This file is indexed.

/usr/include/arc/credential/CertUtil.h is in nordugrid-arc-dev 5.0.5-1ubuntu1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

#ifndef __ARC_CERTUTIL_H__
#define __ARC_CERTUTIL_H__

#include <string>
#include <openssl/pem.h>
#include <openssl/x509.h>
#include <openssl/stack.h>

#include <arc/credential/Proxycertinfo.h>

namespace ArcCredential {
  
    /* Dotted-decimal OIDs of the proxyCertInfo certificate extension.
     *
     * These are preprocessor macros: although they are written inside
     * namespace ArcCredential, they are not scoped by it and are visible to
     * every translation unit that includes this header.
     */

    /* OID under the 1.3.6.1.4.1.3536 enterprise arc.
     * NOTE(review): presumably the pre-RFC (GSI-3) proxyCertInfo extension
     * that goes with the CERT_TYPE_GSI_3_* types; confirm against the
     * implementation. */
    #define PROXYCERTINFO_V3      "1.3.6.1.4.1.3536.1.222"
    /* The value of PROXYCERTINFO_V4 depends on the build: when
     * HAVE_OPENSSL_PROXY is defined it is NOT the same string as
     * PROXYCERTINFO_OPENSSL below, otherwise it is identical to it.
     * NOTE(review): the ...1400 value looks like a deliberate placeholder so
     * that the name does not clash with an OID OpenSSL already registers;
     * confirm. Code comparing extension OIDs must not assume the two macros
     * are interchangeable. */
    #ifdef HAVE_OPENSSL_PROXY
      #define PROXYCERTINFO_V4      "1.3.6.1.5.5.7.1.1400"
    #else
      #define PROXYCERTINFO_V4      "1.3.6.1.5.5.7.1.14"
    #endif
    /* 1.3.6.1.5.5.7.1.14 is id-pe-proxyCertInfo, the extension OID assigned
     * by RFC 3820. */
    #define PROXYCERTINFO_OPENSSL      "1.3.6.1.5.5.7.1.14"

 
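    /// Certificate Types
    /** \ingroup credential
     *
     * Enumerator values are implicit and start at 0 (CERT_TYPE_EEC), so the
     * declaration order below is part of the binary interface.
     */
    typedef enum {
      /** An end-entity certificate (EEC) */
      CERT_TYPE_EEC,
      /** A CA certificate */
      CERT_TYPE_CA,
      /** An X.509 Proxy Certificate Profile (pre-RFC) compliant impersonation proxy */
      CERT_TYPE_GSI_3_IMPERSONATION_PROXY,
      /** An X.509 Proxy Certificate Profile (pre-RFC) compliant independent proxy */
      CERT_TYPE_GSI_3_INDEPENDENT_PROXY,
      /** An X.509 Proxy Certificate Profile (pre-RFC) compliant limited proxy */
      CERT_TYPE_GSI_3_LIMITED_PROXY,
      /** An X.509 Proxy Certificate Profile (pre-RFC) compliant restricted proxy */
      CERT_TYPE_GSI_3_RESTRICTED_PROXY,
      /** A legacy Globus impersonation proxy */
      CERT_TYPE_GSI_2_PROXY,
      /** A legacy Globus limited impersonation proxy */
      CERT_TYPE_GSI_2_LIMITED_PROXY,
      /** An X.509 Proxy Certificate Profile RFC compliant impersonation proxy; RFC inheritAll proxy */
      CERT_TYPE_RFC_IMPERSONATION_PROXY,
      /** An X.509 Proxy Certificate Profile RFC compliant independent proxy; RFC independent proxy */
      CERT_TYPE_RFC_INDEPENDENT_PROXY,
      /** An X.509 Proxy Certificate Profile RFC compliant limited proxy */
      CERT_TYPE_RFC_LIMITED_PROXY,
      /** An X.509 Proxy Certificate Profile RFC compliant restricted proxy */
      CERT_TYPE_RFC_RESTRICTED_PROXY,
      /** RFC anyLanguage proxy */
      CERT_TYPE_RFC_ANYLANGUAGE_PROXY
    } certType;

    /* Classification predicates over certType.
     *
     * Each macro expands to a chain of equality tests. The argument is
     * parenthesised in every test, so an expression argument (for example a
     * conditional or a masked value) is compared as a whole instead of being
     * re-parsed against the surrounding == and || operators.
     *
     * The argument is still evaluated once per test that is reached: do not
     * pass an expression with side effects.
     *
     * CERT_TYPE_EEC and CERT_TYPE_CA match none of these macros.
     * CERT_TYPE_RFC_ANYLANGUAGE_PROXY is matched only by CERT_IS_PROXY and
     * CERT_IS_RFC_PROXY; none of the INDEPENDENT / RESTRICTED / LIMITED /
     * IMPERSONATION predicates is true for it, so authorization code that
     * branches on those four must handle it explicitly.
     */

    /** True if certificate type is one of proxy certificates */
    #define CERT_IS_PROXY(cert_type) \
        ((cert_type) == CERT_TYPE_GSI_3_IMPERSONATION_PROXY || \
         (cert_type) == CERT_TYPE_GSI_3_INDEPENDENT_PROXY || \
         (cert_type) == CERT_TYPE_GSI_3_LIMITED_PROXY || \
         (cert_type) == CERT_TYPE_GSI_3_RESTRICTED_PROXY || \
         (cert_type) == CERT_TYPE_RFC_IMPERSONATION_PROXY || \
         (cert_type) == CERT_TYPE_RFC_INDEPENDENT_PROXY || \
         (cert_type) == CERT_TYPE_RFC_LIMITED_PROXY || \
         (cert_type) == CERT_TYPE_RFC_RESTRICTED_PROXY || \
         (cert_type) == CERT_TYPE_RFC_ANYLANGUAGE_PROXY || \
         (cert_type) == CERT_TYPE_GSI_2_PROXY || \
         (cert_type) == CERT_TYPE_GSI_2_LIMITED_PROXY)

    /** True if certificate type is one of standard proxy certificates */
    #define CERT_IS_RFC_PROXY(cert_type) \
        ((cert_type) == CERT_TYPE_RFC_IMPERSONATION_PROXY || \
         (cert_type) == CERT_TYPE_RFC_INDEPENDENT_PROXY || \
         (cert_type) == CERT_TYPE_RFC_LIMITED_PROXY || \
         (cert_type) == CERT_TYPE_RFC_RESTRICTED_PROXY || \
         (cert_type) == CERT_TYPE_RFC_ANYLANGUAGE_PROXY)

    /** True if certificate type is one of Globus newer proxy certificates */
    #define CERT_IS_GSI_3_PROXY(cert_type) \
        ((cert_type) == CERT_TYPE_GSI_3_IMPERSONATION_PROXY || \
         (cert_type) == CERT_TYPE_GSI_3_INDEPENDENT_PROXY || \
         (cert_type) == CERT_TYPE_GSI_3_LIMITED_PROXY || \
         (cert_type) == CERT_TYPE_GSI_3_RESTRICTED_PROXY)

    /** True if certificate type is one of Globus older proxy certificates */
    #define CERT_IS_GSI_2_PROXY(cert_type) \
        ((cert_type) == CERT_TYPE_GSI_2_PROXY || \
         (cert_type) == CERT_TYPE_GSI_2_LIMITED_PROXY)

    /** True if certificate type is an independent proxy (RFC or GSI-3) */
    #define CERT_IS_INDEPENDENT_PROXY(cert_type) \
        ((cert_type) == CERT_TYPE_RFC_INDEPENDENT_PROXY || \
         (cert_type) == CERT_TYPE_GSI_3_INDEPENDENT_PROXY)

    /** True if certificate type is a restricted proxy (RFC or GSI-3) */
    #define CERT_IS_RESTRICTED_PROXY(cert_type) \
        ((cert_type) == CERT_TYPE_RFC_RESTRICTED_PROXY || \
         (cert_type) == CERT_TYPE_GSI_3_RESTRICTED_PROXY)

    /** True if certificate type is a limited proxy (RFC, GSI-3 or GSI-2) */
    #define CERT_IS_LIMITED_PROXY(cert_type) \
        ((cert_type) == CERT_TYPE_RFC_LIMITED_PROXY || \
         (cert_type) == CERT_TYPE_GSI_3_LIMITED_PROXY || \
         (cert_type) == CERT_TYPE_GSI_2_LIMITED_PROXY)

    /** True if certificate type is an impersonation proxy.
     *
     * Limited proxies of all three families are included here as well, so a
     * true result does not tell a full impersonation proxy from a limited
     * one; test CERT_IS_LIMITED_PROXY too where that distinction decides
     * what the holder is allowed to do.
     */
    #define CERT_IS_IMPERSONATION_PROXY(cert_type) \
        ((cert_type) == CERT_TYPE_RFC_IMPERSONATION_PROXY || \
         (cert_type) == CERT_TYPE_RFC_LIMITED_PROXY || \
         (cert_type) == CERT_TYPE_GSI_3_IMPERSONATION_PROXY || \
         (cert_type) == CERT_TYPE_GSI_3_LIMITED_PROXY || \
         (cert_type) == CERT_TYPE_GSI_2_PROXY || \
         (cert_type) == CERT_TYPE_GSI_2_LIMITED_PROXY)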

    /* VERIFY_CTX_STORE_EX_DATA_IDX here could be a temporary solution.
     * OpenSSL >= 0.9.8 has get_proxy_auth_ex_data_idx() which is
     * specific to the proxy extension.
     *
     * NOTE(review): presumably this is the ex_data slot of an
     * X509_STORE_CTX under which the cert_verify_context is stored for the
     * verification callback; confirm in the implementation. The index is a
     * fixed constant rather than one obtained from
     * X509_STORE_CTX_get_ex_new_index(), so any other code in the process
     * that writes ex_data index 1 on the same X509_STORE_CTX would
     * overwrite, or be overwritten by, this value.
     */
    #define VERIFY_CTX_STORE_EX_DATA_IDX  1

    /// Struct representing a certificate verification context.
    /**
     * Passed by pointer to verify_cert_chain().
     *
     * The struct declares no constructor and no member initialisers, so a
     * default-initialised object (`cert_verify_context vctx;`) has
     * indeterminate values in every pointer, int and certType member; only
     * the std::string members start out empty. Value-initialise it
     * (`cert_verify_context vctx = cert_verify_context();`) or assign every
     * field before use, otherwise depth counters and limits used during
     * verification start from garbage.
     *
     * Field meanings below are taken from the names and existing comments;
     * items marked NOTE(review) are not established by this header.
     */
    typedef struct {
      // OpenSSL store context. NOTE(review): ownership is not shown here;
      // presumably borrowed from the caller - confirm.
      X509_STORE_CTX *                    cert_store;
      // NOTE(review): presumably the number of certificates processed so far
      // in the chain - confirm.
      int                                 cert_depth;
      // NOTE(review): presumably the number of proxy certificates seen so
      // far in the chain - confirm.
      int                                 proxy_depth;
      // NOTE(review): presumably the upper bound enforced on proxy_depth;
      // the value meaning "no limit", if any, is not visible here - confirm.
      int                                 max_proxy_depth;
      // int used as a flag. NOTE(review): presumably non-zero once a limited
      // proxy has been found in the chain - confirm.
      int                                 limited_proxy;
      // Certificate classification, see certType.
      certType                            cert_type;
      // Stack of X509 certificates. NOTE(review): who frees it is not shown
      // in this header - confirm.
      STACK_OF(X509) *                    cert_chain; /* stack of X509 */
      // NOTE(review): presumably the directory of trusted CA certificates
      // used for verification - confirm.
      std::string                         ca_dir;
      // NOTE(review): presumably a file of trusted CA certificates used for
      // verification - confirm.
      std::string                         ca_file;
      std::string                         proxy_policy; /* The policy attached to the proxy cert info extension */
    } cert_verify_context;

    /// Verify a certificate together with its chain.
    /**
     * @param cert      certificate to verify.
     * @param certchain address of the chain pointer; being a pointer to
     *                  pointer, the callee is able to replace the stack.
     *                  NOTE(review): whether it does is not visible here.
     * @param vctx      verification context; its int and pointer members are
     *                  not initialised by the type itself, so the caller has
     *                  to set them before the call.
     * @return int status. NOTE(review): the value that means success is not
     *         documented in this header; confirm it in the implementation
     *         before testing the result as a boolean, and treat the contents
     *         of vctx as unreliable when verification did not succeed.
     */
    int verify_cert_chain(X509* cert, STACK_OF(X509)** certchain, cert_verify_context* vctx);
    /// Determine the certType of a certificate.
    /**
     * @param cert certificate to classify.
     * @param type output, passed by reference.
     * @return bool. NOTE(review): presumably false means the type could not
     *         be determined, in which case `type` should not be used;
     *         confirm in the implementation.
     */
    bool check_cert_type(X509* cert, certType& type);
    /// Return a C string for a certType value.
    /**
     * NOTE(review): the lifetime of the returned string and the result for a
     * value outside the enumeration are not visible here; presumably a
     * string literal - confirm before storing or freeing the pointer.
     */
    const char* certTypeToString(certType type);

}

#endif // __ARC_CERTUTIL_H__