From 3cd2ea45b29e06f2d09e8ee4fdbad18d74926be8 Mon Sep 17 00:00:00 2001
From: Matyas Selmeci
Date: Tue, 3 Sep 2024 16:34:37 +0000
Subject: [PATCH] Update to voms 2.1.0-1 from upstream, merge OSG changes, and delete unused patch files (SOFTWARE-5973)

git-svn-id: https://vdt.cs.wisc.edu/svn/native/redhat/branches/23-main@28016 4e558342-562e-0410-864c-e07659590f8c
---
 ...16-better-ac-signature-error-message.patch | 46 -
 ...able-TLS-1.1-and-older-openssl-1.0.2.patch | 28 -
 voms/osg/Disable-weak-ciphers.patch | 26 -
 ...RFC-proxies-by-default-SOFTWARE-2381.patch | 38 -
 ...size-to-2048-bits-in-voms-proxy-init.patch | 72 -
 ...el-group-of-VOMS-attribute-also-acce.patch | 54 -
 voms/osg/sw3123-voms-proxy-direct.patch | 1722 -----------------
 voms/osg/voms.spec | 146 +-
 8 files changed, 36 insertions(+), 2096 deletions(-)
 delete mode 100644 voms/osg/116-better-ac-signature-error-message.patch
 delete mode 100644 voms/osg/Disable-TLS-1.1-and-older-openssl-1.0.2.patch
 delete mode 100644 voms/osg/Disable-weak-ciphers.patch
 delete mode 100644 voms/osg/Make-RFC-proxies-by-default-SOFTWARE-2381.patch
 delete mode 100644 voms/osg/Set-default-key-size-to-2048-bits-in-voms-proxy-init.patch
 delete mode 100644 voms/osg/Validate-top-level-group-of-VOMS-attribute-also-acce.patch
 delete mode 100644 voms/osg/sw3123-voms-proxy-direct.patch

diff --git a/voms/osg/116-better-ac-signature-error-message.patch b/voms/osg/116-better-ac-signature-error-message.patch
deleted file mode 100644
index d02745763..000000000
--- a/voms/osg/116-better-ac-signature-error-message.patch
+++ /dev/null
@@ -1,46 +0,0 @@ -From b6dea2faa5a225e44159475d22713db8c81dffe7 Mon Sep 17 00:00:00 2001 -From: Brian Bockelman -Date: Wed, 26 Apr 2023 08:51:13 -0500 -Subject: [PATCH] If a detailed error message is available, do not overwrite - -When verification of ACs fails, the prior behavior is to always have -this message: - -``` -Cannot verify AC signature! -``` - -This can be difficult to debug as there's no indication of whether -its a problem with the proxy itself or with the host configuration. - -This patch appends the underlying error message if one was provided. -For example, - -``` -Cannot verify AC signature! Underlying error: Certificate verification \ - failed for certificate '/CN=voms.example.com': certificate has expired. -``` - -(newlines added for readability) ---- - src/api/ccapi/api_util.cc | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/src/api/ccapi/api_util.cc b/src/api/ccapi/api_util.cc -index b4c52bff..28c7288e 100644 ---- a/src/api/ccapi/api_util.cc -+++ b/src/api/ccapi/api_util.cc -@@ -327,7 +327,12 @@ vomsdata::verifydata(AC *ac, UNUSED(const std::string& subject), - issuer = check((void *)ac); - - if (!issuer) { -- seterror(VERR_SIGN, "Cannot verify AC signature!"); -+ std::string oldmessage = ErrorMessage(); -+ if (oldmessage.empty()) { -+ seterror(VERR_SIGN, "Cannot verify AC signature!"); -+ } else { -+ seterror(VERR_SIGN, "Cannot verify AC signature! Underlying error: " + oldmessage); -+ } - return false; - } - } diff --git a/voms/osg/Disable-TLS-1.1-and-older-openssl-1.0.2.patch b/voms/osg/Disable-TLS-1.1-and-older-openssl-1.0.2.patch deleted file mode 100644 index 81dff84ae..000000000 --- a/voms/osg/Disable-TLS-1.1-and-older-openssl-1.0.2.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -From cf3b5ee321a762c7de62669ce29ac377344c3697 Mon Sep 17 00:00:00 2001 -From: Matyas Selmeci -Date: Wed, 18 Sep 2019 17:25:12 -0500 -Subject: [PATCH] Disable TLS 1.1 and older (openssl 1.0.2) - -This method is deprecated (but not removed) in openssl 1.1 ---- - src/socklib/Server.cpp | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/socklib/Server.cpp b/src/socklib/Server.cpp -index e893612..024e7d2 100644 ---- a/src/socklib/Server.cpp -+++ b/src/socklib/Server.cpp -@@ -327,6 +327,10 @@ GSISocketServer::AcceptGSIAuthentication() - SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, proxy_verify_callback); - SSL_CTX_set_verify_depth(ctx, 100); - SSL_CTX_set_cert_verify_callback(ctx, proxy_app_verify_callback, 0); -+ if (!SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1)) { -+ SetErrorOpenSSL("Cannot set minimum TLS protocol version"); -+ goto err; -+ } - - if (own_stack) { - /* --- -2.6.3 - diff --git a/voms/osg/Disable-weak-ciphers.patch b/voms/osg/Disable-weak-ciphers.patch deleted file mode 100644 index eeb9d45e4..000000000 --- a/voms/osg/Disable-weak-ciphers.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From d683ec6360b6dffafcd01a30ce389b0ce7fb68d6 Mon Sep 17 00:00:00 2001 -From: Matyas Selmeci -Date: Fri, 1 Nov 2019 16:56:18 -0500 -Subject: [PATCH] Disable weak ciphers - -RC4 is known to be broken; 3DES and IDEA are vulnerable to the SWEET32 attack ---- - src/socklib/Server.cpp | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/socklib/Server.cpp b/src/socklib/Server.cpp -index e893612..ce580ea 100644 ---- a/src/socklib/Server.cpp -+++ b/src/socklib/Server.cpp -@@ -321,7 +321,7 @@ GSISocketServer::AcceptGSIAuthentication() - SSL_CTX_load_verify_locations(ctx, NULL, cacertdir); - SSL_CTX_use_certificate(ctx, ucert); - SSL_CTX_use_PrivateKey(ctx,upkey); -- SSL_CTX_set_cipher_list(ctx, "ALL:!LOW:!EXP:!MD5:!MD2"); -+ SSL_CTX_set_cipher_list(ctx, "ALL:!LOW:!EXP:!MD5:!MD2:!3DES:!RC4:!IDEA"); - SSL_CTX_set_purpose(ctx, X509_PURPOSE_ANY); - SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); - SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, proxy_verify_callback); --- -2.6.3 - diff --git a/voms/osg/Make-RFC-proxies-by-default-SOFTWARE-2381.patch b/voms/osg/Make-RFC-proxies-by-default-SOFTWARE-2381.patch deleted file mode 100644 index 230ec04eb..000000000 --- a/voms/osg/Make-RFC-proxies-by-default-SOFTWARE-2381.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From c0fc31349fb61c51227d7a4672e56428ef7069a1 Mon Sep 17 00:00:00 2001 -From: Matyas Selmeci -Date: Tue, 5 Jul 2016 18:29:41 -0500 -Subject: [PATCH] Make RFC proxies by default (SOFTWARE-2381) - ---- - src/client/vomsclient.cc | 10 ++-------- - 1 file changed, 2 insertions(+), 8 deletions(-) - -diff --git a/src/client/vomsclient.cc b/src/client/vomsclient.cc -index b850379..3b21b86 100644 ---- a/src/client/vomsclient.cc -+++ b/src/client/vomsclient.cc -@@ -436,19 +436,13 @@ Client::Client(int argc, char ** argv) : - if (proxyver!=2 && proxyver!=3 && proxyver != 4 && proxyver!=0) { - Print(ERROR) << "Error: proxyver must be 2, 3 or 4" << std::endl; - exit(1); - } - else if (proxyver==0) { -- if (version<30) -- proxyver = 2; -- else if (version < 40) -- proxyver = 3; -- else -- proxyver = 4; -+ proxyver = 4; - -- Print(DEBUG) << "Unspecified proxy version, settling on Globus version: " -- << proxyver << std::endl; -+ Print(DEBUG) << "Unspecified proxy version, settling on version 4 (RFC)" << std::endl; - } - - /* PCI extension option */ - - if (proxyver >= 3) { --- -2.6.3 - diff --git a/voms/osg/Set-default-key-size-to-2048-bits-in-voms-proxy-init.patch b/voms/osg/Set-default-key-size-to-2048-bits-in-voms-proxy-init.patch deleted file mode 100644 index 693770c2b..000000000 --- a/voms/osg/Set-default-key-size-to-2048-bits-in-voms-proxy-init.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From 5f24ee925b0d11d33d3486a2bdf801ed70c2f7bf Mon Sep 17 00:00:00 2001 -From: Matyas Selmeci -Date: Mon, 8 Nov 2021 14:39:26 -0600 -Subject: [PATCH] Set default key size to 2048 bits in voms-proxy-init, - voms-proxy-fake, voms-proxy-direct - ---- - src/client/vomsclient.cc | 2 +- - src/utils/vomsdirect.cc | 4 ++-- - src/utils/vomsfake.cc | 4 ++-- - 3 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/src/client/vomsclient.cc b/src/client/vomsclient.cc -index 3f3bd0d..d5917ea 100644 ---- a/src/client/vomsclient.cc -+++ b/src/client/vomsclient.cc -@@ -476,7 +476,7 @@ Client::Client(int argc, char ** argv) : - /* controls that number of bits for the key is appropiate */ - - if (bits == -1) -- bits = 1024; -+ bits = 2048; - - if ((bits != 0) && (bits!=512) && (bits!=1024) && (bits!=2048) && (bits!=4096)) { - Print(ERROR) << "Error: number of bits in key must be one of 512, 1024, 2048, 4096." << std::endl; -diff --git a/src/utils/vomsdirect.cc b/src/utils/vomsdirect.cc -index 1034aa0..8411dd1 100644 ---- a/src/utils/vomsdirect.cc -+++ b/src/utils/vomsdirect.cc -@@ -217,7 +217,7 @@ Direct::Direct(int argc, char ** argv) : confile(conf_file_name), - " -pwstdin Allows passphrase from stdin\n" \ - " -limited Creates a limited proxy\n" \ - " -hours H Proxy is valid for H hours (default:12)\n" \ -- " -bits Number of bits in key {512|1024|2048|4096} (default:1024)\n" \ -+ " -bits Number of bits in key {512|1024|2048|4096} (default:2048)\n" \ - " -cert Non-standard location of user certificate\n" \ - " -key Non-standard location of user key\n" \ - " -certdir Non-standard location of trusted cert dir\n" \ -@@ -932,7 +932,7 @@ bool Direct::VerifyOptions() - /* controls that number of bits for the key is appropiate */ - - if (bits == -1) -- bits = 1024; -+ bits = 2048; - - if ((bits!=512) && (bits!=1024) && - (bits!=2048) && (bits!=4096) && (bits != 0)) -diff --git a/src/utils/vomsfake.cc b/src/utils/vomsfake.cc -index b98f56b..3270c62 100644 ---- 
a/src/utils/vomsfake.cc -+++ b/src/utils/vomsfake.cc -@@ -219,7 +219,7 @@ Fake::Fake(int argc, char ** argv) : confile(conf_file_name), - " -pwstdin Allows passphrase from stdin\n" \ - " -limited Creates a limited proxy\n" \ - " -hours H Proxy is valid for H hours (default:12)\n" \ -- " -bits Number of bits in key {512|1024|2048|4096} (default:1024)\n" \ -+ " -bits Number of bits in key {512|1024|2048|4096} (default:2048)\n" \ - " -cert Non-standard location of user certificate\n" \ - " -key Non-standard location of user key\n" \ - " -certdir Non-standard location of trusted cert dir\n" \ -@@ -1021,7 +1021,7 @@ bool Fake::VerifyOptions() - /* controls that number of bits for the key is appropiate */ - - if (bits == -1) -- bits = 1024; -+ bits = 2048; - - if ((bits!=512) && (bits!=1024) && - (bits!=2048) && (bits!=4096) && (bits != 0)) --- -2.6.3 - diff --git a/voms/osg/Validate-top-level-group-of-VOMS-attribute-also-acce.patch b/voms/osg/Validate-top-level-group-of-VOMS-attribute-also-acce.patch deleted file mode 100644 index 82f6be462..000000000 --- a/voms/osg/Validate-top-level-group-of-VOMS-attribute-also-acce.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 4e721b43d8d8f6f49e21ab945dc567559ccaf138 Mon Sep 17 00:00:00 2001 -From: Brian Bockelman -Date: Mon, 20 Feb 2017 14:44:21 -0600 -Subject: [PATCH] Validate top-level group of VOMS attribute (also accept - attribs which _only_ have a top-level group) - ---- - src/ac/validate.cc | 16 +++++++++++++++- - 1 file changed, 15 insertions(+), 1 deletion(-) - -diff --git a/src/ac/validate.cc b/src/ac/validate.cc -index fb2aff3..55d30e8 100644 ---- a/src/ac/validate.cc -+++ b/src/ac/validate.cc -@@ -150,7 +150,7 @@ std::string get_error(int e) - return "VOMS Server contact data missing from AC."; - break; - case AC_ERR_ATTRIB_FQAN: -- return "VOMS Attributes absent or misformed."; -+ return "VOMS Attributes absent or malformed."; - break; - case AC_ERR_EXTS_ABSENT: - return "Required AC extensions missing (NoRevAvail and AuthorityKeyIdentifier)"; -@@ -430,6 +430,8 @@ static int checkAttributes(STACK_OF(AC_ATTR) *atts, voms &v) - else - return AC_ERR_ATTRIB_URI; - -+ std::string top_group = "/" + v.voname; -+ - /* scan the stack of IETFATTRVAL to put attribute in voms struct */ - for (int i=0; idata, capname->length); -+ std::string::size_type top_group_size = top_group.size(); -+ std::string::size_type str_size = str.size(); -+ -+ /* The top level group name must be identical to the VO name. -+ An attribute may end right after the group name, or may continue on -+ (separated by a "/"). */ -+ if (str.compare(0, top_group_size, top_group)) { -+ return AC_ERR_ATTRIB_FQAN; -+ } -+ else if (str_size > top_group_size && str[top_group_size] != '/') { -+ return AC_ERR_ATTRIB_FQAN; -+ } - - v.fqan.push_back(str); - --- -2.6.3 - diff --git a/voms/osg/sw3123-voms-proxy-direct.patch b/voms/osg/sw3123-voms-proxy-direct.patch deleted file mode 100644 index d371cb2e8..000000000 --- a/voms/osg/sw3123-voms-proxy-direct.patch +++ /dev/null 
@@ -1,1722 +0,0 @@ -From 8713210b56a4dda249782d2ab6a10b236a764ceb Mon Sep 17 00:00:00 2001 -From: Matyas Selmeci -Date: Tue, 3 Apr 2018 17:50:15 -0500 -Subject: [PATCH] 3123-voms-proxy-direct - -Create a `voms-proxy-direct` tool based on `voms-proxy-fake` that is suitable -for our use case of having VO frontends locally create proxies for their -own pilots. - -(SOFTWARE-3123) ---- - doc/Makefile.am | 12 +- - doc/voms-proxy-direct.xml | 241 +++++++++ - src/utils/Makefile.am | 15 + - src/utils/vomsdirect.cc | 1205 +++++++++++++++++++++++++++++++++++++++++++++ - src/utils/vomsdirect.h | 152 ++++++ - 5 files changed, 1621 insertions(+), 4 deletions(-) - create mode 100644 doc/voms-proxy-direct.xml - create mode 100644 src/utils/vomsdirect.cc - create mode 100644 src/utils/vomsdirect.h - -diff --git a/doc/Makefile.am b/doc/Makefile.am -index 9f29c3a..120f046 100644 ---- a/doc/Makefile.am -+++ b/doc/Makefile.am -@@ -5,11 +5,13 @@ SGML = $(srcdir)/voms-proxy-init.xml \ - $(srcdir)/voms.xml \ - $(srcdir)/voms-proxy-info.xml \ - $(srcdir)/voms-proxy-destroy.xml \ -- $(srcdir)/voms-proxy-fake.xml -+ $(srcdir)/voms-proxy-fake.xml \ -+ $(srcdir)/voms-proxy-direct.xml - - SGML_DIST = voms-proxy-init.xml voms.xml voms-proxy-info.xml \ - voms-proxy-destroy.xml \ -- voms-proxy-fake.xml voms-proxy-list.xml -+ voms-proxy-fake.xml voms-proxy-list.xml \ -+ voms-proxy-direct.xml - - LATEX_DIST = software.tex capi.tex c++api.tex AC-RFC.tex - -@@ -23,7 +25,8 @@ man_MANS = \ - voms-proxy-info.1 \ - voms-proxy-destroy.1 \ - voms-proxy-fake.1 \ -- voms-proxy-list.1 -+ voms-proxy-list.1 \ -+ voms-proxy-direct.1 - endif - endif - -@@ -41,7 +44,8 @@ man_MANS = \ - voms-proxy-info.1 \ - voms-proxy-destroy.1 \ - voms-proxy-fake.1 \ -- voms-proxy-list.1 -+ voms-proxy-list.1 \ -+ voms-proxy-direct.1 - endif - endif - -diff --git a/doc/voms-proxy-direct.xml b/doc/voms-proxy-direct.xml -new file mode 100644 -index 0000000..905dc84 ---- /dev/null -+++ b/doc/voms-proxy-direct.xml -@@ -0,0 +1,241 @@ -+ 
-+ -+ -+ -+ -+]> -+ -+ -+ -+voms-proxy-direct -+1 -+VOMS Client -+ -+ -+ -+voms-proxy-direct -+create and sign a proxy with VOMS extensions -+ -+ -+ -+ -+voms-proxy-direct -+options -+ -+ -+ -+Description -+ -+voms-proxy-direct generates a proxy containing arbitrary attributes, -+signed directly with a VO's cert and key instead of contacting a VOMS -+server. -+ -+The intent for this is to allow VOs to sign proxies for their pilots -+without requiring them to also run a VOMS server and manage user -+membership. -+ -+ -+ -+Options -+ -+Options may be specified indifferently with either a "-" or "--" prefix. -+ -+ -+ -+Displays usage. -+ -+ -+Displays version. -+ -+ -+Enables extra debug output. -+ -+ -+Quiet mode, minimal output. -+ -+ -+Verifies certificate to make proxy for. -+ -+ -+Allows passphrase from stdin. -+ -+ -+Creates a limited proxy. -+ -+ H -+Proxy is valid for H hours (default:12). -+ -+ H -+Tries to get an AC with information valid for H hours. The -+default is "as long as the proxy certificate". The special value 0 means -+as long as the server will allow. -+ -+ B -+Number of bits in key {0|512|1024|2048|4096}. 0 is a special value -+which means: same number of bits as in the issuing certificate. -+ -+ certfile -+Non-standard location of user certificate -+ -+ keyfile -+Non-standard location of user key -+ -+ certdir -+Location of trusted certificates dir -+ -+ proxyfile -+Location of new proxy cert -+ -+ voms -+Specifies the VO name that will appear in the certificate's attributes. -+ -+ -+ file -+Includes file in the certificate (in a non -+critical extension) -+ -+ file -+Read options from file. -+ -+ -+The file containing the policy expression. -+ -+ pl -+The language in which the policy is expressed. Default is IMPERSONATION_PROXY. -+ -+ -+Maximum depth of proxy certfificate that can be signed from this. -+ -+ -+Version of the proxy certificate to create. May be 2, 3, or 4. -+Default value is 4 (RFC). 
-+ -+ file -+Saves the voms credential on file file. -+ -+ file -+The cert that will be used to sign the AC. -+ -+ file -+The key thet will be used to sign the AC. -+ -+ file -+The string that will be included in the AC as the granted FQAN. -+ -+ -+This forces the server to generate ACs in the new (correct) format. This is meant -+as a compatibility feature to ease migration while the servers upgrade to the new version. -+ -+ bit,...,bit -+The created proxy will have the specified bits in the Netscape -+ Certificate Extension. Acceptable values -+ for bit are: client, server, email, -+ objsign, sslCA, emailCA, objCA. The default value is not to have -+ this extension. -+ -+ bit,...,bit -+The created proxy will have the specified bits in the Extended -+ Key Usage Extension. Acceptable values -+ for bit are: serverAuth, clientAuth, -+ codeSigning, emailProtection, timeStamping, msCodeInd, msCodeCom, -+ msCTLSign, msSGC, msEFS, nsSGC, deltaCRL. The default value is not -+ to have this extensions. -+ -+ bit,...,bit -+The created proxy will have the specified bits in the Key Usage -+ Extensions. Acceptable values for bit -+ are: digitalSignature, nonRepudiation, keyEncipherment, -+ dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, -+ decipherOnly. The default value is to copy this extensions from the -+ issuer certificate while removing the keyCertSign and nonRepudiation -+ bits if present. -+ -+ oid[/criticality]value -+This option allows to specified additional extensions to be put -+ in the created certificate. -+oid is the Object Identifier of -+ the extensions. Any OID may be used even if it is not already known -+ in advance. This must always be specified. There is no -+ default. -+criticality specifies whether the -+ extensions is critical or not, and it must be -+ either true -+ or false. If absent, it defaults to -+ false. -+value is the value of the -+ extensions. It is composed by two -+ subfields, type -+ and content. 
type -+ is a single charater, and specifies how -+ the content is interpreted. ':' -+ means that content is a text string -+ to be included as is. '~' means -+ that content is an hex representation -+ of the string. '+' means -+ that content is the name of a file -+ which will contain the actual data. -+ -+ oid[/criticality]value -+This option allows to specified additional extensions to be put -+ in the created attribute certificate. -+oid is the Object Identifier of -+ the extensions. Any OID may be used even if it is not already known -+ in advance. This must always be specified. There is no -+ default. -+criticality specifies whether the -+ extensions is critical or not, and it must be -+ either true -+ or false. If absent, it defaults to -+ false. -+value is the value of the -+ extensions. It is composed by two -+ subfields, type -+ and content. type -+ is a single charater, and specifies how -+ the content is interpreted. ':' -+ means that content is a text string -+ to be included as is. '~' means -+ that content is an hex representation -+ of the string. '+' means that content -+ is the name of a file which will contain the actual data. -+ -+ id = value [(qualifier)] -+ -+This option adds the generic attribute specified to the AC generated. Please note that spaces before and after the '=' char are swallowed in the command line. -+ -+ file -+ -+ -+The file file contains informations for -+ additional ACs that should be included in the created proxy. ACs -+ specified via the -voinfo option shall be added before ACs specified -+ via the command line options. -+ -+The format of the file is the following: -+ -+ -+[voname] -+parameter=value -+parameter=value -+... 
-+ -+ -+ -+ -+&bugzilla; -+ -+See also -+ -+voms-proxy-fake(1), voms-proxy-init(1), voms-proxy-info(1), voms-proxy-destroy(1) -+ -+&links; -+ -+ -+ -+&authors; -+ -+&license; -+ -+ -diff --git a/src/utils/Makefile.am b/src/utils/Makefile.am -index 5c6ff51..d68b8b9 100644 ---- a/src/utils/Makefile.am -+++ b/src/utils/Makefile.am -@@ -2,6 +2,7 @@ if BUILD_CLIENTS - bin_PROGRAMS = \ - voms-proxy-info \ - voms-proxy-destroy \ -+ voms-proxy-direct \ - voms-proxy-fake \ - voms-verify - -@@ -41,8 +42,16 @@ voms_proxy_fake_SOURCES = \ - vomsparser.c \ - lex.yy.c - -+voms_proxy_direct_SOURCES = \ -+ vomsdirect.h \ -+ vomsdirect.cc \ -+ vomsparser.c \ -+ lex.yy.c -+ - EXTRA_DIST = vomsfake.y vomsparser.l vomsparser.h fakeparsertypes.h - -+vomsdirect.$(OBJEXT): vomsparser.h -+ - vomsfake.$(OBJEXT): vomsparser.h - - vomsparser.$(OBJEXT): vomsparser.h -@@ -62,6 +71,12 @@ voms_proxy_fake_LDADD = \ - $(top_builddir)/src/sslutils/libssl_utils_nog.la \ - $(OPENSSL_LIBS) - -+voms_proxy_direct_LDADD = \ -+ $(top_builddir)/src/api/ccapi/libvomsapi.la \ -+ $(top_builddir)/src/replib/librep.la \ -+ $(top_builddir)/src/sslutils/libssl_utils_nog.la \ -+ $(OPENSSL_LIBS) -+ - AM_CPPFLAGS = \ - -I$(top_srcdir)/src/api/ccapi \ - -I$(top_srcdir)/src/include \ -diff --git a/src/utils/vomsdirect.cc b/src/utils/vomsdirect.cc -new file mode 100644 -index 0000000..1034aa0 ---- /dev/null -+++ b/src/utils/vomsdirect.cc -@@ -0,0 +1,1205 @@ -+/********************************************************************* -+ * -+ * Authors: Vincenzo Ciaschini - Vincenzo.Ciaschini@cnaf.infn.it -+ * Valerio Venturi - Valerio.Venturi@cnaf.infn.it -+ * -+ * Copyright (c) Members of the EGEE Collaboration. 2004-2010. -+ * See http://www.eu-egee.org/partners/ for details on the copyright holders. -+ * -+ * Licensed under the Apache License, Version 2.0 (the "License"); -+ * you may not use this file except in compliance with the License. 
-+ * You may obtain a copy of the License at -+ * -+ * http://www.apache.org/licenses/LICENSE-2.0 -+ * -+ * Unless required by applicable law or agreed to in writing, software -+ * distributed under the License is distributed on an "AS IS" BASIS, -+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+ * See the License for the specific language governing permissions and -+ * limitations under the License. -+ * -+ * Parts of this code may be based upon or even include verbatim pieces, -+ * originally written by other people, in which case the original header -+ * follows. -+ * -+ *********************************************************************/ -+ -+#include "config.h" -+#include "replace.h" -+ -+#include "options.h" -+#include "data.h" -+ -+#include -+#include -+#include -+#include -+ -+#include -+ -+extern "C" { -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include -+#include -+ -+#include "listfunc.h" -+#include "credentials.h" -+#include "fakeparsertypes.h" -+#define YYTOKENTYPE -+#include "vomsparser.h" -+#include "vomsproxy.h" -+ -+VOLIST *volist = NULL; -+extern int yyparse(); -+extern FILE *yyin; -+} -+ -+#include -+ -+#include "vomsdirect.h" -+#include "ccwrite.h" -+ -+extern "C" { -+ -+#include "myproxycertinfo.h" -+extern int writeac(const X509 *issuerc, const STACK_OF(X509) *certstack, const X509 *holder, -+ const EVP_PKEY *pkey, BIGNUM *s, char **c, -+ const char *t, char **attributes, AC **ac, const char *voname, -+ const char *uri, int valid, int old, int startpast, -+ STACK_OF(X509_EXTENSION) *extensions); -+} -+ -+static int time_to_sec(std::string timestring); -+static long mystrtol(char *number, long int limit); -+static std::string hextostring(const std::string &data); -+static int parse_ga_value(char *ga, char **id, char **value, char **qual); -+ -+extern int AC_Init(); 
-+ -+#include "init.h" -+ -+const std::string SUBPACKAGE = "voms-proxy-direct"; -+ -+/* FIXME: should take locations from /etc/sysconfig/voms */ -+const std::string location = (getenv("VOMS_LOCATION") ? getenv("VOMS_LOCATION") : ""); -+const std::string conf_file_name = (location + "/etc/vomses"); -+const std::string USERCONFILENAME = std::string(".voms") + std::string("/vomses"); -+ -+/* global variable for output control */ -+ -+bool debug = false; -+bool quiet = false; -+ -+extern "C" { -+ -+static int (*pw_cb)() = NULL; -+ -+static int pwstdin_callback(char * buf, int num, UNUSED(int w)) -+{ -+ int i; -+ -+ if (!(fgets(buf, num, stdin))) { -+ std::cerr << "Failed to read pass-phrase from stdin" << std::endl; -+ return -1; -+ } -+ -+ i = strlen(buf); -+ if (buf[i-1] == '\n') { -+ buf[i-1] = '\0'; -+ i--; -+ } -+ return i; -+} -+ -+static int kpcallback(int p, int UNUSED(n)) -+{ -+ char c='B'; -+ -+ if (quiet) return 0; -+ -+ if (p == 0) c='.'; -+ if (p == 1) c='+'; -+ if (p == 2) c='*'; -+ if (p == 3) c='\n'; -+ if (!debug) c = '.'; -+ fputc(c,stderr); -+ -+ return 0; -+} -+ -+extern int proxy_verify_cert_chain(X509 * ucert, STACK_OF(X509) * cert_chain, proxy_verify_desc * pvd); -+extern void proxy_verify_ctx_init(proxy_verify_ctx_desc * pvxd); -+ -+} -+std::vector targets; -+ -+ -+int main(int argc, char** argv) -+{ -+ struct rlimit newlimit = {0,0}; -+ -+ if (setrlimit(RLIMIT_CORE, &newlimit) != 0) -+ exit(1); -+ -+ if (AC_Init()) { -+ InitProxyCertInfoExtension(1); -+ Direct v(argc, argv); -+ v.Run(); -+ -+ return 0; -+ } -+ return 1; -+} -+ -+extern int yydebug; -+Direct::Direct(int argc, char ** argv) : confile(conf_file_name), -+ cacertfile(NULL), certdir(NULL), -+ certfile(NULL), keyfile(NULL), -+ outfile(NULL), -+ separate(""), uri(""),bits(-1), -+ hours(12), limit_proxy(false), -+ vomslife(-1), proxyver(0), -+ pathlength(1), verify(false), -+ noregen(false), -+#ifdef CLASS_ADD -+ class_add_buf(NULL), -+ class_add_buf_len(0), -+#endif -+ ucert(NULL), 
upkey(NULL), cert_chain(NULL), -+ aclist(NULL), voID(""), -+ hostcert(""), hostkey(""), -+ newformat(false), -+ rfc(false), -+ keyusage(""), netscape(""), exkusage("") -+{ -+ -+ bool progversion = false; -+ std::string crtdir; -+ std::string crtfile; -+ std::string kfile; -+ std::string ofile; -+ bool pwstdin = false; -+ -+ yydebug = 0; -+ -+ if (strrchr(argv[0],'/')) -+ program = strrchr(argv[0],'/') + 1; -+ else -+ program = argv[0]; -+ -+ /* usage message */ -+ -+ static std::string LONG_USAGE = \ -+ "\n" \ -+ " Options\n" \ -+ " -help, -usage Displays usage\n" \ -+ " -version Displays version\n" \ -+ " -debug Enables extra debug output\n" \ -+ " -quiet, -q Quiet mode, minimal output\n" \ -+ " -verify Verifies certificate to make proxy for\n" \ -+ " -pwstdin Allows passphrase from stdin\n" \ -+ " -limited Creates a limited proxy\n" \ -+ " -hours H Proxy is valid for H hours (default:12)\n" \ -+ " -bits Number of bits in key {512|1024|2048|4096} (default:1024)\n" \ -+ " -cert Non-standard location of user certificate\n" \ -+ " -key Non-standard location of user key\n" \ -+ " -certdir Non-standard location of trusted cert dir\n" \ -+ " -out Non-standard location of new proxy cert\n" \ -+ " -voms Specify VO name to embed in the proxy.\n" \ -+ " -uri Specifies the : of the VOMS server to embed in the proxy.\n" \ -+ " -target Targets the AC against a specific hostname.\n" \ -+ " -vomslife Try to get a VOMS pseudocert valid for H hours.\n" \ -+ " -voinfo Gets AC information from \n" \ -+ " -include Include the contents of the specified file.\n" \ -+ " -conf Read options from .\n" \ -+ " -policy File containing policy to store in the ProxyCertInfo extension.\n" \ -+ " -pl, -policy-language OID string for the policy language.\n" \ -+ " -path-length Allow a chain of at most l proxies to be generated from this one.\n" \ -+ " -proxyver Version of proxy certificate. 
Default 4 (RFC)\n" \ -+ " -rfc Create RFC-conforming proxies (synonym of --proxyver 4)\n" -+ " -noregen Doesn't regenerate a new proxy for the connection.\n" \ -+ " -separate Saves the information returned by the server into file .\n" \ -+ " -hostcert Host certificate used for signing the attributes.\n" \ -+ " -hostkey Host private key used for signing the attributes.\n" \ -+ " -fqan String to include in the AC as the granted FQAN.\n" \ -+ " -newformat Creates ACs according to the new format.\n" \ -+ " -keyusage >> Specifies the bits to put in the keyusage field.\n"\ -+ " Allowed values: digitalSignature,nonRepudiation,\n"\ -+ " keyEncipherment,dataEncipherment,keyAgreement,\n"\ -+ " keyCertSign,cRLSign,encipherOnly,decipherOnly.\n"\ -+ " -nscert >> Specifies the bits to put in the Netscape Certificate\n"\ -+ " extension. Allowed values: client,server,email,\n"\ -+ " objsign,sslCA,emailCA,ojbCA.\n" -+ " -extkeyusage >> Specifies the bits to put in the extended key usage\n"\ -+ " field. Allowed values: serverAuth,clientAuth,\n"\ -+ " codeSigning,emailProtection,timeStamping,msCodeInd,\n"\ -+ " msCodeCom,msCTLSign,msSGC,msEFS,nsSGC,deltaCRL\n"\ -+ " CRLReason,invalidityDate,SXNetID,OCSPSigning.\n"\ -+ " -extension > Add Extension with the specified OID and with the specified value\n"\ -+ " -acextension > Add Extension to the AC with the specified OID and with the specified value\n"\ -+ " -ga = [(context)] Set a GA with name 'id', value 'value' and optional context.\n"\ -+ "\n"; -+ -+ set_usage(LONG_USAGE); -+ -+ /* parse command-line option */ -+ -+ std::string voinfo; -+ -+ struct option opts[] = { -+ {"help", 0, NULL, OPT_HELP}, -+ {"usage", 0, NULL, OPT_HELP}, -+ {"version", 0, (int *)&progversion, OPT_BOOL}, -+ {"cert", 1, (int *)&crtfile, OPT_STRING}, -+ {"certdir", 1, (int *)&crtdir, OPT_STRING}, -+ {"out", 1, (int *)&ofile, OPT_STRING}, -+ {"key", 1, (int *)&kfile, OPT_STRING}, -+ {"include", 1, (int *)&incfile, OPT_STRING}, -+ {"hours", 1, &hours, OPT_NUM}, 
-+ {"vomslife", 1, &vomslife, OPT_NUM}, -+ {"bits", 1, &bits, OPT_NUM}, -+ {"debug", 0, (int *)&debug, OPT_BOOL}, -+ {"limited", 0, (int *)&limit_proxy, OPT_BOOL}, -+ {"verify", 0, (int *)&verify, OPT_BOOL}, -+ {"q", 0, (int *)&quiet, OPT_BOOL}, -+ {"quiet", 0, (int *)&quiet, OPT_BOOL}, -+ {"pwstdin", 0, (int *)&pwstdin, OPT_BOOL}, -+ {"conf", 1, NULL, OPT_CONFIG}, -+ {"voms", 1, (int *)&voms, OPT_STRING}, -+ {"target", 1, (int *)&targets, OPT_MULTI}, -+ {"proxyver", 1, &proxyver, OPT_NUM}, -+ {"rfc", 0, (int *)&rfc, OPT_BOOL}, -+ {"policy", 1, (int *)&policyfile, OPT_STRING}, -+ {"policy-language", 1, (int *)&policylang, OPT_STRING}, -+ {"pl", 1, (int *)&policylang, OPT_STRING}, -+ {"path-length", 1, &pathlength, OPT_NUM}, -+ {"separate", 1, (int *)&separate, OPT_STRING}, -+ {"uri", 1, (int *)&uri, OPT_STRING}, -+ {"hostcert", 1, (int *)&hostcert, OPT_STRING}, -+ {"hostkey", 1, (int *)&hostkey, OPT_STRING}, -+ {"fqan", 1, (int *)&fqans, OPT_MULTI}, -+ {"newformat", 1, (int *)&newformat, OPT_BOOL}, -+ {"voinfo", 1, (int *)&voinfo, OPT_STRING}, -+ {"keyusage", 1, (int *)&keyusage, OPT_STRING}, -+ {"nscert", 1, (int *)&netscape, OPT_STRING}, -+ {"extkeyusage", 1, (int *)&exkusage, OPT_STRING}, -+ {"extension", 1, (int *)&extensions, OPT_MULTI}, -+ {"acextension", 1, (int *)&acextensions,OPT_MULTI}, -+ {"ga", 1, (int *)&galist, OPT_MULTI}, -+#ifdef CLASS_ADD -+ {"classadd", 1, (int *)class_add_buf,OPT_STRING}, -+#endif -+ {0, 0, 0, 0} -+ }; -+ -+ if (!getopts(argc, argv, opts)) -+ exit(1); -+ -+ if(debug) { -+ quiet = false; -+ yydebug = 1; -+ } -+ -+ if (!voinfo.empty()) { -+ FILE *file = fopen(voinfo.c_str(), "rb"); -+ if (file) { -+ yyin = file; -+ if (yyparse()) { -+ Print(ERROR) << "Error: Cannot parse voinfo file: " << voinfo << std::endl; -+ exit(1); -+ } -+ } -+ else { -+ Print(ERROR) << "Error opening voinfo file: " << voinfo << std::endl; -+ exit(1); -+ } -+ } -+ -+ /* show version and exit */ -+ -+ if (progversion) { -+ Print(FORCED) << SUBPACKAGE << 
"\nVersion: " << VERSION << std::endl; -+ Print(FORCED) << "Compiled: " << __DATE__ << " " << __TIME__ << std::endl; -+ exit(0); -+ } -+ -+ /* get vo */ -+ -+ char *vo = getenv("VO"); -+ if (vo != NULL && strcmp(vo, "") != 0) -+ voID = vo; -+ -+ /* certficate duration option */ -+ -+ if (vomslife == -1) -+ vomslife = hours; -+ -+ VO *voelem = NULL; -+ -+ /* collect local vo information */ -+ if (!voms.empty()) { -+ if (!volist) { -+ volist = (VOLIST *)calloc(1, sizeof(VOLIST)); -+ volist->vos = NULL; -+ } -+ voelem = (VO*)calloc(1, sizeof(VO)); -+ volist->vos = (VO**)listadd((char**)volist->vos, (char*)voelem); -+ -+ voelem->hostcert = (char*)hostcert.c_str(); -+ voelem->hostkey = (char*)hostkey.c_str(); -+ voelem->uri = (char*)uri.c_str(); -+ voelem->voname = strdup(voms.c_str()); -+ voelem->vomslife = vomslife; -+ voelem->pastac = NULL; -+ -+ voelem->fqans = (char **)malloc(sizeof(char*)*(fqans.size()+1)); -+ for (unsigned int i = 0; i < fqans.size(); i++) -+ voelem->fqans[i] = (char*)strdup((fqans[i].c_str())); -+ voelem->fqans[fqans.size()] = NULL; -+ -+ voelem->gas = (char **)malloc(sizeof(char*)*(galist.size()+1)); -+ int down = 0; -+ for (unsigned int i = 0; i < galist.size(); i++) { -+ char *temp = strdup(galist[i].c_str()); -+ char *id, *value, *qual; -+ if (parse_ga_value(temp, &id, &value, &qual)) { -+ std::string realga = std::string(qual) + "::" + id + "=" + value; -+ voelem->gas[i] = (char*)strdup((realga.c_str())); -+ } -+ else { -+ Print(ERROR) << "ga: " << galist[i] << "Does not respect 'id = value [{qual}]' syntax!\n"; -+ down++; -+ } -+ free(temp); -+ } -+ voelem->gas[galist.size()-down] = NULL; -+ -+ std::string targ; -+ for (unsigned int i = 0; i < targets.size(); i++) -+ targ += targets[i]; -+ -+ voelem->targets = targ.empty() ? 
NULL : (char*)(targ.c_str()); -+ -+ if (!acextensions.empty()) { -+ voelem->extensions = (char**)malloc(sizeof(char*)*(acextensions.size()+1)); -+ for (unsigned int i = 0; i < acextensions.size(); i++) -+ voelem->extensions[i] = strdup(acextensions[i].c_str()); -+ voelem->extsize = acextensions.size(); -+ voelem->extensions[voelem->extsize] = NULL; -+ } -+ } -+ -+ /* A failure here exits the program entirely */ -+ VerifyOptions(); -+ -+ /* allow password from stdin */ -+ -+ if(pwstdin) -+ pw_cb = (int (*)())(pwstdin_callback); -+ -+ /* with --debug prints configuration files used */ -+ -+ Print(DEBUG) << "Using configuration directory " << confile << std::endl; -+ -+ /* file used */ -+ -+ cacertfile = NULL; -+ certdir = (crtdir.empty() ? NULL : strdup(const_cast(crtdir.c_str()))); -+ outfile = (ofile.empty() ? NULL : strdup(const_cast(ofile.c_str()))); -+ certfile = (crtfile.empty() ? NULL : strdup(const_cast(crtfile.c_str()))); -+ keyfile = (kfile.empty() ? NULL : strdup(const_cast(kfile.c_str()))); -+ -+ /* prepare proxy_cred_desc */ -+ -+ if(!pcdInit()) { -+ CleanAll(); -+ exit(3); -+ } -+} -+ -+void Direct::CleanAll() -+{ -+ free(cacertfile); -+ free(certdir); -+ free(outfile); -+ free(certfile); -+ free(keyfile); -+ X509_free(ucert); -+ EVP_PKEY_free(upkey); -+ sk_X509_pop_free(cert_chain, X509_free); -+ cacertfile = certdir = outfile = certfile = keyfile = NULL; -+ -+ ucert = NULL; -+ upkey = NULL; -+ cert_chain = NULL; -+} -+ -+Direct::~Direct() -+{ -+ CleanAll(); -+} -+ -+bool Direct::Run() -+{ -+ /* set output file and environment */ -+ -+ char * oldenv = getenv("X509_USER_PROXY"); -+ -+ if(!noregen) { -+ std::stringstream tmpproxyname; -+ tmpproxyname << "/tmp/tmp_x509up_u" << getuid() << "_" << getpid(); -+ proxyfile = tmpproxyname.str(); -+ setenv("X509_USER_PROXY", proxyfile.c_str(), 1); -+ } -+ -+ /* contacts servers for each vo */ -+ -+ if (volist) -+ if (!MakeACs(volist)) -+ exit(1); -+ -+ /* set output file and environment */ -+ -+ proxyfile = 
outfile; -+ setenv("X509_USER_PROXY", proxyfile.c_str(), 1); -+ -+ /* with separate write info to file and exit */ -+ -+ if (!separate.empty() && aclist) { -+ if(!WriteSeparate()) -+ Print(WARN) << "Wasn't able to write to " << separate << std::endl; -+ exit(0); -+ } -+ -+ /* create a proxy containing the data retrieved from VOMS servers */ -+ -+ Print(INFO) << "Creating proxy " << std::flush; -+ Print(DEBUG) << "to " << proxyfile << " " << std::flush; -+ if(CreateProxy("", aclist, proxyver)) { -+ listfree((char **)aclist, (freefn)AC_free); -+ goto err; -+ } -+ else -+ free(aclist); -+ -+ /* unset environment */ -+ -+ if (!oldenv) -+ unsetenv("X509_USER_PROXY"); -+ else { -+ setenv("X509_USER_PROXY", oldenv, 1); -+ } -+ -+ /* assure user certificate is not expired or going to, else ad but still create proxy */ -+ -+ Test(); -+ -+ return true; -+ -+ err: -+ -+ Error(); -+ -+ return false; -+ -+} -+ -+static int parse_ga_value(char *ga, char **id, char **value, char **qual) -+{ -+ static char *empty=""; -+ char *eqpoint = strchr(ga, '='); -+ char *qualpoint = strchr(ga, '('); -+ char *qualend = strchr(ga, ')'); -+ -+ if (!eqpoint) -+ return 0; -+ -+ *id = ga; -+ *eqpoint='\0'; -+ *value = ++eqpoint; -+ -+ --eqpoint; -+ while (isspace(*(--eqpoint))) -+ *eqpoint='\0'; -+ -+ eqpoint = *value; -+ while (isspace(*eqpoint)) -+ eqpoint++; -+ *value =eqpoint; -+ -+ if (!qualpoint) -+ *qual = empty; -+ else { -+ if (qualpoint && !qualend) -+ return 0; -+ -+ *qualpoint='\0'; -+ -+ *qual = ++qualpoint; -+ *qualend='\0'; -+ -+ while (isspace(*(--qualpoint))) -+ *qualpoint='\0'; -+ } -+ -+ return 1; -+} -+ -+bool Direct::CreateProxy(std::string data, AC ** aclist, int version) -+{ -+ struct VOMSProxyArguments *args = VOMS_MakeProxyArguments(); -+ int ret = -1; -+ -+ if (args) { -+ args->proxyfilename = strdup(proxyfile.c_str()); -+ if (!incfile.empty()) -+ args->filename = strdup(incfile.c_str()); -+ args->aclist = aclist; -+ args->proxyversion = version; -+ if (!data.empty()) { 
-+ args->data = (char*)data.data(); -+ args->datalen = data.length(); -+ } -+ args->cert = ucert; -+ args->chain = cert_chain; -+ args->key = upkey; -+ args->bits = bits; -+ if (!policyfile.empty()) -+ args->policyfile = strdup(policyfile.c_str()); -+ if (!policylang.empty()) -+ args->policylang = strdup(policylang.c_str()); -+ args->pathlength = pathlength; -+ args->hours = hours; -+ args->minutes = 0; -+ args->limited = limit_proxy; -+ args->voID = strdup(voID.c_str()); -+ args->callback = (int (*)())kpcallback; -+ args->pastproxy = NULL; -+ -+ if (!keyusage.empty()) -+ args->keyusage = strdup(keyusage.c_str()); -+ -+ if (!netscape.empty()) -+ args->netscape = strdup(netscape.c_str()); -+ -+ if (!exkusage.empty()) -+ args->exkusage = strdup(exkusage.c_str()); -+ -+ args->selfsigned = 0; -+ -+ /* Read through extensions */ -+ std::vector::const_iterator end = extensions.end(); -+ for (std::vector::const_iterator i = extensions.begin(); -+ i != end; ++i) { -+ args->extensions = create_and_add_extension(*i, args->extensions); -+ } -+ -+ int warn = 0; -+ void *additional = NULL; -+ -+ struct VOMSProxy *proxy = VOMS_MakeProxy(args, &warn, &additional); -+ -+ PrintProxyCreationError(warn, additional); -+ -+ free(args->voID); -+ free(args->proxyfilename); -+ free(args->filename); -+ free(args->policyfile); -+ free(args->policylang); -+ free(args->keyusage); -+ free(args->netscape); -+ free(args->exkusage); -+ sk_X509_EXTENSION_pop_free(args->extensions, X509_EXTENSION_free); -+ VOMS_FreeProxyArguments(args); -+ -+ if (proxy) { -+ ret = VOMS_WriteProxy(proxyfile.c_str(), proxy); -+ VOMS_FreeProxy(proxy); -+ } -+ else { -+ Print(ERROR) << std::endl << "Unable to create proxy!" << std::endl; -+ exit (1); -+ ret = -1; -+ -+ } -+ -+ if (ret == -1) { -+ Print(ERROR) << std::endl << "Unable to write proxy to file " -+ << proxyfile << "! 
" << std::endl << " " -+ << strerror(errno) << std::endl; -+ exit(1); -+ } -+ -+ Print(INFO) << " Done" << std::endl << std::flush; -+ } -+ -+ return ret == -1; -+} -+ -+bool Direct::WriteSeparate() -+{ -+ if (aclist) { -+ BIO * out = BIO_new(BIO_s_file()); -+ BIO_write_filename(out, (char *)separate.c_str()); -+ -+ while(*aclist) -+#ifdef TYPEDEF_I2D_OF -+ if (!PEM_ASN1_write_bio(((i2d_of_void*)i2d_AC), "ATTRIBUTE CERTIFICATE", out, (char *)*(aclist++), NULL, NULL, 0, NULL, NULL)) -+#else -+ if (!PEM_ASN1_write_bio(((int (*)())i2d_AC), "ATTRIBUTE CERTIFICATE", out, (char *)*(aclist++), NULL, NULL, 0, NULL, NULL)) -+#endif -+ { -+ Print(ERROR) << "Unable to write to file" << std::endl; -+ return false; -+ } -+ -+ BIO_free(out); -+ -+ Print(INFO) << "Wrote ACs to " << separate << std::endl; -+ } -+ -+ return true; -+} -+ -+void Direct::Test() -+{ -+ ASN1_UTCTIME * asn1_time = ASN1_UTCTIME_new(); -+ X509_gmtime_adj(asn1_time, 0); -+ time_t time_now = ASN1_UTCTIME_mktime(asn1_time); -+ ASN1_UTCTIME_free(asn1_time); -+ time_t time_after = ASN1_UTCTIME_mktime(X509_get_notAfter(ucert)); -+ time_t time_diff = time_after - time_now ; -+ -+ if (time_diff < 0) -+ Print(INFO) << std::endl << "Error: your certificate expired " -+ << asctime(localtime(&time_after)) << std::endl << std::flush; -+ else if (hours && time_diff < hours*60*60) -+ Print(INFO) << "Warning: your certificate and proxy will expire " -+ << asctime(localtime(&time_after)) -+ << "which is within the requested lifetime of the proxy" -+ << std::endl << std::flush; -+ -+ time_t time_after_proxy; -+ -+ if (hours) -+ time_after_proxy = time_now + hours*60*60; -+ else -+ time_after_proxy = time_after; -+ -+ Print(INFO) << "Your proxy is valid until " -+ << asctime(localtime(&time_after_proxy)) << std::endl << std::flush; -+} -+ -+bool Direct::MakeACs(VOLIST *volist) -+{ -+ AC **actmplist = NULL; -+ AC *ac = NULL; -+ int res = 0; -+ BIO *hcrt = BIO_new(BIO_s_file()), -+ *hckey = BIO_new(BIO_s_file()), -+ *owncert = 
BIO_new(BIO_s_file()); -+ X509 *hcert = NULL, *holder = NULL; -+ EVP_PKEY *hkey = NULL; -+ -+ for (int i = 0; volist->vos[i]; i++) { -+ VO *vo = volist->vos[i]; -+ -+ // generic attributes -+ char ** attributes = vo->gas; -+ -+ if (hcrt && hckey && owncert) { -+ int hcertres = BIO_read_filename(hcrt, vo->hostcert); -+ int holderres = BIO_read_filename(hckey, vo->hostkey); -+ int hkeyres = BIO_read_filename(owncert, certfile); -+ -+ if ((hcertres > 0) && (holderres > 0) && (hkeyres > 0)) { -+ hcert = PEM_read_bio_X509(hcrt, NULL, 0, NULL); -+ holder = PEM_read_bio_X509(owncert, NULL, 0, NULL); -+ hkey = PEM_read_bio_PrivateKey(hckey, NULL, 0, NULL); -+ -+ if (hcert && hkey) { -+ ac = AC_new(); -+ // const char *uri = vo->uri ? vo->uri : ""; -+ -+ // The following two lines allow the creation of an AC -+ // without any FQAN. -+ char *vector[1] = {NULL }; -+ char **fqanlist = vo->fqans ? vo->fqans : vector; -+ -+ /* Now do extensions */ -+ STACK_OF(X509_EXTENSION) *exts = NULL; -+ -+ for (int i = 0; i < vo->extsize; i++) -+ exts = create_and_add_extension(std::string(vo->extensions[i]), exts); -+ -+ if (ac) -+ res = writeac(hcert, NULL, holder, hkey, (BIGNUM *)(BN_value_one()), fqanlist, -+ vo->targets, attributes, &ac, vo->voname, vo->uri, vo->vomslife * 3600, !newformat, -+ 0, exts); -+ -+ if (vo->fqans) -+ listfree(vo->fqans, (freefn)free); -+ if (attributes) -+ listfree(attributes, (freefn)free); -+ -+ sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); -+ free(vo->voname); -+ -+ } -+ } -+ else { -+ if (hcertres <= 0) { -+ if (vo->hostcert == NULL) -+ Print(ERROR) << "Host credential file unspecified!" << std::endl; -+ else -+ Print(ERROR) << "Could not open host credential file: " << vo->hostcert << std::endl; -+ } -+ if (holderres <= 0) { -+ if (vo->hostkey == NULL) -+ Print(ERROR) << "Host key file unspecified!" 
<< std::endl; -+ else -+ Print(ERROR) << "Could not open host key file: " << vo->hostkey << std::endl; -+ } -+ if (hkeyres <= 0) { -+ if (certfile == NULL) -+ Print(ERROR) << "Holder key file unspecified!" << std::endl; -+ else -+ Print(ERROR) << "Could not open holder key file: " << certfile << std::endl; -+ } -+ return false; -+ } -+ } -+ -+ if (!res) -+ actmplist = (AC **)listadd((char **)aclist, (char *)ac); -+ -+ if (actmplist) -+ aclist = actmplist; -+ -+ X509_free(hcert); -+ X509_free(holder); -+ EVP_PKEY_free(hkey); -+ BIO_free(hcrt); -+ BIO_free(hckey); -+ BIO_free(owncert); -+ -+ hcrt = BIO_new(BIO_s_file()); -+ hckey = BIO_new(BIO_s_file()); -+ owncert = BIO_new(BIO_s_file()); -+ } -+ -+ BIO_free(hcrt); -+ BIO_free(hckey); -+ BIO_free(owncert); -+ -+ if (!actmplist) { -+ AC_free(ac); -+ listfree((char **)aclist, (freefn)AC_free); -+ -+ Error(); -+ return false; -+ } -+ -+ return true; -+} -+ -+bool Direct::pcdInit() { -+ -+ int status = false; -+ -+ ERR_load_prxyerr_strings(0); -+ SSLeay_add_ssl_algorithms(); -+ PKCS12_PBE_add(); -+ -+ BIO * bio_err = NULL; -+ if ((bio_err = BIO_new(BIO_s_file())) != NULL) -+ BIO_set_fp(bio_err, stderr, BIO_NOCLOSE); -+ -+ -+ if (!determine_filenames(&cacertfile, &certdir, &outfile, &certfile, &keyfile, noregen)) -+ goto err; -+ -+ Print(DEBUG) << "Files being used:" << std::endl -+ << " CA certificate file: " << (cacertfile ? cacertfile : "none") << std::endl -+ << " Trusted certificates directory : " << (this->certdir ? this->certdir : "none") << std::endl -+ << " Proxy certificate file : " << (this->outfile ? this->outfile : "none") << std::endl -+ << " User certificate file: " << (this->certfile ? this->certfile : "none") << std::endl -+ << " User key file: " << (this->keyfile ? 
this->keyfile : "none") << std::endl << std::flush; -+ -+ Print(DEBUG) << "Output to " << outfile << std::endl << std::flush; -+ -+ if (!load_credentials(certfile, keyfile, &ucert, &cert_chain, &upkey, pw_cb)) -+ goto err; -+ -+ status = true; -+ -+ err: -+ -+ BIO_free(bio_err); -+ Error(); -+ if (!status) -+ CleanAll(); -+ return status; -+ -+} -+ -+void Direct::Error() -+{ -+ std::string output = OpenSSLError(debug); -+ -+ if (debug) -+ Print(DEBUG) << output; -+ else -+ Print(ERROR) << output; -+} -+ -+ -+void Direct::exitError(const char *string) -+{ -+ Print(ERROR) << string << std::endl; -+ exit(1); -+} -+ -+bool Direct::VerifyOptions() -+{ -+ if (debug) { -+ quiet = false; -+ yydebug = 1; -+ } -+ -+ if (!voms.empty()) { -+ if (hostcert.empty()) -+ exitError("Error: You must specify an host certificate!"); -+ -+ if (hostcert.empty() || hostkey.empty()) -+ exitError("Error: You must specify an host key!"); -+ } -+ -+ if (rfc && proxyver != 0) -+ exitError("Used both -rfc and --proxyver!\nChoose one or the other."); -+ -+ if (rfc) -+ proxyver = 4; -+ -+ /* set proxy version */ -+ -+ if (proxyver!=2 && proxyver!=3 && proxyver!=4 && proxyver!=0) -+ exitError("Error: proxyver must be 2 or 3 or 4"); -+ else if (proxyver==0) { -+ Print(DEBUG) << "Unspecified proxy version, settling on version 4 (RFC)" << std::endl; -+ proxyver = 4; -+ } -+ -+ /* PCI extension option */ -+ -+ if (proxyver>3) { -+ if (!policylang.empty()) -+ if (policyfile.empty()) -+ exitError("Error: if you specify a policy language you also need to specify a policy file"); -+ } -+ -+ if (proxyver>3) { -+ Print(DEBUG) << "PCI extension info: " << std::endl << " Path length: " << pathlength << std::endl; -+ -+ if (policylang.empty()) -+ Print(DEBUG) << " Policy language not specified." << std::endl; -+ else -+ Print(DEBUG) << " Policy language: " << policylang << std::endl; -+ -+ if (policyfile.empty()) -+ Print(DEBUG) << " Policy file not specified." 
<< std::endl; -+ else -+ Print(DEBUG) << " Policy file: " << policyfile << std::endl; -+ } -+ -+ /* controls that number of bits for the key is appropiate */ -+ -+ if (bits == -1) -+ bits = 1024; -+ -+ if ((bits!=512) && (bits!=1024) && -+ (bits!=2048) && (bits!=4096) && (bits != 0)) -+ exitError("Error: number of bits in key must be one of 512, 1024, 2048, 4096."); -+ else -+ Print(DEBUG) << "Number of bits in key :" << bits << std::endl; -+ -+ /* certificate duration option */ -+ -+ if (hours < 0) -+ exitError("Error: duration must be positive."); -+ -+ if (volist) { -+ for (int i = 0; i < volist->current; i++) { -+ VO *vo = volist->vos[i]; -+ if (!vo->voname) -+ exitError("Error: You must give a name to a VO!"); -+ -+ if (vo->hostcert == NULL) -+ exitError("Error: You must specify an host certificate!"); -+ -+ if (vo->hostkey == NULL) -+ exitError("Error: You must specify an host key!"); -+ -+ if (vo->vomslife < 0) -+ exitError("Error: Duration of AC must be positive."); -+ } -+ } -+ -+ return true; -+} -+ -+struct nullstream: std::ostream { -+ struct nullbuf: std::streambuf { -+ int overflow(int c) { return traits_type::not_eof(c); } -+ } m_sbuf; -+ nullstream(): std::ios(&m_sbuf), std::ostream(&m_sbuf) {} -+}; -+ -+nullstream voidstream; -+ -+std::ostream& Direct::Print(message_type type) -+{ -+ if (type == FORCED) -+ return std::cout; -+ -+ if (type == ERROR) -+ return std::cerr; -+ -+ if (quiet) -+ return voidstream; -+ -+ if (type == WARN) -+ return std::cerr; -+ -+ if (type == DEBUG && !debug) -+ return voidstream; -+ -+ return std::cout; -+} -+ -+static int time_to_sec(std::string timestring) -+{ -+ int seconds = 0; -+ int hours = 0; -+ int minutes = 0; -+ -+ std::string::size_type pos = timestring.find(':'); -+ -+ if (pos == std::string::npos) { -+ /* Seconds format */ -+ seconds = mystrtol((char*)timestring.c_str(), LONG_MAX); -+ } -+ else { -+ /* hours:minutes(:seconds) format */ -+ hours = mystrtol((char*)timestring.substr(0, pos).c_str(), LONG_MAX); 
-+ -+ std::string::size_type pos2 = timestring.substr(pos+1).find(':'); -+ -+ if (pos2 == std::string::npos) { -+ minutes = mystrtol((char*)timestring.substr(pos+1).c_str(), 59); -+ } -+ else { -+ minutes = mystrtol((char*)timestring.substr(pos+1, pos2).c_str(), 59); -+ seconds = mystrtol((char*)timestring.substr(pos2+1).c_str(), 59); -+ } -+ } -+ -+ if (seconds == -1 || minutes == -1 || hours == -1) -+ return -1; -+ -+ return seconds + minutes * 60 + hours * 3600; -+} -+ -+static long mystrtol(char *number, long int limit) -+{ -+ char *end = NULL; -+ -+ errno = 0; -+ -+ long value = strtol(number, &end, 10); -+ -+ /* Was there extraneous data at the end ? */ -+ if ((size_t)(end - number) != strlen(number)) -+ return -1; -+ -+ /* Conversion errors of some kind */ -+ if (errno != 0 || value < 0) -+ return -1; -+ -+ /* Value greater than maximum */ -+ if (value > limit) -+ return -1; -+ -+ return value; -+} -+ -+STACK_OF(X509_EXTENSION) *Direct::create_and_add_extension(const std::string &string, STACK_OF(X509_EXTENSION) *exts) -+{ -+ bool alloced = false; -+ X509_EXTENSION *ext = NULL; -+ -+ if (!exts) { -+ exts= sk_X509_EXTENSION_new_null(); -+ if (!exts) { -+ Print(ERROR) << "Memory problems." << std::endl; -+ goto err; -+ } -+ alloced = true; -+ } -+ -+ ext = create_extension(string); -+ -+ if (ext) { -+ if (!sk_X509_EXTENSION_push(exts, ext)) { -+ Print(ERROR) << "Memory problems." 
<< std::endl; -+ goto err; -+ } -+ } -+ else { -+ Print(ERROR) << std::endl << "Cannot create extension: " << string << std::endl; -+ goto err; -+ } -+ -+ return exts; -+ -+ err: -+ if (alloced) -+ sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); -+ -+ X509_EXTENSION_free(ext); -+ -+ exit(1); -+} -+ -+static std::string::size_type get_minimum(std::string::size_type s1, -+ std::string::size_type s2, -+ std::string::size_type s3) -+{ -+ std::string::size_type minimum = std::string::npos; -+ -+ if (s1 < minimum) -+ minimum = s1; -+ if (s2 < minimum) -+ minimum = s2; -+ if (s3 < minimum) -+ minimum = s3; -+ -+ return minimum; -+} -+ -+X509_EXTENSION *Direct::create_extension(const std::string &string) -+{ -+ std::string::size_type colon_position = string.find_first_of(':'); -+ std::string::size_type slash_position = string.find_first_of('/'); -+ std::string::size_type gate_position = string.find_first_of('~'); -+ std::string::size_type file_position = string.find_first_of('+'); -+ std::string::size_type data_position = get_minimum(colon_position, -+ gate_position, -+ file_position); -+ bool critical = false; -+ -+ bool critical_present = slash_position < data_position; -+ -+ std::string oid = string.substr(0, (critical_present ? -+ slash_position : -+ data_position)); -+ -+ if (critical_present) { -+ std::string crit = string.substr(slash_position+1, (data_position == std::string::npos ? -+ std::string::npos : -+ data_position - slash_position-1)); -+ if (!crit.compare("false")) -+ critical = false; -+ else if (!crit.compare("true")) -+ critical = true; -+ else { -+ Print(ERROR) << "\nCriticality must be either true or false. 
Found" -+ << crit << std::endl; -+ exit(1); -+ } -+ } -+ -+ std::string data = " "; -+ -+ if (data_position != std::string::npos) { -+ data = string.substr(data_position+1); -+ -+ if (gate_position == data_position) -+ data = hextostring(data); -+ -+ if (file_position == data_position) { -+ std::string file = data; -+ data = readfile(file); -+ -+ if (data.empty()) { -+ Print(ERROR) << "\nProblem in reading file: " -+ << file << ": " << strerror(errno) -+ << std::endl; -+ exit(1); -+ } -+ } -+ } -+ -+ return CreateProxyExtension((char*)oid.c_str(), (char*)data.c_str(), data.size(), critical); -+} -+ -+static std::string hextostring(const std::string &data) -+{ -+ std::string temp = data; -+ -+ /* Add initial 0 if needed */ -+ if ((temp.length() %2) == 1) -+ temp = std::string("0") + temp; -+ -+ int len = temp.length()/2; -+ -+ char *newdata= new char[len]; -+ -+ for (int i =0; i < len; i++) { -+ char first = temp[i*2]; -+ char second = temp[i*2+1]; -+ -+ if (isxdigit(first) && isxdigit(second)) -+ newdata[i] = (hex2num(first) << 4) +hex2num(second); -+ else { -+ delete[] newdata; -+ return ""; -+ } -+ } -+ -+ std::string value = std::string(newdata, len); -+ -+ delete[] newdata; -+ -+ return value; -+} -+ -+void Direct::PrintProxyCreationError(int error, void *additional) -+{ -+ char *msg = ProxyCreationError(error, additional); -+ -+ if (msg) { -+ if (PROXY_ERROR_IS_WARNING(error)) -+ Print(DEBUG) << "\n" << msg; -+ else -+ Print(ERROR) << "\n" << msg; -+ free(msg); -+ } -+} -diff --git a/src/utils/vomsdirect.h b/src/utils/vomsdirect.h -new file mode 100644 -index 0000000..032b99d ---- /dev/null -+++ b/src/utils/vomsdirect.h -@@ -0,0 +1,152 @@ -+/********************************************************************* -+ * -+ * Authors: Vincenzo Ciaschini - Vincenzo.Ciaschini@cnaf.infn.it -+ * Valerio Venturi - Valerio.Venturi@cnaf.infn.it -+ * -+ * Copyright (c) Members of the EGEE Collaboration. 2004-2010. 
-+ * See http://www.eu-egee.org/partners/ for details on the copyright holders. -+ * -+ * Licensed under the Apache License, Version 2.0 (the "License"); -+ * you may not use this file except in compliance with the License. -+ * You may obtain a copy of the License at -+ * -+ * http://www.apache.org/licenses/LICENSE-2.0 -+ * -+ * Unless required by applicable law or agreed to in writing, software -+ * distributed under the License is distributed on an "AS IS" BASIS, -+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+ * See the License for the specific language governing permissions and -+ * limitations under the License. -+ * -+ * Parts of this code may be based upon or even include verbatim pieces, -+ * originally written by other people, in which case the original header -+ * follows. -+ * -+ *********************************************************************/ -+#ifndef VOMS_UTILS_VOMSDIRECT_H -+#define VOMS_UTILS_VOMSDIRECT_H -+ -+#include "config.h" -+ -+#include -+#include -+ -+extern "C" { -+ -+#include "openssl/bn.h" -+ -+#include "sslutils.h" -+#include "newformat.h" -+#include "fakeparsertypes.h" -+} -+ -+enum message_type {FORCED, INFO, WARN, ERROR, DEBUG}; -+ -+class Direct { -+ -+ private: -+ -+ std::string program; -+ -+ std::string confile; -+ -+ // PKI files -+ char * cacertfile; -+ char * certdir; -+ char * certfile; -+ char * keyfile; -+ -+ // output files -+ char * outfile; -+ std::string proxyfile; -+ -+ std::string incfile; -+ std::string separate; -+ std::string uri; -+ -+ // proxy and AC settings */ -+ int bits; -+ int hours; -+ bool limit_proxy; -+ int vomslife; -+ int proxyver; -+ std::string policyfile; -+ std::string policylang; -+ int pathlength; -+ -+ // verify the cert is good -+ bool verify; -+ -+ // doesn't regenerate proxy, use old -+ bool noregen; -+ -+ std::string voms; -+ std::string targetlist; -+ std::vector fqans; -+ -+#ifdef CLASS_ADD -+ void * class_add_buf = NULL; -+ size_t class_add_buf_len = 
0; -+#endif -+ -+ X509 *ucert; -+ EVP_PKEY *upkey; -+ STACK_OF(X509) *cert_chain; -+ proxy_verify_desc pvd; -+ proxy_verify_ctx_desc pvxd; -+ -+ // store data retrieved from server -+ AC ** aclist; -+ -+ // vo -+ std::string voID; -+ -+ std::string hostcert, hostkey; -+ -+ bool newformat; -+ public: -+ -+ Direct(int argc, char** argv); -+ ~Direct(); -+ bool Run(); -+ std::vector galist; -+ private: -+ -+ bool CreateProxy(std::string filedata, AC ** aclist, int version); -+ -+ bool MakeACs(VOLIST *list); -+ -+ // write AC and data retrieved form server to file -+ bool WriteSeparate(); -+ -+ // test if certificate used for signing is expired -+ void Test(); -+ -+ bool pcdInit(); -+ -+ // verify the certificate is signed by a trusted CA -+ bool Verify(); -+ -+ void CleanAll(); -+ -+ // get openssl error */ -+ void Error(); -+ -+ bool VerifyOptions(); -+ void exitError(const char *message); -+ std::ostream& Print(message_type type); -+ -+ X509_EXTENSION *create_extension(const std::string &string); -+ STACK_OF(X509_EXTENSION) *create_and_add_extension(const std::string &string, STACK_OF(X509_EXTENSION) *exts); -+ -+ bool rfc; -+ std::string keyusage; -+ std::string netscape; -+ std::string exkusage; -+ -+ std::vector extensions; -+ std::vector acextensions; -+ void PrintProxyCreationError(int error, void *additional); -+}; -+ -+#endif --- -2.6.3 - diff --git a/voms/osg/voms.spec b/voms/osg/voms.spec index af34abbb5..b18eb8c47 100644 --- a/voms/osg/voms.spec +++ b/voms/osg/voms.spec 
@@ -1,45 +1,15 @@
 %global _hardened_build 1
 
-%if %{?fedora}%{!?fedora:0} >= 25 || %{?rhel}%{!?rhel:0} >= 8
-%global use_systemd 1
-%else
-%global use_systemd 0
-%endif
-
 Name: voms
 Version: 2.1.0
-Release: 0.31.rc3.2%{?dist}
+Release: 1.1%{?dist}
 Summary: Virtual Organization Membership Service
 License: Apache-2.0
 URL: https://italiangrid.github.io/voms/
-Source0: https://github.com/italiangrid/%{name}/archive/v%{version}-rc3/%{name}-%{version}-rc3.tar.gz
+Source0: https://github.com/italiangrid/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
 # Post-install setup instructions:
 Source1: %{name}.INSTALL
 
-# https://github.com/italiangrid/voms/pull/105
-Patch0: 0001-Catch-exception-by-reference.patch
-# https://github.com/italiangrid/voms/pull/106
-Patch1: 0002-Fix-warning-about-possible-use-after-free.patch
-# https://github.com/italiangrid/voms/pull/107
-Patch2: 0003-Fix-doxygen-warning.patch
-# https://github.com/italiangrid/voms/pull/108
-Patch3: 0004-Fix-warning-about-possible-string-truncation.patch
-# https://github.com/italiangrid/voms/pull/104
-Patch4: 0005-config.h-must-not-be-included-in-public-header-file.patch
-Patch5: 0006-Include-config.h-before-other-header-files.patch
-# https://github.com/italiangrid/voms/pull/109
-Patch6: 0007-Compile-and-link-libvomsapi-with-proper-thread-flags.patch
-# Backport from upstream
-Patch7: 0008-Fix-memory-leaks-and-double-deletes.patch
-# https://github.com/italiangrid/voms/pull/116
-Patch8: 0009-If-a-detailed-error-message-is-available-do-not-over.patch
-# https://github.com/italiangrid/voms/pull/112
-Patch9: 0010-Add-lexparse.h-headers-for-lexer-parser-integration-.patch
-# https://github.com/italiangrid/voms/pull/121
-Patch10: 0011-Only-process-authority-and-subject-key-identifiers-i.patch
-# https://github.com/italiangrid/voms/pull/113
-Patch11: 0012-Consider-the-Authority-Key-Id-extension-only-if-it-s.patch
-# https://github.com/italiangrid/voms/pull/128
 Patch128: 128-Adapt-client-libraries-to-voms-aa.patch
 
 # OSG patches
@@ -58,9 +28,7 @@ BuildRequires: pkgconfig
 BuildRequires: libxslt
 BuildRequires: docbook-style-xsl
 BuildRequires: doxygen
-%if %{use_systemd}
 BuildRequires: systemd-rpm-macros
-%endif
 
 %description
 The Virtual Organization Membership Service (VOMS) is an attribute authority
@@ -93,7 +61,15 @@ Summary: Virtual Organization Membership Service Documentation
 BuildArch: noarch
 
 %description doc
-Documentation for the Virtual Organization Membership Service.
+The Virtual Organization Membership Service (VOMS) is an attribute authority
+which serves as central repository for VO user authorization information,
+providing support for sorting users into group hierarchies, keeping track of
+their roles and other attributes in order to issue trusted attribute
+certificates and SAML assertions used in the Grid environment for
+authorization purposes.
+
+This package provides documentation for the Virtual Organization Membership
+Service.
 
 %package clients-cpp
 Summary: Virtual Organization Membership Service Clients
@@ -118,16 +94,8 @@ services.
 %package server
 Summary: Virtual Organization Membership Service Server
 Requires: %{name}%{?_isa} = %{version}-%{release}
-
-Requires(pre): shadow-utils
-%if %{use_systemd}
+Requires(pre): shadow-utils
 %{?systemd_requires}
-%else
-Requires(post): chkconfig
-Requires(preun): chkconfig
-Requires(preun): initscripts
-Requires(postun): initscripts
-%endif
 
 %description server
 The Virtual Organization Membership Service (VOMS) is an attribute authority
@@ -140,25 +108,13 @@ authorization purposes.
 This package provides the VOMS service.
 
 %prep
-%setup -q -n %{name}-%{version}-rc3
-%patch -P 0 -p1
-%patch -P 1 -p1
-%patch -P 2 -p1
-%patch -P 3 -p1
-%patch -P 4 -p1
-%patch -P 5 -p1
-%patch -P 6 -p1
-%patch -P 7 -p1
-%patch -P 8 -p1
-%patch -P 9 -p1
-%patch -P 10 -p1
-%patch -P 11 -p1
+%setup -q
 %patch -P 128 -p1
 
 # OSG patches
-%patch100 -p1
-%patch102 -p1
+%patch -P 100 -p1
+%patch -P 102 -p1
 
 ./autogen.sh
 
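Review bot: The hunk removes the Patch0–Patch11 backports, but the commit also deletes the OSG hardening patch files (Disable-weak-ciphers, Disable-TLS-1.1-and-older, Set-default-key-size-to-2048-bits, Make-RFC-proxies-by-default, Validate-top-level-group) and nothing in the new spec records why that is safe; none of those files appears in the old Patch list shown here, so they evidently were not being applied, yet whether upstream 2.1.0 now carries equivalent defaults (cipher/TLS minimums, 2048-bit proxy keys, RFC proxies) is not stated anywhere. A one-line comment above `Patch128:` would carry that, e.g. `# Former OSG hardening patches (weak ciphers, TLS < 1.2, 2048-bit keys, RFC proxies) were never applied by this spec; verify upstream 2.1.0 defaults before relying on them`. Patch100/Patch102, which %prep still applies, are defined outside this hunk, so I cannot confirm from here that neither is among the deleted files. Separately, `Release: 1.1%{?dist}` is an OSG rebuild, but the %changelog hunk only adds the Fedora entries, so this OSG revision has no changelog record.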
@@ -175,21 +131,10 @@ install -m 644 -p %{SOURCE1} README.Fedora
 
 rm %{buildroot}%{_libdir}/*.la
 
-%if %{use_systemd}
 mkdir -p %{buildroot}%{_unitdir}
 install -m 644 -p systemd/%{name}@.service %{buildroot}%{_unitdir}
 rm %{buildroot}%{_initrddir}/%{name}
 rm %{buildroot}%{_sysconfdir}/sysconfig/%{name}
-%else
-# Turn off default enabling of the service
-sed -e 's/\(chkconfig: \)\w*/\1-/' \
-    -e '/Default-Start/d' \
-    -e 's/\(Default-Stop:\s*\).*/\10 1 2 3 4 5 6/' \
-    -i %{buildroot}%{_initrddir}/%{name}
-%endif
-
-mkdir -p %{buildroot}%{_pkgdocdir}
-install -m 644 -p AUTHORS README.md %{buildroot}%{_pkgdocdir}
 
 mkdir -p %{buildroot}%{_pkgdocdir}/VOMS_C_API
 cp -pr doc/apidoc/api/VOMS_C_API/html %{buildroot}%{_pkgdocdir}/VOMS_C_API
@@ -209,8 +154,6 @@ for b in voms-proxy-init voms-proxy-info voms-proxy-destroy; do
   touch %{buildroot}%{_mandir}/man1/${b}.1
 done
 
-%ldconfig_scriptlets
-
 %posttrans
 # Recover /etc/vomses...
 if [ -r %{_sysconfdir}/vomses.rpmsave -a ! -r %{_sysconfdir}/vomses ] ; then
@@ -222,14 +165,6 @@ getent group %{name} >/dev/null || groupadd -r %{name}
 getent passwd %{name} >/dev/null || useradd -r -g %{name} \
     -d %{_sysconfdir}/%{name} -s /sbin/nologin -c "VOMS Server Account" %{name}
 
-%if %{use_systemd}
-# Remove old init config when systemd is used
-/sbin/service voms stop >/dev/null 2>&1 || :
-/sbin/chkconfig --del voms >/dev/null 2>&1 || :
-%endif
-
-%if %{use_systemd}
-
 %post server
 if [ $1 -eq 1 ] ; then
   systemctl daemon-reload >/dev/null 2>&1 || :
@@ -251,26 +186,6 @@ if [ $1 -ge 1 ] ; then
   done
 fi
 
-%else
-
-%post server
-if [ $1 = 1 ]; then
-  /sbin/chkconfig --add %{name}
-fi
-
-%preun server
-if [ $1 = 0 ]; then
-  /sbin/service %{name} stop >/dev/null 2>&1 || :
-  /sbin/chkconfig --del %{name}
-fi
-
-%postun server
-if [ $1 -ge 1 ]; then
-  /sbin/service %{name} condrestart >/dev/null 2>&1 || :
-fi
-
-%endif
-
 %pre clients-cpp
 if [ $1 -gt 1 ]; then
   for c in voms-proxy-init voms-proxy-info voms-proxy-destroy; do
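Review bot: Dropping `%ldconfig_scriptlets` in the `@@ -209,8 +154,6 @@` hunk is only correct because EPEL 7 support goes away in the same change — on Fedora 28+ and EL8+ the macro expands to nothing because glibc's file triggers run ldconfig — but the spec leaves no trace of that dependency, and the %pre/%post hunks below likewise silently assume a systemd-only target. A short comment above `%posttrans`, such as `# ldconfig runs via glibc file triggers (Fedora 28+, EL8+); %ldconfig_scriptlets is intentionally absent`, would stop a future EL7-style backport from shipping libvomsapi without an ldconfig run. The %posttrans body and the `%post server` loop both continue outside this hunk.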
@@ -329,9 +244,8 @@ fi
 %dir %{_sysconfdir}/grid-security/vomsdir
 %dir %{_datadir}/%{name}
 %{_datadir}/%{name}/vomses.template
-%doc %dir %{_pkgdocdir}
-%doc %{_pkgdocdir}/AUTHORS
-%doc %{_pkgdocdir}/README.md
+%doc AUTHORS
+%doc README.md
 %license LICENSE
 
 %files devel
@@ -343,9 +257,9 @@ fi
 
 %files doc
 %doc %dir %{_pkgdocdir}
-%doc %{_pkgdocdir}/AUTHORS
 %doc %{_pkgdocdir}/VOMS_C_API
 %doc %{_pkgdocdir}/VOMS_CC_API
+%doc AUTHORS
 %license LICENSE
 
 %files clients-cpp
@@ -369,12 +283,7 @@ fi
 
 %files server
 %{_sbindir}/%{name}
-%if %{use_systemd}
 %{_unitdir}/%{name}@.service
-%else
-%{_initrddir}/%{name}
-%config(noreplace) %{_sysconfdir}/sysconfig/%{name}
-%endif
 %attr(-,voms,voms) %dir %{_sysconfdir}/%{name}
 %dir %{_sysconfdir}/grid-security/%{name}
 %attr(-,voms,voms) %dir %{_localstatedir}/log/%{name}
@@ -389,6 +298,23 @@ fi
 %doc README.Fedora
 
 %changelog
+* Fri Jul 05 2024 Mattias Ellert - 2.1.0-1
+- Update to version 2.1.0
+- Drop EPEL 7 support from spec file (EOL)
+
+* Tue Jun 18 2024 Mattias Ellert - 2.1.0-0.35.rc5
+- Update to version 2.1.0-rc5
+
+* Fri May 03 2024 Mattias Ellert - 2.1.0-0.34.rc4
+- Update to version 2.1.0-rc4
+- Drop patches accepted upstream
+
+* Wed Apr 10 2024 Mattias Ellert - 2.1.0-0.33.rc3
+- Fix problem with newer gsoap versions
+
+* Sat Jan 27 2024 Fedora Release Engineering - 2.1.0-0.32.rc3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
 * Wed Jan 17 2024 Matt Westphall - 2.1.0-0.31.rc3.2
 - Apply patch from upstream to support voms-aa
 
@@ -892,4 +818,4 @@ fi
 - autogen.sh -> autobuild.sh
 
 * Mon Apr 18 2005 Anders Wäänänen - 1.3.2-1
-- Initial build.
+- Initial build.
\ No newline at end of file