
gridsite.h File Reference


Data Structures

struct  GRSTgaclAcl
struct  GRSTgaclCred
struct  GRSTgaclEntry
struct  GRSTgaclNamevalue
struct  GRSTgaclUser
struct  GRSThttpBody
struct  GRSThttpCharsList


typedef int GRSTgaclAction
typedef unsigned int GRSTgaclPerm


int GRSTgaclInit (void)
GRSTgaclCred * GRSTgaclCredNew (char *)
int GRSTgaclCredAddValue (GRSTgaclCred *, char *, char *)
int GRSTgaclCredFree (GRSTgaclCred *)
int GRSTgaclEntryAddCred (GRSTgaclEntry *, GRSTgaclCred *)
int GRSTgaclEntryDelCred (GRSTgaclEntry *, GRSTgaclCred *)
int GRSTgaclCredCredPrint (GRSTgaclCred *, FILE *)
GRSTgaclEntry * GRSTgaclEntryNew (void)
int GRSTgaclEntryFree (GRSTgaclEntry *)
int GRSTgaclAclAddEntry (GRSTgaclAcl *, GRSTgaclEntry *)
int GRSTgaclEntryPrint (GRSTgaclEntry *, FILE *)
int GRSTgaclPermPrint (GRSTgaclPerm, FILE *)
int GRSTgaclEntryAllowPerm (GRSTgaclEntry *, GRSTgaclPerm)
int GRSTgaclEntryUnallowPerm (GRSTgaclEntry *, GRSTgaclPerm)
int GRSTgaclEntryDenyPerm (GRSTgaclEntry *, GRSTgaclPerm)
int GRSTgaclUndenyPerm (GRSTgaclEntry *, GRSTgaclPerm)
char * GRSTgaclPermToChar (GRSTgaclPerm)
GRSTgaclPerm GRSTgaclPermFromChar (char *)
GRSTgaclAcl * GRSTgaclAclNew (void)
int GRSTgaclAclFree (GRSTgaclAcl *)
int GRSTgaclAclPrint (GRSTgaclAcl *, FILE *)
int GRSTgaclAclSave (GRSTgaclAcl *, char *)
GRSTgaclAcl * GRSTgaclAclLoadFile (char *)
char * GRSTgaclFileFindAclname (char *)
GRSTgaclAcl * GRSTgaclAclLoadforFile (char *)
int GRSTgaclFileIsAcl (char *)
GRSTgaclUser * GRSTgaclUserNew (GRSTgaclCred *)
int GRSTgaclUserFree (GRSTgaclUser *)
int GRSTgaclUserAddCred (GRSTgaclUser *, GRSTgaclCred *)
int GRSTgaclUserHasCred (GRSTgaclUser *, GRSTgaclCred *)
int GRSTgaclUserSetDNlists (GRSTgaclUser *, char *)
GRSTgaclCred * GRSTgaclUserFindCredtype (GRSTgaclUser *, char *)
int GRSTgaclDNlistHasUser (char *, GRSTgaclUser *)
GRSTgaclPerm GRSTgaclAclTestUser (GRSTgaclAcl *, GRSTgaclUser *)
GRSTgaclPerm GRSTgaclAclTestexclUser (GRSTgaclAcl *, GRSTgaclUser *)
char * GRSThttpUrlDecode (char *)
char * GRSThttpUrlEncode (char *)
char * GRSThttpUrlMildencode (char *)
int GRSTx509NameCmp (char *, char *)
 Compare X509 Distinguished Name strings.

int GRSTx509KnownCriticalExts (X509 *)
 Check critical extensions.

time_t GRSTasn1TimeToTimeT (char *)
 ASN1 time string (in a char *) to time_t.

int GRSTx509IsCA (X509 *)
 Check if certificate can be used as a CA to sign standard X509 certs.

int GRSTx509CheckChain (int *, X509_STORE_CTX *)
 Check certificate chain for GSI proxy acceptability.

int GRSTx509VerifyCallback (int, X509_STORE_CTX *)
 Example VerifyCallback routine.

int GRSTx509CheckVomsSig (unsigned char *, unsigned int, unsigned char *, unsigned int, char *, char *, char *)
 Check VOMS signature.

int GRSTx509GetVomsCreds (int *, int, size_t, char *, X509 *, X509 *, char *)
 Get the VOMS attributes in the extensions to the given cert.

GRSTgaclCred * GRSTx509CompactToCred (char *)
 Turn a Compact Cred line into a GRSTgaclCred object.

int GRSTx509CompactCreds (int *, int, size_t, char *, STACK_OF(X509)*, char *)
 Get the credentials in an X509 cert/GSI proxy, including any VOMS.

void GRSThttpBodyInit (GRSThttpBody *)
void GRSThttpPrintf (GRSThttpBody *, char *,...)
int GRSThttpCopy (GRSThttpBody *, char *)
void GRSThttpWriteOut (GRSThttpBody *)
int GRSThttpPrintHeaderFooter (GRSThttpBody *, char *, char *)
char * GRSThttpGetCGI (char *)

Typedef Documentation

typedef int GRSTgaclAction

typedef unsigned int GRSTgaclPerm

Function Documentation

time_t GRSTasn1TimeToTimeT char *    asn1time

ASN1 time string (in a char *) to time_t.

