Merge branch 'master' into openssl-1.1

docs/PreReleaseNotes.txt

@@ -8,7 +8,10 @@ Prerelease Notes
 + **New Features**
 
 + **Major bug fixes**
+  * **[XrdCrypto]** Improved determination of X509 certificate type, including proxy version
 
 + **Minor bug fixes**
 
 + **Miscellaneous**
+  * **[XrdSecgsi]** Re-activate xrdgsitest
+  * **[RPM]** Include xrdgsitest in xrootd-client-devel package.

docs/man/xrdgsitest.1

@@ -0,0 +1,173 @@
+.TH xrdgsitest 1 "__VERSION__"
+.SH NAME
+xrdgsitest - test crypto functionality relevant for the GSI implementation
+.SH SYNOPSIS
+.nf
+
+\fBxrdgsitest\fR [\fB-h\fR, \fB--help\fR] [\fB-v\fR, \fB--verbose\fR]
+.fi
+.br
+.ad l
+.SH DESCRIPTION
+The \fBxrdgsitest\fR utility runs a few tests of the crypto functionality implemented in XrdCrypto relevant
+for the XrdSecgsi module, i.e. handling of certificates, proxies, chains, verification and similar actions.
+.br
+.SH OPTIONS
+.B -h, --help
+display help
+.TP
+.B -v, --verbose
+Print very detailed information about the tests.
+
+.SH FILES
+The program needs access to a user certificate file and its private key, and the related CA file(s); the CRL
+is downloaded using the information found in the CA certificate. 
+The location of the files are the standard ones and they can modified by the standard environment variables:
+.TP 3
+X509_USER_CERT  [$HOME/.globus/usercert.pem]       user certificate
+.TP 3
+X509_USER_KEY   [$HOME/.globus/userkey.pem]        user private key
+.TP 3
+X509_USER_PROXY [/tmp/x509up_u<uid>]               user proxy
+.TP 3
+X509_CERT_DIR   [/etc/grid-security/certificates/] CA certificates and CRL directories
+.SH OUTPUT
+The output is a list of PASSED/FAILED test similar to
+.TP
+$ xrdgsitest
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Crypto functionality tests for GSI ----------------------------------------------
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Loading EEC .............................................................  PASSED
+.br
+|| Loading User Proxy ......................................................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Recreate the proxy certificate --------------------------------------------------
+.br
+Enter PEM pass phrase:
+.br
+|| Recreating User Proxy ...................................................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Load CA certificates ------------------------------------------------------------
+.br
+|| Loading CA certificate ..................................................  PASSED
+.br
+|| Loading CA certificate ..................................................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Testing ParseFile ---------------------------------------------------------------
+.br
+|| Chain reorder:  .........................................................  PASSED
+.br
+|| Chain verify:  ..........................................................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Testing ExportChain -------------------------------------------------------------
+.br
+|| Attach to X509ExportChain ...............................................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Testing Chain Import ------------------------------------------------------------
+.br
+|| Chain reorder:  .........................................................  PASSED
+.br
+|| Chain verify:  ..........................................................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Testing GSI chain import and verification ---------------------------------------
+.br
+|| GSI chain verify:  ......................................................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Testing GSI chain copy ----------------------------------------------------------
+.br
+|| GSI chain verify:  ......................................................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Testing Cert verification -------------------------------------------------------
+.br
+|| verify cert: EE signed by CA ............................................  PASSED
+.br
+|| verify cert: PX signed by EE ............................................  PASSED
+.br
+|| verify cert: PX not signed by CA ........................................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Testing request creation --------------------------------------------------------
+.br
+|| Creating request ........................................................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Testing request signature -------------------------------------------------------
+.br
+|| Check proxyCertInfo extension ...........................................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Testing export of signed proxy --------------------------------------------------
+.br
+|| Saving signed proxy chain to file .......................................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Testing CRL identification ------------------------------------------------------
+.br
+|| Check CRL distribution points extension OK ..............................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+.br
+|| Testing CRL loading -------------------------------------------------------------
+.br
+--2016-12-12 19:31:36--  http://cafiles.cern.ch/cafiles/crl/CERN%20Root%20Certification%20Authority%202.crl
+.br
+Resolving cafiles.cern.ch (cafiles.cern.ch)... 137.138.4.52, 2001:1458:201:96::100:26
+.br
+Connecting to cafiles.cern.ch (cafiles.cern.ch)|137.138.4.52|:80... connected.
+.br
+HTTP request sent, awaiting response... 200 OK
+.br
+Length: 1097 (1.1K) [application/pkix-crl]
+.br
+Saving to: ‘/tmp/5168735f.0.crltmp’
+.br
+
+.br
+/tmp/5168735f.0.crltmp                100%[========================================================================>]   1.07K  --.-KB/s    in 0s      
+.br
+
+.br
+2016-12-12 19:31:36 (383 MB/s) - ‘/tmp/5168735f.0.crltmp’ saved [1097/1097]
+.br
+
+.br
+|| Loading CA1 crl .........................................................  PASSED
+.br
+|| CRL signature OK ........................................................  PASSED
+.br
+|| ---------------------------------------------------------------------------------
+
+.TP
+The result of each test can be interleaved with details when the verbose option is chosen.
+.SH LICENSE
+License terms can be displayed by typing "\fBxrootd -H\fR".
+.SH SUPPORT LEVEL
+The \fBxrdgsitest\fR command is supported by the xrootd collaboration.
+Contact information can be found at
+.ce
+http://xrootd.org/contact.html

