Added support for robot certificates.

Robot certificates defined by the corresponding IGTF profile are recognized when
a chain is being parsed. A new Gridsite certificate type was added to mark the
robot in the parsed structures. When the client presents a robot certificate,
the Apache module exports a new environment variable (GRST_ROBOT_DN) containg
the corresponding subject name of the robot certificate. A simple command that
outputs information about a given chain was added.

Author: kouril

interface/gridsite.h

@@ -201,6 +201,7 @@ typedef struct { int    type;		/* CA, user, proxy, VOMS, ... */
 #define GRST_CERT_TYPE_EEC   2
 #define GRST_CERT_TYPE_PROXY 3
 #define GRST_CERT_TYPE_VOMS  4
+#define GRST_CERT_TYPE_ROBOT 5
 
 /* a chain of certs, starting from the first CA */
 typedef struct { GRSTx509Cert *firstcert; } GRSTx509Chain;

src/Makefile

@@ -198,7 +198,7 @@ grst_htcp_nossl.lo: grst_htcp.c ../interface/gridsite.h
 
 # now the binary exectuables
 
-gsexec.lo urlencode.lo gridsite-copy.lo findproxyfile.lo showx509exts.lo:
+gsexec.lo urlencode.lo gridsite-copy.lo findproxyfile.lo showx509exts.lo test-chain.lo:
 	$(COMPILE) -DVERSION=\"$(PATCH_VERSION)\" $(MYCFLAGS) \
 	    -o $@ -c $(subst .lo,.c,$@)
 
@@ -220,6 +220,9 @@ urlencode: urlencode.lo libgridsite.la
 htcp: htcp.lo libgridsite.la
 	$(LINK) -o $@ $+ $(CURL_LIBS)
 
+test-chain: test-chain.lo libgridsite.la
+	$(LINK) -o $@ $< -L. -lgridsite -static
+
 htcp-static: htcp.lo libgridsite.a
 	$(LINK) -o $@ -L. $< \
 	    -I/usr/kerberos/include \

src/canl_mod_gridsite.c

@@ -2498,6 +2498,12 @@ void GRST_save_ssl_creds(conn_rec *conn, GRSTx509Chain *grst_chain)
 
             free(encoded);
 
+            ++i;
+          }
+        else if (grst_cert->type == GRST_CERT_TYPE_ROBOT)
+          {
+            apr_table_setn(conn->notes, "GRST_ROBOT_DN", apr_pstrdup(conn->pool, grst_cert->dn));
+            /* I ignore the sslcreds cache here */
             ++i;
           }
       }
@@ -2685,7 +2691,7 @@ static int mod_gridsite_perm_handler(request_rec *r)
                 *destination_prefix = NULL, *destination_translated = NULL,
                 *aclpath = NULL, *grst_cred_valid_0 = NULL, *grst_cred_valid_i,
                 *gridauthpasscode = NULL;
-    const char  *content_type;
+    const char  *content_type, *robot;
     time_t      notbefore, notafter;
     apr_table_t *env;
     apr_finfo_t  cookiefile_info;
@@ -3269,6 +3275,10 @@ static int mod_gridsite_perm_handler(request_rec *r)
              else break;
            }
 
+        robot = apr_table_get(r->connection->notes, "GRST_ROBOT_DN");
+        if (robot)
+            apr_table_setn(env, "GRST_ROBOT_DN", robot);
+
         apr_table_setn(env, "GRST_PERM", apr_psprintf(r->pool, "%d", perm));
 
         if (((mod_gridsite_dir_cfg *) cfg)->requirepasscode == 0)

src/grst_canl_x509.c

@@ -78,12 +78,128 @@
 #define GRST_PROXYCACHE		"/../proxycache/"
 #define GRST_BACKDATE_SECONDS	300
 
