Commit b3a754cd authored by Gary Wong's avatar Gary Wong

Checkpointing work on URN support in certificates and credentials. URNs

are now generated for new certificates.  However, UUIDs and old HRNs
are still used, for compatibility.
parent 41a482dd
...@@ -256,6 +256,10 @@ else { ...@@ -256,6 +256,10 @@ else {
} }
print TEMP "CN\t\t= $user_uuid\n"; print TEMP "CN\t\t= $user_uuid\n";
print TEMP "emailAddress\t= $user_uid" . "\@" . "$OURDOMAIN\n"; print TEMP "emailAddress\t= $user_uid" . "\@" . "$OURDOMAIN\n";
print TEMP "\n[ req_altname ]\nURI=urn:publicid:IDN+$OURDOMAIN" .
"+user+$user_uid\nemail=$user_uid" . "\@" . "$OURDOMAIN\n";
close(TEMP) close(TEMP)
or fatal("Could not close usercert.cnf: $!"); or fatal("Could not close usercert.cnf: $!");
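Review bot: The URN written into the `[ req_altname ]` section is assembled by hand as `urn:publicid:IDN+$OURDOMAIN+user+$user_uid`, while the `uri` stored for the same user in GeniCertificate::LocalUser::Create comes from `GeniHRN::Generate($OURDOMAIN, "user", ...)`; two independent encodings of one identifier can drift, so the certificate's SAN and the database `uri` may stop agreeing. If mkusercert can load GeniHRN, generate the value once, `my $user_urn = GeniHRN::Generate($OURDOMAIN, "user", $user_uid);`, and print that into the `URI=` line. The altname block also interpolates `$user_uid` straight into the OpenSSL config; presumably uids are already restricted to a safe character set upstream, but a comment stating that assumption next to the print would help, since a newline or `[` in the value would change the config's structure. The `else` block this hunk sits in starts outside the hunk.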
......
...@@ -148,6 +148,7 @@ CREATE TABLE `geni_certificates` ( ...@@ -148,6 +148,7 @@ CREATE TABLE `geni_certificates` (
`cert` text, `cert` text,
`DN` text, `DN` text,
`privkey` text, `privkey` text,
`uri` text,
PRIMARY KEY (`uuid`) PRIMARY KEY (`uuid`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1; ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
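Review bot: The new `uri` column is a nullable `text` with no index, so nothing at the schema level stops two certificate rows from carrying the same URN, and any lookup by URN would scan the table. If the URN is meant to identify a certificate the way `uuid` does, consider a `UNIQUE KEY` with a prefix length on it once it is consistently populated; existing rows get NULL until `URL()` re-parses the certificate, so a unique index has to wait for that backfill. This schema file also has to stay in step with the `ALTER TABLE` in the new update script, which adds the same column.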
......
...@@ -66,7 +66,6 @@ sub Lookup($$) ...@@ -66,7 +66,6 @@ sub Lookup($$)
my $self = {}; my $self = {};
$self->{'CERT'} = $query_result->fetchrow_hashref(); $self->{'CERT'} = $query_result->fetchrow_hashref();
$self->{'url'} = undef;
$self->{'stored'} = 1; $self->{'stored'} = 1;
bless($self, $class); bless($self, $class);
my $cert = $self->cert(); my $cert = $self->cert();
...@@ -98,6 +97,7 @@ sub DN($) { return field($_[0], "DN"); } ...@@ -98,6 +97,7 @@ sub DN($) { return field($_[0], "DN"); }
sub privkey($) { return field($_[0], "privkey"); } sub privkey($) { return field($_[0], "privkey"); }
sub revoked($) { return field($_[0], "revoked"); } sub revoked($) { return field($_[0], "revoked"); }
sub certfile($) { return field($_[0], "certfile"); } sub certfile($) { return field($_[0], "certfile"); }
sub uri($) { return field($_[0], "uri"); }
sub GetCertificate($) { return $_[0]; } sub GetCertificate($) { return $_[0]; }
# #
...@@ -315,7 +315,7 @@ sub LoadFromFile($$) ...@@ -315,7 +315,7 @@ sub LoadFromFile($$)
$self->{'CERT'}->{'revoked'} = undef; $self->{'CERT'}->{'revoked'} = undef;
$self->{'CERT'}->{'created'} = undef; $self->{'CERT'}->{'created'} = undef;
$self->{'CERT'}->{'certfile'} = $filename; $self->{'CERT'}->{'certfile'} = $filename;
$self->{'url'} = $url; $self->{'CERT'}->{'uri'} = $url;
return $self; return $self;
} }
...@@ -336,6 +336,8 @@ sub Store($) ...@@ -336,6 +336,8 @@ sub Store($)
push(@inserts, "DN=" . DBQuoteSpecial($self->DN())); push(@inserts, "DN=" . DBQuoteSpecial($self->DN()));
push(@inserts, "privkey=" . DBQuoteSpecial($self->privkey())) push(@inserts, "privkey=" . DBQuoteSpecial($self->privkey()))
if (defined($self->privkey())); if (defined($self->privkey()));
push(@inserts, "uri=" . DBQuoteSpecial($self->uri()))
if (defined($self->uri()));
return -1 return -1
if (!DBQueryWarn("replace into geni_certificates set ". if (!DBQueryWarn("replace into geni_certificates set ".
...@@ -374,7 +376,7 @@ sub WriteToFile($;$) ...@@ -374,7 +376,7 @@ sub WriteToFile($;$)
sub URL($) sub URL($)
{ {
my ($self) = @_; my ($self) = @_;
my $url = $self->{'url'}; my $url = $self->uri();
return $url return $url
if (defined($url)); if (defined($url));
...@@ -384,10 +386,21 @@ sub URL($) ...@@ -384,10 +386,21 @@ sub URL($)
print STDERR "Could not start $OPENSSL on $filename\n"; print STDERR "Could not start $OPENSSL on $filename\n";
return undef; return undef;
} }
my $altname = 0;
while (<X509>) { while (<X509>) {
if ($_ =~ /^\s+URI:([-\w\.\/:]+)$/) { if( /^\s+x509v3 Subject Alternative Name:\s*$/ ) {
$url = $1; $altname = 1;
chomp($url); } elsif( $altname ) {
# Gah! OpenSSL is horrible. Apparently the text output format
# for the subject alternative name is fixed, and neither
# -nameopt nor -certopt will help us. Worse still, the
# directory entries (e.g. URI, email) are comma separated...
# but commas are legal characters in URIs (see RFC 3986, section
# 2.2)! We'll have to assume the delimiter is the ", " (comma,
# space) pair...
m'^\s*URI:([-!#$%()*+,./0-9:;=?@A-Z_a-z~]+)\s*$' and $url = $1
foreach split( /, / );
$altname = 0;
} }
} }
if (!close(X509) || !defined($url)) { if (!close(X509) || !defined($url)) {
...@@ -395,7 +408,7 @@ sub URL($) ...@@ -395,7 +408,7 @@ sub URL($)
return undef; return undef;
} }
unlink($filename); unlink($filename);
$self->{'url'} = $url; $self->{'CERT'}->{'uri'} = $url;
return $url; return $url;
} }
...@@ -456,9 +469,13 @@ sub StoreCRL($$$) ...@@ -456,9 +469,13 @@ sub StoreCRL($$$)
# Wrapper for local users. # Wrapper for local users.
# #
package GeniCertificate::LocalUser; package GeniCertificate::LocalUser;
use GeniHRN;
use English; use English;
use emdb; use emdb;
# Configure variables
my $OURDOMAIN = "@OURDOMAIN@";
# #
# Create a wrapper, with the same access names. # Create a wrapper, with the same access names.
# #
...@@ -477,6 +494,8 @@ sub Create($$) ...@@ -477,6 +494,8 @@ sub Create($$)
my $self = {}; my $self = {};
$self->{'CERT'} = $query_result->fetchrow_hashref(); $self->{'CERT'} = $query_result->fetchrow_hashref();
$self->{'CERT'}->{'uri'} = GeniHRN::Generate( $OURDOMAIN, "user",
$self->{'CERT'}->{'uid'} );
$self->{'stored'} = 1; $self->{'stored'} = 1;
bless($self, $class); bless($self, $class);
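Review bot: In the rewritten loop of URL() (the hunk at lines 386–406 of GeniCertificate.pm) the URI pattern accepts any scheme, so a certificate whose Subject Alternative Name carries, say, an `http:` URI entry is stored in `$self->{'CERT'}->{'uri'}`, whereas the Python decoder's SubjectName only accepts `urn:publicid:` values; anchoring the capture the same way here, `m'^\s*URI:(urn:publicid:[-!#$%()*+,./0-9:;=?@A-Z_a-z~]+)\s*$' and $url = $1`, keeps the two parsers in agreement and ignores non-URN entries. The `foreach split( /, / )` also keeps the last matching entry rather than the first, and only the single line after the `Subject Alternative Name:` header is examined, so a SAN that OpenSSL wraps onto a second line would be missed — worth a `# TODO` beside the existing comment at least. In LocalUser::Create, `GeniHRN::Generate` unconditionally overwrites `$self->{'CERT'}->{'uri'}` on the fetched row; if that row can already carry a stored `uri`, the stored value is silently replaced. `sub URL($)` starts in an earlier hunk and its closing brace is in the following one.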
......
...@@ -123,6 +123,8 @@ sub extensions($) { return field($_[0], "extensions"); } ...@@ -123,6 +123,8 @@ sub extensions($) { return field($_[0], "extensions"); }
sub owner_cert($) { return $_[0]->{"owner_cert"}; } sub owner_cert($) { return $_[0]->{"owner_cert"}; }
sub target_cert($) { return $_[0]->{"target_cert"}; } sub target_cert($) { return $_[0]->{"target_cert"}; }
sub hrn($) { return $_[0]->{"target_cert"}->hrn(); } sub hrn($) { return $_[0]->{"target_cert"}->hrn(); }
sub target_uri($) { return $_[0]->{"target_cert"}->uri(); }
sub owner_uri($) { return $_[0]->{"owner_cert"}->uri(); }
# #
# Stringify for output. # Stringify for output.
......
...@@ -60,6 +60,12 @@ def Decode( gid ): ...@@ -60,6 +60,12 @@ def Decode( gid ):
f.close() f.close()
return s return s
def SubjectName( cert ):
return ( re.search( r"X509v3 Subject Alternative Name:[ \t]*\n[ \t]*.*URI:"
"(urn:publicid:[-!$%()*+.0-9:;=?@A-Z_a-z~]+)", \
cert ) or \
re.search( r"Subject: .*OU=([-\w.]+)", cert ) ).group( 1 )
def ShowCredential( cred, level ): def ShowCredential( cred, level ):
if level == 0: if level == 0:
...@@ -79,14 +85,8 @@ def ShowCredential( cred, level ): ...@@ -79,14 +85,8 @@ def ShowCredential( cred, level ):
owner = Decode( Text( Lookup( cred, "owner_gid" ) ) ) owner = Decode( Text( Lookup( cred, "owner_gid" ) ) )
target = Decode( Text( Lookup( cred, "target_gid" ) ) ) target = Decode( Text( Lookup( cred, "target_gid" ) ) )
print " Owner:" print " Owner: " + SubjectName( owner )
print " Subject:", re.search( r"Subject: (.+)", owner ).group( 1 ) print " Target: " + SubjectName( target )
print " Issuer:", re.search( r"Issuer: (.+)", owner ).group( 1 )
print " Target:"
print " Subject:", re.search( r"Subject: (.+)", target ).group( 1 )
print " Issuer:", re.search( r"Issuer: (.+)", target ).group( 1 )
print " UUID: " + Text( Lookup( cred, "uuid" ) ) print " UUID: " + Text( Lookup( cred, "uuid" ) )
print " Expires: " + Text( Lookup( cred, "expires" ) ) print " Expires: " + Text( Lookup( cred, "expires" ) )
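Review bot: SubjectName() raises AttributeError rather than a readable message when neither pattern matches, because `( a or b ).group( 1 )` is evaluated on `None` for a certificate with no URN in its Subject Alternative Name and no `OU=` in its Subject; binding the match first, `m = re.search( ..., cert ) or re.search( r"Subject: .*OU=([-\w.]+)", cert )` and `return m.group( 1 ) if m else None`, keeps ShowCredential from dying on older certificates. The URN character class here (`[-!$%()*+.0-9:;=?@A-Z_a-z~]`) also differs from the one used by URL() in GeniCertificate.pm (`[-!#$%()*+,./0-9:;=?@A-Z_a-z~]`), dropping `#`, `,` and `/`, so the same certificate can yield a truncated URN on the Python side; one shared definition of the permitted characters would avoid that. Dropping the Issuer lines from ShowCredential also removes the only place the signing CA was shown; if that is intended, a note in the commit message would help. SubjectName is complete within the hunk; ShowCredential continues outside it.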
......
#
# Add a URI column to the certificate table, for storing new GENI identifiers.
#
use strict;
use GeniDB;
sub DoUpdate($$$)
{
my ($dbhandle, $dbname, $version) = @_;
DBSetDefault( $dbhandle );
DBQueryFatal( "ALTER TABLE `geni_certificates` ADD `uri` text" )
unless DBSlotExists( "geni_certificates", "uri" );
return 0;
}
1;
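Review bot: The new update script enables `use strict` but not `use warnings`, so a mistyped argument to `DBSlotExists`/`DBQueryFatal` or an undef in `@_` would go unreported at runtime; adding `use warnings;` after `use strict;` is the usual pairing, unless the project's other schema update scripts deliberately omit it. The `unless DBSlotExists(...)` guard makes the ALTER idempotent, which is good for re-runs; a one-line comment, `# Safe to re-run: the ALTER is skipped when the column already exists.`, would make that intent explicit. `$dbname` and `$version` are unpacked but unused, presumably because the DoUpdate signature is shared across update scripts.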
...@@ -11,6 +11,7 @@ string_mask = nombstr ...@@ -11,6 +11,7 @@ string_mask = nombstr
[ request_extensions ] [ request_extensions ]
basicConstraints=critical,CA:TRUE basicConstraints=critical,CA:TRUE
subjectKeyIdentifier=hash subjectKeyIdentifier=hash
subjectAltName=@req_altname
# This will be appended to by mkusercert. # This will be appended to by mkusercert.
[ req_distinguished_name ] [ req_distinguished_name ]
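Review bot: `subjectAltName=@req_altname` makes this config depend on a `[ req_altname ]` section that only exists once mkusercert appends it, so any other use of the template, or an openssl run against the unmodified file, fails on the unknown section. Extend the existing note so the dependency is visible: `# This will be appended to by mkusercert, which must also supply the [ req_altname ] section referenced by subjectAltName above.`. If the template is used elsewhere, keeping an empty `[ req_altname ]` section here as a fallback may be an option, though that would need checking against how OpenSSL treats a section that mkusercert then appends a second time.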
......