------------------------------------------------------------------------
r18710 | msalle | 2016-08-25 22:47:41 +0200 (Thu, 25 Aug 2016) | 9 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/lcmaps_proxylifetime.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509_utils.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Fix last warnings from released openssl 1.1
ASN1_STRING_data() has been deprecated and replaced with ASN1_STRING_get0_data()
which returns const unsigned char* instead of char of unsigned char*. Easiest to
handle is to rename verify_asn1TimeToTimeT(const char*) into
verify_str_asn1TimeToTimeT and make new verify_asn1TimeToTimeT(ASN1_TIME *)
which does the cast and calls the other.
Also final version of X509_get0_signature() and X509_ALGOR_get0() want resp.
const X509_ALGOR** and const ASN1_OBJECT ** as arguments.

------------------------------------------------------------------------
r18684 | msalle | 2016-08-01 17:15:35 +0200 (Mon, 01 Aug 2016) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/main.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509_utils.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Fix typo in openssl version number, remove unused variables and work around
ERR_PACK() mismatch with man-page (args should be unsigned, not signed).

------------------------------------------------------------------------
r18683 | msalle | 2016-08-01 14:33:29 +0200 (Mon, 01 Aug 2016) | 9 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/main.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509_utils.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_proxy_certinfo.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_proxy_certinfo.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Adapt code to work around OpenSSL 1.1 code changes. In OpenSSL 1.1 many struct
members have become private and setters/getters need to be used instead.
Since at the same time also the d2i and i2d macros have been removed
(asn1_mac.h) we rework the init_*_proxy_extension() functions to use an item ref
instead. This is slightly complicated for the GT3 proxy, which can have either a
GT3-style proxy cert info or a RFC-style proxy cert info (when created using
Java-based voms-proxy-init via canl). For that sub-case, we allow temporarily
changing the struct member.

------------------------------------------------------------------------
r18671 | msalle | 2016-05-30 12:04:37 +0200 (Mon, 30 May 2016) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/ChangeLog

Update ChangeLog

------------------------------------------------------------------------
r18670 | msalle | 2016-05-30 11:18:18 +0200 (Mon, 30 May 2016) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Log whether a proxy is a VOMS proxy (contains a VOMS AC extension).

------------------------------------------------------------------------
r18669 | msalle | 2016-05-30 10:33:59 +0200 (Mon, 30 May 2016) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Do proper self-signed cert test for CAs by checking signature.

------------------------------------------------------------------------
r18668 | msalle | 2016-05-29 21:21:57 +0200 (Sun, 29 May 2016) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/ChangeLog

Update ChangeLog

------------------------------------------------------------------------
r18667 | msalle | 2016-05-29 21:20:07 +0200 (Sun, 29 May 2016) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/BUGS
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Fix memleak introduced in 1.5.8

------------------------------------------------------------------------
r18665 | msalle | 2016-05-27 16:50:59 +0200 (Fri, 27 May 2016) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Fix two spelling errors

------------------------------------------------------------------------
r18661 | msalle | 2016-05-27 16:09:05 +0200 (Fri, 27 May 2016) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/ChangeLog

Updating Changelog

------------------------------------------------------------------------
r18660 | msalle | 2016-05-27 16:08:39 +0200 (Fri, 27 May 2016) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/BUGS

Update BUGS file

------------------------------------------------------------------------
r18659 | msalle | 2016-05-27 15:59:41 +0200 (Fri, 27 May 2016) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/README

Minor updates in the README (mostly URLs)

------------------------------------------------------------------------
r18658 | msalle | 2016-05-27 15:51:53 +0200 (Fri, 27 May 2016) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/ChangeLog

Update ChangeLog for 1.5.8 release

------------------------------------------------------------------------
r18657 | msalle | 2016-05-19 16:11:52 +0200 (Thu, 19 May 2016) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Fix comment of grid_check_sigalg() to match the actual code

------------------------------------------------------------------------
r18656 | msalle | 2016-05-18 13:38:43 +0200 (Wed, 18 May 2016) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Don't verify/log signing algorithm for root CAs

------------------------------------------------------------------------
r18655 | msalle | 2016-05-17 13:09:04 +0200 (Tue, 17 May 2016) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS

Update NEWS for key strength

------------------------------------------------------------------------
r18654 | msalle | 2016-05-17 13:08:10 +0200 (Tue, 17 May 2016) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Log key length of all certs, not just the proxies and warn for too small (<2048
for EECs and CAs). Only log once in case of warning. Use one #define for all
OBJ_obj2txt buffers of size 80.

------------------------------------------------------------------------
r18653 | msalle | 2016-05-13 11:14:24 +0200 (Fri, 13 May 2016) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

We log the signature algorithm for every certificate in the chain. For MD5 (or
older) algorithms we log on LOG_WARNING. We do not (yet) fail on MD*. Newest
Java already fails by default.

------------------------------------------------------------------------
r18650 | msalle | 2016-05-09 10:55:16 +0200 (Mon, 09 May 2016) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS

Update NEWS file for OpenSSL DigitalSignature workaround

------------------------------------------------------------------------
r18649 | msalle | 2016-05-09 10:49:11 +0200 (Mon, 09 May 2016) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Only set EXFLAG_PROXY for actual proxy certificates. Otherwise, OpenSSL
verification code fails for CA certificates not containing Digital Signature,
such as the CILogon Basic CA (thanks to Brian for finding it and Jan Just for
verifying why the workaround works).

------------------------------------------------------------------------
r18554 | msalle | 2016-01-21 17:51:39 +0100 (Thu, 21 Jan 2016) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/doc/verify-proxy-tool.1.in

Update manpage for new commandline option

------------------------------------------------------------------------
r18548 | msalle | 2015-12-18 11:56:32 +0100 (Fri, 18 Dec 2015) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/main.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.h

Improvements. Version 1.5.8
-   verify-proxy-tool has extra option -t|--atnotbefore to verify the chain at
    the notBefore time (actually 5min afterwards)


------------------------------------------------------------------------
r18468 | msalle | 2015-07-16 11:27:12 +0200 (Thu, 16 Jul 2015) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Clarify code flow.

------------------------------------------------------------------------
r18406 | msalle | 2015-05-13 15:31:47 +0200 (Wed, 13 May 2015) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/ChangeLog

Update ChangeLog

------------------------------------------------------------------------
r18405 | msalle | 2015-05-13 15:31:21 +0200 (Wed, 13 May 2015) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/main.c

Fix calling of verify_error()

------------------------------------------------------------------------
r18403 | msalle | 2015-05-13 14:18:40 +0200 (Wed, 13 May 2015) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/ChangeLog

Update ChangeLog for release

------------------------------------------------------------------------
r18402 | msalle | 2015-05-13 14:02:38 +0200 (Wed, 13 May 2015) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509_utils.c

Fix mem leak.

------------------------------------------------------------------------
r18401 | msalle | 2015-05-13 13:29:10 +0200 (Wed, 13 May 2015) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/main.c

Initialize verify data to prevent segv.

------------------------------------------------------------------------
r18400 | msalle | 2015-05-13 13:25:52 +0200 (Wed, 13 May 2015) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c

Missed three...

------------------------------------------------------------------------
r18399 | msalle | 2015-05-13 13:24:18 +0200 (Wed, 13 May 2015) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/main.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c

Fix calls to verify_error

------------------------------------------------------------------------
r18398 | msalle | 2015-05-13 13:11:02 +0200 (Wed, 13 May 2015) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/main.c

Check return value of stat.

