/usr/include/arc/credential/VOMSUtil.h is in nordugrid-arc-dev 4.2.0-2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 | #ifndef __ARC_VOMSUTIL_H__
#define __ARC_VOMSUTIL_H__
#include <vector>
#include <string>
#include <arc/ArcRegex.h>
#include <arc/credential/VOMSAttribute.h>
#include <arc/credential/Credential.h>
namespace Arc {
/** \addtogroup credential
* @{ */
typedef std::vector<std::string> VOMSTrustChain;
typedef std::string VOMSTrustRegex;
/// Represents VOMS attribute part of a credential.
class VOMSACInfo {
public:
// Not all statuses are implemented
typedef enum {
Success = 0,
CAUnknown = (1<<0), // Signed by VOMS certificate of unknow CA
CertRevoked = (1<<1), // Signed by revoked VOMS certificate
LSCFailed = (1<<2), // Failed while matching VOMS attr. against LSC files
TrustFailed = (1<<2), // Failed matching VOMS attr. against specified trust list
X509ParsingFailed = (1<<3), // Failed while parsing at X509 level
ACParsingFailed = (1<<4), // Failed while parsing at AC level
InternalParsingFailed = (1<<5), // Failed while parsing internal VOMS structures
TimeValidFailed = (1<<6), // VOMS attributes are not valid yet or expired
IsCritical = (1<<7), // VOMS extension was marked as critical (unusual but not error)
ParsingError = (X509ParsingFailed | ACParsingFailed | InternalParsingFailed), // Mask to test if status represents any failure caused by failed parsing
ValidationError = (CAUnknown | CertRevoked | LSCFailed | TrustFailed | TimeValidFailed), // Mask to test if status represents any failure caused by validation rules
Error = (0xffff & ~IsCritical) // Mask to test if status represents any failure
} status_t;
std::string voname;
std::string holder;
std::string issuer;
std::string target;
std::vector<std::string> attributes;
Time from;
Time till;
//Period validity;
unsigned int status;
VOMSACInfo(void):from(-1),till(-1),status(0) { };
};
/// Stores definitions for making decision if VOMS server is trusted.
class VOMSTrustList {
private:
std::vector<VOMSTrustChain> chains_;
std::vector<RegularExpression*> regexs_;
public:
VOMSTrustList(void) { };
/** Creates chain lists and regexps from plain list.
List is made of chunks delimited by elements containing
pattern "NEXT CHAIN". Each chunk with more than one element
is converted into one instance of VOMSTrustChain. Chunks
with single element are converted to VOMSTrustChain if
element does not have special symbols. Otherwise it is
treated as regular expression. Those symbols are '^','$'
and '*'.
Trusted chains can be congicured in two ways:
one way is:
<tls:VOMSCertTrustDNChain>
<tls:VOMSCertTrustDN>/O=Grid/O=NorduGrid/CN=host/arthur.hep.lu.se</tls:VOMSCertTrustDN>
<tls:VOMSCertTrustDN>/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority</tls:VOMSCertTrustDN>
<tls:VOMSCertTrustDN>----NEXT CHAIN---</tls:VOMSCertTrustDN>
<tls:VOMSCertTrustDN>/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch</tls:VOMSCertTrustDN>
<tls:VOMSCertTrustDN>/DC=ch/DC=cern/CN=CERN Trusted Certification Authority</tls:VOMSCertTrustDN>
</tls:VOMSCertTrustDNChain>
the other way is:
<tls:VOMSCertTrustDNChain>
<tls:VOMSCertTrustDN>/O=Grid/O=NorduGrid/CN=host/arthur.hep.lu.se</tls:VOMSCertTrustDN>
<tls:VOMSCertTrustDN>/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority</tls:VOMSCertTrustDN>
</tls:VOMSCertTrustDNChain>
<tls:VOMSCertTrustDNChain>
<tls:VOMSCertTrustDN>/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch</tls:VOMSCertTrustDN>
<tls:VOMSCertTrustDN>/DC=ch/DC=cern/CN=CERN Trusted Certification Authority</tls:VOMSCertTrustDN>
</tls:VOMSCertTrustDNChain>
each chunk is supposed to contain a suit of DN of trusted
certificate chain, in which the first DN is the DN of the
certificate (cert0) which is used to sign the Attribute Certificate
(AC), the second DN is the DN of the issuer certificate(cert1)
which is used to sign cert0. So if there are one or more intermediate
issuers, then there should be 3 or more than 3 DNs in this
chunk (considering cert0 and the root certificate, plus the intermediate
certificate) .
*/
VOMSTrustList(const std::vector<std::string>& encoded_list);
/** Creates chain lists and regexps from those specified in arguments.
See AddChain() and AddRegex() for more information. */
VOMSTrustList(const std::vector<VOMSTrustChain>& chains,const std::vector<VOMSTrustRegex>& regexs);
~VOMSTrustList(void);
/** Adds chain of trusted DNs to list.