(Use ASN1_STRING_data() to convert ASN1_GENERALIZEDTIME to char * if necessary)

int GRSTgaclAclAddEntry GRSTgaclAcl  ,

int GRSTgaclAclFree GRSTgaclAcl  

GRSTgaclAcl* GRSTgaclAclLoadFile char *   

GRSTgaclAcl* GRSTgaclAclLoadforFile char *   

GRSTgaclAcl* GRSTgaclAclNew void   

int GRSTgaclAclPrint GRSTgaclAcl  ,
FILE *   

int GRSTgaclAclSave GRSTgaclAcl  ,
char *   

GRSTgaclPerm GRSTgaclAclTestexclUser GRSTgaclAcl  ,

GRSTgaclPerm GRSTgaclAclTestUser GRSTgaclAcl  ,

int GRSTgaclCredAddValue GRSTgaclCred  ,
char *   ,
char *   

int GRSTgaclCredCredPrint GRSTgaclCred  ,
FILE *   

int GRSTgaclCredFree GRSTgaclCred  

GRSTgaclCred* GRSTgaclCredNew char *   

int GRSTgaclDNlistHasUser char *   ,

int GRSTgaclEntryAddCred GRSTgaclEntry  ,

int GRSTgaclEntryAllowPerm GRSTgaclEntry  ,

int GRSTgaclEntryDelCred GRSTgaclEntry  ,

int GRSTgaclEntryDenyPerm GRSTgaclEntry  ,

int GRSTgaclEntryFree GRSTgaclEntry  

GRSTgaclEntry* GRSTgaclEntryNew void   

int GRSTgaclEntryPrint GRSTgaclEntry  ,
FILE *   

int GRSTgaclEntryUnallowPerm GRSTgaclEntry  ,

char* GRSTgaclFileFindAclname char *   

int GRSTgaclFileIsAcl char *   

int GRSTgaclInit void   

GRSTgaclPerm GRSTgaclPermFromChar char *   

int GRSTgaclPermPrint GRSTgaclPerm   ,
FILE *   

char* GRSTgaclPermToChar GRSTgaclPerm   

int GRSTgaclUndenyPerm GRSTgaclEntry  ,

int GRSTgaclUserAddCred GRSTgaclUser  ,

GRSTgaclCred* GRSTgaclUserFindCredtype GRSTgaclUser  ,
char *   

int GRSTgaclUserFree GRSTgaclUser  

int GRSTgaclUserHasCred GRSTgaclUser  ,

GRSTgaclUser* GRSTgaclUserNew GRSTgaclCred  

int GRSTgaclUserSetDNlists GRSTgaclUser  ,
char *   

void GRSThttpBodyInit GRSThttpBody  

int GRSThttpCopy GRSThttpBody  ,
char *   

char* GRSThttpGetCGI char *   

void GRSThttpPrintf GRSThttpBody  ,
char *   ,

int GRSThttpPrintHeaderFooter GRSThttpBody  ,
char *   ,
char *   

char* GRSThttpUrlDecode char *   

char* GRSThttpUrlEncode char *   

char* GRSThttpUrlMildencode char *   

void GRSThttpWriteOut GRSThttpBody  

int GRSTx509CheckChain int *    first_non_ca,
X509_STORE_CTX *    ctx

Check certificate chain for GSI proxy acceptability.

Returns X509_V_OK/GRST_RET_OK if valid; OpenSSL X509 errors otherwise.

Inspired by GSIcheck written by Mike Jones, SVE, Manchester Computing, The University of Manchester.

The GridSite version handles old- and new-style Globus proxies, and proxies derived from user certificates issued with "X509v3 Basic Constraints: CA:FALSE" (e.g. the UK e-Science CA).

We do not check the chain links between certificates here: this is done by GRST_check_issued/X509_check_issued in mod_ssl's ssl_engine_init.c.

TODO: we do not yet check ProxyCertInfo and ProxyCertPolicy extensions (although via GRSTx509KnownCriticalExts() we can accept them.)

int GRSTx509CheckVomsSig unsigned char *    sig,
unsigned int    siglen,
unsigned char *    data,
unsigned int    datalen,
char *    vomsdir,
char *    vo,
char *    vomsdn

Check VOMS signature.

Returns GRST_RET_OK if the signature starting at *sig matches *data and is from the VOMS server *vo; returns GRST_RET_FAILED otherwise.

int GRSTx509CompactCreds int *    lastcred,
int    maxcreds,
size_t    credlen,
char *    creds,
STACK_OF(X509)*    certstack,
char *    vomsdir

Get the credentials in an X509 cert/GSI proxy, including any VOMS.

Credentials are placed in Compact Creds string array at *creds.

Returns GRST_RET_OK on success, or GRST_RET_FAILED if an inconsistency is found in the certificate.

GRSTgaclCred* GRSTx509CompactToCred char *    grst_cred

Turn a Compact Cred line into a GRSTgaclCred object.

Returns a pointer to the created GRSTgaclCred, or NULL on failure.

int GRSTx509GetVomsCreds int *   ,
int   ,
size_t   ,
char *   ,
X509 *   ,
X509 *   ,
char *   

Get the VOMS attributes in the extensions to the given cert.

int GRSTx509IsCA X509 *   

Check if certificate can be used as a CA to sign standard X509 certs.

int GRSTx509KnownCriticalExts X509 *    cert

Check critical extensions.

Returns GRST_RET_OK if all of the extensions are known to us or to OpenSSL; GRST_RET_FAILED otherwise.

Because this function relies on functionality (X509_supported_extension) introduced in OpenSSL 0.9.7, it does nothing and reports an error (GRST_RET_FAILED) if one of the associated defines (X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) is absent.

int GRSTx509NameCmp char *    a,
char *    b

Compare X509 Distinguished Name strings.

This function attempts to do with string representations what would ideally be done with OIDs/values. In particular, it treats "/Email=" and "/emailAddress=" as equal, to cope with this important change between OpenSSL 0.9.6 and 0.9.7. Other than that, it currently behaves the same as ordinary strcmp(3).

int GRSTx509VerifyCallback int    ok,
X509_STORE_CTX *    ctx

Example VerifyCallback routine.