------------------------------------------------------------------------
r18397 | msalle | 2015-05-13 12:31:27 +0200 (Wed, 13 May 2015) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/doc/Makefile.am
   D /trunk/lcmaps-plugins-verify-proxy/doc/lcmaps_verify_proxy.mod.8
   A /trunk/lcmaps-plugins-verify-proxy/doc/lcmaps_verify_proxy.mod.8.in (from /trunk/lcmaps-plugins-verify-proxy/doc/lcmaps_verify_proxy.mod.8:18396)
   A /trunk/lcmaps-plugins-verify-proxy/doc/verify-proxy-tool.1.in
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/main.c

Install commandline tool as verify-proxy-tool to prevent name-clash with Jan
Just's grid-proxy-verify. Add rudimentary manpage, update NEWS file and put
package name and version in manpage.

------------------------------------------------------------------------
r18389 | msalle | 2015-04-28 12:03:17 +0200 (Tue, 28 Apr 2015) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Update logged function name to actual current function name.

------------------------------------------------------------------------
r18384 | msalle | 2015-04-22 17:21:55 +0200 (Wed, 22 Apr 2015) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/scas/NEWS

Update NEWS files for latest changes.

------------------------------------------------------------------------
r18368 | msalle | 2015-04-21 13:03:51 +0200 (Tue, 21 Apr 2015) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Add clarification on the importance of initializing the certcheck counter.

------------------------------------------------------------------------
r18353 | msalle | 2015-04-16 14:40:11 +0200 (Thu, 16 Apr 2015) | 10 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509_utils.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/util/grid-proxy-verify.c

- Just define logstr, don't try to check whether __func__ is defined (we don't
  do with other functions either).
- Check for return val NULL of X509_NAME_oneline()
- unused grid-proxy-verify.c:
    * fix dereferencing bug
    * check for NULL return val of X509_NAME_oneline()
    * don't check for NULL when calling free()
    * reinsert main()


------------------------------------------------------------------------
r18341 | msalle | 2015-04-14 18:19:55 +0200 (Tue, 14 Apr 2015) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/main.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509_utils.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_proxy_certinfo.c

Fix warnings from cppcheck

------------------------------------------------------------------------
r18338 | msalle | 2015-04-14 11:04:23 +0200 (Tue, 14 Apr 2015) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509_utils.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Fix recognizing legacy proxies for empty subject EECs
Reuse a few strlen() calls.

------------------------------------------------------------------------
r18336 | msalle | 2015-03-31 14:09:28 +0200 (Tue, 31 Mar 2015) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS

Few more additions

------------------------------------------------------------------------
r18335 | msalle | 2015-03-31 14:01:33 +0200 (Tue, 31 Mar 2015) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS

Update NEWS file with latest updates.

------------------------------------------------------------------------
r18333 | msalle | 2015-03-30 16:17:17 +0200 (Mon, 30 Mar 2015) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509_utils.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_proxy_certinfo.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.h

Continue to check (also) GT3 pci extension when we found a RFC pci, to catch
dual certificates having both (=evil).
Move istype() macro to verify-lib/src_internal/_verify_x509.h and rename it to CERTISTYPE()


------------------------------------------------------------------------
r18332 | msalle | 2015-03-27 16:10:42 +0100 (Fri, 27 Mar 2015) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_proxy_certinfo.c

Java voms-proxy-init creates GT3 proxies with RFC-ordered proxycertinfo: make
sure we can handle those. Try first 'official' GT3, then fallback on RFC-type

------------------------------------------------------------------------
r18331 | msalle | 2015-03-27 15:14:47 +0100 (Fri, 27 Mar 2015) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_proxy_certinfo.c

Add comments to clarify compiler warnings coming from incorrect cast, due to
borked openssl macros (known issue).

------------------------------------------------------------------------
r18330 | msalle | 2015-03-27 14:40:52 +0100 (Fri, 27 Mar 2015) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/main.c

Make CA_dir const char * to suppress compiler warning.

------------------------------------------------------------------------
r18329 | msalle | 2015-03-27 14:15:32 +0100 (Fri, 27 Mar 2015) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_log.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_proxy_certinfo.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Remove unused variable
Move sometimes unused macro to the right place
Fix invalid return of "" instead of strdup(""), since it will be freed.

------------------------------------------------------------------------
r18328 | msalle | 2015-03-27 13:07:55 +0100 (Fri, 27 Mar 2015) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Minor changes in the logging. Also, delay both expired and not-yet-valid errors
till later.

------------------------------------------------------------------------
r18322 | msalle | 2015-03-20 16:33:45 +0100 (Fri, 20 Mar 2015) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Only use proxy pathlen error code for newer (-; openssl versions.

------------------------------------------------------------------------
r18321 | msalle | 2015-03-20 16:21:23 +0100 (Fri, 20 Mar 2015) | 6 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

- Further fix logging of expected proxy:
  when all types of proxy are fine: "any type of ", when any language: "proxy of
  any language". This way we get e.g. 'any type of limited proxy' etc.
- update return values of grid_verifyChain() to be more instructive
- use istype() macro also in other places.

------------------------------------------------------------------------
r18320 | msalle | 2015-03-19 17:50:38 +0100 (Thu, 19 Mar 2015) | 23 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509_utils.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.h

- merge OLD_PROXYCERTINFO_OID with identical GLOBUS_PROXY_V3_OID, only use
  latter.
- Fully remove GLOBUS_PROXY_V2_OID
- Add support for Any Language policy language, 1.3.6.1.5.5.7.21.0
- Make much more use of flag structure: check type has limited flag instead of
  actual comparison for all types.
- New function get_proxy_lang() to get add proxy type from the proxy cert info
  extension: can use for both GT3 and RFC. This simplifies
  verify_type_of_proxy()
- fix mem leak when pc pathlen was exceeded (issuer dn)
- remove check for proxy CN for RFC and GT3 proxies, as that's already done
  elsewhere
- make grid_certificate_type_str() public in the form
  verify_certificate_type_str() and rework using macros to make it much cleaner.
- replace grid_generate_proxy_expectation_error_message() into
  grid_get_expected_proxy_string() which is also much cleaner, more complete (and
  perhaps faster).
- rename grid_verifyPathLenConstraints() into grid_verifyChain() to reflect the
  actual function
- implement 'caching' for grid_verifyChain, to return X509_V_OK directly if we
  previously returned that: no point in checking the entire chain multiple
  times.

------------------------------------------------------------------------
r18319 | msalle | 2015-03-18 17:54:52 +0100 (Wed, 18 Mar 2015) | 20 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509_utils.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_proxy_certinfo.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_proxy_certinfo.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

- Merge grid_verifyProxy() into grid_verifyPathLenConstraints()
- Fix bug with obtaining proxy pathlen for GT3: have to do by hand, not using
  cert->ex_pcpathlen. We implement a generic get_proxy_pathlength() function.
- Use GLOBUS_PROXY_V3_SN and GLOBUS_PROXY_V3_LN for defining the object
- sync the PROXYPOLICY and PROXYCERTINFO with openssl internal
- use the _new and _free function created using the DECLARE_ASN1_FUNCTIONS() and
  IMPLEMENT_ASN1_FUNCTIONS() macros
- simplify and cleanup verify_X509_verify()
- replace looping over extension and obtaining right ones by hand using
  X509_get_ext_d2i() instead of X509_get_ext(), X509_EXTENSION_get_object(),
  OBJ_obj2txt() etc. 
- Add comments to _verify_proxy_certinfo.c and use the
  IMPLEMENT_ASN1_FUNCTIONS() macros
- only call d2i_myPROXYCERTINFO_v3 for a GT3 proxy, not both with failover.
- fix off-by-one error in myproxycertinfo_i2s()
- Replace bogus cast function into 'log-error-message' function for
  myproxycertinfo_s2i()
- Don't check extension GLOBUS_PROXY_V2_OID, it's defined as RFC. There is no
  GT2 proxy oid.

