(Note: this is my first time playing with git... please let me know if I've done this right).
This fixes proxy creation when the user certificate file contains more than one certificate.
For example, the DOEGrids CA gives users certificate files which include a copy of its
CA certificate chain. This allows us to pick out the correct end-user certificate, as opposed
to the current behavior which just uses the first certificate in the file.
Note the xEEC object appears to leak in the current code; I have not fixed this, as it would require more in-depth
---
src/XrdCrypto/XrdCryptosslgsiAux.cc | 29 ++++++++++++++++-------------
1 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/src/XrdCrypto/XrdCryptosslgsiAux.cc b/src/XrdCrypto/XrdCryptosslgsiAux.cc
index 2a95876..af5dd7b 100644
--- a/src/XrdCrypto/XrdCryptosslgsiAux.cc
+++ b/src/XrdCrypto/XrdCryptosslgsiAux.cc
@@ -463,21 +463,24 @@ int XrdSslgsiX509CreateProxy(const char *fnc, const char *fnk,
//
// Get EEC certificate from fnc
X509 *xEEC = 0;
- FILE *fc = fopen(fnc, "r");
- if (fc) {
- // Read out the certificate
- if (PEM_read_X509(fc, &xEEC, 0, 0)) {
- DEBUG("EEC certificate loaded from file: "<<fnc);
- } else {
- PRINT("unable to load EEC certificate from file: "<<fnc);
- fclose(fc);
- return -kErrPX_BadEECfile;
- }
- } else {
- PRINT("EEC certificate cannot be opened (file: "<<fnc<<")");
+
+ XrdCryptoX509Chain *chain = new XrdCryptoX509Chain();
+ if (XrdCryptosslX509ParseFile(fnc, chain) < 1) {
+ PRINT("No certificates found in file " <<fnc);
return -kErrPX_BadEECfile;
}
- fclose(fc);
+ if (chain->Reorder()) {
+ PRINT("Unable to extract an ordered certificate chain from "<<fnc);
+ return -kErrPX_BadEECfile;
+ }
+ XrdCryptoX509 *cx509 = chain->End();
+ if (cx509 == NULL) {
+ PRINT("Internal error - certificate chain is empty.")
+ return -kErrPX_BadEECfile;
+ }
+ xEEC = (X509 *)cx509->Opaque();
+ // X: memory leaked?
+
// Make sure the certificate is not expired
int now = (int)time(0);
if (now > XrdCryptosslASN1toUTC(X509_get_notAfter(xEEC))) {
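Review bot: The `XrdCryptoX509Chain` created with `new XrdCryptoX509Chain()` is never deleted: each of the three new early returns (`No certificates found`, `Unable to extract an ordered certificate chain`, `Internal error - certificate chain is empty`) leaves it unreachable, and on the success path it has to stay alive anyway because `xEEC` now comes from `cx509->Opaque()` and is owned by the chain, not by this function as it was with `PEM_read_X509`. Put `delete chain;` before each `return -kErrPX_BadEECfile;` in this hunk, and in the rest of `XrdSslgsiX509CreateProxy` (which begins and ends outside the hunk) decide ownership explicitly — either keep `chain` until the proxy has been written and delete it there, or `X509_dup()` the end-entity certificate so `xEEC` can be freed on its own — and make sure no later code calls `X509_free(xEEC)` on a pointer the chain still owns; replace the `// X: memory leaked?` marker with a comment stating the ownership chosen. A smaller point: `PRINT("Internal error - certificate chain is empty.")` lacks the trailing semicolon the other `PRINT` calls carry. Picking `chain->End()` after `Reorder()` is a sounder way to find the end-entity certificate than taking the first PEM block, but it depends on `Reorder()` returning non-zero on failure and on `End()` being the leaf, which I cannot confirm from here, and if the function does not later verify that the key in `fnk` matches the selected certificate (e.g. `X509_check_private_key`), that check is worth adding so a wrong pick fails loudly instead of yielding a proxy signed with a mismatched key.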
--
1.7.3.1