[XrdCrypto][XrdHttp] Extract DN from user (proxy, multi-proxy) certif…

…icate and properly handle the gridmap-file functionality when accessing through HTTP Conflicts: src/XrdHttp/XrdHttpProtocol.cc src/XrdHttp/XrdHttpProtocol.hh
xrootd · Jul 2, 2020 · e003bba · e003bba
1 parent f972b52
commit e003bba
Show file tree

Hide file tree

Showing 11 changed files with 307 additions and 186 deletions.
diff --git a/src/XrdCrypto/XrdCryptoFactory.cc b/src/XrdCrypto/XrdCryptoFactory.cc
@@ -314,6 +314,16 @@ XrdCryptoX509ParseFile_t XrdCryptoFactory::X509ParseFile()
    return 0;
 }
 
+//______________________________________________________________________________
+XrdCryptoX509ParseStack_t XrdCryptoFactory::X509ParseStack()
+{
+   // Return an instance of an implementation of a function
+   // to parse a stack supposed to contain for X509 certificates.
+
+   ABSTRACTMETHOD("XrdCryptoFactory::X509ParseStack");
+   return 0;
+}
+
 //______________________________________________________________________________
 XrdCryptoX509ParseBucket_t XrdCryptoFactory::X509ParseBucket()
 {

diff --git a/src/XrdCrypto/XrdCryptoFactory.hh b/src/XrdCrypto/XrdCryptoFactory.hh
@@ -55,6 +55,7 @@ class XrdCryptoX509Chain;
 class XrdCryptogsiX509Chain;
 class XrdCryptoX509Crl;
 class XrdCryptoX509Req;
+class XrdTlsPeerCerts;
 
 //
 // Prototypes for some Utility Functions
@@ -79,6 +80,11 @@ typedef int (*XrdCryptoX509ChainToFile_t)(XrdCryptoX509Chain *, const char *);
 // certificates from file parsing
 typedef int (*XrdCryptoX509ParseFile_t)(const char *fname,
                                         XrdCryptoX509Chain *);
+
+// certificates from STACK_OF(X509*)
+typedef int (*XrdCryptoX509ParseStack_t)(void* ssl_conn,
+                                         XrdCryptoX509Chain *c);
+
 // certificates from bucket parsing
 typedef int (*XrdCryptoX509ParseBucket_t)(XrdSutBucket *,
                                           XrdCryptoX509Chain *);
@@ -173,6 +179,7 @@ public:
    virtual XrdCryptoX509VerifyCert_t X509VerifyCert();
    virtual XrdCryptoX509VerifyChain_t X509VerifyChain();
    virtual XrdCryptoX509ParseFile_t X509ParseFile();
+   virtual XrdCryptoX509ParseStack_t X509ParseStack();
    virtual XrdCryptoX509ParseBucket_t X509ParseBucket();
    virtual XrdCryptoX509ExportChain_t X509ExportChain();
    virtual XrdCryptoX509ChainToFile_t X509ChainToFile();

diff --git a/src/XrdCrypto/XrdCryptoX509Chain.cc b/src/XrdCrypto/XrdCryptoX509Chain.cc
@@ -308,6 +308,8 @@ void XrdCryptoX509Chain::PushBack(XrdCryptoX509 *c)
          end->SetNext(nc);
       end = nc;
       size++;
+   } else if (c) {
+      delete c;
    }
 
    // Search for the effective CA (the last one, in case of subCAs)

diff --git a/src/XrdCrypto/XrdCryptosslAux.cc b/src/XrdCrypto/XrdCryptosslAux.cc
@@ -43,6 +43,7 @@
 #include "XrdCrypto/XrdCryptosslX509.hh"
 #include "XrdCrypto/XrdCryptosslTrace.hh"
 #include <openssl/pem.h>
+#include <openssl/ssl.h>
 
 // Error code from verification set by verify callback function
 static int gErrVerifyChain = 0;
@@ -376,6 +377,65 @@ int XrdCryptosslX509ChainToFile(XrdCryptoX509Chain *ch, const char *fn)
    return 0;
 }
 