------------------------------------------------------------------------
r18318 | msalle | 2015-03-16 17:17:52 +0100 (Mon, 16 Mar 2015) | 7 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509_utils.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_proxy_certinfo.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_proxy_certinfo.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Further memory cleanup:
- should call myPROXYCERTINFO_free() on proxy certinfo, hence make it public.
- should call X509_STORE_CTX_free() and X509_STORE_free() also in case of failure.
Use definitions of PROXYPOLICY and PROXYCERTINFO in verify_x509_datatypes.h
(latter extended with version field) for those in _verify_proxy_certinfo.c


------------------------------------------------------------------------
r18317 | msalle | 2015-03-16 14:47:38 +0100 (Mon, 16 Mar 2015) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/main.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509_utils.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_proxy_certinfo.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Fix few memory leaks.

------------------------------------------------------------------------
r18316 | msalle | 2015-03-16 13:27:37 +0100 (Mon, 16 Mar 2015) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_proxy_certinfo.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_proxy_certinfo.h

Add comments.

------------------------------------------------------------------------
r18315 | msalle | 2015-03-13 15:37:52 +0100 (Fri, 13 Mar 2015) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_proxy_certinfo.c

Some parameters should be const looking at the openSSL prototypes.

------------------------------------------------------------------------
r18314 | msalle | 2015-03-13 15:08:34 +0100 (Fri, 13 Mar 2015) | 7 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   D /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/Makefile
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/Makefile.standalone (from /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/Makefile:18305)
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/main.c
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_proxy_certinfo.c
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_proxy_certinfo.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Fix building of standalone-tool: it needs the GT3 proxy definition:
- copy and slightly adapt the GT3 and RFC proxy cert info definitions and add as
  two new files: _verify_proxy_certinfo.[ch]
- also build the binary tool grid-proxy-verify
Fix two minor compiler warnings.


------------------------------------------------------------------------
r18312 | msalle | 2015-03-12 22:23:23 +0100 (Thu, 12 Mar 2015) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Redefine proxy types in terms of basic proxy certinfo type (e.g. GT2, RFC) and
policy language type (e.g. IMPERSONATION, LIMITED).

------------------------------------------------------------------------
r18307 | msalle | 2015-03-12 16:09:31 +0100 (Thu, 12 Mar 2015) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac

Next version should be 1.5.7

------------------------------------------------------------------------
r18306 | msalle | 2015-03-12 15:34:25 +0100 (Thu, 12 Mar 2015) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac

Update NEWS file and version

------------------------------------------------------------------------
r18305 | msalle | 2015-03-12 15:26:25 +0100 (Thu, 12 Mar 2015) | 13 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509_utils.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Add support and better logging of non-impersonation proxies such as independent
and limited. The old code would wrongly categorize the less standard proxies due
to undefined NIDs. E.g. an unknown policy language (which is a 'restricted
proxy') would be categorized as limited. We now explicitly check that all used
NIDs for the known types are actually defined.
We currently handle independent and restricted proxies almost identically to the
'normal' ones concerning mixed chains: limited may only be followed by limited,
but can follow anything.
For simplicity we do the same for GT3 proxies as for RFC proxies, although it's
unclear whether independent and restricted proxies make any sense for GT3.
We use grid_certificate_type_str() for logging the type, i.e. code reuse.


------------------------------------------------------------------------
r18304 | msalle | 2015-03-11 12:25:35 +0100 (Wed, 11 Mar 2015) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Fix two typos

------------------------------------------------------------------------
r18302 | msalle | 2015-03-11 10:49:16 +0100 (Wed, 11 Mar 2015) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Remove code duplication for pathlength checks.
Also do pathlength checks for GT3 proxies.

------------------------------------------------------------------------
r18301 | msalle | 2015-03-11 10:18:02 +0100 (Wed, 11 Mar 2015) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Add error message in case of verification failure: log depth and DN of failed
certificate in separate error message.

------------------------------------------------------------------------
r18115 | msalle | 2014-12-03 17:56:17 +0100 (Wed, 03 Dec 2014) | 2 lines
Changed paths:
   M /trunk/glexec/LICENSE
   M /trunk/jobrepository/LICENSE
   M /trunk/lcas/LICENSE
   M /trunk/lcas-plugins-basic/LICENSE
   M /trunk/lcas-plugins-check-executable/LICENSE
   M /trunk/lcas-plugins-voms/LICENSE
   M /trunk/lcmaps-plugins-afs/LICENSE
   M /trunk/lcmaps-plugins-basic/LICENSE
   M /trunk/lcmaps-plugins-tracking-groupid/LICENSE
   M /trunk/lcmaps-plugins-verify-proxy/LICENSE
   M /trunk/lcmaps-plugins-voms/LICENSE
   M /trunk/scas/LICENSE

Change to pure Apache 2.0 license

------------------------------------------------------------------------
r17948 | dennisvd | 2014-08-07 18:31:05 +0200 (Thu, 07 Aug 2014) | 2 lines
Changed paths:
   M /trunk/glexec/LICENSE
   M /trunk/jobrepository/LICENSE
   M /trunk/lcas/LICENSE
   M /trunk/lcas-plugins-basic/LICENSE
   M /trunk/lcas-plugins-check-executable/LICENSE
   M /trunk/lcas-plugins-voms/LICENSE
   M /trunk/lcmaps-plugins-afs/LICENSE
   M /trunk/lcmaps-plugins-basic/LICENSE
   M /trunk/lcmaps-plugins-c-pep/LICENSE
   M /trunk/lcmaps-plugins-gums/LICENSE
   M /trunk/lcmaps-plugins-jobrep/LICENSE
   M /trunk/lcmaps-plugins-lcas/LICENSE
   M /trunk/lcmaps-plugins-scas-client/LICENSE
   M /trunk/lcmaps-plugins-tracking-groupid/LICENSE
   M /trunk/lcmaps-plugins-verify-proxy/LICENSE
   M /trunk/lcmaps-plugins-voms/LICENSE
   M /trunk/scas/LICENSE

Replaced license text with the Apache License 2.0

------------------------------------------------------------------------
r17852 | msalle | 2014-07-08 20:34:10 +0200 (Tue, 08 Jul 2014) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/lcmaps_proxylifetime.c

Fix missing )

