static size_t
get_extension_by_object (X509 *x509, ASN1_OBJECT *obj, char **output)
{
int pos = X509_get_ext_by_OBJ (x509, obj, -1);
if (pos < 0) {
return 0;
}
X509_EXTENSION *ext = X509_get_ext (x509, pos);
int tag;
long len;
int tc;
const unsigned char *p = ext->value->data;
ASN1_get_object (&p, &len, &tag, &tc, ext->value->length);
size_t size;
switch (tag) {
case V_ASN1_UTF8STRING:
{
ASN1_UTF8STRING *str =
ASN1_item_unpack (ext->value,
ASN1_ITEM_rptr
(ASN1_UTF8STRING));
*output = strndup ((const char *)
ASN1_STRING_data (str),
str->length);
size = str->length;
ASN1_UTF8STRING_free (str);
return size;
}
case V_ASN1_OCTET_STRING:
{
ASN1_OCTET_STRING *octstr =
ASN1_item_unpack (ext->value,
ASN1_ITEM_rptr
(ASN1_OCTET_STRING));
*output = malloc (octstr->length);
memcpy (*output, octstr->data, octstr->length);
size = octstr->length;
ASN1_OCTET_STRING_free (octstr);
return size;
}
default:
{
BIO *bio = BIO_new (BIO_s_mem ());
X509V3_EXT_print (bio, ext, 0, 0);
size_t size = BIO_ctrl_pending (bio);
char *buf = malloc (sizeof (char) * size);
BIO_read (bio, buf, size);
*output = buf;
BIO_free (bio);
return size;
}
}
}
int X509_alias_set1(X509 *x, unsigned char *name, int len)
{
X509_CERT_AUX *aux;
if (!name)
{
if (!x || !x->aux || !x->aux->alias)
return 1;
ASN1_UTF8STRING_free(x->aux->alias);
x->aux->alias = NULL;
return 1;
}
if(!(aux = aux_get(x))) return 0;
if(!aux->alias && !(aux->alias = ASN1_UTF8STRING_new())) return 0;
return ASN1_STRING_set(aux->alias, name, len);
}
int
globus_i_gram_get_tg_gateway_user(
gss_ctx_id_t context,
globus_gsi_cred_handle_t peer_cred,
char ** gateway_user)
{
#if HAVE_LIBXML2
OM_uint32 maj_stat, min_stat;
gss_buffer_set_t data_set;
ASN1_UTF8STRING * asn1_str;
char * assertion_string;
unsigned char * p;
long pl;
xmlDocPtr doc;
xmlXPathContextPtr xpath_ctx;
xmlXPathObjectPtr xresult;
int rc;
ASN1_OBJECT * asn1_desired_object = NULL;
int cert_count;
int found_index;
int chain_index;
X509 *cert;
X509_EXTENSION * extension;
ASN1_OCTET_STRING *asn1_oct_string;
STACK_OF(X509) *chain = NULL;
*gateway_user = NULL;
if (context == GSS_C_NO_CONTEXT && peer_cred != NULL)
{
globus_result_t result;
/* This basically duplicates the gss_inquire_sec_context_by_oid(), but
* instead uses a gsi credential object
*/
rc = GLOBUS_SUCCESS;
asn1_desired_object = ASN1_OBJECT_new();
if (asn1_desired_object == NULL)
{
rc = GLOBUS_GRAM_PROTOCOL_ERROR_MALLOC_FAILED;
goto no_extension_in_cred_chain;
}
asn1_desired_object->length = globus_l_saml_oid_desc.length;
asn1_desired_object->data = globus_l_saml_oid_desc.elements;
result = globus_gsi_cred_get_cert_chain(peer_cred, &chain);
if (result != GLOBUS_SUCCESS)
{
char * msg;
msg = globus_error_print_friendly(
globus_error_peek(result));
globus_gram_protocol_error_7_hack_replace_message(
msg);
free(msg);
rc = GLOBUS_GRAM_PROTOCOL_ERROR_AUTHORIZATION;
goto no_extension_in_cred_chain;
}
cert_count = sk_X509_num(chain);
found_index = -1;
for (chain_index = 0; chain_index < cert_count; chain_index++)
{
cert = sk_X509_value(chain, chain_index);
found_index = X509_get_ext_by_OBJ(cert, asn1_desired_object, found_index);
if (found_index >= 0)
{
extension = X509_get_ext(cert, found_index);
if (extension == NULL)
{
rc = GLOBUS_GRAM_PROTOCOL_ERROR_AUTHORIZATION;
globus_gram_protocol_error_7_hack_replace_message(
"Unable to extract SAML assertion extension from certificate chain");
goto no_extension_in_cred_chain;
}
asn1_oct_string = X509_EXTENSION_get_data(extension);
if (asn1_oct_string == NULL)
{
rc = GLOBUS_GRAM_PROTOCOL_ERROR_AUTHORIZATION;
globus_gram_protocol_error_7_hack_replace_message(
"Unable to extract SAML assertion extension from certificate chain");
goto no_extension_in_cred_chain;
}
p = asn1_oct_string->data;
asn1_str = d2i_ASN1_UTF8STRING(NULL, (void *)&p, asn1_oct_string->length);
if (asn1_str == NULL)
{
rc = GLOBUS_GRAM_PROTOCOL_ERROR_AUTHORIZATION;
globus_gram_protocol_error_7_hack_replace_message(
"Unable to convert SAML assertion text from DER to UTF8");
goto no_extension_in_cred_chain;
}
assertion_string = malloc(asn1_str->length + 1);