packaging/rhel/xrootd.spec.in

@@ -696,6 +696,7 @@ fi
 
 %files client-devel
 %defattr(-,root,root,-)
+%{_bindir}/xrdgsitest
 %{_includedir}/xrootd/XrdCl
 %{_includedir}/xrootd/XrdClient
 %{_includedir}/xrootd/XrdPosix
@@ -749,6 +750,7 @@ fi
 %{_mandir}/man1/xrdcp-old.1*
 %{_mandir}/man1/xrdfs.1*
 %{_mandir}/man1/xrdgsiproxy.1*
+%{_mandir}/man1/xrdgsitest.1*
 %{_mandir}/man1/xrdstagetool.1*
 
 %files fuse
@@ -831,6 +833,9 @@ fi
 # Changelog
 #-------------------------------------------------------------------------------
 %changelog
+* Tue Dec 13 2016 Gerardo Ganis <gerardo.ganis@cern.ch>
+- Add xrdgsitest to xrootd-client-devel
+
 * Mon Mar 16 2015 Lukasz Janyst <ljanyst@cern.ch>
 - create the python package
 

src/XrdCrypto/XrdCryptoFactory.cc

@@ -355,6 +355,15 @@ XrdCryptoX509SignProxyReq_t XrdCryptoFactory::X509SignProxyReq()
    return 0;
 }
 
+//______________________________________________________________________________
+XrdCryptoX509CheckProxy3_t XrdCryptoFactory::X509CheckProxy3()
+{
+   // Check consistency of a GSI 3 compliant proxy
+
+   ABSTRACTMETHOD("XrdCryptoFactory::X509CheckProxy3");
+   return 0;
+}
+
 //______________________________________________________________________________
 XrdCryptoX509GetVOMSAttr_t XrdCryptoFactory::X509GetVOMSAttr()
 {

src/XrdCrypto/XrdCryptoFactory.hh

@@ -106,6 +106,9 @@ typedef int (*XrdCryptoX509CreateProxyReq_t)(XrdCryptoX509 *,
 // sign a proxy certificate request
 typedef int (*XrdCryptoX509SignProxyReq_t)(XrdCryptoX509 *, XrdCryptoRSA *,
                                            XrdCryptoX509Req *, XrdCryptoX509 **);
+// check consistency of a GSI 3 compliant proxy
+typedef int (*XrdCryptoX509CheckProxy3_t)(XrdCryptoX509 *, XrdOucString &);
+
 // get VOMS attributes
 typedef int (*XrdCryptoX509GetVOMSAttr_t)(XrdCryptoX509 *, XrdOucString &);
 
