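/*
 * Decode the content octets of a DER OBJECT IDENTIFIER into an ASN1_OBJECT.
 *
 * a:   if non-NULL and *a is a dynamic object it is reused (its data buffer
 *      is grown if needed); otherwise a fresh object is allocated and, when
 *      a is non-NULL, stored through it.
 * pp:  points at the first content octet; advanced past the len octets
 *      that were consumed on success, untouched on failure.
 * len: number of content octets.
 *
 * Returns the object, or NULL with an ASN1 error pushed when the encoding
 * is malformed or allocation fails.  A reused *a is not freed on failure,
 * although its old data buffer may already have been released.
 */
ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
	     long len)
{
	ASN1_OBJECT *ret=NULL;
	const unsigned char *p;
	unsigned char *data;
	int i, length;

	/*
	 * Sanity check OID encoding (X.690 8.19.2):
	 *  - need at least one content octet, and len must fit in an int
	 *    (->length is an int and the copy below uses it as such; the
	 *    round-trip cast detects truncation without needing INT_MAX);
	 *  - the last octet must terminate a subidentifier (MSB clear),
	 *    otherwise a truncated subidentifier would be accepted;
	 *  - no subidentifier may start with 0x80 (non-minimal encoding).
	 * Previously a negative or zero len reached OPENSSL_malloc/memcpy
	 * unchecked and a trailing continuation octet was accepted.
	 */
	if (len <= 0 || (long)(int)len != len || pp == NULL ||
	    (p = *pp) == NULL || (p[len - 1] & 0x80))
		{
		ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_INVALID_OBJECT_ENCODING);
		return NULL;
		}
	length = (int)len;
	for (i = 0; i < length; i++, p++)
		{
		if (*p == 0x80 && (!i || !(p[-1] & 0x80)))
			{
			ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_INVALID_OBJECT_ENCODING);
			return NULL;
			}
		}

	/* only the ASN1_OBJECTs from the 'table' will have values
	 * for ->sn or ->ln */
	if ((a == NULL) || ((*a) == NULL) ||
		!((*a)->flags & ASN1_OBJECT_FLAG_DYNAMIC))
		{
		if ((ret=ASN1_OBJECT_new()) == NULL) return(NULL);
		}
	else	ret=(*a);

	p= *pp;
	/* detach data from object */
	data = (unsigned char *)ret->data;
	ret->data = NULL;
	/* once detached we can change it */
	if ((data == NULL) || (ret->length < length))
		{
		/* keep ->length consistent with the (now NULL) buffer in
		 * case allocation fails and the caller's object is reused */
		ret->length=0;
		if (data != NULL) OPENSSL_free(data);
		data=(unsigned char *)OPENSSL_malloc(length);
		if (data == NULL)
			{ i=ERR_R_MALLOC_FAILURE; goto err; }
		ret->flags|=ASN1_OBJECT_FLAG_DYNAMIC_DATA;
		}
	memcpy(data,p,length);
	/* reattach data to object, after which it remains const */
	ret->data =data;
	ret->length=length;
	ret->sn=NULL;
	ret->ln=NULL;
	/* ret->flags=ASN1_OBJECT_FLAG_DYNAMIC; we know it is dynamic */
	p+=length;

	if (a != NULL) (*a)=ret;
	*pp=p;
	return(ret);
err:
	ASN1err(ASN1_F_C2I_ASN1_OBJECT,i);
	/* only free an object we allocated ourselves, never the caller's */
	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
		ASN1_OBJECT_free(ret);
	return(NULL);
}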
/*
 * Deep-copy a dynamically allocated ASN1_OBJECT.
 *
 * Objects from the built-in table (ASN1_OBJECT_FLAG_DYNAMIC clear) are
 * shared rather than copied: the input pointer is returned as-is.  For a
 * dynamic object the data bytes and, when present, the long and short
 * names are duplicated, and the copy is flagged as owning all of them.
 *
 * Returns the copy (or the shared table entry), or NULL with an OBJ error
 * pushed when allocation fails; nothing is leaked on that path.
 */
ASN1_OBJECT *
OBJ_dup(const ASN1_OBJECT *o)
{
	ASN1_OBJECT *copy;
	unsigned char *buf = NULL;
	char *long_name = NULL, *short_name = NULL;
	int n;

	if (o == NULL)
		return (NULL);

	/* Table entries are immutable and shared; no copy needed. */
	if ((o->flags & ASN1_OBJECT_FLAG_DYNAMIC) == 0)
		return ((ASN1_OBJECT *)o);

	if ((copy = ASN1_OBJECT_new()) == NULL) {
		OBJerr(OBJ_F_OBJ_DUP, ERR_R_ASN1_LIB);
		return (NULL);
	}

	if ((buf = malloc(o->length)) == NULL)
		goto err;
	if (o->data != NULL)
		memcpy(buf, o->data, o->length);
	/* Attached now; from here on the copy treats it as read-only. */
	copy->data = buf;
	copy->length = o->length;
	copy->nid = o->nid;
	copy->ln = copy->sn = NULL;

	if (o->ln != NULL) {
		n = strlen(o->ln) + 1;
		if ((long_name = malloc(n)) == NULL)
			goto err;
		memcpy(long_name, o->ln, n);
		copy->ln = long_name;
	}
	if (o->sn != NULL) {
		n = strlen(o->sn) + 1;
		if ((short_name = malloc(n)) == NULL)
			goto err;
		memcpy(short_name, o->sn, n);
		copy->sn = short_name;
	}

	copy->flags = o->flags | (ASN1_OBJECT_FLAG_DYNAMIC |
	    ASN1_OBJECT_FLAG_DYNAMIC_STRINGS | ASN1_OBJECT_FLAG_DYNAMIC_DATA);
	return (copy);

err:
	OBJerr(OBJ_F_OBJ_DUP, ERR_R_MALLOC_FAILURE);
	/* free(NULL) is a no-op, so unallocated parts need no guard */
	free(long_name);
	free(short_name);
	free(buf);
	free(copy);
	return (NULL);
}
/*
 * Deep-copy a dynamically allocated ASN1_OBJECT.
 *
 * Built-in table objects (ASN1_OBJECT_FLAG_DYNAMIC clear) are shared, so
 * the input pointer is returned unchanged.  A dynamic object gets its data
 * bytes and any long/short name duplicated with OPENSSL_malloc, and the
 * copy is flagged as owning all of them.
 *
 * Returns the copy (or the shared table entry), or NULL with an OBJ error
 * pushed when allocation fails; partial allocations are released.
 */
ASN1_OBJECT *OBJ_dup(const ASN1_OBJECT *o)
{
	ASN1_OBJECT *copy;
	unsigned char *buf;
	char *ln_copy = NULL;
	int n;

	if (o == NULL)
		return NULL;
	/* Static table entries are shared, never duplicated. */
	if ((o->flags & ASN1_OBJECT_FLAG_DYNAMIC) == 0)
		return (ASN1_OBJECT *)o;

	if ((copy = ASN1_OBJECT_new()) == NULL)
		{
		OBJerr(OBJ_F_OBJ_DUP, ERR_R_ASN1_LIB);
		return NULL;
		}

	buf = OPENSSL_malloc(o->length);
	copy->data = buf;
	if (buf == NULL)
		goto err;
	if (o->data != NULL)
		memcpy(buf, o->data, o->length);
	copy->length = o->length;
	copy->nid = o->nid;
	copy->ln = copy->sn = NULL;

	if (o->ln != NULL)
		{
		n = strlen(o->ln) + 1;
		ln_copy = OPENSSL_malloc(n);
		copy->ln = ln_copy;
		if (ln_copy == NULL)
			goto err;
		memcpy(ln_copy, o->ln, n);
		}
	if (o->sn != NULL)
		{
		char *sn_copy;

		n = strlen(o->sn) + 1;
		sn_copy = OPENSSL_malloc(n);
		copy->sn = sn_copy;
		if (sn_copy == NULL)
			goto err;
		memcpy(sn_copy, o->sn, n);
		}

	copy->flags = o->flags | (ASN1_OBJECT_FLAG_DYNAMIC |
		ASN1_OBJECT_FLAG_DYNAMIC_STRINGS | ASN1_OBJECT_FLAG_DYNAMIC_DATA);
	return copy;

err:
	OBJerr(OBJ_F_OBJ_DUP, ERR_R_MALLOC_FAILURE);
	/* sn can only fail last, so only ln and data may be outstanding */
	if (ln_copy != NULL)
		OPENSSL_free(ln_copy);
	if (buf != NULL)
		OPENSSL_free(buf);
	OPENSSL_free(copy);
	return NULL;
}
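/*
 * Decode the content octets of a DER OBJECT IDENTIFIER into an ASN1_OBJECT.
 *
 * a:   if non-NULL and *a is a dynamic object it is reused (its buffer is
 *      grown when too small); otherwise a new object is allocated and, when
 *      a is non-NULL, stored through it.
 * pp:  points at the first content octet; advanced past the consumed
 *      octets on success, untouched on failure.
 * len: number of content octets.
 *
 * Returns the object, or NULL on a malformed encoding or allocation
 * failure.  This build deliberately keeps the ASN1err() calls disabled, so
 * nothing is pushed on the error stack; callers only see NULL.
 */
ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
	     long len)
{
	ASN1_OBJECT *ret=NULL;
	const unsigned char *p;
	int i, length;

	/*
	 * Sanity check OID encoding (X.690 8.19.2):
	 *  - need at least one content octet, and len must fit in an int
	 *    (the round-trip cast detects truncation without INT_MAX);
	 *  - the last octet must terminate a subidentifier (MSB clear);
	 *  - no subidentifier may start with 0x80.
	 * The scan below starts at the FIRST octet.  The previous version
	 * started at *pp + 1 and stopped one short, which both let a leading
	 * 0x80 through and rejected a valid 0x80 continuation octet in
	 * position 1 (it could not see the MSB of octet 0).
	 */
	if (len <= 0 || (long)(int)len != len || pp == NULL ||
	    (p = *pp) == NULL || (p[len - 1] & 0x80))
		{
		/* ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_INVALID_OBJECT_ENCODING); */
		return NULL;
		}
	length = (int)len;
	for (i = 0; i < length; i++, p++)
		{
		if (*p == 0x80 && (!i || !(p[-1] & 0x80)))
			{
			/* ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_INVALID_OBJECT_ENCODING); */
			return NULL;
			}
		}

	/* only the ASN1_OBJECTs from the 'table' will have values
	 * for ->sn or ->ln */
	if ((a == NULL) || ((*a) == NULL) ||
		!((*a)->flags & ASN1_OBJECT_FLAG_DYNAMIC))
		{
		if ((ret=ASN1_OBJECT_new()) == NULL) return(NULL);
		}
	else	ret=(*a);

	p= *pp;
	if ((ret->data == NULL) || (ret->length < length))
		{
		/* drop the old buffer first and keep ->length honest, so a
		 * reused caller object never pairs a NULL buffer with a
		 * stale non-zero length if the allocation below fails */
		ret->length=0;
		if (ret->data != NULL) free(ret->data);
		ret->data=(unsigned char *)malloc(length);
		if (ret->data == NULL)
			{
			/* i=ERR_R_MALLOC_FAILURE; */
			i=-1;
			goto err;
			}
		ret->flags|=ASN1_OBJECT_FLAG_DYNAMIC_DATA;
		}
	memcpy(ret->data,p,length);
	ret->length=length;
	ret->sn=NULL;
	ret->ln=NULL;
	/* ret->flags=ASN1_OBJECT_FLAG_DYNAMIC; we know it is dynamic */
	p+=length;

	if (a != NULL) (*a)=ret;
	*pp=p;
	return(ret);
err:
	/* ASN1err(ASN1_F_C2I_ASN1_OBJECT,i); */
	(void)i;
	/* only free an object we allocated ourselves, never the caller's */
	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
		ASN1_OBJECT_free(ret);
	return(NULL);
}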
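/*
 * Decode the content octets of a DER OBJECT IDENTIFIER into an ASN1_OBJECT.
 *
 * a:   if non-NULL and *a is a dynamic object it is reused (its buffer is
 *      grown when too small); otherwise a new object is allocated and, when
 *      a is non-NULL, stored through it.
 * pp:  points at the first content octet; advanced past the consumed
 *      octets on success, untouched on failure.
 * len: number of content octets.
 *
 * Returns the object, or NULL with an ASN1 error pushed when the encoding
 * is malformed or allocation fails.
 */
ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, unsigned char **pp,
	     long len)
{
	ASN1_OBJECT *ret=NULL;
	unsigned char *p;
	int i, length;

	/*
	 * Sanity check OID encoding (X.690 8.19.2), previously absent here:
	 *  - need at least one content octet, and len must fit in an int
	 *    (the round-trip cast detects truncation without INT_MAX);
	 *  - the last octet must terminate a subidentifier (MSB clear);
	 *  - no subidentifier may start with 0x80 (non-minimal encoding).
	 * Without this, negative/zero lengths reached OPENSSL_malloc and
	 * memcpy unchecked and malformed OIDs were stored as-is.
	 */
	if (len <= 0 || (long)(int)len != len || pp == NULL ||
	    (p = *pp) == NULL || (p[len - 1] & 0x80))
		{
		ASN1err(ASN1_F_D2I_ASN1_OBJECT,ASN1_R_INVALID_OBJECT_ENCODING);
		return NULL;
		}
	length = (int)len;
	for (i = 0; i < length; i++, p++)
		{
		if (*p == 0x80 && (!i || !(p[-1] & 0x80)))
			{
			ASN1err(ASN1_F_D2I_ASN1_OBJECT,ASN1_R_INVALID_OBJECT_ENCODING);
			return NULL;
			}
		}

	/* only the ASN1_OBJECTs from the 'table' will have values
	 * for ->sn or ->ln */
	if ((a == NULL) || ((*a) == NULL) ||
		!((*a)->flags & ASN1_OBJECT_FLAG_DYNAMIC))
		{
		if ((ret=ASN1_OBJECT_new()) == NULL) return(NULL);
		}
	else	ret=(*a);

	p= *pp;
	if ((ret->data == NULL) || (ret->length < length))
		{
		/* keep ->length consistent with the (freed) buffer so a
		 * reused caller object is not left with a stale length if
		 * the allocation below fails */
		ret->length=0;
		if (ret->data != NULL) OPENSSL_free(ret->data);
		ret->data=(unsigned char *)OPENSSL_malloc(length);
		if (ret->data == NULL)
			{ i=ERR_R_MALLOC_FAILURE; goto err; }
		ret->flags|=ASN1_OBJECT_FLAG_DYNAMIC_DATA;
		}
	memcpy(ret->data,p,length);
	ret->length=length;
	ret->sn=NULL;
	ret->ln=NULL;
	/* ret->flags=ASN1_OBJECT_FLAG_DYNAMIC; we know it is dynamic */
	p+=length;

	if (a != NULL) (*a)=ret;
	*pp=p;
	return(ret);
err:
	ASN1err(ASN1_F_D2I_ASN1_OBJECT,i);
	/* only free an object we allocated ourselves, never the caller's */
	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
		ASN1_OBJECT_free(ret);
	return(NULL);
}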
/*
 * Decode the content octets of a DER OBJECT IDENTIFIER into an ASN1_OBJECT.
 *
 * a:   if non-NULL and *a is a dynamic object it is reused (its buffer is
 *      grown when too small); otherwise a new object is allocated and, when
 *      a is non-NULL, stored through it.
 * pp:  points at the first content octet; advanced past the consumed
 *      octets on success, untouched on failure.
 * len: number of content octets; must be > 0 and fit in an int.
 *
 * Returns the object, or NULL with an ASN1 error pushed when the encoding
 * is malformed or allocation fails.  A reused *a is not freed on failure,
 * although its previous data buffer may already have been released.
 */
ASN1_OBJECT *
c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, long len)
{
	ASN1_OBJECT *obj = NULL;
	const unsigned char *src;
	unsigned char *buf;
	int n, k;

	/*
	 * Reject what X.690 8.19.2 forbids before touching any memory:
	 * an empty or oversized length, a missing input pointer, and a
	 * final octet that still has its continuation bit set.
	 */
	if (len <= 0 || len > INT_MAX || pp == NULL ||
	    (src = *pp) == NULL || (src[len - 1] & 0x80) != 0) {
		ASN1err(ASN1_F_C2I_ASN1_OBJECT, ASN1_R_INVALID_OBJECT_ENCODING);
		return (NULL);
	}
	n = (int)len;	/* safe: 0 < len <= INT_MAX */

	/* A subidentifier may not begin with 0x80 (non-minimal encoding). */
	for (k = 0; k < n; k++) {
		if (src[k] != 0x80)
			continue;
		if (k == 0 || (src[k - 1] & 0x80) == 0) {
			ASN1err(ASN1_F_C2I_ASN1_OBJECT,
			    ASN1_R_INVALID_OBJECT_ENCODING);
			return NULL;
		}
	}

	/*
	 * Reuse the caller's object only when it is dynamic; table entries
	 * (the only ones carrying ->sn/->ln) must never be overwritten.
	 */
	if (a != NULL && *a != NULL && ((*a)->flags & ASN1_OBJECT_FLAG_DYNAMIC))
		obj = *a;
	else if ((obj = ASN1_OBJECT_new()) == NULL)
		return (NULL);

	/* Detach the buffer so it can be replaced; it is const while attached. */
	buf = (unsigned char *)obj->data;
	obj->data = NULL;
	if (buf == NULL || obj->length < n) {
		obj->length = 0;
		free(buf);
		if ((buf = malloc(n)) == NULL) {
			k = ERR_R_MALLOC_FAILURE;
			goto err;
		}
		obj->flags |= ASN1_OBJECT_FLAG_DYNAMIC_DATA;
	}
	memcpy(buf, src, n);

	obj->data = buf;
	obj->length = n;
	obj->sn = NULL;
	obj->ln = NULL;

	*pp = src + n;
	if (a != NULL)
		*a = obj;
	return (obj);

err:
	ASN1err(ASN1_F_C2I_ASN1_OBJECT, k);
	/* Free only an object allocated here, never the caller's. */
	if (obj != NULL && (a == NULL || *a != obj))
		ASN1_OBJECT_free(obj);
	return (NULL);
}
/// Allocate a fresh, empty ASN1_OBJECT and wrap it in an owning `object`.
/// Ownership of the raw pointer passes to the wrapper via take_ownership();
/// a NULL result from ASN1_OBJECT_new() is handed to take_ownership() as-is.
inline object object::create()
{
    ASN1_OBJECT *raw = ASN1_OBJECT_new();
    return take_ownership(raw);
}
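/**
 * @brief Inquire Sec Context by OID
 * @ingroup globus_gsi_gssapi_extensions
 *
 * Return data bound to the certificate chain of an established context,
 * selected by @a desired_object:
 *  - gss_ext_x509_cert_chain_oid: one DER-encoded certificate per chain
 *    member, in chain order;
 *  - any other OID: treated as an X.509 extension OID; for every chain
 *    certificate carrying it, the raw value (OCTET STRING contents) of the
 *    first such extension in that certificate is appended.
 *
 * @param minor_status    Mechanism status; set to GLOBUS_SUCCESS on entry.
 * @param context_handle  Context to inspect; its mutex is held while the
 *                        chain is read.
 * @param desired_object  Selects what to return (see above).
 * @param data_set        On success, a buffer set the caller releases with
 *                        gss_release_buffer_set(), or NULL when the context
 *                        has no certificate chain.  Left NULL on failure.
 * @return GSS_S_COMPLETE, or GSS_S_FAILURE with @a minor_status set.
 */
OM_uint32 
GSS_CALLCONV gss_inquire_sec_context_by_oid(
    OM_uint32 *                         minor_status,
    const gss_ctx_id_t                  context_handle,
    const gss_OID                       desired_object,
    gss_buffer_set_t *                  data_set)
{
    OM_uint32                           major_status = GSS_S_COMPLETE;
    OM_uint32                           local_minor_status;
    gss_ctx_id_desc *                   context = NULL;
    int                                 found_index;
    int                                 chain_index;
    int                                 cert_count;
    X509_EXTENSION *                    extension;
    X509 *                              cert = NULL;
    STACK_OF(X509) *                    cert_chain = NULL;
    ASN1_OBJECT *                       asn1_desired_obj = NULL;
    ASN1_OCTET_STRING *                 asn1_oct_string;
    gss_buffer_desc                     data_set_buffer = GSS_C_EMPTY_BUFFER;
    globus_result_t                     local_result = GLOBUS_SUCCESS;
    unsigned char *                     tmp_ptr;
    static char *                       _function_name_ =
        "gss_inquire_sec_context_by_oid";
    GLOBUS_I_GSI_GSSAPI_DEBUG_ENTER;

    /* parameter checking goes here */
    if(minor_status == NULL)
    {
        GLOBUS_GSI_GSSAPI_ERROR_RESULT(
            minor_status,
            GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
            (_GGSL("Invalid minor_status (NULL) passed to function")));
        major_status = GSS_S_FAILURE;
        goto exit;
    }

    if(context_handle == GSS_C_NO_CONTEXT)
    {
        GLOBUS_GSI_GSSAPI_ERROR_RESULT(
            minor_status,
            GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
            (_GGSL("Invalid context_handle passed to function")));
        major_status = GSS_S_FAILURE;
        goto exit;
    }

    *minor_status = (OM_uint32) GLOBUS_SUCCESS;
    context = (gss_ctx_id_desc *) context_handle;

    if(desired_object == GSS_C_NO_OID)
    {
        GLOBUS_GSI_GSSAPI_ERROR_RESULT(
            minor_status,
            GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
            (_GGSL("Invalid desired_object passed to function")));
        major_status = GSS_S_FAILURE;
        goto exit;
    }

    if(data_set == NULL)
    {
        GLOBUS_GSI_GSSAPI_ERROR_RESULT(
            minor_status,
            GLOBUS_GSI_GSSAPI_ERROR_BAD_ARGUMENT,
            (_GGSL("Invalid data_set (NULL) passed to function")));
        major_status = GSS_S_FAILURE;
        goto exit;
    }

    *data_set = NULL;

    /* lock the context mutex */
    globus_mutex_lock(&context->mutex);

    local_result = globus_gsi_callback_get_cert_depth(context->callback_data,
                                                      &cert_count);
    if(local_result != GLOBUS_SUCCESS)
    {
        GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
            minor_status, local_result,
            GLOBUS_GSI_GSSAPI_ERROR_WITH_CALLBACK_DATA);
        major_status = GSS_S_FAILURE;
        goto unlock_exit;
    }

    /* No chain: success with *data_set == NULL. */
    if(cert_count == 0)
    {
        goto unlock_exit;
    }

    major_status = gss_create_empty_buffer_set(&local_minor_status, data_set);
    if(GSS_ERROR(major_status))
    {
        GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
            minor_status, local_minor_status,
            GLOBUS_GSI_GSSAPI_ERROR_WITH_BUFFER);
        goto unlock_exit;
    }

    local_result = globus_gsi_callback_get_cert_chain(
        context->callback_data, &cert_chain);
    if(local_result != GLOBUS_SUCCESS)
    {
        GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
            minor_status, local_result,
            GLOBUS_GSI_GSSAPI_ERROR_WITH_CALLBACK_DATA);
        major_status = GSS_S_FAILURE;
        cert_chain = NULL;
        goto unlock_exit;
    }

    if(desired_object->length != gss_ext_x509_cert_chain_oid->length ||
       memcmp(desired_object->elements,
              gss_ext_x509_cert_chain_oid->elements,
              gss_ext_x509_cert_chain_oid->length) != 0)
    {
        /*
         * Any other OID names an X.509 extension.  Borrow the OID bytes:
         * ASN1_OBJECT_new() leaves ASN1_OBJECT_FLAG_DYNAMIC_DATA clear, so
         * ASN1_OBJECT_free() below will not try to free caller memory.
         */
        asn1_desired_obj = ASN1_OBJECT_new();
        if(!asn1_desired_obj)
        {
            GLOBUS_GSI_GSSAPI_OPENSSL_ERROR_RESULT(
                minor_status,
                GLOBUS_GSI_GSSAPI_ERROR_WITH_OPENSSL,
                (_GGSL("Couldn't create ASN1 object")));
            major_status = GSS_S_FAILURE;
            goto unlock_exit;
        }

        asn1_desired_obj->length = desired_object->length;
        asn1_desired_obj->data = desired_object->elements;

        for(chain_index = 0; chain_index < cert_count; chain_index++)
        {
            cert = sk_X509_value(cert_chain, chain_index);

            /*
             * Start from -1 for every certificate: the index returned by
             * X509_get_ext_by_OBJ() is relative to that certificate's own
             * extension list.  Carrying the previous certificate's index
             * over (as this code used to) skipped extensions that sit at
             * a lower index in the next certificate.
             */
            found_index = X509_get_ext_by_OBJ(cert, asn1_desired_obj, -1);
            if(found_index < 0)
            {
                continue;
            }

            extension = X509_get_ext(cert, found_index);
            if(!extension)
            {
                GLOBUS_GSI_GSSAPI_OPENSSL_ERROR_RESULT(
                    minor_status,
                    GLOBUS_GSI_GSSAPI_ERROR_WITH_OPENSSL,
                    (_GGSL("Couldn't get extension at index %d "
                           "from cert in credential."), found_index));
                major_status = GSS_S_FAILURE;
                goto unlock_exit;
            }

            asn1_oct_string = X509_EXTENSION_get_data(extension);
            if(!asn1_oct_string)
            {
                GLOBUS_GSI_GSSAPI_OPENSSL_ERROR_RESULT(
                    minor_status,
                    GLOBUS_GSI_GSSAPI_ERROR_WITH_OPENSSL,
                    (_GGSL("Couldn't get cert extension in the form of an "
                           "ASN1 octet string.")));
                major_status = GSS_S_FAILURE;
                goto unlock_exit;
            }

            asn1_oct_string = ASN1_OCTET_STRING_dup(asn1_oct_string);
            if(!asn1_oct_string)
            {
                GLOBUS_GSI_GSSAPI_OPENSSL_ERROR_RESULT(
                    minor_status,
                    GLOBUS_GSI_GSSAPI_ERROR_WITH_OPENSSL,
                    (_GGSL("Failed to make copy of extension data")));
                major_status = GSS_S_FAILURE;
                goto unlock_exit;
            }

            /* Keep the duplicated contents, drop the container struct. */
            data_set_buffer.value = asn1_oct_string->data;
            data_set_buffer.length = asn1_oct_string->length;
            OPENSSL_free(asn1_oct_string);

            major_status = gss_add_buffer_set_member(
                &local_minor_status, &data_set_buffer, data_set);

            /*
             * gss_add_buffer_set_member() copies the buffer (the chain
             * branch below reuses and later frees its scratch buffer across
             * calls), so our copy is released here on success and failure
             * alike; it used to leak on every match.
             */
            OPENSSL_free(data_set_buffer.value);
            data_set_buffer.value = NULL;
            data_set_buffer.length = 0;

            if(GSS_ERROR(major_status))
            {
                GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
                    minor_status, local_minor_status,
                    GLOBUS_GSI_GSSAPI_ERROR_WITH_BUFFER);
                goto unlock_exit;
            }
        }
    }
    else
    {
        /* Whole chain requested: DER-encode each certificate in turn,
         * reusing one realloc'ed scratch buffer. */
        for(chain_index = 0; chain_index < cert_count; chain_index++)
        {
            int                         certlen;

            cert = sk_X509_value(cert_chain, chain_index);

            certlen = i2d_X509(cert, NULL);
            if (certlen < 0)
            {
                GLOBUS_GSI_GSSAPI_OPENSSL_ERROR_RESULT(
                    minor_status,
                    GLOBUS_GSI_GSSAPI_ERROR_WITH_OPENSSL,
                    (_GGSL("Failed to serialize certificate")));
                major_status = GSS_S_FAILURE;
                goto unlock_exit;
            }

            /* realloc into a temporary so the old buffer is not lost and
             * is still freed at unlock_exit if this fails */
            tmp_ptr = realloc(data_set_buffer.value, certlen);
            if(tmp_ptr == NULL)
            {
                GLOBUS_GSI_GSSAPI_MALLOC_ERROR(minor_status);
                major_status = GSS_S_FAILURE;
                goto unlock_exit;
            }
            data_set_buffer.value = tmp_ptr;
            data_set_buffer.length = certlen;

            /* i2d_X509 advances tmp_ptr; data_set_buffer.value keeps the
             * start of the buffer */
            if(i2d_X509(cert, &tmp_ptr) < 0)
            {
                GLOBUS_GSI_GSSAPI_OPENSSL_ERROR_RESULT(
                    minor_status,
                    GLOBUS_GSI_GSSAPI_ERROR_WITH_OPENSSL,
                    (_GGSL("Failed to serialize certificate")));
                major_status = GSS_S_FAILURE;
                goto unlock_exit;
            }

            major_status = gss_add_buffer_set_member(
                &local_minor_status, &data_set_buffer, data_set);
            if(GSS_ERROR(major_status))
            {
                GLOBUS_GSI_GSSAPI_ERROR_CHAIN_RESULT(
                    minor_status, local_minor_status,
                    GLOBUS_GSI_GSSAPI_ERROR_WITH_BUFFER);
                goto unlock_exit;
            }
        }
    }

unlock_exit:
    /* unlock the context mutex */
    globus_mutex_unlock(&context->mutex);

    /*
     * Only the chain branch's realloc'ed scratch buffer can still be live
     * here (the extension branch frees its OpenSSL-allocated buffer right
     * after use), so plain free() is the right deallocator and this also
     * covers the error paths that used to leak it.
     */
    free(data_set_buffer.value);
    data_set_buffer.value = NULL;

    /* Do not hand a partially filled set back to the caller on failure. */
    if(GSS_ERROR(major_status) && *data_set != NULL)
    {
        gss_release_buffer_set(&local_minor_status, data_set);
        *data_set = NULL;
    }

exit:
    if (asn1_desired_obj != NULL)
    {
        ASN1_OBJECT_free(asn1_desired_obj);
    }

    if(cert_chain != NULL)
    {
        sk_X509_pop_free(cert_chain, X509_free);
    }

    GLOBUS_I_GSI_GSSAPI_DEBUG_EXIT;
    return major_status;
}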
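/*
 * Extract the TeraGrid gateway user name from a SAML assertion bound to the
 * peer's X.509 chain.
 *
 * The assertion is taken either from an established GSS context (via
 * gss_inquire_sec_context_by_oid() with globus_saml_oid) or, when no context
 * is given, from the chain of @a peer_cred (looking for the extension named
 * by globus_l_saml_oid_desc).  Only the first assertion found is examined,
 * and only a self-issued one (globus_l_tg_saml_assertion_is_self_issued())
 * is honoured.  The sender-vouches principal name from the assertion's
 * AuthenticationStatement is returned.
 *
 * gateway_user: receives a strdup()'d name the caller frees, or NULL when no
 *               usable assertion is present (which is still a success).
 * Returns GLOBUS_SUCCESS, or a GLOBUS_GRAM_PROTOCOL_ERROR_* code; on the
 * authorization errors a protocol error message is also installed.
 * Without libxml2 support this always succeeds with *gateway_user == NULL.
 */
int
globus_i_gram_get_tg_gateway_user(
    gss_ctx_id_t                        context,
    globus_gsi_cred_handle_t            peer_cred,
    char **                             gateway_user)
{
#if HAVE_LIBXML2
    OM_uint32                           maj_stat, min_stat;
    /*
     * Initialised so the shared cleanup below can tell whether a buffer set
     * was ever obtained: the peer_cred path never calls
     * gss_inquire_sec_context_by_oid() but does run through the same labels,
     * and used to pass this uninitialised pointer to
     * gss_release_buffer_set().
     */
    gss_buffer_set_t                    data_set = NULL;
    ASN1_UTF8STRING *                   asn1_str = NULL;
    char *                              assertion_string = NULL;
    unsigned char *                     p;
    long                                pl;
    xmlDocPtr                           doc;
    xmlXPathContextPtr                  xpath_ctx;
    xmlXPathObjectPtr                   xresult;
    int                                 rc;
    ASN1_OBJECT *                       asn1_desired_object = NULL;
    int                                 cert_count;
    int                                 found_index;
    int                                 chain_index;
    X509 *                              cert;
    X509_EXTENSION *                    extension;
    ASN1_OCTET_STRING *                 asn1_oct_string;
    STACK_OF(X509) *                    chain = NULL;

    *gateway_user = NULL;

    if (context == GSS_C_NO_CONTEXT && peer_cred != NULL)
    {
        globus_result_t                 result;

        /* This basically duplicates the gss_inquire_sec_context_by_oid(), but
         * instead uses a gsi credential object
         */
        rc = GLOBUS_SUCCESS;

        asn1_desired_object = ASN1_OBJECT_new();
        if (asn1_desired_object == NULL)
        {
            rc = GLOBUS_GRAM_PROTOCOL_ERROR_MALLOC_FAILED;
            goto no_extension_in_cred_chain;
        }

        /* Borrow the OID bytes; ASN1_OBJECT_FLAG_DYNAMIC_DATA stays clear,
         * so ASN1_OBJECT_free() will not free them. */
        asn1_desired_object->length = globus_l_saml_oid_desc.length;
        asn1_desired_object->data = globus_l_saml_oid_desc.elements;

        result = globus_gsi_cred_get_cert_chain(peer_cred, &chain);
        if (result != GLOBUS_SUCCESS)
        {
            char *                      msg;

            msg = globus_error_print_friendly(
                    globus_error_peek(result));
            globus_gram_protocol_error_7_hack_replace_message(
                    msg);
            free(msg);
            rc = GLOBUS_GRAM_PROTOCOL_ERROR_AUTHORIZATION;
            goto no_extension_in_cred_chain;
        }

        cert_count = sk_X509_num(chain);

        for (chain_index = 0; chain_index < cert_count; chain_index++)
        {
            cert = sk_X509_value(chain, chain_index);

            /* The index is relative to this certificate's extension list,
             * so always search from its start. */
            found_index = -1;
            found_index = X509_get_ext_by_OBJ(cert, asn1_desired_object,
                                              found_index);
            if (found_index >= 0)
            {
                extension = X509_get_ext(cert, found_index);
                if (extension == NULL)
                {
                    rc = GLOBUS_GRAM_PROTOCOL_ERROR_AUTHORIZATION;
                    globus_gram_protocol_error_7_hack_replace_message(
                        "Unable to extract SAML assertion extension from certificate chain");
                    goto no_extension_in_cred_chain;
                }

                asn1_oct_string = X509_EXTENSION_get_data(extension);
                if (asn1_oct_string == NULL)
                {
                    rc = GLOBUS_GRAM_PROTOCOL_ERROR_AUTHORIZATION;
                    globus_gram_protocol_error_7_hack_replace_message(
                        "Unable to extract SAML assertion extension from certificate chain");
                    goto no_extension_in_cred_chain;
                }

                p = asn1_oct_string->data;
                asn1_str = d2i_ASN1_UTF8STRING(NULL, (void *)&p,
                                               asn1_oct_string->length);
                if (asn1_str == NULL)
                {
                    rc = GLOBUS_GRAM_PROTOCOL_ERROR_AUTHORIZATION;
                    globus_gram_protocol_error_7_hack_replace_message(
                        "Unable to convert SAML assertion text from DER to UTF8");
                    goto no_extension_in_cred_chain;
                }

                assertion_string = malloc(asn1_str->length + 1);
                if (assertion_string == NULL)
                {
                    rc = GLOBUS_GRAM_PROTOCOL_ERROR_MALLOC_FAILED;
                    /* asn1_str is released on this path now; it used to
                     * leak */
                    goto assertion_string_malloc_failed;
                }
                memcpy(assertion_string, asn1_str->data, asn1_str->length);
                assertion_string[asn1_str->length] = 0;
                break;
            }
        }

        /* Only the first assertion in the chain is used. */
        if (chain_index == cert_count)
        {
            goto no_extension_in_cred_chain;
        }
    }
    else if (context == GSS_C_NO_CONTEXT)
    {
        rc = GLOBUS_SUCCESS;
        goto no_context;
    }
    else
    {
        maj_stat = gss_inquire_sec_context_by_oid(
                &min_stat,
                context,
                globus_saml_oid,
                &data_set);
        if (GSS_ERROR(maj_stat))
        {
            globus_gram_protocol_error_7_hack_replace_message(
                    "Error extracting SAML assertion");
            rc = GLOBUS_GRAM_PROTOCOL_ERROR_AUTHORIZATION;
            goto inquire_failed;
        }

        /* We'll process only the first SAML assertion bound in the X.509 chain */
        if (data_set->count < 1)
        {
            rc = GLOBUS_SUCCESS;
            goto empty_data_set;
        }

        p = data_set->elements[0].value;
        pl = data_set->elements[0].length;

        /* Convert DER-Encoded string to UTF8 */
        asn1_str = d2i_ASN1_UTF8STRING(NULL, (void *) &p, pl);
        if (!asn1_str)
        {
            globus_gram_protocol_error_7_hack_replace_message(
                    "Error decoding SAML assertion");
            rc = GLOBUS_GRAM_PROTOCOL_ERROR_AUTHORIZATION;
            goto utfstring_failed;
        }

        /* NUL-terminate for the XML parser; embedded NULs would truncate
         * the assertion here */
        assertion_string = malloc(asn1_str->length + 1);
        if (assertion_string == NULL)
        {
            rc = GLOBUS_GRAM_PROTOCOL_ERROR_MALLOC_FAILED;
            goto assertion_string_malloc_failed;
        }
        memcpy(assertion_string, asn1_str->data, asn1_str->length);
        assertion_string[asn1_str->length] = 0;
    }

    /*
     * Parse SAML assertion.
     * NOTE(review): the assertion text is peer-supplied.  xmlParseDoc() is
     * used with libxml2's default options; confirm that external entity
     * loading is disabled in this libxml2 configuration before trusting
     * the parse on untrusted input.
     */
    doc = xmlParseDoc(BAD_CAST assertion_string);
    if (doc == NULL)
    {
        globus_gram_protocol_error_7_hack_replace_message(
                "Error parsing SAML assertion");
        rc = GLOBUS_GRAM_PROTOCOL_ERROR_AUTHORIZATION;
        goto parse_assertion_failed;
    }

    xmlXPathInit();

    /* Use XPATH to extract Issuer */
    xpath_ctx = xmlXPathNewContext(doc);
    if (xpath_ctx == NULL)
    {
        rc = GLOBUS_GRAM_PROTOCOL_ERROR_MALLOC_FAILED;
        goto xpath_ctx_init_failed;
    }

    rc = xmlXPathRegisterNs(
            xpath_ctx,
            (xmlChar *) "s",
            (xmlChar *) "urn:oasis:names:tc:SAML:1.0:assertion");
    if (rc != 0)
    {
        rc = GLOBUS_GRAM_PROTOCOL_ERROR_MALLOC_FAILED;
        goto xpath_register_ns_failed;
    }

    xresult = xmlXPathEvalExpression(
            (const xmlChar *) "string(/s:Assertion/@Issuer)",
            xpath_ctx);
    if (xresult == NULL)
    {
        globus_gram_protocol_error_7_hack_replace_message(
                "Error processing SAML assertion: no \"Issuer\" attribute");
        rc = GLOBUS_GRAM_PROTOCOL_ERROR_AUTHORIZATION;
        goto xpath_eval_issuer_failed;
    }

    if (! globus_l_tg_saml_assertion_is_self_issued(
                context,
                (const char *) xresult->stringval))
    {
        /* Ignore non-self issued assertions */
        rc = GLOBUS_SUCCESS;
        goto non_self_issued;
    }
    xmlXPathFreeObject(xresult);

    /* Use XPATH to extract the sender-vouches, self-issued, TG principal name
     * Subject attribute from the Assertion's AuthenticationStatement
     */
    xresult = xmlXPathEvalExpression(
            (const xmlChar *) "string(/s:Assertion/s:AuthenticationStatement/s:Subject[string(s:SubjectConfirmation/s:ConfirmationMethod) = 'urn:oasis:names:tc:SAML:1.0:cm:sender-vouches' and s:NameIdentifier/@Format = 'http://teragrid.org/names/nameid-format/principalname']/s:NameIdentifier[1])",
            xpath_ctx);
    if (xresult == NULL)
    {
        globus_gram_protocol_error_7_hack_replace_message(
                "Error processing SAML assertion: no teragrid principal");
        rc = GLOBUS_GRAM_PROTOCOL_ERROR_AUTHORIZATION;
        goto get_gateway_name_failed;
    }

    if (xresult != NULL && xresult->stringval != NULL &&
        *(xresult->stringval) != 0)
    {
        *gateway_user = strdup((char *) xresult->stringval);
        if (*gateway_user == NULL)
        {
            /* previously an allocation failure here returned success with
             * a NULL user */
            rc = GLOBUS_GRAM_PROTOCOL_ERROR_MALLOC_FAILED;
            goto get_gateway_name_failed;
        }
    }
    /* Explicit, rather than relying on xmlXPathRegisterNs()'s 0. */
    rc = GLOBUS_SUCCESS;

get_gateway_name_failed:
non_self_issued:
    if (xresult != NULL)
    {
        xmlXPathFreeObject(xresult);
    }
xpath_eval_issuer_failed:
xpath_register_ns_failed:
    xmlXPathFreeContext(xpath_ctx);
xpath_ctx_init_failed:
    xmlFreeDoc(doc);
parse_assertion_failed:
    free(assertion_string);
assertion_string_malloc_failed:
    ASN1_UTF8STRING_free(asn1_str);
utfstring_failed:
empty_data_set:
    /* Only the context path ever obtains a buffer set. */
    if (data_set != NULL)
    {
        gss_release_buffer_set(&min_stat, &data_set);
    }
inquire_failed:
no_extension_in_cred_chain:
no_context:
    if (asn1_desired_object != NULL)
    {
        ASN1_OBJECT_free(asn1_desired_object);
    }
    if (chain != NULL)
    {
        /* NOTE(review): this frees only the stack, not its certificates;
         * confirm globus_gsi_cred_get_cert_chain() hands out a shallow copy */
        sk_X509_free(chain);
    }
    return rc;
#else
    *gateway_user = NULL;

    return GLOBUS_SUCCESS;
#endif /* HAVE_LIBXML2 */
}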