Commit b6d68956 authored by Leigh B Stoller's avatar Leigh B Stoller

Oops, left this out of chain certs commit.

parent 3c4ba2e9
...@@ -108,6 +108,7 @@ my $logging = 0; ...@@ -108,6 +108,7 @@ my $logging = 0;
my $logforked = 0; my $logforked = 0;
my $iserror = 0; my $iserror = 0;
my $rpcerror = 0; my $rpcerror = 0;
my $logfile = undef;
# Determined by version. # Determined by version.
my $responder; my $responder;
...@@ -134,8 +135,13 @@ sub XMLError($$) ...@@ -134,8 +135,13 @@ sub XMLError($$)
$string = $decoder->encode_fault($code, $string); $string = $decoder->encode_fault($code, $string);
# Make sure the error goes back to user not into the debug file. # Make sure the error goes back to user not into the debug file.
LogEnd(0) if ($logging) {
if ($logging); LogEnd(0);
if (!$logforked) {
# Use eval to avoid messing up the output stream if any errors.
eval { $logfile->Store(); };
}
}
print "Content-Type: text/xml \n\n"; print "Content-Type: text/xml \n\n";
print $string; print $string;
exit(0); exit(0);
...@@ -371,7 +377,7 @@ if (!defined($group)) { ...@@ -371,7 +377,7 @@ if (!defined($group)) {
die("*** $0:\n". die("*** $0:\n".
" Could not resolve lookup group $GENIGROUP\n"); " Could not resolve lookup group $GENIGROUP\n");
} }
my $logfile = Logfile->Create($group); $logfile = Logfile->Create($group);
if (!defined($logfile)) { if (!defined($logfile)) {
die("*** $0:\n". die("*** $0:\n".
" Could not create a new logfile\n"); " Could not create a new logfile\n");
...@@ -435,6 +441,8 @@ sub AddLogfileMetaData($$) ...@@ -435,6 +441,8 @@ sub AddLogfileMetaData($$)
return return
if ($key eq $metakey); if ($key eq $metakey);
} }
$nostorelogs = 0
if ($key eq "cert_error");
push(@metadata, [$key, $val]); push(@metadata, [$key, $val]);
} }
sub AddLogfileMetaDataFromSlice($) sub AddLogfileMetaDataFromSlice($)
...@@ -497,7 +505,7 @@ if ($method eq "ListResources" || ...@@ -497,7 +505,7 @@ if ($method eq "ListResources" ||
$method eq "Resolve" || $method eq "Resolve" ||
$method eq "DiscoverResources") { $method eq "DiscoverResources") {
$debug = 0; $debug = 0;
# Do no even bother with logs unless an error. # Do not even bother with logs unless an error.
$nostorelogs = 1; $nostorelogs = 1;
} }
# We always want as much data as possible for these. # We always want as much data as possible for these.
...@@ -507,6 +515,61 @@ if ($method eq "CreateSliver" || ...@@ -507,6 +515,61 @@ if ($method eq "CreateSliver" ||
$debug = 2; $debug = 2;
} }
#
# Look for a cert chain and verify the URN namespace along the chain.
#
my @chaincerts = ();
for (my $i = 0; $i < 10; $i++) {
last
if (!exists($ENV{"SSL_CLIENT_CERT_CHAIN_${i}"}));
my $chaincert =
GeniCertificate->LoadFromString($ENV{"SSL_CLIENT_CERT_CHAIN_${i}"});
if (!defined($chaincert)) {
print STDERR "Could not load chain certificate:\n";
print STDERR $ENV{"SSL_CLIENT_CERT_CHAIN_${i}"} . "\n";
XMLError(XMLRPC_APPLICATION_ERROR(),
"Could not load chain certificate $i");
}
push(@chaincerts, $chaincert);
}
#
# We need the user cert and the CA cert so that we have an
# entire chain to do namespace verification on.
#
my $user_certificate =
GeniCertificate->LoadFromString($ENV{'SSL_CLIENT_CERT'});
if (!defined($user_certificate)) {
print STDERR "Could not load user certificate:\n";
print STDERR $ENV{'SSL_CLIENT_CERT'} . "\n";
XMLError(XMLRPC_APPLICATION_ERROR(),
"Could not load user certificate");
}
#
# Sadly, apache does not tell us what the CA cert is; it just tells
# us the server cert, which is useless. So we have to recompute the
# chain to find the CA.
#
if ($user_certificate->VerifySSLChain(@chaincerts)) {
print STDERR "Could not verify user certificate chain:\n";
print STDERR Dumper([$user_certificate, @chaincerts]);
XMLError(XMLRPC_APPLICATION_ERROR(),
"Could not verify user certificate chain");
}
@chaincerts = (@chaincerts, $user_certificate->rootcert());
my $errorstr;
if ($user_certificate->VerifyGeniChain(\$errorstr, @chaincerts)) {
print STDERR "Failed to verify Geni chain (user cert): $errorstr\n";
print STDERR Dumper([$user_certificate, @chaincerts]);
AddLogfileMetaData("cert_error",
"Failed to verify Geni chain (user cert): $errorstr");
if (0) {
XMLError(XMLRPC_APPLICATION_ERROR(),
"Could not verify user URN namespace chain: $errorstr");
}
}
my $result; my $result;
push(@metadata, ["URN", $GENIURN]); push(@metadata, ["URN", $GENIURN]);
push(@metadata, ["Module", $MODULE]); push(@metadata, ["Module", $MODULE]);
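Review bot: The URN-namespace check on the user chain is audit-only: when `VerifyGeniChain` fails, the code logs it and adds the `cert_error` metadata (which in the earlier hunk flips `$nostorelogs` so the log is kept), but the `XMLError` that would reject the call sits under `if (0) {`, so the request continues with a certificate whose namespace chain did not verify. That is a reasonable rollout step, but a bare `if (0)` reads like dead code rather than a deliberate switch; make the intent visible with a comment above the block, `# Namespace-chain failures are audit-only for now: record them as cert_error metadata (forces the log to be stored) but do not reject the call.`, and gate it on a named top-of-file variable, e.g. `my $ENFORCE_URN_CHAIN = 0;` and `if ($ENFORCE_URN_CHAIN) {`, so enforcement can be turned on without hunting for the `if (0)`. Separately, the chain loop stops silently after 10 `SSL_CLIENT_CERT_CHAIN_*` entries, so a longer chain is truncated before `VerifySSLChain` with no diagnostic explaining why verification then fails; a `print STDERR` when the loop exhausts its bound while the next entry still exists would make that failure mode identifiable in the log. This is top-level script flow, so the surrounding control flow continues outside the hunk.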