName (char *delegation_id, STACK_OF(X509)*certstack)
 Return the short file name for the given delegation_id and user_dn.
int GRSTx509CacheProxy (char *proxydir, char *delegation_id, char *user_dn, char *proxychain)
 Store a GSI proxy chain in the proxy cache, along with the private key.

Function Documentation

char* GRSTx509CachedProxyFind ( char *  proxydir,
char *  delegation_id,
char *  user_dn 
)

Find a proxy file in the proxy cache.

Returns the full path and file name of proxy file associated with given delegation ID and user DN.

Return a pointer to a malloc'd string with the full path of the proxy file corresponding to the given delegation_id, or NULL if not found.

char* GRSTx509CachedProxyKeyFind ( char *  proxydir,
char *  delegation_id,
char *  user_dn 
)

Find a temporary proxy private key file in the proxy cache.

Returns the full path and file name of the private key file associated with given delegation ID and user DN.

Return a pointer to a malloc'd string with the full path of the private proxy key corresponding to the given delegation_id, or NULL if not found.

int GRSTx509CacheProxy ( char *  proxydir,
char *  delegation_id,
char *  user_dn,
char *  proxychain 
)

Store a GSI proxy chain in the proxy cache, along with the private key.

Returns GRST_RET_OK on success, non-zero otherwise. The existing private key with the same delegation ID and user DN is moved out of the temporary cache.

int GRSTx509ChainFree ( GRSTx509Chain chain)
int GRSTx509ChainLoadCheck ( GRSTx509Chain **  chain,
STACK_OF(X509)*  certstack,
X509 *  lastcert,
char *  capath,
char *  vomsdir 
)

Check certificate chain for GSI proxy acceptability.

Returns GRST_RET_OK if valid; OpenSSL X509 errors otherwise.

The GridSite version handles old and new style Globus proxies, and proxies derived from user certificates issued with "X509v3 Basic Constraints: CA:FALSE" (eg UK e-Science CA)

TODO: we do not yet check ProxyCertInfo and ProxyCertPolicy extensions (although via GRSTx509KnownCriticalExts() we can accept them.)

int GRSTx509CheckChain ( int first_non_ca,
X509_STORE_CTX *  ctx 
)

Check certificate chain for GSI proxy acceptability.

Returns X509_V_OK/GRST_RET_OK if valid; OpenSSL X509 errors otherwise.

Inspired by GSIcheck written by Mike Jones, SVE, Manchester Computing, The University of Manchester.

The GridSite version handles old and new style Globus proxies, and proxies derived from user certificates issued with "X509v3 Basic Constraints: CA:FALSE" (eg UK e-Science CA)

We do not check chain links between certs here: this is done by GRST_check_issued/X509_check_issued in mod_ssl's ssl_engine_init.c

TODO: we do not yet check ProxyCertInfo and ProxyCertPolicy extensions (although via GRSTx509KnownCriticalExts() we can accept them.)

int GRSTx509CompactCreds ( int lastcred,
int  maxcreds,
size_t  credlen,
char *  creds,
STACK_OF(X509)*  certstack,
char *  vomsdir,
X509 *  peercert 
)

Get the credentials in an X509 cert/GSI proxy, including any VOMS.

Credentials are placed in Compact Creds string array at *creds.

Function returns GRST_RET_OK on success, or GRST_RET_FAILED if some inconsistency found in certificate.

GRSTgaclCred* GRSTx509CompactToCred ( char *  grst_cred)

Turn a Compact Cred line into a GRSTgaclCred object.

Returns pointer to created GRSTgaclCred or NULL or failure.

int GRSTx509CreateProxyRequest ( char **  reqtxt,
char **  keytxt,
char *  ocspurl 
)

Create a X.509 request for a GSI proxy and its private key.

Returns GRST_RET_OK on success, non-zero otherwise. Request string and private key are PEM encoded strings

char* GRSTx509FindProxyFileName ( void  )

Find proxy file name of the current user.

Return a string with the proxy file name or NULL if not present. This function does not check if the proxy has expired.

int GRSTx509GetVomsCreds ( int lastcred,
int  maxcreds,
size_t  credlen,
char *  creds,
X509 *  usercert,
STACK_OF(X509)*  certstack,
char *  vomsdir 
)

Get the VOMS attributes in the extensions to the given cert stack.

