/**
* Copyright (c) Members of the EGEE Collaboration. 2004-2010.
* See http://www.eu-egee.org/partners/ for details on the copyright
* holders.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*
* Authors:
* 2004-
* Oscar Koeroo <okoeroo@nikhef.nl>
* NIKHEF Amsterdam, the Netherlands
* <grid-mw-security@nikhef.nl>
*
*/
#define _GNU_SOURCE
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/x509_vfy.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/rsa.h>
#include <openssl/evp.h>
#include <openssl/bio.h>
#include <openssl/des.h>
#include <openssl/rand.h>
#include <openssl/buffer.h>
#include <openssl/objects.h>
#include <openssl/asn1.h>
#define L_ERROR 0 /* errors */
#define L_WARN  1 /* all unusual */
#define L_INFO  2 /* all status changes etc. */
#define L_DEBUG 3 /* all, including trace */

/* Current verbosity; a message is emitted only if msg_level <= log_level. */
int log_level = 1;
/* Path of the proxy file under examination (set from the command line). */
char *fileName = NULL;

/* Logging helpers. Both take a printf-style format; the format attribute lets
 * the compiler check the argument list, so a subject DN or file name can never
 * be passed as the format string by mistake. */
#if defined(__GNUC__)
#define PRINTF_FMT(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_FMT(f, a)
#endif
void Log(int msg_level, const char *msg, ...) PRINTF_FMT(2, 3);
void Error(const char *operation, const char *msg, ...) PRINTF_FMT(3, 4);
void print_usage(void);
/// Convert an ASN.1 time string (UTCTime "YYMMDDHHMMSSZ" or
/// GeneralizedTime "YYYYMMDDHHMMSSZ") held in a char buffer to a time_t
/**
 * Use ASN1_STRING_data() (ASN1_STRING_get0_data() from OpenSSL 1.1.0 on) to
 * obtain the char * from an ASN1_GENERALIZEDTIME or ASN1_UTCTIME if
 * necessary. len is the length of that buffer; the string is not assumed to
 * be NUL-terminated.
 */
time_t grid_asn1TimeToTimeT(char *asn1time, size_t len);
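The declaration above only names the conversion. The parser below is an added example, not the header's or the grid proxy tool's own code, showing what a strict implementation of that conversion has to do: accept exactly the two forms RFC 5280 allows in certificates, apply the UTCTime century pivot (00-49 is 20xx, 50-99 is 19xx), reject non-digits, a missing trailing 'Z', impossible calendar dates and out-of-range fields, and compute UTC seconds without timegm() or the local time zone. The function names asn1_time_to_time_t and days_from_civil and the inputs in main() are assumptions chosen for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Days between 1970-01-01 and a proleptic-Gregorian date (Howard Hinnant's
 * days_from_civil). Portable, and never consults the local time zone, which
 * matters because certificate validity is always expressed in UTC. */
static long long days_from_civil(long long y, int m, int d)
{
    long long era, yoe, mp, doy, doe;
    y -= m <= 2;
    era = (y >= 0 ? y : y - 399) / 400;
    yoe = y - era * 400;
    mp  = m > 2 ? m - 3 : m + 9;
    doy = (153 * mp + 2) / 5 + d - 1;
    doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Parse exactly two ASCII digits at p into *out; 0 if either is not a digit. */
static int two_digits(const char *p, int *out)
{
    if (p[0] < '0' || p[0] > '9' || p[1] < '0' || p[1] > '9')
        return 0;
    *out = (p[0] - '0') * 10 + (p[1] - '0');
    return 1;
}

/* Convert ASN.1 UTCTime ("YYMMDDHHMMSSZ", 13 chars) or GeneralizedTime
 * ("YYYYMMDDHHMMSSZ", 15 chars) to UTC seconds since the epoch.
 * Returns (time_t)-1 on malformed input. Fractional seconds and explicit
 * UTC offsets, which RFC 5280 forbids in certificates, are rejected by the
 * length check alone. The buffer need not be NUL-terminated. */
time_t asn1_time_to_time_t(const char *s, size_t len)
{
    static const int mdays[] = {31,28,31,30,31,30,31,31,30,31,30,31};
    int year, mon, day, hour, min, sec, leap;
    size_t pos;

    if (len == 15) {                      /* GeneralizedTime: four-digit year */
        int hi, lo;
        if (!two_digits(s, &hi) || !two_digits(s + 2, &lo))
            return (time_t)-1;
        year = hi * 100 + lo;
        pos = 4;
    } else if (len == 13) {               /* UTCTime: two-digit year */
        int yy;
        if (!two_digits(s, &yy))
            return (time_t)-1;
        /* RFC 5280 4.1.2.5.1: 00-49 mean 2000-2049, 50-99 mean 1950-1999 */
        year = yy < 50 ? 2000 + yy : 1900 + yy;
        pos = 2;
    } else {
        return (time_t)-1;
    }
    if (!two_digits(s + pos,     &mon)  || !two_digits(s + pos + 2, &day) ||
        !two_digits(s + pos + 4, &hour) || !two_digits(s + pos + 6, &min) ||
        !two_digits(s + pos + 8, &sec)  || s[pos + 10] != 'Z')
        return (time_t)-1;

    /* Range checks: a certificate carrying an impossible date is malformed,
     * and silently normalising it (as mktime() would) could move a notAfter
     * into the future. */
    leap = (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
    if (mon < 1 || mon > 12 || day < 1 ||
        day > mdays[mon - 1] + (mon == 2 && leap) ||
        hour > 23 || min > 59 || sec > 59)
        return (time_t)-1;

    return (time_t)(days_from_civil(year, mon, day) * 86400LL +
                    hour * 3600LL + min * 60LL + sec);
}

int main(void)
{
    /* Constructed sample inputs, not taken from a real certificate. */
    const char *ok_gt = "20100928143000Z";   /* 2010-09-28 14:30:00 UTC */
    const char *ok_ut = "100928143000Z";     /* same instant as UTCTime */
    const char *bad   = "20100931143000Z";   /* 31 September does not exist */
    printf("%lld %lld %lld\n",
           (long long)asn1_time_to_time_t(ok_gt, 15),
           (long long)asn1_time_to_time_t(ok_ut, 13),
           (long long)asn1_time_to_time_t(bad, 15));
    return 0;
}
```

The length switch is what enforces the RFC 5280 profile: anything with fractional seconds, a "+hhmm" offset, or a stray NUL-terminator counted into len is simply not 13 or 15 bytes long and is rejected before any field is read.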
/// Check whether cert can act as a CA, i.e. sign standard X.509 certificates
/**
 * Return 1 if true; 0 if not.
 * Note that a GSI end-entity certificate that is not a CA may still issue
 * proxies; that case is handled by the proxy checks below, not here.
 */
int grid_x509IsCA(X509 *cert);

/// PEM pass phrase callback that never prompts
/**
 * Has the pem_password_cb signature (buf, size, rwflag, userdata) so it can
 * be handed to PEM_read_PrivateKey(). A proxy's private key is stored
 * unencrypted and protected only by file permissions, so an interactive
 * prompt would just hang non-interactive use.
 */
int grid_X509_empty_callback(char *buf, int buf_size, int verify, void *cb_tmp);
/* id-pe-proxyCertInfo as assigned in RFC 3820 */
#define PROXYCERTINFO_OID     "1.3.6.1.5.5.7.1.14"
/* pre-RFC proxyCertInfo OID from the Globus enterprise arc; old proxies
 * still carry this one, so both must be recognised */
#define OLD_PROXYCERTINFO_OID "1.3.6.1.4.1.3536.1.222"

/// Check that every critical extension in cert is one this tool understands
/**
 * RFC 5280 section 4.2 requires a certificate with an unrecognised critical
 * extension to be rejected; the two proxyCertInfo OIDs above count as
 * recognised. Returns 0 (X509_V_OK) when all critical extensions are known,
 * otherwise a non-zero X509_V_ERR_* code.
 */
unsigned long grid_X509_knownCriticalExts(X509 *cert);
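The two OID defines and the grid_X509_knownCriticalExts declaration describe the rule but not the mechanics. The code below is an added example, not the header's or the grid proxy tool's own code, and it does not use OpenSSL so that it runs stand-alone: it decodes a DER OBJECT IDENTIFIER into dotted form (rejecting truncated and non-minimal encodings), then applies the RFC 5280 rule over a list of extensions, rejecting any critical extension whose OID is not on the known list while ignoring unknown non-critical ones. The known list (basicConstraints, keyUsage and the two proxyCertInfo OIDs), the struct ext layout, the function names and the sample extension sets are all assumptions constructed for the illustration; the real tool's list may differ.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decode the content octets of a DER OBJECT IDENTIFIER (what follows the
 * 0x06 tag and length) into dotted-decimal text. Returns 0 on success, -1 if
 * the encoding is malformed: empty, a sub-identifier cut off mid-arc, a
 * non-minimal 0x80-padded arc, an arc too large for unsigned long, or an
 * output buffer that is too small. */
int der_oid_to_text(const unsigned char *p, size_t len, char *out, size_t outlen)
{
    size_t pos = 0, used = 0;
    int first = 1;

    if (len == 0 || outlen == 0) return -1;
    while (pos < len) {
        unsigned long arc = 0;
        int done = 0, n;

        if (p[pos] == 0x80) return -1;               /* leading 0x80 is not minimal */
        while (pos < len) {
            if (arc > (ULONG_MAX >> 7)) return -1;   /* next shift would overflow */
            arc = (arc << 7) | (p[pos] & 0x7fU);
            done = (p[pos] & 0x80) == 0;             /* clear high bit ends the arc */
            pos++;
            if (done) break;
        }
        if (!done) return -1;                        /* input ended mid-arc */

        if (first) {
            /* the first sub-identifier packs two arcs as 40*a + b */
            unsigned long a = arc < 80 ? arc / 40 : 2;
            n = snprintf(out + used, outlen - used, "%lu.%lu", a, arc - 40 * a);
            first = 0;
        } else {
            n = snprintf(out + used, outlen - used, ".%lu", arc);
        }
        if (n < 0 || (size_t)n >= outlen - used) return -1;
        used += (size_t)n;
    }
    return 0;
}

/* Critical extensions this checker understands (assumed list). Anything
 * critical and not listed here must cause rejection (RFC 5280 section 4.2). */
static const char *const known_critical_oids[] = {
    "2.5.29.19",              /* basicConstraints */
    "2.5.29.15",              /* keyUsage */
    "1.3.6.1.5.5.7.1.14",     /* id-pe-proxyCertInfo, RFC 3820 */
    "1.3.6.1.4.1.3536.1.222", /* pre-RFC proxyCertInfo */
};

/* One extension as it looks after DER parsing: raw OID content octets plus
 * the critical flag. The extension value is irrelevant to this check. */
struct ext {
    const unsigned char *oid;
    size_t oid_len;
    int critical;
};

/* Return 0 if every critical extension is known; 1 if some critical
 * extension is unknown or its OID does not even decode. Non-critical
 * extensions are skipped: RFC 5280 says they may be ignored if unrecognised. */
int check_critical_exts(const struct ext *exts, size_t n)
{
    size_t i, k;
    for (i = 0; i < n; i++) {
        char text[64];
        int known = 0;
        if (!exts[i].critical) continue;
        if (der_oid_to_text(exts[i].oid, exts[i].oid_len, text, sizeof text) != 0)
            return 1;                                /* undecodable critical OID */
        for (k = 0; k < sizeof known_critical_oids / sizeof *known_critical_oids; k++)
            if (strcmp(text, known_critical_oids[k]) == 0) { known = 1; break; }
        if (!known) return 1;
    }
    return 0;
}

/* Constructed OID encodings (DER content octets), not from a real certificate. */
static const unsigned char OID_PCI[]     = {0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x0E};
static const unsigned char OID_OLD_PCI[] = {0x2B,0x06,0x01,0x04,0x01,0x9B,0x50,0x01,0x81,0x5E};
static const unsigned char OID_BC[]      = {0x55,0x1D,0x13};   /* basicConstraints */
static const unsigned char OID_SAN[]     = {0x55,0x1D,0x11};   /* subjectAltName */
static const unsigned char OID_TRUNC[]   = {0x2B,0x06,0x81};   /* last arc unfinished */

/* A plausible RFC 3820 proxy: critical basicConstraints and proxyCertInfo,
 * plus a non-critical extension the checker knows nothing about. Accepted. */
int demo_proxy_accepted(void)
{
    const struct ext e[] = {
        {OID_BC,  sizeof OID_BC,  1},
        {OID_PCI, sizeof OID_PCI, 1},
        {OID_SAN, sizeof OID_SAN, 0},
    };
    return check_critical_exts(e, 3);
}

/* Same chain but subjectAltName marked critical: unknown critical, rejected. */
int demo_unknown_critical(void)
{
    const struct ext e[] = {
        {OID_OLD_PCI, sizeof OID_OLD_PCI, 1},
        {OID_SAN,     sizeof OID_SAN,     1},
    };
    return check_critical_exts(e, 2);
}

/* A critical extension whose OID is truncated must also be rejected. */
int demo_malformed_critical(void)
{
    const struct ext e[] = { {OID_TRUNC, sizeof OID_TRUNC, 1} };
    return check_critical_exts(e, 1);
}

int main(void)
{
    char text[64];
    der_oid_to_text(OID_OLD_PCI, sizeof OID_OLD_PCI, text, sizeof text);
    printf("old proxyCertInfo OID decodes to %s\n", text);
    printf("accepted=%d unknown=%d malformed=%d\n",
           demo_proxy_accepted(), demo_unknown_critical(), demo_malformed_critical());
    return 0;
}
```

The ordering matters: the OID is decoded and checked before anything about the extension value is looked at, so a malformed or unknown critical extension can never be "handled" by falling through to a value parser that ignores it.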
/// Read a proxy file: the certificate chain into *certstack (proxy first,
/// then the user certificate and any intermediate proxies) and the private
/// key into *pkey. Returns 0 on success, non-zero otherwise.
unsigned long grid_readProxy(char *filename, STACK_OF(X509) **certstack, EVP_PKEY **pkey);
#if OPENSSL_VERSION_NUMBER < 0x00908000L
/* In OpenSSL releases before 0.9.8 the default issuer check rejects an issuer
 * that is not a CA, which is exactly the situation in a GSI proxy chain
 * (a user's end-entity certificate signs its proxies). We replace the
 * default callback with this wrapper, which discards those errors for proxy
 * chains and leaves every other error in place. */
int grid_X509_check_issued_wrapper(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
#endif
/// Apply the proxy-specific rules to the chain in certstack.
/// Returns 0 when the chain is acceptable, otherwise a non-zero error code.
unsigned long grid_verifyProxy(STACK_OF(X509) *certstack);
/* Verify callback installed on the X509_STORE_CTX during path validation. */
static int grid_X509_verify_callback(int ok, X509_STORE_CTX *ctx);
/// Load the trust anchors from CA_DIR and run X.509 path validation over
/// certstack. Returns 0 on success, otherwise a non-zero error code.
unsigned long grid_verifyCert(char *CA_DIR, STACK_OF(X509) *certstack);
/// Check that pkey is the private key belonging to the first certificate in
/// certstack (the proxy's own certificate), so a proxy file whose key and
/// certificate do not match is rejected. Returns 0 on success.
unsigned long grid_verifyPrivateKey(STACK_OF(X509) *certstack, EVP_PKEY *pkey);