xrdsecgsi: fix for correct detection of legacy proxies

This is essentially PR #463 by Mattias Ellert w/ some comments and readjustments.
xrootd · Feb 21, 2017 · f9f5a15 · f9f5a15
1 parent 1c4328c
commit f9f5a15
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 5 deletions.
diff --git a/src/XrdCrypto/XrdCryptosslX509.cc b/src/XrdCrypto/XrdCryptosslX509.cc
@@ -357,12 +357,13 @@ void XrdCryptosslX509::CertType()
    if (pxyname) {
       type = kUnknown;
       if ((idx = X509_get_ext_by_NID(cert, NID_proxyCertInfo,-1)) == -1) {
+         int xcp = -1;
          XrdOucString emsg;
-         if (XrdCryptosslX509CheckProxy3(this, emsg) == 0) {
+         if ((xcp = XrdCryptosslX509CheckProxy3(this, emsg)) == 0) {
             type = kProxy;
             pxytype = 3;
             DEBUG("Found GSI 3 proxyCertInfo extension");
-         } else {
+         } else if (xcp == -1) {
             PRINT("ERROR: "<<emsg);
          }
       } else {

diff --git a/src/XrdCrypto/XrdCryptosslgsiAux.cc b/src/XrdCrypto/XrdCryptosslgsiAux.cc
@@ -1328,6 +1328,10 @@ int XrdCryptosslX509FillVOMS(XRDGSI_CONST unsigned char **pp,
 int XrdCryptosslX509CheckProxy3(XrdCryptoX509 *xcpi, XrdOucString &emsg) {
    //
    // Check GSI 3 proxy info extension
+   // Returns:  0 if found
+   //          -1 if found by invalid/not usable,
+   //          -2 if not found (likely a v2 legacy proxy)
+
    EPNAME("X509CheckProxy3");
 
    // Point to the cerificate
@@ -1360,8 +1364,7 @@ int XrdCryptosslX509CheckProxy3(XrdCryptoX509 *xcpi, XrdOucString &emsg) {
          } else {
             PRINT("WARNING: multiple proxyCertInfo extensions found: taking the first");
          }
-      }
-      else if (!strncmp(s, gsiProxyCertInfo_OLD_OID, sizeof(gsiProxyCertInfo_OLD_OID))) {
+      } else if (!strncmp(s, gsiProxyCertInfo_OLD_OID, sizeof(gsiProxyCertInfo_OLD_OID))) {
          if (ext == 0) {
             ext = xext;
             // Now get the extension
@@ -1372,9 +1375,11 @@ int XrdCryptosslX509CheckProxy3(XrdCryptoX509 *xcpi, XrdOucString &emsg) {
          }
       }
    }
+   //
+   // If the extension was not found it is probably a legacy (v2) proxy: signal it
    if (!ext) {
       emsg = "proxyCertInfo extension not found";
-      return -1;
+      return -2;
    }
    if (!pci) {
       emsg = "proxyCertInfo extension could not be deserialized";