------------------------------------------------------------------------
r17851 | msalle | 2014-07-08 19:23:48 +0200 (Tue, 08 Jul 2014) | 3 lines
Changed paths:
   M /trunk/ees/src/main/main.c
   M /trunk/glexec/src/main_util.c
   M /trunk/lcas-lcmaps-gt4-interface/src/llgt_utils.c
   M /trunk/lcmaps/src/pluginmanager/lcmaps_log.c
   M /trunk/lcmaps-plugins-afs/src/afs/lcmaps_afs.c
   M /trunk/lcmaps-plugins-basic/src/ban_dn/lcmaps_ban_dn.c
   M /trunk/lcmaps-plugins-basic/src/dummy/lcmaps_dummy_bad.c
   M /trunk/lcmaps-plugins-basic/src/dummy/lcmaps_dummy_good.c
   M /trunk/lcmaps-plugins-basic/src/gridlist/lcmaps_gridlist.c
   M /trunk/lcmaps-plugins-basic/src/ldap_enf/lcmaps_ldap.c
   M /trunk/lcmaps-plugins-basic/src/localaccount/lcmaps_localaccount.c
   M /trunk/lcmaps-plugins-basic/src/poolaccount/lcmaps_poolaccount.c
   M /trunk/lcmaps-plugins-basic/src/posix_enf/lcmaps_posix.c
   M /trunk/lcmaps-plugins-c-pep/src/c-pep/lcmaps_c_pep.c
   M /trunk/lcmaps-plugins-c-pep/src/c-pep/pep-c-obligation-handlers.c
   M /trunk/lcmaps-plugins-c-pep/src/c-pep/pep-c-obligation-handlers_helpers.c
   M /trunk/lcmaps-plugins-jobrep/src/api/jobrep_odbc_api.c
   M /trunk/lcmaps-plugins-jobrep/src/jobrep/jobrep_data_handling.c
   M /trunk/lcmaps-plugins-jobrep/src/jobrep/lcmaps_jobrep.c
   M /trunk/lcmaps-plugins-tracking-groupid/src/tracking_groupid/lcmaps_tracking_groupid.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/lcmaps_proxylifetime.c
   M /trunk/lcmaps-plugins-voms/src/gridlist/lcmaps_gridlist.c
   M /trunk/lcmaps-plugins-voms/src/voms/lcmaps_ban_fqan.c
   M /trunk/lcmaps-plugins-voms/src/voms/lcmaps_voms.c
   M /trunk/lcmaps-plugins-voms/src/voms/lcmaps_voms_localaccount.c
   M /trunk/lcmaps-plugins-voms/src/voms/lcmaps_voms_localgroup.c
   M /trunk/lcmaps-plugins-voms/src/voms/lcmaps_voms_poolaccount.c
   M /trunk/lcmaps-plugins-voms/src/voms/lcmaps_voms_poolgroup.c
   M /trunk/scas/src/scas-server/logging/scas_log.c
   M /trunk/scas/src/scas-server/main.c

Fix compiler warnings resulting from casts, format etc.


------------------------------------------------------------------------
r17841 | msalle | 2014-07-07 21:41:18 +0200 (Mon, 07 Jul 2014) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Fix format problems

------------------------------------------------------------------------
r17834 | msalle | 2014-07-07 17:53:13 +0200 (Mon, 07 Jul 2014) | 2 lines
Changed paths:
   M /trunk/glexec/src/glexec_environ.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_log.h
   M /trunk/scas/src/scas-server/logging/scas_log.h

Add format attribute to log-type functions

------------------------------------------------------------------------
r17739 | msalle | 2014-04-11 16:32:51 +0200 (Fri, 11 Apr 2014) | 8 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_log.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

For the EEC as determined in the grid_verifyPathLenConstraints() function, also
print the CA hash, the serial number, the dNSName and rfc822name Subject
Alternative Names, and the certificate policy OIDs.
Simplify the code for the grid_get_serialStr() using the ASN1_INTEGER_to_BN()
and BN_bn2hex() calls.
Do not write Info: etc. in front of the messages in case we're logging via
LCMAPS, use the __func__ prefix instead.

------------------------------------------------------------------------
r17729 | msalle | 2014-04-09 16:14:36 +0200 (Wed, 09 Apr 2014) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac

Update version and NEWS file

------------------------------------------------------------------------
r17728 | msalle | 2014-04-09 16:08:07 +0200 (Wed, 09 Apr 2014) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/main.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Improve logging to be more concise and at the same time informative both on INFO
and DEBUG level.

------------------------------------------------------------------------
r17718 | msalle | 2014-04-02 09:16:19 +0200 (Wed, 02 Apr 2014) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/main.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c

Only print ERR_{reason,func,lib}_error_string() when reason is non-zero.
Otherwise print ERR_error_string().

------------------------------------------------------------------------
r17624 | msalle | 2014-03-10 15:39:13 +0100 (Mon, 10 Mar 2014) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-basic/configure.ac
   M /trunk/lcmaps-plugins-jobrep/configure.ac
   M /trunk/lcmaps-plugins-lcas/configure.ac
   M /trunk/lcmaps-plugins-scas-client/configure.ac
   M /trunk/lcmaps-plugins-tracking-groupid/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-voms/configure.ac

Fix typo in reverting the CPPFLAGS

------------------------------------------------------------------------
r17611 | msalle | 2014-03-06 11:38:59 +0100 (Thu, 06 Mar 2014) | 4 lines
Changed paths:
   A /trunk/lcmaps-plugins-basic/BUGS
   M /trunk/lcmaps-plugins-basic/Makefile.am
   M /trunk/lcmaps-plugins-c-pep/BUGS
   M /trunk/lcmaps-plugins-jobrep/BUGS
   M /trunk/lcmaps-plugins-jobrep/Makefile.am
   M /trunk/lcmaps-plugins-lcas/Makefile.am
   A /trunk/lcmaps-plugins-tracking-groupid/BUGS
   M /trunk/lcmaps-plugins-tracking-groupid/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/Makefile.am

Add empty BUGS files for lcmaps-plugins-basic and
lcmaps-plugins-tracking-groupid with basic bug filing information.
Make sure BUGS file is packaged and distributed.

------------------------------------------------------------------------
r17567 | msalle | 2014-02-28 13:37:07 +0100 (Fri, 28 Feb 2014) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/ChangeLog

Update ChangeLog

------------------------------------------------------------------------
r17566 | msalle | 2014-02-28 13:36:44 +0100 (Fri, 28 Feb 2014) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS

Update NEWS file

------------------------------------------------------------------------
r17552 | msalle | 2014-02-27 17:41:02 +0100 (Thu, 27 Feb 2014) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-scas-client/src/saml2-xacml2/io_handler/ssl/ssl-common.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   M /trunk/scas/src/saml2-xacml2/io_handler/ssl/ssl-common.c

i2c_ASN1_INTEGER needs a char** and will update it, proper way is via a temp

------------------------------------------------------------------------
r17551 | msalle | 2014-02-27 17:31:58 +0100 (Thu, 27 Feb 2014) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-scas-client/src/saml2-xacml2/io_handler/ssl/ssl-common.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   M /trunk/scas/NEWS
   M /trunk/scas/src/saml2-xacml2/io_handler/ssl/ssl-common.c

Bug fix for lcmaps-plugins-verify-proxy: declared the wrong variable static
(pointer to buffer instead of buffer itself).
Syncing with scas-client and SCAS