+#define END_ENTITY_ROBOT_OID "1.2.840.113612.5.2.3.3.1"
+
 static int GRSTx509CreateProxyRequest_int(char **reqtxt, char **keytxt, 
         char *ocspurl, int keysize);
 static int GRSTx509MakeProxyRequest_int(char **reqtxt, char *proxydir, 
         char *delegation_id, char *user_dn, int keysize);
 static int GRSTx509ProxyKeyMatch(char **pkfile, char *pkdir, STACK_OF(X509) *certstack); 
 
+static char *
+asn1_string2string(ASN1_STRING *str)
+{
+	BIO *bio;
+	int len, ret;
+	char *result = NULL;
+
+	bio = BIO_new(BIO_s_mem());
+	if (bio == NULL)
+		return NULL;
+
+	ASN1_STRING_print_ex(bio, str, ASN1_STRFLGS_RFC2253);
+
+	len = BIO_pending(bio);
+	if (len <= 0)
+		goto end;
+
+	result = calloc(1, len + 1);
+	if (result == NULL)
+		goto end;
+
+	ret = BIO_read(bio, result, len);
+	if (ret != len) {
+		free(result);
+		result = NULL;
+		goto end;
+	}
+
+end:
+	if (bio)
+		BIO_free(bio);
+
+	return result;
+}
+
+static int
+is_robot_subject(const char *p)
+{
+	if (strlen(p) <= 6)
+		return 0;
+
+	if (strncmp(p, "Robot", 5) != 0)
+		return 0;
+
+	if (('0' <= p[5] && p[5] <= '9') ||
+		('A' <= p[5] && p[5] <= 'Z') ||
+		('a' <= p[5] && p[5] <= 'z'))
+		return 0;
+
+	return 1;
+}
+
+static int
+is_robot_certificate(X509 *cert)
+{
+	int i, ret, found;
+	char *p;
+	char buf[64];
+	X509_NAME_ENTRY *ne;
+	X509_NAME *subject;
+	ASN1_STRING *value;
+	CERTIFICATEPOLICIES *policies = NULL;
+	POLICYINFO *policy;
+
+	subject = X509_get_subject_name(cert);
+	if (subject == NULL)
+		return 0;
+
+	found = 0;
+	i = -1;
+	while ((i = X509_NAME_get_index_by_NID(subject, NID_commonName, i)) >= 0) {
+		ne = X509_NAME_get_entry(subject, i);
+		value = X509_NAME_ENTRY_get_data(ne);
+		p = asn1_string2string(value);
+		if (p == NULL)
+			continue;
+		ret = is_robot_subject(p);
+		free(p);
+		if (ret == 1) {
+			found = 1;
+			break;
+		}
+	}
+	if (!found)
+		return 0;
+
+	policies = X509_get_ext_d2i(cert, NID_certificate_policies, &i, NULL);
+	if (policies == NULL)
+		return 0;
+	found = 0;
+	for (i = 0; i < sk_POLICYINFO_num(policies); i++) {
+		policy = sk_POLICYINFO_value(policies, i);
+		memset(buf, 0, sizeof(buf));
+		OBJ_obj2txt(buf, sizeof(buf), policy->policyid, 1);
+		if (strcmp(buf, END_ENTITY_ROBOT_OID) == 0) {
+			found = 1;
+			break;
+		}
+	}
+	if (!found)
+		return 0;
+
+	return 1;
+}
+
+static GRSTx509Cert *
+add_grst_cred(GRSTx509Cert *last_cred)
+{
+	GRSTx509Cert *cert;
+
+	cert = calloc(1, sizeof(*cert));
+	return cert;
+}
+
 int
 GRSTasn1FindField(const char *oid, char *coords,
         char *asn1string,
@@ -856,24 +972,29 @@ static int GRSTx509ChainVomsAdd(GRSTx509Cert **grst_cert,
 
