secgsi: improve verification of certificate chains

In particular detection of invalid proxy certificates;
(in accordance to RFC 3820 and RFC 3821).

src/XrdCrypto/XrdCryptoX509Chain.cc

@@ -56,7 +56,10 @@ static const char *X509ChainErrStr[] = {
    "extension not found",                // 9
    "signature verification failed",      // 10
    "issuer had no signing rights",       // 11
-   "CA issued by another CA"             // 12
+   "CA issued by another CA",            // 12
+   "invalid or missing EEC",             // 13
+   "too many EEC",                       // 14
+   "invalid proxy"                       // 15
 };
 
 //___________________________________________________________________________

src/XrdCrypto/XrdCryptoX509Chain.hh

@@ -92,7 +92,8 @@ public:
    enum EX509ChainErr { kNone = 0, kInconsistent, kTooMany, kNoCA,
                         kNoCertificate, kInvalidType, kInvalidNames,
                         kRevoked, kExpired, kMissingExtension,
-                        kVerifyFail, kInvalidSign, kCANotAutoSigned };
+                        kVerifyFail, kInvalidSign, kCANotAutoSigned,
+                        kNoEEC, kTooManyEEC, kInvalidProxy };
 
    // In case or error
    const char         *X509ChainError(EX509ChainErr e);

src/XrdCrypto/XrdCryptogsiX509Chain.cc

@@ -101,20 +101,49 @@ bool XrdCryptogsiX509Chain::Verify(EX509ChainErr &errcode, x509ChainVerifyOpt_t
    if (plen > -1)
       plen -= 1;
    //
-   // Check the end-point entity (or sub-CA) certificate
-   while (node->Next() && strcmp(node->Next()->Cert()->Type(), "Proxy")) {
+   // Check sub-CA's certificate, if any
+   while (node->Next() && node->Next()->Cert()->type == XrdCryptoX509::kCA) {
       xsig = xcer;
       node = node->Next();
       xcer = node->Cert();
-      if (!XrdCryptoX509Chain::Verify(errcode, "EEC or sub-CA: ",
-                                      XrdCryptoX509::kUnknown,
+      if (!XrdCryptoX509Chain::Verify(errcode, "Sub-CA: ",
+                                      XrdCryptoX509::kCA,
                                       when, xcer, xsig, crl))
          return 0;
       //
       // Update the max path depth len
       if (plen > -1)
          plen -= 1;
    }
+   //
+   // Check the end-point entity certificate
+   if (node->Next() && node->Next()->Cert()->type != XrdCryptoX509::kEEC) {
+      errcode = kNoEEC;
+      lastError = X509ChainError(errcode);
+      return 0;
+   }
+
+   //
+   // Check the end-point entity certificate
+   xsig = xcer;
+   node = node->Next();
+   xcer = node->Cert();
+   if (!XrdCryptoX509Chain::Verify(errcode, "EEC: ",
+                                   XrdCryptoX509::kUnknown,
+                                   when, xcer, xsig, crl))
+      return 0;
+   //
+   // Update the max path depth len
+   if (plen > -1)
+      plen -= 1;
+
+   //
+   // Only one end-point entity certificate
+   if (node->Next() && node->Next()->Cert()->type == XrdCryptoX509::kEEC) {
+      errcode = kTooManyEEC;
+      lastError = X509ChainError(errcode);
+      return 0;
+   }
 
    //
    // There are proxy certificates
@@ -125,6 +154,14 @@ bool XrdCryptogsiX509Chain::Verify(EX509ChainErr &errcode, x509ChainVerifyOpt_t
       // Attache to certificate
       xcer = node->Cert();
 
+      //
+      // Must be a recognized proxy certificate
+      if (xcer && xcer->type != XrdCryptoX509::kProxy) {
+         errcode = kInvalidProxy;
+         lastError = X509ChainError(errcode);
+         return 0;
+      }
+
       // Proxy subject name must follow some rules
       if (!SubjectOK(errcode, xcer))
          return 0;
@@ -163,7 +200,6 @@ bool XrdCryptogsiX509Chain::Verify(EX509ChainErr &errcode, x509ChainVerifyOpt_t
    return 1;
 }
 
-
 //___________________________________________________________________________
 bool XrdCryptogsiX509Chain::SubjectOK(EX509ChainErr &errcode, XrdCryptoX509 *xcer)
 {