From a16c82958a43401e577c4ce1265ae4173df2c4f5 Mon Sep 17 00:00:00 2001 From: Gerardo Ganis Date: Mon, 17 Apr 2023 18:30:54 +0200 Subject: [PATCH 1/2] Remove unused header --- src/XrdCrypto/XrdCryptosslgsiAux.hh | 102 ---------------------------- src/XrdHeaders.cmake | 1 - src/XrdUtils.cmake | 2 +- 3 files changed, 1 insertion(+), 104 deletions(-) delete mode 100644 src/XrdCrypto/XrdCryptosslgsiAux.hh diff --git a/src/XrdCrypto/XrdCryptosslgsiAux.hh b/src/XrdCrypto/XrdCryptosslgsiAux.hh deleted file mode 100644 index aac394370e3..00000000000 --- a/src/XrdCrypto/XrdCryptosslgsiAux.hh +++ /dev/null @@ -1,102 +0,0 @@ -#ifndef __CRYPTO_SSLGSIAUX_H__ -#define __CRYPTO_SSLGSIAUX_H__ -/******************************************************************************/ -/* */ -/* X r d C r y p t o s s l g s i A u x . h h */ -/* */ -/* (c) 2005, G. Ganis / CERN */ -/* */ -/* This file is part of the XRootD software suite. */ -/* */ -/* XRootD is free software: you can redistribute it and/or modify it under */ -/* the terms of the GNU Lesser General Public License as published by the */ -/* Free Software Foundation, either version 3 of the License, or (at your */ -/* option) any later version. */ -/* */ -/* XRootD is distributed in the hope that it will be useful, but WITHOUT */ -/* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or */ -/* FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public */ -/* License for more details. */ -/* */ -/* You should have received a copy of the GNU Lesser General Public License */ -/* along with XRootD in a file called COPYING.LESSER (LGPL license) and file */ -/* COPYING (GPL license). If not, see . */ -/* */ -/* The copyright holder's institutional names and contributor's names may not */ -/* be used to endorse or promote products derived from this software without */ -/* specific prior written permission of the institution or contributor. */ -/* */ -/******************************************************************************/ - -/* ************************************************************************** */ -/* */ -/* GSI utility functions */ -/* */ -/* ************************************************************************** */ -#include "XrdCrypto/XrdCryptosslgsiX509Chain.hh" -#include "XrdCrypto/XrdCryptoX509Req.hh" -#include "XrdCrypto/XrdCryptoRSA.hh" -#include "XrdOuc/XrdOucString.hh" - -// The OID of the extension -#define gsiProxyCertInfo_OLD_OID "1.3.6.1.4.1.3536.1.222" -#define gsiProxyCertInfo_OID "1.3.6.1.5.5.7.1.14" - -// -// Function to check presence of a proxyCertInfo and retrieve the path length -// constraint. Written following RFC3820 and examples in openssl-/crypto -// source code. Extracts the policy field but ignores it contents. -bool XrdSslgsiProxyCertInfo(const void *ext, int &pathlen, bool *haspolicy = 0); -void XrdSslgsiSetPathLenConstraint(void *ext, int pathlen); - -// -// Proxies -// -typedef struct { - int bits; // Number of bits in the RSA key [512] - int valid; // Duration validity in secs [43200 (12 hours)] - int depthlen; // Maximum depth of the path of proxy certificates - // that can signed by this proxy certificates - // [-1 (== unlimited)] -} XrdProxyOpt_t; -// -// Create proxy certificates -int XrdSslgsiX509CreateProxy(const char *, const char *, XrdProxyOpt_t *, - XrdCryptosslgsiX509Chain *, XrdCryptoRSA **, const char *); -// -// Create a proxy certificate request -int XrdSslgsiX509CreateProxyReq(XrdCryptoX509 *, - XrdCryptoX509Req **, XrdCryptoRSA **); -// -// Sign a proxy certificate request -int XrdSslgsiX509SignProxyReq(XrdCryptoX509 *, XrdCryptoRSA *, - XrdCryptoX509Req *, XrdCryptoX509 **); -// -// Dump extensions -int XrdSslgsiX509DumpExtensions(XrdCryptoX509 *); -// -// Get VOMS attributes, if any -int