              if (itag > -1)
                {
-                 (*grst_cert)->next = malloc(sizeof(GRSTx509Cert));
-                 *grst_cert = (*grst_cert)->next;
-                 bzero(*grst_cert, sizeof(GRSTx509Cert));
-               
-                 (*grst_cert)->notbefore = time1_time;
-                 (*grst_cert)->notafter  = time2_time;
-                 ret = asprintf(&((*grst_cert)->value), "%.*s",
+                 GRSTx509Cert *cred;
+
+                 cred = add_grst_cred(*grst_cert);
+                 if (cred == NULL)
+                     return GRST_RET_FAILED;
+
+                 cred->notbefore = time1_time;
+                 cred->notafter  = time2_time;
+                 ret = asprintf(&cred->value, "%.*s",
                                 taglist[itag].length,
                                 &asn1string[taglist[itag].start+
                                 taglist[itag].headerlength]);
-                 if (ret == -1)
+                 if (ret == -1) {
+                     free(cred);
                      return GRST_RET_FAILED;
-                                      
-                 (*grst_cert)->errors = chain_errors; /* ie may be invalid */
-                 (*grst_cert)->type = GRST_CERT_TYPE_VOMS;
-                 (*grst_cert)->issuer = strdup(acvomsdn);
-                 (*grst_cert)->dn = strdup(user_cert->dn);
-		 (*grst_cert)->delegation = delegation;
+                 }
+                 cred->errors = chain_errors; /* ie may be invalid */
+                 cred->type = GRST_CERT_TYPE_VOMS;
+                 cred->issuer = strdup(acvomsdn);
+                 cred->dn = strdup(user_cert->dn);
+                 cred->delegation = delegation;
+                 (*grst_cert)->next = cred;
+                 (*grst_cert) = cred;
                }
              else break;
            }
@@ -906,6 +1027,7 @@ int GRSTx509ChainLoad(GRSTx509Chain **chain,
    X509_EXTENSION *ex;
    time_t now;
    GRSTx509Cert *grst_cert, *new_grst_cert, *user_cert = NULL;
+   int is_robot = 0;
 
    GRSTerrorLog(GRST_LOG_DEBUG, "GRSTx509ChainLoadCheck() starts");
 
@@ -1094,6 +1216,7 @@ int GRSTx509ChainLoad(GRSTx509Chain **chain,
                     user_cert = new_grst_cert;
                     new_grst_cert->delegation 
                        = (lastcert == NULL) ? i : i + 1;
+                    is_robot = is_robot_certificate(cert);
                   }
               } 
             else 
@@ -1170,6 +1293,18 @@ int GRSTx509ChainLoad(GRSTx509Chain **chain,
       } /* end of for loop */
 
    if (cacert != NULL) X509_free(cacert);
+
+   if (is_robot) {
+	   GRSTx509Cert *cred;
+
+	   cred = add_grst_cred(grst_cert);
+	   if (cred == NULL)
+		   return GRST_RET_FAILED;
+	   cred->type = GRST_CERT_TYPE_ROBOT;
+	   cred->dn = strdup(user_cert->dn);
+	   grst_cert->next = cred;
+	   grst_cert = cred;
+   }
 