@@ -178,6 +181,7 @@ public:
    virtual XrdCryptoX509CreateProxy_t X509CreateProxy();
    virtual XrdCryptoX509CreateProxyReq_t X509CreateProxyReq();
    virtual XrdCryptoX509SignProxyReq_t X509SignProxyReq();
+   virtual XrdCryptoX509CheckProxy3_t X509CheckProxy3();
    virtual XrdCryptoX509GetVOMSAttr_t X509GetVOMSAttr();
 
    // Equality operator

src/XrdCrypto/XrdCryptoX509.cc

@@ -246,7 +246,7 @@ bool XrdCryptoX509::Verify(XrdCryptoX509 *)
 }
 
 //_____________________________________________________________________________
-int XrdCryptoX509::DumpExtensions()
+int XrdCryptoX509::DumpExtensions(bool)
 {
    // Dump extensions, if any
    ABSTRACTMETHOD("XrdCryptoX509::DumpExtensions");

src/XrdCrypto/XrdCryptoX509.hh

@@ -75,11 +75,12 @@ public:
 
    // Dump information
    virtual void Dump();
-   virtual int DumpExtensions(); // extensions
+   virtual int DumpExtensions(bool = 0); // extensions
 
    const char *Type(EX509Type t = kUnknown) const
                  { return ((t == kUnknown) ? ctype[type+1] : ctype[t+1]); }
    virtual const char *ParentFile();
+   virtual const char *ProxyType() const { return ""; }
 
    // Key strength
    virtual int BitStrength();

src/XrdCrypto/XrdCryptoX509Chain.cc

@@ -56,7 +56,10 @@ static const char *X509ChainErrStr[] = {
    "extension not found",                // 9
    "signature verification failed",      // 10
    "issuer had no signing rights",       // 11
-   "CA issued by another CA"             // 12
+   "CA issued by another CA",            // 12
+   "invalid or missing EEC",             // 13
+   "too many EEC",                       // 14
+   "invalid proxy"                       // 15
 };
 
 //___________________________________________________________________________

src/XrdCrypto/XrdCryptoX509Chain.hh

@@ -92,7 +92,8 @@ public:
    enum EX509ChainErr { kNone = 0, kInconsistent, kTooMany, kNoCA,
                         kNoCertificate, kInvalidType, kInvalidNames,
                         kRevoked, kExpired, kMissingExtension,
-                        kVerifyFail, kInvalidSign, kCANotAutoSigned };
+                        kVerifyFail, kInvalidSign, kCANotAutoSigned,
+                        kNoEEC, kTooManyEEC, kInvalidProxy };
 
    // In case or error
    const char         *X509ChainError(EX509ChainErr e);