if (assertion_string == NULL)
{
rc = GLOBUS_GRAM_PROTOCOL_ERROR_MALLOC_FAILED;
goto no_extension_in_cred_chain;
}
memcpy(assertion_string, asn1_str->data, asn1_str->length);
assertion_string[asn1_str->length] = 0;
break;
}
}
if (chain_index == cert_count)
{
goto no_extension_in_cred_chain;
}
}
else if (context == GSS_C_NO_CONTEXT)
{
rc = GLOBUS_SUCCESS;
goto no_context;
}
else
{
maj_stat = gss_inquire_sec_context_by_oid(
&min_stat,
context,
globus_saml_oid,
&data_set);
if (GSS_ERROR(maj_stat))
{
globus_gram_protocol_error_7_hack_replace_message(
"Error extracting SAML assertion");
rc = GLOBUS_GRAM_PROTOCOL_ERROR_AUTHORIZATION;
goto inquire_failed;
}
/* We'll process only the first SAML assertion bound in the X.509 chain */
if (data_set->count < 1)
{
rc = GLOBUS_SUCCESS;
goto empty_data_set;
}
p = data_set->elements[0].value;
pl = data_set->elements[0].length;
/* Convert DER-Encoded string to UTF8 */
asn1_str = d2i_ASN1_UTF8STRING(NULL, (void *) &p, pl);
if (!asn1_str)
{
globus_gram_protocol_error_7_hack_replace_message(
"Error decoding SAML assertion");
rc = GLOBUS_GRAM_PROTOCOL_ERROR_AUTHORIZATION;
goto utfstring_failed;
}
assertion_string = malloc(asn1_str->length + 1);
if (assertion_string == NULL)
{
rc = GLOBUS_GRAM_PROTOCOL_ERROR_MALLOC_FAILED;
goto assertion_string_malloc_failed;
}
memcpy(assertion_string, asn1_str->data, asn1_str->length);
assertion_string[asn1_str->length] = 0;
}
/* Parse SAML assertion */
doc = xmlParseDoc(BAD_CAST assertion_string);
if (doc == NULL)
{
globus_gram_protocol_error_7_hack_replace_message(
"Error parsing SAML assertion");
rc = GLOBUS_GRAM_PROTOCOL_ERROR_AUTHORIZATION;
goto parse_assertion_failed;
}
xmlXPathInit();
/* Use XPATH to extract Issuer */
xpath_ctx = xmlXPathNewContext(doc);
if (xpath_ctx == NULL)
{
rc = GLOBUS_GRAM_PROTOCOL_ERROR_MALLOC_FAILED;
goto xpath_ctx_init_failed;
}
rc = xmlXPathRegisterNs(
xpath_ctx,
(xmlChar *) "s",
(xmlChar *) "urn:oasis:names:tc:SAML:1.0:assertion");
if (rc != 0)
{
rc = GLOBUS_GRAM_PROTOCOL_ERROR_MALLOC_FAILED;
goto xpath_register_ns_failed;
}
xresult = xmlXPathEvalExpression(
(const xmlChar *) "string(/s:Assertion/@Issuer)",
xpath_ctx);
if (xresult == NULL)
{
globus_gram_protocol_error_7_hack_replace_message(
"Error processing SAML assertion: no \"Issuer\" attribute");
rc = GLOBUS_GRAM_PROTOCOL_ERROR_AUTHORIZATION;
goto xpath_eval_issuer_failed;
}
if (! globus_l_tg_saml_assertion_is_self_issued(
context,
(const char *) xresult->stringval))
{
/* Ignore non-self issued assertions */
rc = GLOBUS_SUCCESS;
goto non_self_issued;
}
xmlXPathFreeObject(xresult);
/* Use XPATH to extract the sender-vouches, self-issued, TG principal name
* Subject attribute from the Assertion's AuthenticationStatement
*/
xresult = xmlXPathEvalExpression(
(const xmlChar *) "string(/s:Assertion/s:AuthenticationStatement/s:Subject[string(s:SubjectConfirmation/s:ConfirmationMethod) = 'urn:oasis:names:tc:SAML:1.0:cm:sender-vouches' and s:NameIdentifier/@Format = 'http://teragrid.org/names/nameid-format/principalname']/s:NameIdentifier[1])",
xpath_ctx);
if (xresult == NULL)
{
globus_gram_protocol_error_7_hack_replace_message(
"Error processing SAML assertion: no teragrid principal");
rc = GLOBUS_GRAM_PROTOCOL_ERROR_AUTHORIZATION;
goto get_gateway_name_failed;
}
if (xresult != NULL &&
xresult->stringval != NULL &&
*(xresult->stringval) != 0)
{
*gateway_user = strdup((char *) xresult->stringval);
}
get_gateway_name_failed:
non_self_issued:
if (xresult != NULL)
{
xmlXPathFreeObject(xresult);
}
xpath_eval_issuer_failed:
xpath_register_ns_failed:
xmlXPathFreeContext(xpath_ctx);
xpath_ctx_init_failed:
xmlFreeDoc(doc);
parse_assertion_failed:
free(assertion_string);
assertion_string_malloc_failed:
ASN1_UTF8STRING_free(asn1_str);
utfstring_failed:
empty_data_set:
gss_release_buffer_set(&min_stat, &data_set);
inquire_failed:
no_extension_in_cred_chain:
no_context:
if (asn1_desired_object != NULL)
{
ASN1_OBJECT_free(asn1_desired_object);
}
if (chain != NULL)
{
sk_X509_free(chain);
}
return rc;
#else
*gateway_user = NULL;
return GLOBUS_SUCCESS;
#endif /* HAVE_LIBXML2 */
}