XrdSslgsiX509GetVOMSAttr(XrdCryptoX509 *, XrdOucString &); -// -// Check GSI 3 proxy info extension -int XrdSslgsiX509CheckProxy3(XrdCryptoX509 *, XrdOucString &); - -/******************************************************************************/ -/* E r r o r s i n P r o x y M a n i p u l a t i o n s */ -/******************************************************************************/ -#define kErrPX_Error 1 // Generic error condition -#define kErrPX_BadEECfile 2 // Absent or bad EEC cert or key file -#define kErrPX_BadEECkey 3 // Inconsistent EEC key -#define kErrPX_ExpiredEEC 4 // EEC is expired -#define kErrPX_NoResources 5 // Unable to create new objects -#define kErrPX_SetAttribute 6 // Unable to set a certificate attribute -#define kErrPX_SetPathDepth 7 // Unable to set path depth -#define kErrPX_Signing 8 // Problems signing -#define kErrPX_GenerateKey 9 // Problem generating the RSA key -#define kErrPX_ProxyFile 10 // Problem creating / updating proxy file -#define kErrPX_BadNames 11 // Names in certificates are bad -#define kErrPX_BadSerial 12 // Problems resolving serial number -#define kErrPX_BadExtension 13 // Problems with the extensions - -#endif - diff --git a/src/XrdHeaders.cmake b/src/XrdHeaders.cmake index ee1db07411a..0570d07b7b2 100644 --- a/src/XrdHeaders.cmake +++ b/src/XrdHeaders.cmake @@ -175,7 +175,6 @@ if( NOT XRDCL_ONLY ) XrdCrypto/XrdCryptoX509Crl.hh XrdCrypto/XrdCryptoX509Req.hh XrdCrypto/XrdCryptoRSA.hh - XrdCrypto/XrdCryptosslgsiAux.hh XrdSut/XrdSutAux.hh XrdSut/XrdSutBucket.hh diff --git a/src/XrdUtils.cmake b/src/XrdUtils.cmake index 05b4146d92b..025b800f295 100644 --- a/src/XrdUtils.cmake +++ b/src/XrdUtils.cmake @@ -83,7 +83,7 @@ set ( XrdCryptoSources XrdCrypto/XrdCryptoX509Chain.cc XrdCrypto/XrdCryptoX509Chain.hh XrdCrypto/XrdCryptosslRSA.cc XrdCrypto/XrdCryptosslRSA.hh XrdCrypto/XrdCryptoRSA.cc XrdCrypto/XrdCryptoRSA.hh - XrdCrypto/XrdCryptosslgsiAux.cc XrdCrypto/XrdCryptosslgsiAux.hh + XrdCrypto/XrdCryptosslgsiAux.cc XrdCrypto/XrdCryptosslX509Req.cc XrdCrypto/XrdCryptosslX509Req.hh XrdCrypto/XrdCryptoX509Req.cc XrdCrypto/XrdCryptoX509Req.hh XrdCrypto/XrdCryptoAux.cc XrdCrypto/XrdCryptoAux.hh From 73fe6ddc60a062838ef49c31ce50820920a3be95 Mon Sep 17 00:00:00 2001 From: Gerardo Ganis Date: Mon, 17 Apr 2023 18:33:45 +0200 Subject: [PATCH 2/2] Use consistently SHA-256 for signatures (fix for issue #1992) --- src/XrdCrypto/XrdCryptosslgsiAux.cc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/XrdCrypto/XrdCryptosslgsiAux.cc b/src/XrdCrypto/XrdCryptosslgsiAux.cc index 09edd44229d..cef86cb1f0f 100644 --- a/src/XrdCrypto/XrdCryptosslgsiAux.cc +++ b/src/XrdCrypto/XrdCryptosslgsiAux.cc @@ -455,7 +455,7 @@ int XrdCryptosslX509CreateProxy(const char *fnc, const char *fnk, } // // Sign the request - if (!(X509_REQ_sign(preq, ekPX, EVP_sha1()))) { + if (!(X509_REQ_sign(preq, ekPX, EVP_sha256()))) { PRINT("problems signing the request"); return -kErrPX_Signing; } @@ -549,7 +549,7 @@ int XrdCryptosslX509CreateProxy(const char *fnc, const char *fnk, // // Sign the certificate - if (!(X509_sign(xPX, ekEEC, EVP_sha1()))) { + if (!(X509_sign(xPX, ekEEC, EVP_sha256()))) { PRINT("problems signing the certificate"); return -kErrPX_Signing; } @@ -851,7 +851,7 @@ int XrdCryptosslX509CreateProxyReq(XrdCryptoX509 *xcpi, } // // Sign the request - if (!(X509_REQ_sign(xro, ekro, EVP_sha1()))) { + if (!(X509_REQ_sign(xro, ekro, EVP_sha256()))) { PRINT("problems signing the request"); return -kErrPX_Signing; } @@ -1155,7 +1155,7 @@ int XrdCryptosslX509SignProxyReq(XrdCryptoX509 *xcpi, XrdCryptoRSA *kcpi, // // Sign the certificate - if (!(X509_sign(xpo, ekpi, EVP_sha1()))) { + if (!(X509_sign(xpo, ekpi, EVP_sha256()))) { PRINT("problems signing the certificate"); return -kErrPX_Signing; }