src/XrdCrypto/XrdCryptogsiX509Chain.cc

@@ -101,20 +101,49 @@ bool XrdCryptogsiX509Chain::Verify(EX509ChainErr &errcode, x509ChainVerifyOpt_t
    if (plen > -1)
       plen -= 1;
    //
-   // Check the end-point entity (or sub-CA) certificate
-   while (node->Next() && strcmp(node->Next()->Cert()->Type(), "Proxy")) {
+   // Check sub-CA's certificate, if any
+   while (node->Next() && node->Next()->Cert()->type == XrdCryptoX509::kCA) {
       xsig = xcer;
       node = node->Next();
       xcer = node->Cert();
-      if (!XrdCryptoX509Chain::Verify(errcode, "EEC or sub-CA: ",
-                                      XrdCryptoX509::kUnknown,
+      if (!XrdCryptoX509Chain::Verify(errcode, "Sub-CA: ",
+                                      XrdCryptoX509::kCA,
                                       when, xcer, xsig, crl))
          return 0;
       //
       // Update the max path depth len
       if (plen > -1)
          plen -= 1;
    }
+   //
+   // Check the end-point entity certificate
+   if (node->Next() && node->Next()->Cert()->type != XrdCryptoX509::kEEC) {
+      errcode = kNoEEC;
+      lastError = X509ChainError(errcode);
+      return 0;
+   }
+
+   //
+   // Check the end-point entity certificate
+   xsig = xcer;
+   node = node->Next();
+   xcer = node->Cert();
+   if (!XrdCryptoX509Chain::Verify(errcode, "EEC: ",
+                                   XrdCryptoX509::kUnknown,
+                                   when, xcer, xsig, crl))
+      return 0;
+   //
+   // Update the max path depth len
+   if (plen > -1)
+      plen -= 1;
+
+   //
+   // Only one end-point entity certificate
+   if (node->Next() && node->Next()->Cert()->type == XrdCryptoX509::kEEC) {
+      errcode = kTooManyEEC;
+      lastError = X509ChainError(errcode);
+      return 0;
+   }
 
    //
    // There are proxy certificates
@@ -125,6 +154,14 @@ bool XrdCryptogsiX509Chain::Verify(EX509ChainErr &errcode, x509ChainVerifyOpt_t
       // Attache to certificate
       xcer = node->Cert();
 
+      //
+      // Must be a recognized proxy certificate
+      if (xcer && xcer->type != XrdCryptoX509::kProxy) {
+         errcode = kInvalidProxy;
+         lastError = X509ChainError(errcode);
+         return 0;
+      }
+
       // Proxy subject name must follow some rules
       if (!SubjectOK(errcode, xcer))
          return 0;
@@ -164,7 +201,6 @@ bool XrdCryptogsiX509Chain::Verify(EX509ChainErr &errcode, x509ChainVerifyOpt_t
    return 1;
 }
 
-
 //___________________________________________________________________________
 bool XrdCryptogsiX509Chain::SubjectOK(EX509ChainErr &errcode, XrdCryptoX509 *xcer)
 {

src/XrdCrypto/XrdCryptosslAux.hh

@@ -83,6 +83,8 @@ int XrdCryptosslX509CreateProxyReq(XrdCryptoX509 *,
 // Sign a proxy certificate request
 int XrdCryptosslX509SignProxyReq(XrdCryptoX509 *, XrdCryptoRSA *,
                               XrdCryptoX509Req *, XrdCryptoX509 **);
+// Check a proxy certificate GSI 3
+int XrdCryptosslX509CheckProxy3(XrdCryptoX509 *, XrdOucString &);
 // Get VOMS attributes, if any
 int XrdCryptosslX509GetVOMSAttr(XrdCryptoX509 *, XrdOucString &);
 

src/XrdCrypto/XrdCryptosslFactory.cc

@@ -499,6 +499,14 @@ XrdCryptoX509SignProxyReq_t XrdCryptosslFactory::X509SignProxyReq()
    return &XrdCryptosslX509SignProxyReq;
 }
 
+//______________________________________________________________________________
+XrdCryptoX509CheckProxy3_t XrdCryptosslFactory::X509CheckProxy3()
+{
+   // Check consistency of a GSI 3 compliant proxy
+
+   return &XrdCryptosslX509CheckProxy3;
+}
+
 //______________________________________________________________________________
 XrdCryptoX509GetVOMSAttr_t XrdCryptosslFactory::X509GetVOMSAttr()
 {

src/XrdCrypto/XrdCryptosslFactory.hh

@@ -103,6 +103,7 @@ public:
    XrdCryptoX509CreateProxy_t X509CreateProxy();
    XrdCryptoX509CreateProxyReq_t X509CreateProxyReq();
    XrdCryptoX509SignProxyReq_t X509SignProxyReq();
+   XrdCryptoX509CheckProxy3_t X509CheckProxy3();
    XrdCryptoX509GetVOMSAttr_t X509GetVOMSAttr();
 
    // Required SSL mutexes.