Overhaul curl's usage of CAs.

src/XrdCrypto/XrdCryptosslAux.cc

@@ -298,7 +298,7 @@ XrdSutBucket *XrdCryptosslX509ExportChain(XrdCryptoX509Chain *chain,
 }
 
 //____________________________________________________________________________
-int XrdCryptosslX509ToFile(XrdCryptoX509 *x509, FILE *file)
+int XrdCryptosslX509ToFile(XrdCryptoX509 *x509, FILE *file, const char *fname)
 {
    // Dump a single X509 certificate to a file in PEM format.
    EPNAME("X509ChainToFile");
@@ -310,7 +310,7 @@ int XrdCryptosslX509ToFile(XrdCryptoX509 *x509, FILE *file)
    }
 
    if (PEM_write_X509(file, (X509 *)x509->Opaque()) != 1) {
-      DEBUG("error while writing certificate");
+      DEBUG("error while writing certificate " << fname);
       return -1;
    }
 
@@ -465,14 +465,15 @@ int XrdCryptosslX509ParseFile(const char *fname,
       return 0;
    }
 
-   auto retval = XrdCryptosslX509ParseFile(fcer, chain);
+   auto retval = XrdCryptosslX509ParseFile(fcer, chain, fname);
    fclose(fcer);
    return retval;
 }
 
 //____________________________________________________________________________
 int XrdCryptosslX509ParseFile(FILE *fcer,
-                              XrdCryptoX509Chain *chain)
+                              XrdCryptoX509Chain *chain,
+                              const char *fname)
 {
    // Parse content of file 'fname' and add X509 certificates to
    // chain (which must be initialized by the caller).
@@ -516,9 +517,9 @@ int XrdCryptosslX509ParseFile(FILE *fcer,
       rewind(fcer);
       RSA  *rsap = 0;
       if (!PEM_read_RSAPrivateKey(fcer, &rsap, 0, 0)) {
-         DEBUG("no RSA private key found in file");
+         DEBUG("no RSA private key found in file " << fname);
       } else {
-         DEBUG("found a RSA private key in file");
+         DEBUG("found a RSA private key in file " << fname);
          // We need to complete the key: we save it temporarly
          // to a bio and check all the private keys of the
          // loaded certificates 

src/XrdCrypto/XrdCryptosslAux.hh

@@ -59,12 +59,12 @@ bool XrdCryptosslX509VerifyChain(XrdCryptoX509Chain *chain, int &errcode);
 XrdSutBucket *XrdCryptosslX509ExportChain(XrdCryptoX509Chain *c, bool key = 0);
 // chain export to file (proxy file creation)
 int XrdCryptosslX509ChainToFile(XrdCryptoX509Chain *c, const char *fn);
-// export single certificate to file
-extern "C" int XrdCryptosslX509ToFile(XrdCryptoX509 *x509, FILE *file);
+// export single certificate to file; fname is solely for debug message purposes
+extern "C" int XrdCryptosslX509ToFile(XrdCryptoX509 *x509, FILE *file, const char *fname);
 // certificates from file parsing
 int XrdCryptosslX509ParseFile(const char *fname, XrdCryptoX509Chain *c);
-// certificates from FILE object
-extern "C" int XrdCryptosslX509ParseFile(FILE *file, XrdCryptoX509Chain *c);
+// certificates from FILE object; fname is solely for debug message purposes
+extern "C" int XrdCryptosslX509ParseFile(FILE *file, XrdCryptoX509Chain *c, const char *fname);
 // certificates from bucket parsing
 int XrdCryptosslX509ParseBucket(XrdSutBucket *b, XrdCryptoX509Chain *c);
 // certificates from STACK_OF(X509*)

src/XrdSys/XrdSysFD.hh

@@ -151,6 +151,10 @@ inline int  XrdSysFD_Socketpair(int domain, int type, int protocol, int sfd[2])
                  }
 #endif
 
+// openat is part of POSIX.1-2008; in Linux, BSD, and Solaris
+inline int  XrdSysFD_Openat(int dirfd, const char *pathname, int flags)
+                 {return openat(dirfd, pathname, flags | O_CLOEXEC);}
+
 inline bool XrdSysFD_Yield(int fd)
                   {int fdFlags = fcntl(fd, F_GETFD);
                    if (fdFlags < 0) return false;

src/XrdTpc/XrdTpcNSSSupport.cc

@@ -37,6 +37,7 @@
 #include <curl/curl.h>
 
 #include "XrdSys/XrdSysError.hh"
+#include "XrdSys/XrdSysFD.hh"
 #include "XrdSys/XrdSysPlugin.hh"
 #include "XrdCrypto/XrdCryptoX509Chain.hh"
 #include "XrdCrypto/XrdCryptosslAux.hh"
@@ -82,7 +83,7 @@ class CASet {
     const int m_output_fd;
 
     decltype(&XrdCryptosslX509ToFile) m_x509_to_file_func;
-    int (*m_file_to_x509_func)(FILE *file, XrdCryptoX509Chain *c);
+    int (*m_file_to_x509_func)(FILE *file, XrdCryptoX509Chain *c, const char *fname);
 };
 
 
@@ -92,7 +93,7 @@ CASet::processFile(file_smart_ptr &fp, const std::string &fname)
     XrdCryptoX509Chain chain;
     // Not checking return value here; function returns `0` on error and
     // if no certificate is found.
-    (*m_file_to_x509_func)(fp.get(), &chain);
+    (*m_file_to_x509_func)(fp.get(), &chain, fname.c_str());
 
     auto ca = chain.Begin();
     // Note we purposely leak the outputfp here; we are just borrowing the handle.
@@ -115,7 +116,7 @@ CASet::processFile(file_smart_ptr &fp, const std::string &fname)
         //m_log.Emsg("CAset", "New CA with hash", fname.c_str(), hash_ptr);
         m_known_cas.insert(hash_ptr);
 
-        if ((*m_x509_to_file_func)(ca, outputfp)) {
+        if ((*m_x509_to_file_func)(ca, outputfp, fname.c_str())) {
             m_log.Emsg("CAset", "Failed to write out CA", fname.c_str());
             return false;
         }
@@ -197,7 +198,7 @@ XrdTpcNSSSupport::Maintenance()
     }
     CASet builder(new_file->getFD(), m_log, m_x509_to_file_func, m_file_to_x509_func);
 
-    int fddir = open(m_ca_dir.c_str(), O_DIRECTORY);
+    int fddir = XrdSysFD_Open(m_ca_dir.c_str(), O_DIRECTORY);
     if (fddir < 0) {
         m_log.Emsg("XrdTpc", "Failed to open the CA directory", m_ca_dir.c_str());
         return false;
@@ -214,7 +215,7 @@ XrdTpcNSSSupport::Maintenance()
         //m_log.Emsg("Will parse file for CA certificates", result->d_name);
         if (result->d_type != DT_REG && result->d_type != DT_LNK) {continue;}
         if (result->d_name[0] == '.') {continue;}
-        int fd = openat(fddir, result->d_name, O_RDONLY);
+        int fd = XrdSysFD_Openat(fddir, result->d_name, O_RDONLY);
         if (fd < 0) {
             m_log.Emsg("XrdTpc", "Failed to open certificate file", result->d_name, strerror(errno));
             closedir(dirp);