------------------------------------------------------------------------
r17536 | msalle | 2014-02-27 11:12:15 +0100 (Thu, 27 Feb 2014) | 2 lines
Changed paths:
   M /trunk/lcmaps/src/evaluationmanager/pdl.h
   M /trunk/lcmaps/src/evaluationmanager/pdl_main.c
   M /trunk/lcmaps/src/evaluationmanager/pdl_policy.c
   M /trunk/lcmaps/src/evaluationmanager/pdl_rule.h
   M /trunk/lcmaps/src/pluginmanager/lcmaps_utils.c
   M /trunk/lcmaps-plugins-afs/src/afs/lcmaps_afs.c
   M /trunk/lcmaps-plugins-basic/src/gridlist/lcmaps_gridlist.c
   M /trunk/lcmaps-plugins-basic/src/ldap_enf/lcmaps_ldap.c
   M /trunk/lcmaps-plugins-basic/src/localaccount/lcmaps_localaccount.c
   M /trunk/lcmaps-plugins-basic/src/poolaccount/lcmaps_poolaccount.c
   M /trunk/lcmaps-plugins-c-pep/src/c-pep/pep-c-interact.c
   M /trunk/lcmaps-plugins-c-pep/src/c-pep/pep-c-obligation-handlers.c
   M /trunk/lcmaps-plugins-c-pep/src/c-pep/pep-c-obligation-handlers_helpers.c
   M /trunk/lcmaps-plugins-jobrep/src/api/jobrep_odbc_api.c
   M /trunk/lcmaps-plugins-scas-client/src/saml2-xacml2/io_handler/ssl/ssl-common.c
   M /trunk/lcmaps-plugins-scas-client/src/saml2-xacml2/io_handler/xacml_io_ssl.c
   M /trunk/lcmaps-plugins-scas-client/src/scas-client/lcmaps_scas_client.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/lcmaps_proxylifetime.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509_utils.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   M /trunk/lcmaps-plugins-voms/src/gridlist/lcmaps_gridlist.c
   M /trunk/lcmaps-plugins-voms/src/voms/lcmaps_voms.c
   M /trunk/lcmaps-plugins-voms/src/voms/lcmaps_voms_localaccount.c
   M /trunk/lcmaps-plugins-voms/src/voms/lcmaps_voms_localgroup.c
   M /trunk/scas/src/saml2-xacml2/io_handler/ssl/ssl-common.c
   M /trunk/scas/src/saml2-xacml2/io_handler/xacml_io_ssl.c
   M /trunk/scas/src/saml2-xacml2/server/pdp_xacml_authz_process.c
   M /trunk/scas/src/saml2-xacml2/server/pdp_xacml_lcas_lcmaps.c
   M /trunk/scas/src/scas-server/logging/scas_log.c
   M /trunk/scas/src/scas-server/main.c

Fix GNU/pedantic compiler warnings

------------------------------------------------------------------------
r17529 | msalle | 2014-02-26 16:01:45 +0100 (Wed, 26 Feb 2014) | 7 lines
Changed paths:
   M /trunk/glexec/src/glexec_ipc.c
   M /trunk/lcmaps/src/evaluationmanager/pdl_rule.c
   M /trunk/lcmaps/src/grid_credential_handling/gsi_handling/lcmaps_voms_attributes.c
   M /trunk/lcmaps/src/grid_credential_handling/lcmaps_credential.c
   M /trunk/lcmaps/src/grid_credential_handling/x509_handling/lcmaps_x509_utils.c
   M /trunk/lcmaps/src/lcmaps.c
   M /trunk/lcmaps/src/lcmaps_gss_assist_gridmap.c
   M /trunk/lcmaps/src/lcmaps_return_account_from_pem.c
   M /trunk/lcmaps/src/lcmaps_return_poolindex.c
   M /trunk/lcmaps/src/pluginmanager/lcmaps_db_read.c
   M /trunk/lcmaps/src/pluginmanager/lcmaps_pluginmanager.c
   M /trunk/lcmaps-plugins-basic/src/gridlist/lcmaps_gridlist.c
   M /trunk/lcmaps-plugins-basic/src/posix_enf/lcmaps_posix.c
   M /trunk/lcmaps-plugins-c-pep/src/c-pep/lcmaps_c_pep.c
   M /trunk/lcmaps-plugins-scas-client/interface/pep_obligation_handlers.h
   M /trunk/lcmaps-plugins-scas-client/src/saml2-xacml2/client/pep_obligation_handlers.c
   M /trunk/lcmaps-plugins-scas-client/src/saml2-xacml2/io_handler/network/net_common.c
   M /trunk/lcmaps-plugins-scas-client/src/scas-client/lcmaps_scas_client.c
   M /trunk/lcmaps-plugins-tracking-groupid/src/tracking_groupid/lcmaps_tracking_groupid.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   M /trunk/lcmaps-plugins-voms/src/gridlist/lcmaps_gridlist.c
   M /trunk/lcmaps-plugins-voms/src/voms/lcmaps_voms_localaccount.c
   M /trunk/scas/src/saml2-xacml2/io_handler/network/net_common.c
   M /trunk/scas/src/saml2-xacml2/io_handler/ssl/ssl-common.c
   M /trunk/scas/src/saml2-xacml2/io_handler/xacml_io_ssl.c

Fix numerous small warnings:
- break; after a return; is unreachable
- unused macros
Change back signature of the scas obligation handlers to be compatible with the
type in the XACML library.
Sync SCAS with lcmaps-plugins-scas-client

------------------------------------------------------------------------
r17526 | msalle | 2014-02-26 14:36:18 +0100 (Wed, 26 Feb 2014) | 9 lines
Changed paths:
   M /trunk/lcmaps-plugins-afs/src/afs/lcmaps_afs.c
   M /trunk/lcmaps-plugins-scas-client/interface/pep_obligation_handlers.h
   M /trunk/lcmaps-plugins-scas-client/src/saml2-xacml2/client/pep_obligation_handlers.c
   M /trunk/lcmaps-plugins-scas-client/src/saml2-xacml2/io_handler/ssl/ssl-common.c
   M /trunk/lcmaps-plugins-scas-client/src/scas-client/lcmaps_scas_client.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.h

Fix parsing of cmdline args in lcmaps_afs
Fix use of proxy_type_t (when |-ing them they go outside the enum) in
lcmaps-plugins-verify-proxy
Fix use of global variable in lcmaps-plugins-scas-client
Fix (hopefully) casting of char** to const char**: define them
(const char*) const x[] in function and cast the char** explicitly to
a (const char)**


------------------------------------------------------------------------
r17521 | msalle | 2014-02-26 12:24:08 +0100 (Wed, 26 Feb 2014) | 38 lines
Changed paths:
   M /trunk/cgul/environ/environ.c
   M /trunk/cgul/fileutil/fileutil.c
   M /trunk/lcmaps-plugins-afs/src/afs/lcmaps_afs.c
   M /trunk/lcmaps-plugins-c-pep/src/c-pep/lcmaps_c_pep.c
   M /trunk/lcmaps-plugins-c-pep/src/c-pep/pep-c-interact.c
   M /trunk/lcmaps-plugins-c-pep/src/c-pep/pep-c-interact.h
   M /trunk/lcmaps-plugins-c-pep/src/c-pep/pep-c-obligation-handlers.c
   M /trunk/lcmaps-plugins-jobrep/src/api/jobrep_odbc_api.c
   M /trunk/lcmaps-plugins-jobrep/src/jobrep/jobrep_data_handling.c
   M /trunk/lcmaps-plugins-scas-client/interface/pep_obligation_handlers.h
   M /trunk/lcmaps-plugins-scas-client/src/saml2-xacml2/client/pep_obligation_handlers.c
   M /trunk/lcmaps-plugins-scas-client/src/saml2-xacml2/io_handler/network/net_common.c
   M /trunk/lcmaps-plugins-scas-client/src/saml2-xacml2/io_handler/ssl/ssl-common.c
   M /trunk/lcmaps-plugins-scas-client/src/scas-client/lcmaps_scas_client.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.h
   M /trunk/lcmaps-plugins-voms/src/voms/lcmaps_voms_localaccount.c
   M /trunk/lcmaps-plugins-voms/src/voms/lcmaps_voms_poolaccount.c

Fix clang compiler warnings, in particular uninitialized variables and char*
const char* inconsistencies:
cgul:
- fix harmless uninitialized vars warnings: we checked with a flag in any case

all plugins:
- char * -> const char * for functions where possible and for char* used only as
  literals.

c-pep:
- treat pep_error_t properly
- use a strdup for the oh.id since we cannot guarantee they are constant
  pepc_initialize() returns number of oh-s so that we can properly clean all
  of them.
  pepc_initialize() also makes sure that oh is properly initialized and that the
  right variable is free-ed (it should have been *oh in the old version, not oh
  itself).
- do not log that addCredentialData() failed as we don't call it.