Puts any VOMS credentials found into the Compact Creds string array starting at *creds. Always returns GRST_RET_OK.

int GRSTx509IsCA ( X509 *  cert)

Check if certificate can be used as a CA to sign standard X509 certs.

Return GRST_RET_OK if true; GRST_RET_FAILED if not.

int GRSTx509KnownCriticalExts ( X509 *  cert)

Check critical extensions.

Returning GRST_RET_OK if all of extensions are known to us or OpenSSL; GRST_REF_FAILED otherwise.

Since this function relies on functionality (X509_supported_extension) introduced in 0.9.7, then we do nothing and report an error (GRST_RET_FAILED) if one of the associated defines (X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) is absent.

char* GRSTx509MakeDelegationID ( void  )

Returns a Delegation ID based on hash of GRST_CRED_0, ...

Returns a malloc'd string with Delegation ID made by SHA1-hashing the values of the compact credentials exported by mod_gridsite

int GRSTx509MakeProxyCert ( char **  proxychain,
FILE *  debugfp,
char *  reqtxt,
char *  cert,
char *  key,
int  minutes 
)

Make a GSI Proxy chain from a request, certificate and private key.

The proxy chain is returned in *proxychain. If debugfp is non-NULL, errors are output to that file pointer. The proxy will expired in the given number of minutes starting from the current time.

char* GRSTx509MakeProxyFileName ( char *  delegation_id,
STACK_OF(X509)*  certstack 
)

Return the short file name for the given delegation_id and user_dn.

Returns a malloc'd string with the short file name (no paths) that derived from the hashed delegation_id and user_dn

File name is SHA1_HASH(DelegationID)+"-"+SHA1_HASH(DN) where DN is DER encoded version of user_dn with any trailing CN=proxy removed Hashes are the most significant 8 bytes, in lowercase hexadecimal.

int GRSTx509MakeProxyRequest ( char **  reqtxt,
char *  proxydir,
char *  delegation_id,
char *  user_dn 
)

Make and store a X.509 request for a GSI proxy.

Returns GRST_RET_OK on success, non-zero otherwise. Request string is PEM encoded, and the key is stored in the temporary cache under proxydir

int GRSTx509NameCmp ( char *  a,
char *  b 
)

Compare X509 Distinguished Name strings.

This function attempts to do with string representations what would ideally be done with OIDs/values. In particular, we equate "/Email=" == "/emailAddress=" to deal with this important change between OpenSSL 0.9.6 and 0.9.7. Other than that, it is currently the same as ordinary strcasecmp(3) (for consistency with EDG/LCG/EGEE gridmapdir case insensitivity.)

int GRSTx509ParseVomsExt ( int lastcred,
int  maxcreds,
size_t  credlen,
char *  creds,
time_t  time1_time,
time_t  time2_time,
X509_EXTENSION *  ex,
char *  ucuserdn,
char *  ucissuerdn,
char *  ucserial,
char *  vomsdir 
)

Get the VOMS attributes in the given extension.

Puts any VOMS credentials found into the Compact Creds string array starting at *creds. Always returns GRST_RET_OK - even for invalid credentials, which are just ignored.

int GRSTx509ProxyDestroy ( char *  proxydir,
char *  delegation_id,
char *  user_dn 
)

Destroy stored GSI proxy files.

Returns GRST_RET_OK on success, non-zero otherwise. (Including GRST_RET_NO_SUCH_FILE if the private key or cert chain were not found.)

int GRSTx509ProxyGetTimes ( char *  proxydir,
char *  delegation_id,
char *  user_dn,
time_t *  start,
time_t *  finish 
)

Get start and finish validity times of stored GSI proxy file.

Returns GRST_RET_OK on success, non-zero otherwise. (Including GRST_RET_NO_SUCH_FILE if the cert chain was not found.)

int GRSTx509StringToChain ( STACK_OF(X509)**  certstack,
char *  certstring 
)

Create a stack of X509 certificate from a PEM-encoded string.

Creates a dynamically allocated stack of X509 certificate objects by walking through the PEM-encoded X509 certificates.

Returns GRST_RET_OK on success, non-zero otherwise.

int GRSTx509VerifyCallback ( int  ok,
X509_STORE_CTX *  ctx 
)

Example VerifyCallback routine.