Author: dumindu
Date: Wed Feb 13 22:52:51 2008
New Revision: 13721
Log:
Fixed the white_list_validator
Added:
trunk/solutions/identity/modules/mod-cspace/mod_cspace_defines.h
trunk/solutions/identity/modules/mod-cspace/test/
trunk/solutions/identity/modules/mod-cspace/test/a.out (contents, props
changed)
trunk/solutions/identity/modules/mod-cspace/test/build.sh
trunk/solutions/identity/modules/mod-cspace/test/cert.pem
trunk/solutions/identity/modules/mod-cspace/test/test_validator.c
Modified:
trunk/solutions/identity/modules/mod-cspace/cspace_validator.c
trunk/solutions/identity/modules/mod-cspace/mod_cspace.h
Modified: trunk/solutions/identity/modules/mod-cspace/cspace_validator.c
==============================================================================
--- trunk/solutions/identity/modules/mod-cspace/cspace_validator.c
(original)
+++ trunk/solutions/identity/modules/mod-cspace/cspace_validator.c Wed Feb
13 22:52:51 2008
@@ -1,5 +1,5 @@
#include <openssl/ssl.h>
-#include "mod_cspace.h"
+#include "mod_cspace_defines.h"
#include "cspace_validator.h"
/* In validating the saml token using xmlsec we anyway need the CA cert
@@ -32,6 +32,29 @@
const char *ppid, const char *cert,
const void *user_data);
+static X509 *x509_create_with_buffer(unsigned char *input, int length)
+{
+ BIO *b64, *bmem;
+ X509 *x509 = NULL;
+ char *buffer = NULL;
+ /*TODO: replace mallocs with apr_palloc when used with apache*/
+ buffer = (char *)malloc(length);
+ memset(buffer, 0, length);
+
+ b64 = BIO_new(BIO_f_base64());
+ BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
+ bmem = BIO_new_mem_buf(input, length);
+ bmem = BIO_push(b64, bmem);
+
+ x509 = d2i_X509_bio(bmem, NULL);
+ BIO_free_all(bmem);
+ free(buffer);
+ return x509;
+}
+
+
+#define MAXARR 1024
+
static int white_list_validator(const char *uri, const char *issuer,
const char *ppid, const char *cert,
const char *w_list)
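Review bot: In x509_create_with_buffer the `buffer` allocated on the `malloc(length)` line is zeroed and freed but never read or written by anything else, so it is a dead (and unchecked) allocation that should be dropped together with its `memset` and `free`. The two `BIO_new` results are also used without a NULL check, so an allocation failure turns into a NULL dereference inside `BIO_set_flags`/`BIO_push` instead of a NULL return that the caller already handles. The rewritten prologue below keeps the base64 filter and the `d2i_X509_bio` path unchanged.
```c
static X509 *x509_create_with_buffer(unsigned char *input, int length)
{
    BIO *b64, *bmem;
    X509 *x509 = NULL;

    b64 = BIO_new(BIO_f_base64());
    bmem = BIO_new_mem_buf(input, length);
    if (!b64 || !bmem) {
        BIO_free(b64);
        BIO_free(bmem);
        return NULL;
    }
    BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
    bmem = BIO_push(b64, bmem);

    /* … unchanged: d2i_X509_bio, BIO_free_all, return x509 … */
}
```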
@@ -39,70 +62,65 @@
FILE *fp = NULL;
SSL_CTX *ctx = NULL;
X509 *needle = NULL;
- X509 *search_cert = NULL;
- X509_NAME *needle_name = NULL;
- X509_STORE *haystack = NULL;
- X509_OBJECT *search_obj = NULL;
+ X509 *(haystack[MAXARR]); /* TODO: this list should be made static */
+ int i = 0, j = 0;
- if((fp = fopen (cert, "r"))) {
+ /*if((fp = fopen (cert, "r"))) {
if(!(needle = d2i_X509_fp(fp, NULL))) {
fseek(fp, 0, SEEK_SET);
needle = PEM_read_X509( fp, NULL, NULL, NULL );
}
} else {
return FAIL;
- }
-
- if (needle && needle->cert_info) {
- needle_name = needle->cert_info->subject;
- }
-
- ctx = SSL_CTX_new(NULL);
- if (!ctx) {
- return FAIL;
- }
+ }*/
- SSL_CTX_use_certificate_chain_file(ctx, w_list);
+ needle = x509_create_with_buffer((void *)cert, strlen(cert));
- haystack = SSL_CTX_get_cert_store(ctx);
-
- if(haystack && needle_name) {
- search_obj = X509_OBJECT_retrieve_by_subject(haystack->objs,
- X509_LU_X509,
- needle_name);
+ /*ideally we would do this file read only once per server init*/
+ i=0;
+ if ((fp = fopen (w_list, "r"))) {
+ while (!feof(fp)) {
+ if (i < MAXARR) {
+ haystack[i++] = PEM_read_X509(fp, NULL, NULL, NULL);
+ } else {
+ break;
+ }
+ }
+ } else {
+ return FAIL;
}
- if (search_obj) {
- search_cert = (search_obj->data).x509;
- if (search_cert &&
- (M_ASN1_BIT_STRING_cmp(search_cert->signature,
+ for (j=0; j<i; j++) {
+ if (haystack[j] &&
+ (M_ASN1_BIT_STRING_cmp(haystack[j]->signature,
needle->signature) == 0)) {
-
- if (ctx) {
- SSL_CTX_free(ctx);
- }
if (needle) {
X509_free(needle);
}
-
- fclose(fp);
+
+ /* free the haystack */
+ for (j=0; j<i; j++) {
+ free(haystack[i]);
+ }
+ fclose(fp);
+
return SUCC;
}
}
- if (ctx) {
- SSL_CTX_free(ctx);
- }
-
- if (needle) {
+ if (needle) {
X509_free(needle);
}
+ /* free the haystack */
+ for (j=0; j<i; j++) {
+ free(haystack[i]);
+ }
+
fclose(fp);
- /* FREE_CTX() */
return FAIL;
}
Modified: trunk/solutions/identity/modules/mod-cspace/mod_cspace.h
==============================================================================
--- trunk/solutions/identity/modules/mod-cspace/mod_cspace.h (original)
+++ trunk/solutions/identity/modules/mod-cspace/mod_cspace.h Wed Feb 13
22:52:51 2008
@@ -8,6 +8,7 @@
#include "http_config.h"
#include "session.h"
#include "process_request.h"
+#include "mod_cspace_defines.h"
/*#define DONT_INCLUDE_CS_PFX_IN_HEADERS*/
@@ -16,11 +17,6 @@
#define ap_http_scheme(r) ap_http_method(r)
#endif
-#ifndef FAIL
- #define FAIL 0
- #define SUCC !(FAIL)
-#endif
-
#define CSPACE_DEFAULT_LOGIN_ARG "__mod_cspace_login__"
#define CSPACE_DEFAULT_LOGIN_AMP_ARG "&__mod_cspace_login__"
Added: trunk/solutions/identity/modules/mod-cspace/mod_cspace_defines.h
==============================================================================
--- (empty file)
+++ trunk/solutions/identity/modules/mod-cspace/mod_cspace_defines.h Wed Feb
13 22:52:51 2008
@@ -0,0 +1,9 @@
+#ifndef _MOD_CSPACE_DEFINES_H_
+#define _MOD_CSPACE_DEFINES_H_
+
+#ifndef FAIL
+ #define FAIL 0
+ #define SUCC !(FAIL)
+#endif
+
+#endif
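Review bot: The include guard `_MOD_CSPACE_DEFINES_H_` is a reserved identifier (a leading underscore followed by an uppercase letter belongs to the implementation), so the two guard lines should become `#ifndef MOD_CSPACE_DEFINES_H` / `#define MOD_CSPACE_DEFINES_H`. The `SUCC` expansion is unparenthesized, which changes meaning once it is used inside a larger expression; `#define SUCC (!(FAIL))` is the safe form. Since the guard is `#ifndef FAIL`, a header included earlier that defines only `FAIL` would leave `SUCC` undefined — worth a one-line comment stating that both macros are expected to come from this header.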
Added: trunk/solutions/identity/modules/mod-cspace/test/a.out
==============================================================================
Binary file. No diff available.
Added: trunk/solutions/identity/modules/mod-cspace/test/build.sh
==============================================================================
--- (empty file)
+++ trunk/solutions/identity/modules/mod-cspace/test/build.sh Wed Feb 13
22:52:51 2008
@@ -0,0 +1,2 @@
+gcc *.c -I../ `xmlsec1-config --cflags` `xmlsec1-config --libs` -g
+
Added: trunk/solutions/identity/modules/mod-cspace/test/cert.pem
==============================================================================
--- (empty file)
+++ trunk/solutions/identity/modules/mod-cspace/test/cert.pem Wed Feb 13
22:52:51 2008
@@ -0,0 +1,45 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+
+
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+
Added: trunk/solutions/identity/modules/mod-cspace/test/test_validator.c
==============================================================================
--- (empty file)
+++ trunk/solutions/identity/modules/mod-cspace/test/test_validator.c Wed Feb
13 22:52:51 2008
@@ -0,0 +1,32 @@
+#include <openssl/ssl.h>
+#include <stdio.h>
+#include "cspace_validator.h"
+
+const char *cert =
"MIIDRDCCAq2gAwIBAgIJAIhSvW2QQbDDMA0GCSqGSIb3DQEBBQUAMIGcMQswCQYDVQQGEwJMSzEQMA4GA1UECBMHV2VzdGVybjEeMBwGA1UEChMVV1NPMiBMYW5rYSAoUHZ0KSBMdGQuMREwDwYDVQQLEwhTZWN1cml0eTEiMCAGA1UEAxMZV1NPMiBJZGVudGl0eSBTb2x1dGlvbiBDQTEkMCIGCSqGSIb3DQEJARYVaWRlbnRpdHktZGV2QHdzbzIub3JnMB4XDTA3MDkyODEyNTkzNloXDTI0MDMwMjEyNTkzNlowezELMAkGA1UEBhMCTEsxEDAOBgNVBAgTB1dlc3Rlcm4xEDAOBgNVBAcTB0NvbG9tYm8xDTALBgNVBAoTBFdTTzIxGjAYBgNVBAsTEUlkZW50aXR5IFNvbHV0aW9uMR0wGwYDVQQDExRpZGVudGl0eS5say53c28yLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwUgh+jegaVAoCBbYg9gsUzxlpoD7UeX3R39rMpqQpAsTtCC7Jks1CCpF1jFttyPcXagRoOL6xXAbpjKyyzU08DoC8Gsnzlmj8nyPw1n8hr5e1g+5ZMxf7S+P5Op7QzASoQUQhMyEOlM24KtombTsg+0YZV4g7YndauDckNSIGlUCAwEAAaOBrTCBqjAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUOq/5DXiozYJeuwbT8VFH3rHjoVYwHwYDVR0jBBgwFoAU2NAfBYUWO847BEWZGDwwBtsmB2swLwYJYIZIAYb4QgEEBCIWIGh0dHA6Ly9jYS5pcy53c28yLm9yZy9jYS1jcmwucGVtMA0GCSqGSIb3DQEBBQUAA4GBAANDXhknYtcrXReWSkvkUJgUvfEWlBnB93SUC8G5JYjojDCjGYeb3kSVJGtUqO3U4M3iXNFJHdoVD7ytrNSoR9KlbSsk5OXeK/zSIZ9Dj18NMeAXk6nIu8Zj4sbN6MIDhHBCpR9T3lUe4JmkgNp78l/eibH9btEq/e+mp5UXVcQ/";
+
+const char *cert_ok =
"MIIDaDCCAtGgAwIBAgIJAIhSvW2QQbDAMA0GCSqGSIb3DQEBBQUAMIGcMQswCQYD"
+
"VQQGEwJMSzEQMA4GA1UECBMHV2VzdGVybjEeMBwGA1UEChMVV1NPMiBMYW5rYSAo"
+
"UHZ0KSBMdGQuMREwDwYDVQQLEwhTZWN1cml0eTEiMCAGA1UEAxMZV1NPMiBJZGVu"
+
"dGl0eSBTb2x1dGlvbiBDQTEkMCIGCSqGSIb3DQEJARYVaWRlbnRpdHktZGV2QHdz"
+
"bzIub3JnMB4XDTA3MDkyMTEyMTg1NVoXDTI0MDIyNDEyMTg1NVowgZ4xCzAJBgNV"
+
"BAYTAkxLMRAwDgYDVQQIEwdXZXN0ZXJuMRAwDgYDVQQHEwdDb2xvbWJvMR4wHAYD"
+
"VQQKExVXU08yIExhbmthIChQdnQpIEx0ZC4xETAPBgNVBAsTCFNlY3VyaXR5MRIw"
+
"EAYDVQQDEwlsb2NhbGhvc3QxJDAiBgkqhkiG9w0BCQEWFWlkZW50aXR5LWRldkB3"
+
"c28yLm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAr+h7tKoABQeQfWXp"
+
"sYU8XAb8iiuiQdKoBYp5DoJNSAut2Qdv/+Vyw29lgGhQM6ppT8ANlyizw2Y9+63X"
+
"ijzrMdSgivjCS08+/RLzUCkGYkm1qiUxJ54T3kEacG/TNtvmK852vlpj9Od8v/HD"
+
"O4Wk1j8ZtDCZSUueu9wt+Nb8fX8CAwEAAaOBrTCBqjAJBgNVHRMEAjAAMCwGCWCG"
+
"SAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4E"
+
"FgQUQqdG1Edj6WtNRQTfIQovgaqgYYIwHwYDVR0jBBgwFoAU2NAfBYUWO847BEWZ"
+
"GDwwBtsmB2swLwYJYIZIAYb4QgEEBCIWIGh0dHA6Ly9jYS5pcy53c28yLm9yZy9j"
+
"YS1jcmwucGVtMA0GCSqGSIb3DQEBBQUAA4GBAEfDja8hOhscNicycR8cKZ5p2++L"
+
"N9iEj2ytsmLnpTvvDsk1hIH8nmsCtZ9fZ+5V+x6+FXt2a/lPtyEjEPDnVUlNRrpg"
+
"wXSbJWO4vCQAbndkKcM2k+Ann+NmcIlA8Q0tZnNNp1tegNc892Yp4T7AYz1dt9kY"
+ "Jtc2KiXYXbK63pID";
+
+int main() {
+ SSL_library_init();
+ printf("%d\n", validate_with_op_mode("white", "uri", "issuer", "ppid",
cert_ok, "cert.pem"));
+
+ return 0;
+}
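Review bot: The test prints the validator's result and then returns 0 unconditionally, so `build.sh` and any caller cannot tell a failing whitelist check from a passing one; returning the outcome, `return validate_with_op_mode("white", "uri", "issuer", "ppid", cert_ok, "cert.pem") == SUCC ? 0 : 1;`, makes it usable as a check. `int main()` is an unprototyped declaration in C; `int main(void) {` is the conventional form. The second fixture `cert` is defined but never used in this file, which suggests a negative case (a certificate not in cert.pem) was intended and is worth adding alongside the positive one.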