/usr/include/arc/credential/CertUtil.h is in nordugrid-arc-dev 4.2.0-2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 | #ifndef __ARC_CERTUTIL_H__
#define __ARC_CERTUTIL_H__
#include <string>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/stack.h>
#include <arc/credential/Proxycertinfo.h>
namespace ArcCredential {
#define PROXYCERTINFO_V3 "1.3.6.1.4.1.3536.1.222"
#ifdef HAVE_OPENSSL_PROXY
#define PROXYCERTINFO_V4 "1.3.6.1.5.5.7.1.1400"
#else
#define PROXYCERTINFO_V4 "1.3.6.1.5.5.7.1.14"
#endif
#define PROXYCERTINFO_OPENSSL "1.3.6.1.5.5.7.1.14"
/// Certificate Types
/** \ingroup credential */
typedef enum {
/** A end entity certificate */
CERT_TYPE_EEC,
/** A CA certificate */
CERT_TYPE_CA,
/** A X.509 Proxy Certificate Profile (pre-RFC) compliant impersonation proxy */
CERT_TYPE_GSI_3_IMPERSONATION_PROXY,
/** A X.509 Proxy Certificate Profile (pre-RFC) compliant independent proxy */
CERT_TYPE_GSI_3_INDEPENDENT_PROXY,
/** A X.509 Proxy Certificate Profile (pre-RFC) compliant limited proxy */
CERT_TYPE_GSI_3_LIMITED_PROXY,
/** A X.509 Proxy Certificate Profile (pre-RFC) compliant restricted proxy */
CERT_TYPE_GSI_3_RESTRICTED_PROXY,
/** A legacy Globus impersonation proxy */
CERT_TYPE_GSI_2_PROXY,
/** A legacy Globus limited impersonation proxy */
CERT_TYPE_GSI_2_LIMITED_PROXY,
/** A X.509 Proxy Certificate Profile RFC compliant impersonation proxy; RFC inheritAll proxy */
CERT_TYPE_RFC_IMPERSONATION_PROXY,
/** A X.509 Proxy Certificate Profile RFC compliant independent proxy; RFC independent proxy */
CERT_TYPE_RFC_INDEPENDENT_PROXY,
/** A X.509 Proxy Certificate Profile RFC compliant limited proxy */
CERT_TYPE_RFC_LIMITED_PROXY,
/** A X.509 Proxy Certificate Profile RFC compliant restricted proxy */
CERT_TYPE_RFC_RESTRICTED_PROXY,
/** RFC anyLanguage proxy */
CERT_TYPE_RFC_ANYLANGUAGE_PROXY
} certType;
/** True if certificate type is one of proxy certificates */
#define CERT_IS_PROXY(cert_type) \
(cert_type == CERT_TYPE_GSI_3_IMPERSONATION_PROXY || \
cert_type == CERT_TYPE_GSI_3_INDEPENDENT_PROXY || \
cert_type == CERT_TYPE_GSI_3_LIMITED_PROXY || \
cert_type == CERT_TYPE_GSI_3_RESTRICTED_PROXY || \
cert_type == CERT_TYPE_RFC_IMPERSONATION_PROXY || \
cert_type == CERT_TYPE_RFC_INDEPENDENT_PROXY || \
cert_type == CERT_TYPE_RFC_LIMITED_PROXY || \
cert_type == CERT_TYPE_RFC_RESTRICTED_PROXY || \
cert_type == CERT_TYPE_RFC_ANYLANGUAGE_PROXY || \
cert_type == CERT_TYPE_GSI_2_PROXY || \
cert_type == CERT_TYPE_GSI_2_LIMITED_PROXY)
/** True if certificate type is one of standard proxy certificates */
#define CERT_IS_RFC_PROXY(cert_type) \
(cert_type == CERT_TYPE_RFC_IMPERSONATION_PROXY || \
cert_type == CERT_TYPE_RFC_INDEPENDENT_PROXY || \
cert_type == CERT_TYPE_RFC_LIMITED_PROXY || \
cert_type == CERT_TYPE_RFC_RESTRICTED_PROXY || \
cert_type == CERT_TYPE_RFC_ANYLANGUAGE_PROXY)
/** True if certificate type is one of Globus newer proxy certificates */
#define CERT_IS_GSI_3_PROXY(cert_type) \
(cert_type == CERT_TYPE_GSI_3_IMPERSONATION_PROXY || \
cert_type == CERT_TYPE_GSI_3_INDEPENDENT_PROXY || \
cert_type == CERT_TYPE_GSI_3_LIMITED_PROXY || \
cert_type == CERT_TYPE_GSI_3_RESTRICTED_PROXY)
/** True if certificate type is one of Globus older proxy certificates */
#define CERT_IS_GSI_2_PROXY(cert_type) \
(cert_type == CERT_TYPE_GSI_2_PROXY || \
cert_type == CERT_TYPE_GSI_2_LIMITED_PROXY)
#define CERT_IS_INDEPENDENT_PROXY(cert_type) \
(cert_type == CERT_TYPE_RFC_INDEPENDENT_PROXY || \
cert_type == CERT_TYPE_GSI_3_INDEPENDENT_PROXY)
#define CERT_IS_RESTRICTED_PROXY(cert_type) \
(cert_type == CERT_TYPE_RFC_RESTRICTED_PROXY || \
cert_type == CERT_TYPE_GSI_3_RESTRICTED_PROXY)
#define CERT_IS_LIMITED_PROXY(cert_type) \
(cert_type == CERT_TYPE_RFC_LIMITED_PROXY || \
cert_type == CERT_TYPE_GSI_3_LIMITED_PROXY || \
cert_type == CERT_TYPE_GSI_2_LIMITED_PROXY)
#define CERT_IS_IMPERSONATION_PROXY(cert_type) \
(cert_type == CERT_TYPE_RFC_IMPERSONATION_PROXY || \
cert_type == CERT_TYPE_RFC_LIMITED_PROXY || \
cert_type == CERT_TYPE_GSI_3_IMPERSONATION_PROXY || \
cert_type == CERT_TYPE_GSI_3_LIMITED_PROXY || \
cert_type == CERT_TYPE_GSI_2_PROXY || \
cert_type == CERT_TYPE_GSI_2_LIMITED_PROXY)
/* VERIFY_CTX_STORE_EX_DATA_IDX here could be temporal solution.
* OpenSSL >= 098 has get_proxy_auth_ex_data_idx() which is
* specific for proxy extention.
*/
#define VERIFY_CTX_STORE_EX_DATA_IDX 1
/// Struct representing a certificate verification context.
typedef struct {
X509_STORE_CTX * cert_store;
int cert_depth;
int proxy_depth;
int max_proxy_depth;
int limited_proxy;
certType cert_type;
STACK_OF(X509) * cert_chain; /* X509 */
std::string ca_dir;
std::string ca_file;
std::string proxy_policy; /* The policy attached to proxy cert info extension*/
} cert_verify_context;
int verify_cert_chain(X509* cert, STACK_OF(X509)** certchain, cert_verify_context* vctx);
bool check_cert_type(X509* cert, certType& type);
const char* certTypeToString(certType type);
}
#endif // __ARC_CERTUTIL_H__
|