During verification each signature of AC is checked against
all stored chains. DNs of chain of certificate used for signing
AC are compared against DNs stored in these chains one by one.
If needed DN of issuer of last certificate is checked too.
Comparison succeeds if DNs in at least one stored chain are
same as those in certificate chain. Comparison stops when all DNs
in stored chain are compared. If there are more DNs in stored chain
than in certificate chain then comparison fails. Empty stored
list matches any certificate chain.
Taking into account that certificate chains are verified down
to trusted CA anyway, having more than one DN in stored
chain seems to be useless. But such feature may be found useful
by some very strict sysadmins.
??? IMO,DN list here is not only for authentication, it is also kind
of ACL, which means the AC consumer only trusts those DNs which
issues AC.
*/
VOMSTrustChain& AddChain(const VOMSTrustChain& chain);
/** Adds empty chain of trusted DNs to list. */
VOMSTrustChain& AddChain(void);
void AddElement(const std::vector<std::string>& encoded_list);
/** Adds regular expression to list.
During verification each signature of AC is checked against
all stored regular expressions. DN of signing certificate
must match at least one of stored regular expressions. */
RegularExpression& AddRegex(const VOMSTrustRegex& reg);
int SizeChains(void) const { return chains_.size(); };
int SizeRegexs(void) const { return regexs_.size(); };
const VOMSTrustChain& GetChain(int num) const { return chains_[num]; };
const RegularExpression& GetRegex(int num) const { return *(regexs_[num]); };
};
void InitVOMSAttribute(void);
/* This method is used to create an AC. It is supposed
* to be used by the voms server
* @param issuer The issuer which will be used to sign the AC, it is also
* the voms server certificate
* @param issuerstack The stack of the issuer certificates that issue the
* voms server certificate. If the voms server certificate
* is issued by a root CA (self-signed), then this param
* is empty.
* @param holder The certificate of the holder of this AC. It should be
* parsed from the peer that launches a AC query request
* @param pkey The key of the holder
* @param fqan The AC_IETFATTR. According to the definition of voms, the fqan
* will be like /Role=Employee/Group=Tester/Capability=NULL
* @param attributes The AC_FULL_ATTRIBUTES. Accoding to the definition of voms,
* the attributes will be like "qualifier::name=value"
* @param target The list of targets which are supposed to consume this AC
* @param ac The generated AC
* @param voname The vo name
* @param uri The uri of this vo, together with voname, it will be
* as the grantor of this AC
* @param lifetime The lifetime of this AC
*/
/*
int createVOMSAC(X509 *issuer, STACK_OF(X509) *issuerstack, X509 *holder,
EVP_PKEY *pkey, BIGNUM *serialnum,
std::vector<std::string> &fqan,
std::vector<std::string> &targets,
std::vector<std::string>& attributes,
ArcCredential::AC **ac, std::string voname,
std::string uri, int lifetime);
*/
/**Create AC(Attribute Certificate) with voms specific format.
* @param codedac The coded AC as output of this method
* @param issuer_cred The issuer credential which is used to sign the AC
* @param holder_cred The holder credential, the holder certificate
* is the one which carries AC
* @param fqan The AC_IETFATTR. According to the definition of voms, the fqan
* will be like /Role=Employee/Group=Tester/Capability=NULL
* @param targets The list of targets which are supposed to consume this AC
* @param attributes The AC_FULL_ATTRIBUTES. Accoding to the definition of voms,
* the attributes will be like "qualifier::name=value"
* @param voname The vo name
* @param uri The uri of this vo, together with voname, it will be
* as the granter of this AC
* @param lifetime The lifetime of this AC *
*/
bool createVOMSAC(std::string& codedac, Credential& issuer_cred,
Credential& holder_cred,
std::vector<std::string> &fqan,
std::vector<std::string> &targets,
std::vector<std::string>& attributes,
std::string &voname, std::string &uri, int lifetime);
/**Add decoded AC string into a list of AC objects
* @param aclist The list of AC objects (output)
* @param acorder The order of AC objects (output)
* @param decodedac The AC string that is decoded from the string
* returned from voms server (input)
*/
bool addVOMSAC(ArcCredential::AC** &aclist, std::string &acorder, std::string &decodedac);
/**Parse the certificate, and output the attributes.
* @param holder The proxy certificate which includes the voms
* specific formated AC.
* @param ca_cert_dir The trusted certificates which are used to
* verify the certificate which is used to sign the AC
* @param ca_cert_file The same as ca_cert_dir except it is a file
* instead of a directory. Only one of them need to be set
* @param vomsdir The directory which include *.lsc file for each vo.
* For instance, a vo called "knowarc.eu" should
* have file vomsdir/knowarc/voms.knowarc.eu.lsc which
* contains on the first line the DN of the VOMS server, and on
* the second line the corresponding CA DN:
* /O=Grid/O=NorduGrid/OU=KnowARC/CN=voms.knowarc.eu
* /O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority
* See more in : https://twiki.cern.ch/twiki/bin/view/LCG/VomsFAQforServiceManagers
* @param vomscert_trust_dn List of VOMS trust chains
* @param output The parsed attributes (Role and Generic Attribute) .
