From 601fa2e91becc2c4f1b54e4d75afd065abc7cc8b Mon Sep 17 00:00:00 2001 From: Andrea Ceccanti Date: Thu, 24 Sep 2020 12:05:51 +0200 Subject: [PATCH 01/18] Systemd unit support --- systemd/voms@.service | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 systemd/voms@.service diff --git a/systemd/voms@.service b/systemd/voms@.service new file mode 100644 index 00000000..e735e5e2 --- /dev/null +++ b/systemd/voms@.service @@ -0,0 +1,14 @@ +[Unit] +Description=VOMS service for VO %I + +[Service] +WorkingDirectory=/ +EnvironmentFile=/etc/sysconfig/voms +User=voms +Type=forking +ExecStart=/usr/sbin/voms --conf /etc/voms/%I/voms.conf +KillMode=process +SuccessExitStatus=1 + +[Install] +WantedBy=multi-user.target From feeaed1b63880719de6452d73ab7808b3ebd0752 Mon Sep 17 00:00:00 2001 From: Andrea Ceccanti Date: Thu, 24 Sep 2020 15:37:43 +0200 Subject: [PATCH 02/18] Validate top-level group and other patches from OSG Include patch from Brian Bockelman and Matyas Selmeci from here: https://github.com/opensciencegrid/Software-Redhat/blob/trunk/voms/osg/Validate-top-level-group-of-VOMS-attribute-also-acce.patch https://raw.githubusercontent.com/opensciencegrid/Software-Redhat/trunk/voms/osg/Make-RFC-proxies-by-default-SOFTWARE-2381.patch https://github.com/opensciencegrid/Software-Redhat/blob/trunk/voms/osg/Disable-TLS-1.1-and-older-openssl-1.0.2.patch https://github.com/opensciencegrid/Software-Redhat/blob/trunk/voms/osg/Disable-weak-ciphers.patch --- src/ac/validate.cc | 16 +++++++++++++++- src/client/vomsclient.cc | 10 ++-------- src/socklib/Server.cpp | 6 +++++- 3 files changed, 22 insertions(+), 10 deletions(-) diff --git a/src/ac/validate.cc b/src/ac/validate.cc index fb2aff3f..55d30e84 100644 --- a/src/ac/validate.cc +++ b/src/ac/validate.cc 
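Review bot: `SuccessExitStatus=1` in the new [Service] section tells systemd to treat exit code 1 as a clean stop, so a daemon that exits right after start because of a bad configuration or an unavailable port is recorded as `inactive` rather than `failed`, and a `Restart=on-failure` policy, if one is ever added, could never fire. If voms is known to return 1 on a normal shutdown, that deserves a comment in the unit next to the directive so the exception is not mistaken for a typo. `Type=forking` is used without a `PIDFile=`, so systemd has to guess the main PID of the forked daemon, and `KillMode=process` then stops only that guessed process on `systemctl stop`, leaving any other forked children running; an explicit `PIDFile=` or the default `KillMode=control-group` would make stop behaviour deterministic.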
@@ -150,7 +150,7 @@ std::string get_error(int e) return "VOMS Server contact data missing from AC."; break; case AC_ERR_ATTRIB_FQAN: - return "VOMS Attributes absent or misformed."; + return "VOMS Attributes absent or malformed."; break; case AC_ERR_EXTS_ABSENT: return "Required AC extensions missing (NoRevAvail and AuthorityKeyIdentifier)"; @@ -430,6 +430,8 @@ static int checkAttributes(STACK_OF(AC_ATTR) *atts, voms &v) else return AC_ERR_ATTRIB_URI; + std::string top_group = "/" + v.voname; + /* scan the stack of IETFATTRVAL to put attribute in voms struct */ for (int i=0; idata, capname->length); + std::string::size_type top_group_size = top_group.size(); + std::string::size_type str_size = str.size(); + + /* The top level group name must be identical to the VO name. + An attribute may end right after the group name, or may continue on + (separated by a "/"). */ + if (str.compare(0, top_group_size, top_group)) { + return AC_ERR_ATTRIB_FQAN; + } + else if (str_size > top_group_size && str[top_group_size] != '/') { + return AC_ERR_ATTRIB_FQAN; + } v.fqan.push_back(str); diff --git a/src/client/vomsclient.cc b/src/client/vomsclient.cc index 05d5398a..3f3bd0d1 100644 --- a/src/client/vomsclient.cc +++ b/src/client/vomsclient.cc @@ -438,15 +438,9 @@ Client::Client(int argc, char ** argv) : exit(1); } else if (proxyver==0) { - if (version<30) - proxyver = 2; - else if (version < 40) - proxyver = 3; - else - proxyver = 4; + proxyver = 4; - Print(DEBUG) << "Unspecified proxy version, settling on Globus version: " - << proxyver << std::endl; + Print(DEBUG) << "Unspecified proxy version, settling on version 4 (RFC)" << std::endl; } /* PCI extension option */ diff --git a/src/socklib/Server.cpp b/src/socklib/Server.cpp index e8936120..fcf480e8 100644 --- a/src/socklib/Server.cpp +++ b/src/socklib/Server.cpp 
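Review bot: The new top-level-group check in checkAttributes is only as strong as `v.voname`: if `v.voname` can still be empty when this loop runs (it is populated before the hunk, outside the visible lines), `top_group` becomes just `"/"` and every FQAN that starts with a slash passes, which is the very case the patch is meant to reject. A guard before the loop, `if (v.voname.empty()) return AC_ERR_ATTRIB_FQAN;`, closes that gap; if an earlier check already guarantees a non-empty VO name, a one-line comment to that effect next to the `top_group` definition saves the next reader the search. The loop header around `capname->data, capname->length` is garbled in this rendering of the patch, so the exact iteration is not visible here. checkAttributes continues outside the hunk.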
@@ -321,12 +321,16 @@ GSISocketServer::AcceptGSIAuthentication() SSL_CTX_load_verify_locations(ctx, NULL, cacertdir); SSL_CTX_use_certificate(ctx, ucert); SSL_CTX_use_PrivateKey(ctx,upkey); - SSL_CTX_set_cipher_list(ctx, "ALL:!LOW:!EXP:!MD5:!MD2"); + SSL_CTX_set_cipher_list(ctx, "ALL:!LOW:!EXP:!MD5:!MD2:!3DES:!RC4:!IDEA"); SSL_CTX_set_purpose(ctx, X509_PURPOSE_ANY); SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, proxy_verify_callback); SSL_CTX_set_verify_depth(ctx, 100); SSL_CTX_set_cert_verify_callback(ctx, proxy_app_verify_callback, 0); + if (!SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1)) { + SetErrorOpenSSL("Cannot set minimum TLS protocol version"); + goto err; + } if (own_stack) { /* From a831ee21031ac0607d3a93814590b22590499d39 Mon Sep 17 00:00:00 2001 From: Marcelo Date: Tue, 1 Dec 2020 12:06:00 +0100 Subject: [PATCH 03/18] Issue-83 New unit file fails for VOs containing - in the name (or similar) Problem: The new unit file https://github.com/italiangrid/voms/blob/2.0.15-systemd/systemd/voms%40.service fails for VOs containing e.g. - in their name (such as rcdemo.aarc-project.eu.service) Solution: replace ExecStart=/usr/sbin/voms --conf /etc/voms/%I/voms.conf with ExecStart=/usr/sbin/voms --conf /etc/voms/%i/voms.conf --- systemd/voms@.service | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/systemd/voms@.service b/systemd/voms@.service index e735e5e2..e1383cbf 100644 --- a/systemd/voms@.service +++ b/systemd/voms@.service @@ -1,12 +1,12 @@ [Unit] -Description=VOMS service for VO %I +Description=VOMS service for VO %i [Service] WorkingDirectory=/ EnvironmentFile=/etc/sysconfig/voms User=voms Type=forking -ExecStart=/usr/sbin/voms --conf /etc/voms/%I/voms.conf +ExecStart=/usr/sbin/voms --conf /etc/voms/%i/voms.conf KillMode=process SuccessExitStatus=1 
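Review bot: The `if (!SSL_CTX_set_options(...))` test can never report a failure: `SSL_CTX_set_options` returns the resulting option bitmask, which is non-zero as soon as any option is set, so the `SetErrorOpenSSL`/`goto err` branch is dead and the message promises a check that is not made. On OpenSSL 1.1.0 and later the intent is expressed directly and with a real status, `if (!SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)) { SetErrorOpenSSL("Cannot set minimum TLS protocol version"); goto err; }`; on 1.0.2 the unconditional `SSL_CTX_set_options` call without the `if` is the honest form. The new cipher string still does not exclude anonymous suites: `ALL` in OpenSSL's cipher-list grammar includes `aNULL` key exchange, so appending `:!aNULL` keeps the server from ever negotiating an unauthenticated Diffie-Hellman suite regardless of how the verify flags behave. AcceptGSIAuthentication continues outside the hunk.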
From af27dbc933fb3f8a0180aec0f50296f86dc13edb Mon Sep 17 00:00:00 2001 From: Andrea Ceccanti Date: Wed, 2 Dec 2020 18:47:45 +0100 Subject: [PATCH 04/18] Bump version to 2.0.16 --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 8a427fb3..c394a750 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -AC_INIT([VOMS], [2.0.15]) +AC_INIT([VOMS], [2.0.16]) AC_PREREQ(2.57) AC_CONFIG_AUX_DIR([./aux]) AM_INIT_AUTOMAKE From 3bc8a0f6dcdb4bf5f88a8ceb63fb2fdc3949b3dd Mon Sep 17 00:00:00 2001 From: Andrea Ceccanti Date: Wed, 2 Dec 2020 19:08:54 +0100 Subject: [PATCH 05/18] Imported Jenkinsfile from develop-2.1.x branch --- Jenkinsfile | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 Jenkinsfile diff --git a/Jenkinsfile b/Jenkinsfile new file mode 100644 index 00000000..ad299f9d --- /dev/null +++ b/Jenkinsfile @@ -0,0 +1,60 @@ +#!/usr/bin/env groovy + +pipeline { + + agent { + kubernetes { + label "voms-${env.JOB_BASE_NAME}-${env.BUILD_NUMBER}" + cloud 'Kube mwdevel' + defaultContainer 'jnlp' + inheritFrom 'ci-template' + containerTemplate { + name 'runner' + image 'voms/voms-build:centos7' + ttyEnabled true + command 'cat' + } + } + } + + options { + timeout(time: 1, unit: 'HOURS') + buildDiscarder(logRotator(numToKeepStr: '5')) + } + + triggers { cron('@daily') } + + stages { + stage ('build') { + steps { + container('runner') { + sh "./autogen.sh" + sh "./configure && make" + } + } + } + + stage('result'){ + steps { + script { + currentBuild.result = 'SUCCESS' + } + } + } + } + + post { + + failure { + slackSend color: 'danger', message: "${env.JOB_NAME} - #${env.BUILD_NUMBER} Failure (<${env.BUILD_URL}|Open>)" + } + + changed { + script{ + if('SUCCESS'.equals(currentBuild.result)) { + slackSend color: 'good', message: "${env.JOB_NAME} - #${env.BUILD_NUMBER} Back to normal (<${env.BUILD_URL}|Open>)" + } + } + } + } +} 
From a3f04c253eea7fb1ad448ca74f88eb2ae58c6ea2 Mon Sep 17 00:00:00 2001 From: Andrea Ceccanti Date: Fri, 19 Mar 2021 18:43:31 +0100 Subject: [PATCH 06/18] Dockerized development environment --- .devcontainer.json | 7 +++++++ .gitignore | 1 + compose/.env | 1 + compose/docker-compose.yml | 38 ++++++++++++++++++++++++++++++++++++++ docker/.env | 3 +++ docker/Dockerfile | 29 +++++++++++++++++++++++++++++ 6 files changed, 79 insertions(+) create mode 100644 .devcontainer.json create mode 100644 compose/.env create mode 100644 compose/docker-compose.yml create mode 100644 docker/.env create mode 100644 docker/Dockerfile diff --git a/.devcontainer.json b/.devcontainer.json new file mode 100644 index 00000000..1c335d82 --- /dev/null +++ b/.devcontainer.json @@ -0,0 +1,7 @@ +{ + "name": "VOMS core development", + "dockerComposeFile": "compose/docker-compose.yml", + "service": "voms_build", + "workspaceFolder": "/home/build/workspace", + "shutdownAction": "stopCompose" +} diff --git a/.gitignore b/.gitignore index acc01d52..9fc02c1d 100644 --- a/.gitignore +++ b/.gitignore @@ -6,4 +6,5 @@ /.cproject /.settings /.test +/.vscode /INSTALL diff --git a/compose/.env b/compose/.env new file mode 100644 index 00000000..19f3aff5 --- /dev/null +++ b/compose/.env @@ -0,0 +1 @@ +COMPOSE_PROJECT_NAME=voms-core diff --git a/compose/docker-compose.yml b/compose/docker-compose.yml new file mode 100644 index 00000000..7f40dfd0 --- /dev/null +++ b/compose/docker-compose.yml 
@@ -0,0 +1,38 @@ +version: '3.5' + +volumes: + vscode-server: + dotlocal: + +services: + + init: + image: italiangrid/voms-build-centos7:latest + volumes: + - vscode-server:/home/build/.vscode-server + - dotlocal:/home/build/.local + command: sudo chown -R build:build /home/build/.vscode-server /home/build/.local + + voms_build: + image: italiangrid/voms-build-centos7:latest + + depends_on: + - init + + environment: + - TZ=Europe/Rome + + volumes: + - vscode-server:/home/build/.vscode-server + - dotlocal:/home/build/.local + - $HOME/grid-security:/etc/grid-security/certificates + - $HOME/ca-bundle:/etc/pki + - $HOME/vomsdir:/etc/grid-security/vomsdir:ro + - $HOME/vomses:/etc/vomses + - $HOME/.globus:/home/build/.globus:ro + - ..:/home/build/workspace:cached + + entrypoint: /tini -- sleep infinity + + extra_hosts: + - "dev.local.io: 192.168.65.2" diff --git a/docker/.env b/docker/.env new file mode 100644 index 00000000..920ae708 --- /dev/null +++ b/docker/.env @@ -0,0 +1,3 @@ +DOCKER_IMAGE=italiangrid/voms-build-centos7 +DOCKER_GIT_TAG_ENABLED=y +DOCKER_OPTS=--rm=true diff --git a/docker/Dockerfile b/docker/Dockerfile new file mode 100644 index 00000000..2af7c598 --- /dev/null +++ b/docker/Dockerfile 
@@ -0,0 +1,29 @@ +FROM centos:7 + +# Allow customization of build user ID and name +ARG BUILD_USER=build +ARG BUILD_USER_UID=501 + +RUN echo "include_only=.garr.it,.cern.ch" >> /etc/yum/pluginconf.d/fastestmirror.conf && \ + yum clean all && \ + yum install -y hostname epel-release && \ + yum -y update && \ + yum -y install which wget tar sudo file && \ + yum -y install which wget tar sudo file && \ + echo '%wheel ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers && \ + adduser --uid ${BUILD_USER_UID} ${BUILD_USER} && \ + usermod -a -G wheel ${BUILD_USER} && \ + yum -y install \ + gdb git expat-devel autoconf automake make libtool pkgconfig openssl-devel gsoap-devel \ + mysql-devel libxslt docbook-style-xsl doxygen bison gcc-c++ gcc && \ + yum clean all && \ + rm -rf /var/cache/yum + +ENV TINI_VERSION v0.18.0 +ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini +RUN chmod +x /tini +ENTRYPOINT ["/tini", "--"] + + +USER $BUILD_USER +WORKDIR /home/$BUILD_USER From 435483d95914a5921a04af5e7fd3f30559eb1b85 Mon Sep 17 00:00:00 2001 From: Francesco Giacomini Date: Sun, 21 Mar 2021 16:55:01 +0100 Subject: [PATCH 07/18] Support SNI in the client Fix https://issues.infn.it/jira/browse/VOMS-894 --- src/socklib/Client.cpp | 1 + 1 file changed, 1 insertion(+) diff --git a/src/socklib/Client.cpp b/src/socklib/Client.cpp index 80b3d397..e4f292a9 100644 --- a/src/socklib/Client.cpp +++ b/src/socklib/Client.cpp @@ -298,6 +298,7 @@ GSISocketClient::Open() ssl = SSL_new(ctx); setup_SSL_proxy_handler(ssl, cacertdir); SSL_set_bio(ssl, conn, conn); + SSL_set_tlsext_host_name(ssl, host.c_str()); conn = NULL; From 18b066c047da2daf7a852411718e9eb4d6d19006 Mon Sep 17 00:00:00 2001 From: Andrea Ceccanti Date: Wed, 24 Mar 2021 15:55:08 +0100 Subject: [PATCH 08/18] Change build image --- Jenkinsfile | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index ad299f9d..bd2c487d 100644 --- a/Jenkinsfile 
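Review bot: The `ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini` line pulls the init binary into the build image with no integrity check, so the image trusts whatever the download endpoint returns on the day of the build. tini releases publish a checksum next to the binary; verifying it before `chmod +x`, e.g. `RUN echo "<expected sha256 for tini v0.18.0>  /tini" | sha256sum -c -`, pins the artifact (the placeholder must be replaced with the digest from the release page). The `yum -y install which wget tar sudo file` line is duplicated back to back and one copy can be dropped. The `%wheel ALL=(ALL) NOPASSWD:ALL` sudoers entry grants the build user unrestricted root, which is presumably intended for a development-only image and is worth a one-line comment stating that assumption.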
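Review bot: `SSL_set_tlsext_host_name(ssl, host.c_str())` has its return value dropped; the call returns 0 when the name cannot be set, and SNI is defined only for DNS host names, so if `host` can be an IP literal (it is assigned outside the hunk, so I cannot tell) the extension should be skipped rather than sent, since some servers reject a literal there. Checking the return value, and skipping the call when `inet_pton` accepts `host` as an address literal, keeps the connection attempt alive while making a failure visible in the debug output; a short comment such as `// SNI is best-effort: only set for DNS names, failure is logged, not fatal` records the intent. GSISocketClient::Open continues outside the hunk.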
+++ b/Jenkinsfile @@ -1,19 +1,22 @@ #!/usr/bin/env groovy +@Library('sd')_ +def kubeLabel = getKubeLabel() + pipeline { agent { kubernetes { - label "voms-${env.JOB_BASE_NAME}-${env.BUILD_NUMBER}" - cloud 'Kube mwdevel' - defaultContainer 'jnlp' - inheritFrom 'ci-template' - containerTemplate { - name 'runner' - image 'voms/voms-build:centos7' - ttyEnabled true - command 'cat' - } + label "${kubeLabel}" + cloud 'Kube mwdevel' + defaultContainer 'runner' + inheritFrom 'ci-template' + containerTemplate { + name 'runner' + image 'italiangrid/voms-build-centos7' + ttyEnabled true + command 'cat' + } } } From 015edee4270c3ba2a2760c41b558a0873bc16920 Mon Sep 17 00:00:00 2001 From: Andrea Ceccanti Date: Thu, 25 Mar 2021 12:15:38 +0100 Subject: [PATCH 09/18] More CI tuning --- Jenkinsfile | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index bd2c487d..0a96fc8e 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -21,7 +21,7 @@ pipeline { } options { - timeout(time: 1, unit: 'HOURS') + timeout(time: 10, unit: 'MINUTES') buildDiscarder(logRotator(numToKeepStr: '5')) } @@ -30,10 +30,8 @@ pipeline { stages { stage ('build') { steps { - container('runner') { sh "./autogen.sh" sh "./configure && make" - } } } From 5241da82f6dfda968d8eff33a55e40461df446d6 Mon Sep 17 00:00:00 2001 From: Andrea Ceccanti Date: Thu, 25 Mar 2021 16:37:52 +0100 Subject: [PATCH 10/18] ... --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 0a96fc8e..46c2d027 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -13,7 +13,7 @@ pipeline { inheritFrom 'ci-template' containerTemplate { name 'runner' - image 'italiangrid/voms-build-centos7' + image 'italiangrid/voms-build-centos7:015edee' ttyEnabled true command 'cat' } From 8a0f1980ccc59009b010b995d878cf39d9a22dd1 Mon Sep 17 00:00:00 2001 
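Review bot: `image 'italiangrid/voms-build-centos7'` is now an untagged reference and `@Library('sd')_` loads the shared library at whatever its default branch points to, so both the build environment and the pipeline code float, and a later change in either repository silently changes what this job runs. Pinning the image to a digest (`image 'italiangrid/voms-build-centos7@sha256:<digest>'`) and the library to a tag or commit (`@Library('sd@<ref>')`) makes the job reproducible; the later hunks on this line and the "Use latest build image" hunk move the tag between `:015edee` and `:latest`, which leaves the same gap. The re-indentation of the `kubernetes {}` block is mixed with the functional change in this hunk, which makes the real change hard to spot in review.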
From: Andrea Ceccanti Date: Thu, 25 Mar 2021 16:49:17 +0100 Subject: [PATCH 11/18] Do not use cache when building docker image --- docker/.env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/.env b/docker/.env index 920ae708..bb569a0a 100644 --- a/docker/.env +++ b/docker/.env @@ -1,3 +1,3 @@ DOCKER_IMAGE=italiangrid/voms-build-centos7 DOCKER_GIT_TAG_ENABLED=y -DOCKER_OPTS=--rm=true +DOCKER_OPTS="--rm=true --no-cache" From ea5b22df9b5b782a7c8f32b6204111b12ac7ac35 Mon Sep 17 00:00:00 2001 From: Andrea Ceccanti Date: Thu, 25 Mar 2021 16:56:55 +0100 Subject: [PATCH 12/18] First attempt at GH actions build workflow --- .github/workflows/centos7-build.yml | 33 +++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 .github/workflows/centos7-build.yml diff --git a/.github/workflows/centos7-build.yml b/.github/workflows/centos7-build.yml new file mode 100644 index 00000000..eb8986d8 --- /dev/null +++ b/.github/workflows/centos7-build.yml @@ -0,0 +1,33 @@ +# +# Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2020 +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +name: Maven build + +on: + push: + branches: '*' + pull_request: + branches: [ master ] + +jobs: + build: + runs-on: ubuntu-latest + container: italiangrid/voms-build-centos7 + + steps: + - uses: actions/checkout@v2 + - name: Build + run: ./autogen.sh && configure && make && make install 
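Review bot: `uses: actions/checkout@v2` and `container: italiangrid/voms-build-centos7` in the new workflow are both mutable references, so the job resolves to different code on each run; pinning the action to a full commit SHA (`uses: actions/checkout@<commit sha>`) and the container to a digest gives a reproducible build and narrows what a compromised upstream tag could inject. The `run:` step also performs `make install` inside the job container as root, which is acceptable for a throwaway CI container but worth a comment so the line is not copied into a packaging script unchanged. With `push: branches: '*'` and `pull_request: branches: [ master ]` together, a pull request from a branch in the same repository runs the build twice; if that is not intended, restricting the push trigger to `master` avoids the duplicate.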
From 1d9da240f97787acd45d0e5cc7885a0f686d5f77 Mon Sep 17 00:00:00 2001 From: Andrea Ceccanti Date: Thu, 25 Mar 2021 17:06:57 +0100 Subject: [PATCH 13/18] Keep root user in build dockerfile --- docker/Dockerfile | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index 2af7c598..dd768517 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -24,6 +24,5 @@ ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini RUN chmod +x /tini ENTRYPOINT ["/tini", "--"] - -USER $BUILD_USER -WORKDIR /home/$BUILD_USER +# USER $BUILD_USER +# WORKDIR /home/$BUILD_USER From 8b98409ac7a6520c845032fc55c186ba405d1690 Mon Sep 17 00:00:00 2001 From: Andrea Ceccanti Date: Thu, 25 Mar 2021 17:13:31 +0100 Subject: [PATCH 14/18] Tentative fix for CI build command --- .github/workflows/centos7-build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/centos7-build.yml b/.github/workflows/centos7-build.yml index eb8986d8..213ec7bf 100644 --- a/.github/workflows/centos7-build.yml +++ b/.github/workflows/centos7-build.yml @@ -14,7 +14,7 @@ # limitations under the License. # -name: Maven build +name: CENTOS 7 build on: push: @@ -30,4 +30,4 @@ jobs: steps: - uses: actions/checkout@v2 - name: Build - run: ./autogen.sh && configure && make && make install + run: ./autogen.sh && ./configure && make && make install From f76fe5c6ae9ecfdfe7624e7d55cbc2edd30ebb32 Mon Sep 17 00:00:00 2001 From: Andrea Ceccanti Date: Thu, 25 Mar 2021 17:16:51 +0100 Subject: [PATCH 15/18] Use latest build image in Jenkins --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 46c2d027..7b4af076 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
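Review bot: Commenting out `USER $BUILD_USER` means every container started from this image — the Jenkins agent, the compose development container and the GitHub Actions job — now runs as root by default, while the `BUILD_USER`/`BUILD_USER_UID` arguments and the `adduser` step earlier in the file still create an account that nothing switches to. If the reason is that the CI checkout needs a root-writable workspace (the commit title says only that root is kept), a comment above the two commented lines, e.g. `# Runs as root: CI checkouts need a root-writable workspace; drop privileges with --user at run time`, records the trade-off; otherwise `USER` could stay, since the compose file's `sudo chown` init step already covers the volume-ownership case for the dev container.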
@@ -13,7 +13,7 @@ pipeline { inheritFrom 'ci-template' containerTemplate { name 'runner' - image 'italiangrid/voms-build-centos7:015edee' + image 'italiangrid/voms-build-centos7:latest' ttyEnabled true command 'cat' } From 749e45146f9b396bb1ee61cdbef5d9fe9419db6b Mon Sep 17 00:00:00 2001 From: Andrea Ceccanti Date: Thu, 25 Mar 2021 17:21:59 +0100 Subject: [PATCH 16/18] More verbosity on Jenkinsfile --- Jenkinsfile | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 7b4af076..d247e3c5 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -30,8 +30,14 @@ pipeline { stages { stage ('build') { steps { - sh "./autogen.sh" - sh "./configure && make" + sh '''#!/bin/bash + set -ex + pwd + ls -lR + ./autogen.sh + ./configure + make + ''' } } From 9dc4bcad5124f35d5f6ff3d405985e1cc8ad3d81 Mon Sep 17 00:00:00 2001 From: Francesco Giacomini Date: Thu, 1 Apr 2021 12:40:55 +0000 Subject: [PATCH 17/18] Check certs for NULL before dereferencing it Fix #87 --- src/api/ccapi/api_util.cc | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/api/ccapi/api_util.cc b/src/api/ccapi/api_util.cc index 714b543c..8afc014f 100644 --- a/src/api/ccapi/api_util.cc +++ b/src/api/ccapi/api_util.cc @@ -609,7 +609,13 @@ X509 *vomsdata::check_from_file(AC *ac, std::ifstream &file, const std::string & X509_EXTENSION *ext=sk_X509_EXTENSION_value(exts, pos); AC_CERTS *certs = (AC_CERTS *)X509V3_EXT_d2i(ext); - STACK_OF(X509) *certstack = certs->stackcert; + STACK_OF(X509) *certstack = certs != NULL ? certs->stackcert : NULL; + + if (certs == NULL || certstack == NULL) { + AC_CERTS_free(certs); + seterror(VERR_SIGN, "AC does not contain certificate chain"); + return NULL; + } bool success = false; bool final = false; From fdbffdebdb3da73cb4a860c1c06462a20324e6cb Mon Sep 17 00:00:00 2001 
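Review bot: The new guard in check_from_file rejects a missing `AC_CERTS` structure and a NULL `stackcert`, but an empty stack slips through: `sk_X509_num(certstack) == 0` is not checked, and an AC whose chain decodes to zero certificates is then handed to the code below with nothing to verify against (that code is outside the hunk, so I cannot see how it treats an empty stack). Extending the condition to `if (certs == NULL || certstack == NULL || sk_X509_num(certstack) == 0)` reuses the same error path. `AC_CERTS_free(certs)` is called with `certs` possibly NULL; if `AC_CERTS` is generated with OpenSSL's ASN1 macros the free is a no-op on NULL, but a short comment saying so stops the next reader from flagging it as a null dereference. check_from_file continues outside the hunk.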
From: Francesco Giacomini Date: Thu, 1 Apr 2021 16:57:59 +0200 Subject: [PATCH 18/18] Improve error message --- src/api/ccapi/api_util.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/api/ccapi/api_util.cc b/src/api/ccapi/api_util.cc index 8afc014f..b4c52bff 100644 --- a/src/api/ccapi/api_util.cc +++ b/src/api/ccapi/api_util.cc @@ -613,7 +613,7 @@ X509 *vomsdata::check_from_file(AC *ac, std::ifstream &file, const std::string & if (certs == NULL || certstack == NULL) { AC_CERTS_free(certs); - seterror(VERR_SIGN, "AC does not contain certificate chain"); + seterror(VERR_SIGN, "Malformed AC: the AC does not contain the issuer certificate chain"); return NULL; }