jobrep:
- define a variable emptyname instead of using the string literal. Note that
  getgrname also reuses the same buffer...

scas-client:
- getnameinfo() is wrongly described in (my) Linux manpage to use a size_t
  hostlen which not only in POSIX is nowadays a socklen_t nodelen, but also in
  the actual Linux header file /usr/include/netdb.h, at least since
  glibc-2.1.91.
- define variable name in order to call X509_PURPOSE_get_by_sname() with a
  char*. The OpenSSL implementation (anything since its introduction in OpenSSL
  0.9.5) only uses it in a strcmp so it could have been a const char *, but we
  don't rely on the implementation.

verify-proxy:
- treat verify_x509_error_t properly
- remove useless statement nfqan = nfqan


------------------------------------------------------------------------
r17517 | msalle | 2014-02-25 16:58:59 +0100 (Tue, 25 Feb 2014) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-afs/src/afs/lcmaps_afs.c
   M /trunk/lcmaps-plugins-basic/src/ban_dn/lcmaps_ban_dn.c
   M /trunk/lcmaps-plugins-basic/src/localaccount/lcmaps_localaccount.c
   M /trunk/lcmaps-plugins-c-pep/src/c-pep/lcmaps_c_pep.c
   M /trunk/lcmaps-plugins-jobrep/src/jobrep/lcmaps_jobrep.c
   M /trunk/lcmaps-plugins-lcas/src/lcas/lcmaps_lcas.c
   M /trunk/lcmaps-plugins-scas-client/src/saml2-xacml2/client/pep_obligation_handlers.c
   M /trunk/lcmaps-plugins-scas-client/src/scas-client/lcmaps_scas_client.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-voms/src/voms/lcmaps_ban_fqan.c
   M /trunk/lcmaps-plugins-voms/src/voms/lcmaps_voms_localaccount.c
   M /trunk/lcmaps-plugins-voms/src/voms/lcmaps_voms_localgroup.c
   M /trunk/lcmaps-plugins-voms/src/voms/lcmaps_voms_poolaccount.c
   M /trunk/lcmaps-plugins-voms/src/voms/lcmaps_voms_poolgroup.c

Fix remaining logstr.

------------------------------------------------------------------------
r17514 | msalle | 2014-02-25 16:38:20 +0100 (Tue, 25 Feb 2014) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-c-pep/src/c-pep/lcmaps_c_pep.c
   M /trunk/lcmaps-plugins-c-pep/src/c-pep/pep-c-interact.c
   M /trunk/lcmaps-plugins-lcas/src/lcas/lcmaps_lcas.c
   M /trunk/lcmaps-plugins-scas-client/src/saml2-xacml2/client/pep_obligation_handlers.c
   M /trunk/lcmaps-plugins-scas-client/src/scas-client/lcmaps_scas_client.c
   M /trunk/lcmaps-plugins-tracking-groupid/src/tracking_groupid/lcmaps_tracking_groupid.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/scas/src/saml2-xacml2/server/pdp_xacml_authz_process.c
   M /trunk/scas/src/saml2-xacml2/server/pdp_xacml_lcas_lcmaps.c
   M /trunk/scas/src/scas-server/main.c

String constant logstr should be declared const char *

------------------------------------------------------------------------
r17497 | msalle | 2014-02-24 22:28:52 +0100 (Mon, 24 Feb 2014) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Make proxy-cert pathlen checks dependent on OpenSSL version: they don't exist
pre-0.9.8

------------------------------------------------------------------------
r17480 | msalle | 2014-02-21 15:04:47 +0100 (Fri, 21 Feb 2014) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-scas-client/NEWS
   M /trunk/lcmaps-plugins-scas-client/doc/man/lcmaps_plugins_scas_client.8.src
   M /trunk/lcmaps-plugins-scas-client/src/scas-client/lcmaps_scas_client.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Add support for X509_CERT_DIR into lcmaps-plugins-scas-client: it used to
fall back directly to /etc/grid-security/certificates, now - when no -capath is
given - look first at X509_CERT_DIR. Update manpage and NEWS file.

------------------------------------------------------------------------
r17479 | msalle | 2014-02-21 14:52:41 +0100 (Fri, 21 Feb 2014) | 7 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/doc/lcmaps_verify_proxy.mod.8
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Add better support for (default) CA certificate directory: can now also specify
-capath (or --capath). When unset as commandline arg, look at $X509_CERT_DIR
(e.g. from gLExec and/or LCMAPS) or ultimately at
/etc/grid-security/certificates.
Updating version, NEWS file and manpage


------------------------------------------------------------------------
r17405 | msalle | 2014-02-11 10:32:14 +0100 (Tue, 11 Feb 2014) | 3 lines
Changed paths:
   M /trunk/ees/bootstrap
   M /trunk/glexec/bootstrap
   M /trunk/lcas/bootstrap
   M /trunk/lcas-lcmaps-gt4-interface/bootstrap
   M /trunk/lcas-plugins-basic/bootstrap
   M /trunk/lcas-plugins-check-executable/bootstrap
   M /trunk/lcas-plugins-voms/bootstrap
   M /trunk/lcmaps/bootstrap
   M /trunk/lcmaps-plugins-afs/bootstrap
   M /trunk/lcmaps-plugins-basic/bootstrap
   M /trunk/lcmaps-plugins-c-pep/bootstrap
   M /trunk/lcmaps-plugins-jobrep/bootstrap
   M /trunk/lcmaps-plugins-lcas/bootstrap
   M /trunk/lcmaps-plugins-scas-client/bootstrap
   M /trunk/lcmaps-plugins-tracking-groupid/bootstrap
   M /trunk/lcmaps-plugins-verify-proxy/bootstrap
   M /trunk/lcmaps-plugins-voms/bootstrap
   M /trunk/scas/bootstrap

Add --force to autoheader: we do not provide our own headerfile template, so we
want to get that from autoheader.

------------------------------------------------------------------------
r17403 | msalle | 2014-02-10 11:56:07 +0100 (Mon, 10 Feb 2014) | 2 lines
Changed paths:
   M /trunk/ees/bootstrap
   M /trunk/glexec/bootstrap
   M /trunk/lcas/bootstrap
   M /trunk/lcas-lcmaps-gt4-interface/bootstrap
   M /trunk/lcas-plugins-basic/bootstrap
   M /trunk/lcas-plugins-check-executable/bootstrap
   M /trunk/lcas-plugins-voms/bootstrap
   M /trunk/lcmaps/bootstrap
   M /trunk/lcmaps-plugins-afs/bootstrap
   M /trunk/lcmaps-plugins-basic/bootstrap
   M /trunk/lcmaps-plugins-c-pep/bootstrap
   M /trunk/lcmaps-plugins-jobrep/bootstrap
   M /trunk/lcmaps-plugins-lcas/bootstrap
   M /trunk/lcmaps-plugins-scas-client/bootstrap
   M /trunk/lcmaps-plugins-tracking-groupid/bootstrap
   M /trunk/lcmaps-plugins-verify-proxy/bootstrap
   M /trunk/lcmaps-plugins-voms/bootstrap
   M /trunk/saml2-xacml2-c-lib/xacml/bootstrap
   M /trunk/scas/bootstrap

Update bootstrap scripts: should run libtoolize before aclocal

------------------------------------------------------------------------
r17356 | msalle | 2014-02-06 17:11:01 +0100 (Thu, 06 Feb 2014) | 2 lines
Changed paths:
   M /trunk/glexec/ChangeLog
   M /trunk/lcmaps/ChangeLog
   M /trunk/lcmaps-plugins-afs/ChangeLog
   M /trunk/lcmaps-plugins-basic/ChangeLog
   M /trunk/lcmaps-plugins-c-pep/ChangeLog
   M /trunk/lcmaps-plugins-jobrep/ChangeLog
   M /trunk/lcmaps-plugins-lcas/ChangeLog
   M /trunk/lcmaps-plugins-scas-client/ChangeLog
   M /trunk/lcmaps-plugins-tracking-groupid/ChangeLog
   M /trunk/lcmaps-plugins-verify-proxy/ChangeLog
   M /trunk/lcmaps-plugins-voms/ChangeLog
   M /trunk/scas/ChangeLog

Update ChangeLog files. We are (hopefully) ready to release.