* Each attribute is stored in element of a vector as a string.
* It is up to the consumer to understand the meaning of the
* attribute.
* There are two types of attributes stored in VOMS AC:
* AC_IETFATTR, AC_FULL_ATTRIBUTES.
* The AC_IETFATTR will be like /Role=Employee/Group=Tester/Capability=NULL
* The AC_FULL_ATTRIBUTES will be like knowarc:Degree=PhD (qualifier::name=value)
* In order to make the output attribute values be identical, the voms server
* information is added as prefix of the original attributes in AC.
* for AC_FULL_ATTRIBUTES, the voname + hostname is added:
* /voname=knowarc.eu/hostname=arthur.hep.lu.se:15001//knowarc.eu/coredev:attribute1=1
* for AC_IETFATTR, the 'VO' (voname) is added:
* /VO=knowarc.eu/Group=coredev/Role=NULL/Capability=NULL
* /VO=knowarc.eu/Group=testers/Role=NULL/Capability=NULL
* some other redundant attributes is provided:
* voname=knowarc.eu/hostname=arthur.hep.lu.se:15001
* @param verify true: Verify the voms certificate is trusted based on the
* ca_cert_dir/ca_cert_file which specifies the CA certificates,
* and the vomscert_trust_dn which specifies the trusted DN chain
* from voms server certificate to CA certificate.
* false: Not verify, which means the issuer of AC (voms server
* certificate is supposed to be trusted by default).
* In this case the parameters 'ca_cert_dir',
* 'ca_cert_file' and 'vomscert_trust_dn' will not effect, and
* may be left empty.
* This case is specifically used by 'arcproxy --info' to list
* all of the attributes in AC, and not to need to verify if
* the AC's issuer is trusted.
*
* @param reportall If set to true fills output with all attributes
* including those which failed passing test procedures.
* Validity of attributes can be checked through status
* members of output items.
* Combination of verify=true and reportall=true provides
* most information.
*
*/
bool parseVOMSAC(X509* holder,
const std::string& ca_cert_dir,
const std::string& ca_cert_file,
const std::string& vomsdir,
VOMSTrustList& vomscert_trust_dn,
std::vector<VOMSACInfo>& output,
bool verify = true, bool reportall = false);
/**Parse the certificate. Similar to above one, but collects information
From all certificates in a chain. */
bool parseVOMSAC(const Credential& holder_cred,
const std::string& ca_cert_dir,
const std::string& ca_cert_file,
const std::string& vomsdir,
VOMSTrustList& vomscert_trust_dn,
std::vector<VOMSACInfo>& output,
bool verify = true, bool reportall = false);
/**Parse the certificate or a chain of certificates, in string format */
bool parseVOMSAC(const std::string& cert_str,
const std::string& ca_cert_dir,
const std::string& ca_cert_file,
const std::string& vomsdir,
VOMSTrustList& vomscert_trust_dn,
std::vector<VOMSACInfo>& output,
bool verify = true, bool reportall = false);
/**Decode the data which is encoded by voms server. Since voms code uses some specific
* coding method (not base64 encoding), we simply copy the method from voms code to here*/
char *VOMSDecode(const char *data, int size, int *j);
/**Encode the data with base64 encoding */
char *VOMSEncode(const char *data, int size, int *j);
/**Extract the needed field from the certificate.
* @param u The proxy certificate which includes the voms
* specific formated AC.
* @param property The property that caller would get,
* including: dn, voms:vo, voms:role, voms:group
* @param ca_cert_dir
* @param ca_cert_file
* @param vomsdir
* @param voms_trust_list the dn chain that is trusted when parsing voms AC
* \since Changed in 4.1.0. Provide ability to query credential for VOMS
* nickname attribute.
*/
std::string getCredentialProperty(const Arc::Credential& u, const std::string& property,
const std::string& ca_cert_dir = std::string(""),
const std::string& ca_cert_file = std::string(""),
const std::string& vomsdir = std::string(""),
const std::vector<std::string>& voms_trust_list = std::vector<std::string>());
std::string VOMSFQANToFull(const std::string& vo, const std::string& fqan);
/**Encode the VOMS AC list into ASN1, so that the result can be used
* to insert into X509 as extension.
* @param ac_seq The input string includes a list of AC
with VOMS_AC_HEADER and VOMS_AC_TRAILER as seperator
* @param asn1 The encoded value as output
*/
bool VOMSACSeqEncode(const std::string& ac_seq, std::string& asn1);
/**Encode the VOMS AC list into ASN1, so that the result can be used
* to insert into X509 as extension.
* @param acs The input list includes a list of AC
* @param asn1 The encoded value as output
*/
bool VOMSACSeqEncode(const std::list<std::string> acs, std::string& asn1);
/** @} */
}// namespace Arc
#endif /* __ARC_VOMSUTIL_H__ */
|