+//______________________________________________________________________________
+int XrdCryptosslX509ParseStack(void* ssl_conn, XrdCryptoX509Chain *chain)
+{
+   EPNAME("X509ParseStack");
+   SSL* ssl = (SSL*) ssl_conn;
+   int nci = 0;
+   // Make sure we got a chain where to add the certificates
+   if (!chain) {
+      DEBUG("chain undefined: can do nothing");
+      return nci;
+   }
+
+   STACK_OF(X509) *st_x509 = SSL_get_peer_cert_chain(ssl);
+   // NOTE: SSL_get_peer_certificate increments the refcount;
+   // we must free it or pass along ownership.
+   X509 *peer_cert = SSL_get_peer_certificate(ssl);
+
+   if (peer_cert) {
+     XrdCryptoX509 *c = new XrdCryptosslX509(peer_cert);
+
+     if (c) {
+       chain->PushBack(c);
+       nci ++;
+     } else {
+       X509_free(peer_cert);
+     }
+   }
+
+   if (!st_x509) {
+     return nci;
+   }
+
+   for (int i=0; i < sk_X509_num(st_x509); i++) {
+      X509 *cert = sk_X509_value(st_x509, i);
+      XrdCryptoX509 *c = new XrdCryptosslX509(cert);
+
+      if (c) {
+         // The SSL_get_peer_chain method does not increment the
+         // refcount; the XrdCryptoX509 object assumes it owns
+         // the X509* but also does not increment the refcount.
+         // Hence, we increment manually.
+#if OPENSSL_VERSION_NUMBER < 0x010100000L
+         CRYPTO_add(&(cert->references), 1, CRYPTO_LOCK_X509);
+#else
+         X509_up_ref(cert);
+#endif
+         chain->PushBack(c);
+      } else {
+         X509_free(cert);
+         DEBUG("could not create certificate: memory exhausted?");
+         chain->Reorder();
+         return nci;
+      }
+      nci ++;
+   }
+   chain->Reorder();
+   return nci;
+}
+
 //____________________________________________________________________________
 int XrdCryptosslX509ParseFile(const char *fname,
                               XrdCryptoX509Chain *chain)

diff --git a/src/XrdCrypto/XrdCryptosslAux.hh b/src/XrdCrypto/XrdCryptosslAux.hh
@@ -41,6 +41,9 @@
 
 #define kSslKDFunDefLen  24
 
+//! Froward declaration
+class XrdTlsPeerCerts;
+
 //
 // Password-Based Key Derivation Function 2, specified in PKCS #5
 //
@@ -60,6 +63,8 @@ int XrdCryptosslX509ChainToFile(XrdCryptoX509Chain *c, const char *fn);
 int XrdCryptosslX509ParseFile(const char *fname, XrdCryptoX509Chain *c);
 // certificates from bucket parsing
 int XrdCryptosslX509ParseBucket(XrdSutBucket *b, XrdCryptoX509Chain *c);
+// certificates from STACK_OF(X509*)
+int XrdCryptosslX509ParseStack(void* ssl, XrdCryptoX509Chain *chain);
 //
 // Function to convert from ASN1 time format into UTC since Epoch (Jan 1, 1970) 
 time_t XrdCryptosslASN1toUTC(const ASN1_TIME *tsn1);

diff --git a/src/XrdCrypto/XrdCryptosslFactory.cc b/src/XrdCrypto/XrdCryptosslFactory.cc
@@ -477,6 +477,15 @@ XrdCryptoX509ParseFile_t XrdCryptosslFactory::X509ParseFile()
    return &XrdCryptosslX509ParseFile;
 }
 
+//______________________________________________________________________________
+XrdCryptoX509ParseStack_t XrdCryptosslFactory::X509ParseStack()
+{
+   // Return an instance of an implementation of a function
+   // to parse a file supposed to contain for X509 certificates.
+
+   return &XrdCryptosslX509ParseStack;
+}
+
 //______________________________________________________________________________
 XrdCryptoX509ParseBucket_t XrdCryptosslFactory::X509ParseBucket()
 {

diff --git a/src/XrdCrypto/XrdCryptosslFactory.hh b/src/XrdCrypto/XrdCryptosslFactory.hh
@@ -95,6 +95,7 @@ public:
    XrdCryptoX509VerifyCert_t X509VerifyCert();
    XrdCryptoX509VerifyChain_t X509VerifyChain();
    XrdCryptoX509ParseFile_t X509ParseFile();
+   XrdCryptoX509ParseStack_t X509ParseStack();
    XrdCryptoX509ParseBucket_t X509ParseBucket();
    XrdCryptoX509ExportChain_t X509ExportChain();
    XrdCryptoX509ChainToFile_t X509ChainToFile();

diff --git a/src/XrdHttp.cmake b/src/XrdHttp.cmake
@@ -24,6 +24,7 @@ if( BUILD_HTTP )
     ${LIB_XRD_HTTP_UTILS}
     SHARED
     XrdHttp/XrdHttpProtocol.cc    XrdHttp/XrdHttpProtocol.hh
+    XrdHttp/XrdHttpSecurity.cc
     XrdHttp/XrdHttpReq.cc         XrdHttp/XrdHttpReq.hh
                                   XrdHttp/XrdHttpSecXtractor.hh
     XrdHttp/XrdHttpExtHandler.cc  XrdHttp/XrdHttpExtHandler.hh