------------------------------------------------------------------------
r17294 | msalle | 2014-01-16 16:19:34 +0100 (Thu, 16 Jan 2014) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS

Fix typo: LOG_NOTICE should have been LOG_DEBUG

------------------------------------------------------------------------
r17293 | msalle | 2014-01-16 10:47:59 +0100 (Thu, 16 Jan 2014) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS

Update NEWS file

------------------------------------------------------------------------
r17292 | msalle | 2014-01-16 10:47:01 +0100 (Thu, 16 Jan 2014) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_log.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Log info messages from verify lib to LOG_INFO instead of LOG_DEBUG.
Log reason (on LOG_INFO) for ignored verification errors such as missing CRL.

------------------------------------------------------------------------
r17274 | msalle | 2014-01-07 15:53:34 +0100 (Tue, 07 Jan 2014) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Add missing pkey definition.

------------------------------------------------------------------------
r17273 | msalle | 2014-01-07 15:50:46 +0100 (Tue, 07 Jan 2014) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Update with latest from Jan Just's grid-proxy-verify.c, warning when keylength
is less than 1024 bits.

------------------------------------------------------------------------
r17267 | msalle | 2013-12-20 13:45:34 +0100 (Fri, 20 Dec 2013) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Bugfix: when we run alternative RFC5280 and RFC3820 compliance tests for the
pathlen (i.e. when an X509_V_ERR_PATH_LENGTH_EXCEEDED or
X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED has occurred), and the alternative test
succeeds, we need to set ok to 1.

------------------------------------------------------------------------
r17263 | msalle | 2013-12-19 14:09:14 +0100 (Thu, 19 Dec 2013) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Add comment to clarify

------------------------------------------------------------------------
r17235 | msalle | 2013-12-11 14:57:22 +0100 (Wed, 11 Dec 2013) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509_utils.c

Move variable declaration to top (needed for the const int)

------------------------------------------------------------------------
r17230 | msalle | 2013-12-11 12:42:12 +0100 (Wed, 11 Dec 2013) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/lcmaps_proxylifetime.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509_utils.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_log.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Cast numerical constants to right type

------------------------------------------------------------------------
r17228 | msalle | 2013-12-11 11:19:16 +0100 (Wed, 11 Dec 2013) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-afs/configure.ac
   M /trunk/lcmaps-plugins-basic/configure.ac
   M /trunk/lcmaps-plugins-c-pep/configure.ac
   M /trunk/lcmaps-plugins-jobrep/configure.ac
   M /trunk/lcmaps-plugins-scas-client/configure.ac
   M /trunk/lcmaps-plugins-tracking-groupid/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-voms/configure.ac

Update configure.ac to use the just determined LCMAPS_CFLAGS for checking for
lcmaps_plugin_prototypes.h

------------------------------------------------------------------------
r17224 | msalle | 2013-12-10 17:39:25 +0100 (Tue, 10 Dec 2013) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509_utils.c

Replace index name by myindex to prevent shadowing global.

------------------------------------------------------------------------
r17184 | msalle | 2013-11-29 11:13:23 +0100 (Fri, 29 Nov 2013) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS

Update NEWS file

------------------------------------------------------------------------
r17179 | msalle | 2013-11-28 16:17:32 +0100 (Thu, 28 Nov 2013) | 110 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   D /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/grid-proxy-verify.c
   D /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/grid-proxy-verify.h
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_plugin_prototypes.h (from /trunk/lcmaps-plugins-voms/src/voms/lcmaps_plugin_prototypes.h:17163)
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/lcmaps_proxylifetime.c (from /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.c:17163)
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/lcmaps_proxylifetime.h (from /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.h:17163)
   D /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.c
   D /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/Makefile
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/main.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509_utils.c (from /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/verify_x509_utils.c:17163)
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_log.c (from /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.c:17163)
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_log.h (from /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.h:17163)
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.h
   D /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.c
   D /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.h
   D /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/verify_x509_utils.c
   A /trunk/lcmaps-plugins-verify-proxy/util
   A /trunk/lcmaps-plugins-verify-proxy/util/grid-proxy-verify.c (from /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/grid-proxy-verify.c:17163)
   A /trunk/lcmaps-plugins-verify-proxy/util/grid-proxy-verify.h (from /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/grid-proxy-verify.h:17163)

General cleanup of the code, few minor bugfixes, cleanup of compiler warnings.

