Commit b3a754cd authored by Gary Wong's avatar Gary Wong

Checkpointing work on URN support in certificates and credentials. URNs

are now generated for new certificates.  However, UUIDs and old HRNs
are still used, for compatibility.
parent 41a482dd
......@@ -256,6 +256,10 @@ else {
}
print TEMP "CN\t\t= $user_uuid\n";
print TEMP "emailAddress\t= $user_uid" . "\@" . "$OURDOMAIN\n";
print TEMP "\n[ req_altname ]\nURI=urn:publicid:IDN+$OURDOMAIN" .
"+user+$user_uid\nemail=$user_uid" . "\@" . "$OURDOMAIN\n";
close(TEMP)
or fatal("Could not close usercert.cnf: $!");
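Review bot: The URN written into `[ req_altname ]` is assembled by string concatenation (`urn:publicid:IDN+$OURDOMAIN+user+$user_uid`), while the LocalUser::Create hunk later in this commit derives the same identifier through `GeniHRN::Generate($OURDOMAIN, "user", ...)`; if Generate applies any escaping to the uid (its body is not visible here), the SAN inside the certificate and the `uri` row in geni_certificates will disagree for such uids. Calling `GeniHRN::Generate($OURDOMAIN, "user", $user_uid)` here as well keeps a single definition of the identifier. Separately, `$user_uid` is interpolated verbatim into an OpenSSL config file, so a uid containing a newline or `[` would change the config rather than the URN — presumably uids are validated upstream, but a `fatal()` guarded by an anchored character-class check on `$user_uid` before these prints would make that explicit. The enclosing statement run begins before this hunk.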
......
......@@ -148,6 +148,7 @@ CREATE TABLE `geni_certificates` (
`cert` text,
`DN` text,
`privkey` text,
`uri` text,
PRIMARY KEY (`uuid`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
......
......@@ -66,7 +66,6 @@ sub Lookup($$)
my $self = {};
$self->{'CERT'} = $query_result->fetchrow_hashref();
$self->{'url'} = undef;
$self->{'stored'} = 1;
bless($self, $class);
my $cert = $self->cert();
......@@ -98,6 +97,7 @@ sub DN($) { return field($_[0], "DN"); }
sub privkey($) { return field($_[0], "privkey"); }
sub revoked($) { return field($_[0], "revoked"); }
sub certfile($) { return field($_[0], "certfile"); }
sub uri($) { return field($_[0], "uri"); }
sub GetCertificate($) { return $_[0]; }
#
......@@ -315,7 +315,7 @@ sub LoadFromFile($$)
$self->{'CERT'}->{'revoked'} = undef;
$self->{'CERT'}->{'created'} = undef;
$self->{'CERT'}->{'certfile'} = $filename;
$self->{'url'} = $url;
$self->{'CERT'}->{'uri'} = $url;
return $self;
}
......@@ -336,6 +336,8 @@ sub Store($)
push(@inserts, "DN=" . DBQuoteSpecial($self->DN()));
push(@inserts, "privkey=" . DBQuoteSpecial($self->privkey()))
if (defined($self->privkey()));
push(@inserts, "uri=" . DBQuoteSpecial($self->uri()))
if (defined($self->uri()));
return -1
if (!DBQueryWarn("replace into geni_certificates set ".
......@@ -374,7 +376,7 @@ sub WriteToFile($;$)
sub URL($)
{
my ($self) = @_;
my $url = $self->{'url'};
my $url = $self->uri();
return $url
if (defined($url));
......@@ -384,10 +386,21 @@ sub URL($)
print STDERR "Could not start $OPENSSL on $filename\n";
return undef;
}
my $altname = 0;
while (<X509>) {
if ($_ =~ /^\s+URI:([-\w\.\/:]+)$/) {
$url = $1;
chomp($url);
if( /^\s+x509v3 Subject Alternative Name:\s*$/ ) {
$altname = 1;
} elsif( $altname ) {
# Gah! OpenSSL is horrible. Apparently the text output format
# for the subject alternative name is fixed, and neither
# -nameopt nor -certopt will help us. Worse still, the
# directory entries (e.g. URI, email) are comma separated...
# but commas are legal characters in URIs (see RFC 3986, section
# 2.2)! We'll have to assume the delimiter is the ", " (comma,
# space) pair...
m'^\s*URI:([-!#$%()*+,./0-9:;=?@A-Z_a-z~]+)\s*$' and $url = $1
foreach split( /, / );
$altname = 0;
}
}
if (!close(X509) || !defined($url)) {
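Review bot: In `URL()`, every `URI:` entry of the Subject Alternative Name is accepted and, since `$url = $1` runs for each match, the last entry wins, so a certificate carrying a second URI SAN for some other purpose would have that value recorded as its `uri` (and later written to geni_certificates by `Store()`). The issuer side of this commit only ever emits `urn:publicid:` identifiers, so the match should require that prefix and stop at the first hit, as below. The accepted character class also differs from the one in the Python `SubjectName` added by this commit; the two should agree. `URL()` begins and ends outside this hunk.
```perl
} elsif( $altname ) {
    # … unchanged: OpenSSL output-format comment …
    foreach my $entry (split( /, / )) {
        next unless $entry =~ m'^\s*URI:(urn:publicid:[-!#$%()*+,./0-9:;=?@A-Z_a-z~]+)\s*$';
        $url = $1;
        last;
    }
    $altname = 0;
}
```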
......@@ -395,7 +408,7 @@ sub URL($)
return undef;
}
unlink($filename);
$self->{'url'} = $url;
$self->{'CERT'}->{'uri'} = $url;
return $url;
}
......@@ -456,9 +469,13 @@ sub StoreCRL($$$)
# Wrapper for local users.
#
package GeniCertificate::LocalUser;
use GeniHRN;
use English;
use emdb;
# Configure variables
my $OURDOMAIN = "@OURDOMAIN@";
#
# Create a wrapper, with the same access names.
#
......@@ -477,6 +494,8 @@ sub Create($$)
my $self = {};
$self->{'CERT'} = $query_result->fetchrow_hashref();
$self->{'CERT'}->{'uri'} = GeniHRN::Generate( $OURDOMAIN, "user",
$self->{'CERT'}->{'uid'} );
$self->{'stored'} = 1;
bless($self, $class);
......
......@@ -123,6 +123,8 @@ sub extensions($) { return field($_[0], "extensions"); }
sub owner_cert($) { return $_[0]->{"owner_cert"}; }
sub target_cert($) { return $_[0]->{"target_cert"}; }
sub hrn($) { return $_[0]->{"target_cert"}->hrn(); }
sub target_uri($) { return $_[0]->{"target_cert"}->uri(); }
sub owner_uri($) { return $_[0]->{"owner_cert"}->uri(); }
#
# Stringify for output.
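Review bot: `target_uri` and `owner_uri` pass straight through to the certificate's `uri` accessor, which — per the commit message and the nullable `uri` column — is undef for certificates created before this change, so callers using these as identities must fall back to `hrn()`; a comment stating that would help, e.g. `# undef for pre-URN certificates; callers should fall back to hrn()`. Like `hrn()` on the line above, both dereference the cert slot without checking it is set, which matches the existing style.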
......
......@@ -60,6 +60,12 @@ def Decode( gid ):
f.close()
return s
def SubjectName( cert ):
return ( re.search( r"X509v3 Subject Alternative Name:[ \t]*\n[ \t]*.*URI:"
"(urn:publicid:[-!$%()*+.0-9:;=?@A-Z_a-z~]+)", \
cert ) or \
re.search( r"Subject: .*OU=([-\w.]+)", cert ) ).group( 1 )
def ShowCredential( cred, level ):
if level == 0:
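Review bot: `SubjectName` calls `.group( 1 )` on the result of the `or` chain, so a certificate text with neither a publicid URN in the SAN nor an `OU=` in the subject raises an AttributeError from inside `re` instead of a readable error; bind the match first, `m = re.search( ..., cert ) or re.search( r"Subject: .*OU=([-\w.]+)", cert )`, then `if m is None: raise ValueError( "certificate has neither a publicid URN nor an OU" )` and `return m.group( 1 )`. The URN character class here (`[-!$%()*+.0-9:;=?@A-Z_a-z~]`) is narrower than the one the Perl `URL()` parser in this commit accepts (it lacks `#`, `,` and `/`), so a URN the server stores could be truncated or rejected by this tool; the two sets should be defined once and match. Because `.*URI:` is greedy, the last `URI:` entry on the SAN line is the one matched, which is fine only while a single entry is present.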
......@@ -79,14 +85,8 @@ def ShowCredential( cred, level ):
owner = Decode( Text( Lookup( cred, "owner_gid" ) ) )
target = Decode( Text( Lookup( cred, "target_gid" ) ) )
print " Owner:"
print " Subject:", re.search( r"Subject: (.+)", owner ).group( 1 )
print " Issuer:", re.search( r"Issuer: (.+)", owner ).group( 1 )
print " Target:"
print " Subject:", re.search( r"Subject: (.+)", target ).group( 1 )
print " Issuer:", re.search( r"Issuer: (.+)", target ).group( 1 )
print " Owner: " + SubjectName( owner )
print " Target: " + SubjectName( target )
print " UUID: " + Text( Lookup( cred, "uuid" ) )
print " Expires: " + Text( Lookup( cred, "expires" ) )
......
#
# Add a URI column to the certificate table, for storing new GENI identifiers.
#
use strict;
use GeniDB;
sub DoUpdate($$$)
{
my ($dbhandle, $dbname, $version) = @_;
DBSetDefault( $dbhandle );
DBQueryFatal( "ALTER TABLE `geni_certificates` ADD `uri` text" )
unless DBSlotExists( "geni_certificates", "uri" );
return 0;
}
1;
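Review bot: The new update script enables `use strict;` but not `use warnings;`, so add `use warnings;` directly under it. `DoUpdate` also has no comment of its own; a one-liner above the sub, `# Idempotent: the DBSlotExists guard makes this safe to re-run on an already-upgraded table`, documents the only non-obvious property of the body.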
......@@ -11,6 +11,7 @@ string_mask = nombstr
[ request_extensions ]
basicConstraints=critical,CA:TRUE
subjectKeyIdentifier=hash
subjectAltName=@req_altname
# This will be appended to by mkusercert.
[ req_distinguished_name ]
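Review bot: `subjectAltName=@req_altname` references a `[ req_altname ]` section that this file does not define; it only exists once mkusercert appends it (the print in the mkusercert hunk of this commit), so I believe openssl will reject this config for any other caller that loads the template as-is. The existing comment `# This will be appended to by mkusercert.` sits next to `[ req_distinguished_name ]`; a comment on the new line, `# [ req_altname ] (URI + email) is appended by mkusercert; openssl needs it to load this file`, would make the dependency visible.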
......