    return GRST_RET_OK;
 }

src/test-chain.c

@@ -0,0 +1,113 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <getopt.h>
+#include <openssl/err.h>
+
+#include <gridsite.h>
+
+int main(int argc, char *argv[])
+{
+	FILE *fp = NULL;
+	int ret = 0;
+	int ptrlen, i;
+	char *ptr, *tmp, *p;
+	char c;
+	char *chain = argv[1];
+	STACK_OF(X509) *x509_certstack;
+	char *vomsdir = "/etc/grid-security/vomsdir";
+	char *capath = "/etc/grid-security/certificates";
+	GRSTx509Cert *grst_cert = NULL;
+	GRSTx509Chain *grst_chain = NULL;
+
+	fp = fopen(chain, "r");
+	if (fp == NULL) {
+		fprintf(stderr, "Failed to open %s: %s\n", chain, strerror(errno));
+		ret = 1;
+		goto end;
+	}
+
+	ptrlen = 4096;
+	ptr = malloc(ptrlen);
+	i = 0;
+	while ((c = fgetc(fp)) != EOF) {
+		ptr[i] = c;
+		++i;
+
+		if (i >= ptrlen) {
+			ptrlen += 4096;
+			tmp = realloc(ptr, ptrlen);
+			if (tmp == NULL) {
+				fprintf(stderr, "Not enough memory, exiting\n");
+				free(ptr);
+				ret = 1;
+				goto end;
+			}
+			ptr = tmp;
+		}
+	}
+	fclose(fp);
+	fp = NULL;
+	ptr[i] = '\0';
+
+	ret = GRSTx509StringToChain(&x509_certstack, ptr);
+	free(ptr);
+	if (ret != GRST_RET_OK || x509_certstack == NULL) {
+		fprintf(stderr, "Failed to parse proxy file for certificate chain\n");
+		ret = 1;
+		goto end;
+	}
+
+	ret = GRSTx509ChainLoadCheck(&grst_chain, x509_certstack, NULL,
+                                   capath, vomsdir);
+	if ((ret != GRST_RET_OK) ||
+		 (grst_chain == NULL) || (grst_chain->firstcert == NULL)) {
+			fprintf(stderr, "Failed parsing certificate chain\n");
+			ret = 1;
+			goto end;
+	}
+
+	grst_cert = grst_chain->firstcert;
+	for (i=0; grst_cert != NULL; grst_cert = grst_cert->next, ++i) {
+		if      (grst_cert->type == GRST_CERT_TYPE_CA)    p = "(CA) ";
+		else if (grst_cert->type == GRST_CERT_TYPE_EEC)   p = "(EEC) ";
+		else if (grst_cert->type == GRST_CERT_TYPE_PROXY) p = "(PC) ";
+		else if (grst_cert->type == GRST_CERT_TYPE_VOMS)  p = "(AC) ";
+		else if (grst_cert->type == GRST_CERT_TYPE_ROBOT) p = "(ROBOT) ";
+		else p = "";
+
+		printf("%d %s%s\n", i, p,
+                  (grst_cert->type == GRST_CERT_TYPE_VOMS)
+                    ? grst_cert->value : grst_cert->dn);
+
+		printf(" Status     : %d ( %s%s%s%s%s%s)\n", grst_cert->errors,
+                 (grst_cert->errors == 0) ? "OK " : "",
+                 (grst_cert->errors & GRST_CERT_BAD_FORMAT) ? "BAD_FORMAT ":"",
+                 (grst_cert->errors & GRST_CERT_BAD_CHAIN)  ? "BAD_CHAIN ":"",
+                 (grst_cert->errors & GRST_CERT_BAD_SIG)    ? "BAD_SIG ":"",
+                 (grst_cert->errors & GRST_CERT_BAD_TIME)   ? "BAD_TIME ":"",
+                 (grst_cert->errors & GRST_CERT_BAD_OCSP)   ? "BAD_OCSP ":"");
+
+		printf(" Start      : %s",   ctime(&(grst_cert->notbefore)));
+		printf(" Finish     : %s",   ctime(&(grst_cert->notafter)));
+		printf(" Delegation : %d\n", grst_cert->delegation);
+
+		if (grst_cert->type == GRST_CERT_TYPE_VOMS) {
+			printf(" User DN    : %s\n", grst_cert->dn);
+			printf(" VOMS DN    : %s\n\n", grst_cert->issuer);
+		} else {
+			printf(" Serial     : %s\n", grst_cert->serial);
+			printf(" Issuer     : %s\n\n", grst_cert->issuer);
+		}
+	}
+	GRSTx509ChainFree(grst_chain);
+
+	ret = 0;
+
+end:
+	if (fp)
+		fclose(fp);
+
+	return ret;
+}