- move grid-proxy-verify.? out of src tree into new util/ dir
- add support for lcmaps_plugin_prototypes.h when available, or use local one
  otherwise
- rename verify-lib/src_internal/log.? into _verify_log.?
- move src_internal/verify_x509_utils.c to src/
- many more comments in code
- cleanup configure.ac:
    * remove unused or obsolete tests
    * add test for lcmaps plugin prototypes
    * enable ENABLE_LCMAPS_LOGGING here instead of always and in the .c file
    * update version to 1.5.5
- cleanup src/verify-proxy/Makefile.am:
    * should not link to libssl and libcrypto already comes from the test in
      configure.ac
    * move some from the EXTRA_DIST to _SOURCES as they are actually used
- src/verify-proxy/lcmaps_verify_proxy.c
    * remove plugin prototypes (moved to header file)
    * update list of #include files
    * move #define to top here since it's only used here
    * atoi -> strtol
    * remove restriction to set at most 9 TTL levels
    * update logging of TTLs
    * fix logging of TTL at wrong place (before it's determined).
    * treat the error/reason codes consistently (see ERR_get_error() and
      friends), see also in other files.
    * flush and log OpenSSL error queue at the end (in case of failure)
    * move static function to end
- src/verify-proxy/proxylifetime/lcmaps_proxylifetime.c and
  src/verify-proxy/proxylifetime/lcmaps_proxylifetime.h
    * renamed from proxylifetime.?
    * functions are properly prefixed with lcmaps_lifetime_
    * update list of headers
    * bugfix: definition of timeIsInBetween: it returned either 1 or 2, changed
      into 1 or 0, so that the test if (time...) actually works
    * check (more) return values for errors, including from malloc/calloc.
    * generally clean up code
- src/verify-proxy/verify-lib/Makefile
    * remove ansi and pedantic flags, replace with Wextra and Wconversion
- src/verify-proxy/verify-lib/main.c
    * cleanup #include headers
    * handle difference between reasons and err-s.
    * dump error queue at end
    * return 1 on param failure, 2 on verification failure
- src/verify-proxy/verify-lib/src_internal/_verify_log.c
  src/verify-proxy/verify-lib/src_internal/_verify_log.h
    * renamed from log.?
    * cleanup #include
    * rename function to start with verify_
    * only define log_level related code in non-LCMAPS
    * include lcmaps header when in LCMAPS mode
    * move VERIFY_LOG_BUFFER_SIZE #define to .c file.
    * define log_level as static
    * bugfix: code did not compile in non-LCMAPS mode due to extra bogus
      vsprintf
    * properly check return value of vsnprintf
- src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
    * cleanup list of #include
    * remove (uninteresting) unused #define
    * change VERIFY_X509_* #defines into enum verify_x509_option_t
    * change ERR_VERIFY_X509_PARAMS_* #defines into part of enum
      verify_x509_error_t with renaming into VER_R_X509_PARAMS_ (they are
      'reasons')
    * Add new reasons to verify_x509_error_t
    * change some types, e.g. short-s cannot be passed into a ... (va_arg) and
      will become int in any case
    * reorder #define for clarity
- src/verify-proxy/verify-lib/interface/verify_x509.h
  src/verify-proxy/verify-lib/src/verify_x509.c
  src/verify-proxy/verify-lib/src/verify_x509_utils.c
    * verify_x509_utils.c is moved from src_internal to src, since it contains
      public functions.
    * public prototypes for both .c are in same verify_x509.h (utils are moved
      from _verify_x509.h)
    * rename lcmaps_type_of_proxy() into verify_type_of_proxy()
    * different versions of asn1TimeToTimeT() are merged into
      verify_asn1TimeToTimeT() in _utils.c
    * cleanup list of #include
    * properly treat OpenSSL reasons and errors (int and long unsigned) and
      implement our own extensions via ERR_load_strings etc.:
	- errors are pushed onto the error stack and printed at the end of the
	  run.
	- verify_X509_init calls verify_init_library()
	- verify_X509_setParameter() returns verify_x509_error_t, not an int
	- verify_X509_verify() returns ERR_peek_error() or likewise from our
	  library
	- process_internal_verify_data returns ERR_peek_error() or likewise from
	  our library
    * process_internal_verify_data becomes static
- src/verify-proxy/verify-lib/src_internal/_verify_x509.h
    * add verify_func_t enum with function constants, used by the error
      handling.
    * add macros VERIFY_errval() and VERIFY_reasonval() which push the error on
      the stack and return the (long unsigned) error or (int) reason.
    * cleanup list of #include
    * only declare functions that are used outside _verify_x509.c
- src/verify-proxy/verify-lib/src_internal/_verify_x509.c
    * many functions become static as they are only used internally
    * new functions verify_errval() and verify_reasonval() which are called by
      the new macros VERIFY_errval() and VERIFY_reasonval() (see above) and call
      ERR_put_error().
    * new function verify_init_library which initializes our library extensions
      and loads the corresponding error and function strings.
    * public (non-static) function start with verify_, static with grid_
    * consistently and correctly treat the return values of all the functions,
      do not mix int and long unsigned.
    * remove dead functions and code


------------------------------------------------------------------------
r17163 | msalle | 2013-11-15 14:19:46 +0100 (Fri, 15 Nov 2013) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.h

Fix some implicit casts and a missing prototype

------------------------------------------------------------------------
r16767 | msalle | 2012-11-08 15:54:59 +0100 (Thu, 08 Nov 2012) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/Makefile.am

Adding BUGS to doc_data and hence distribute and install it as doc

------------------------------------------------------------------------
r16738 | dennisvd | 2012-11-01 12:08:58 +0100 (Thu, 01 Nov 2012) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.c

fixed typo: Succesfully -> Successfully (3x) (Thanks to lintian)

------------------------------------------------------------------------
r16737 | dennisvd | 2012-11-01 12:07:35 +0100 (Thu, 01 Nov 2012) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c

fixed typo: explict -> explicit (Thanks to lintian)

------------------------------------------------------------------------
r16707 | okoeroo | 2012-10-31 01:04:23 +0100 (Wed, 31 Oct 2012) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/ChangeLog

ChangeLog file update
------------------------------------------------------------------------
r16706 | okoeroo | 2012-10-31 01:02:10 +0100 (Wed, 31 Oct 2012) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/doc/lcmaps_verify_proxy.mod.8

Additions to the man page
------------------------------------------------------------------------
r16705 | okoeroo | 2012-10-31 00:57:43 +0100 (Wed, 31 Oct 2012) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/doc/lcmaps_verify_proxy.mod.8

Updated the man page
------------------------------------------------------------------------
r16704 | okoeroo | 2012-10-30 16:22:55 +0100 (Tue, 30 Oct 2012) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/BUGS
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Fixed a bug in the proxy sanity checking and enabled USE_STRICT_PATH_VALIDATION.
------------------------------------------------------------------------
r16657 | okoeroo | 2012-10-26 17:18:20 +0200 (Fri, 26 Oct 2012) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.h

Cleaned up code segments, removed debug code, added function prototypes, debugged and fixed the Limited proxy restriction and added GT3 Limited proxy to the test list. Removed a lot of duplicate code where the certificate chain expectations are tested and error reported. This is now a lot more readable and the error output doesn't mix the chain validation code.
------------------------------------------------------------------------
r16646 | okoeroo | 2012-10-26 15:42:32 +0200 (Fri, 26 Oct 2012) | 10 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/BUGS
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/verify_x509_utils.c

Version 1.5.4
-------------
-   Added the option --disallow-limited-proxy on request by Igor Sfiligoi to be
    able to disallow limited proxies.
-   Added full support for RFC and GT3 proxies. Properly detecting the proxy
    types, including limited proxies is now fully supported. RESTRICTED and
    INDEPENDENT in (pre-)RFC proxies WILL be treated as an IMPERSONATION proxy
    type, which is the default.


------------------------------------------------------------------------
r16545 | okoeroo | 2012-10-15 22:33:40 +0200 (Mon, 15 Oct 2012) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS

Replacing false OSPF statements with OCSP statements. Implementing the option --disallow-limited-proxy.
------------------------------------------------------------------------
r16544 | okoeroo | 2012-10-15 22:31:17 +0200 (Mon, 15 Oct 2012) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c

Replacing false OSPF statements with OCSP statements. Implementing the option --disallow-limited-proxy.
------------------------------------------------------------------------
r16417 | okoeroo | 2012-06-18 12:23:10 +0200 (Mon, 18 Jun 2012) | 12 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/BUGS
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

The first delegation can now be a GT2/old-style Limited proxy.

Note:
The proxy certificate semantic checks do support the complete semantics for CA,
EEC, old-style proxy, RFC3820 proxy, old-style limited proxy and RFC3820
Limited proxy certificate types. 

BUT! The RFC3820 proxy types are not yet distinguishable. So all RFC3820 type
certificates are all tagged as type 'normal'



------------------------------------------------------------------------
r16416 | okoeroo | 2012-06-16 01:52:42 +0200 (Sat, 16 Jun 2012) | 25 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Version 1.5.3
-------------
-   Brian Bockelman reported a verification failure when a certificate chain
    contains at least two limited proxies. This version exclusively fixes this
    problem.
-   The add-on verification routines to semantically check the certificate
    chain was not launched when the X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED error
    was set. Only OpenSSL versions older than 0.9.8 would have this #ifdef
    enabled.
-   OpenSSL casts an X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED where it doesn't
    make sense as the test used a non-RFC3820 proxy. OpenSSL is not capable of
    extracting a path length constraint out of non-RFC proxy.  OpenSSL also
    tagged all certificates in the chain to be showing the
    X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED error. The add-on evaluator performs
    a proper check to compensate.
-   The add-on verification routines did not take limited proxies into account.
    This mistake was gracefully neglected, because proxy chains with only one
    Limited proxy at the end was perfectly tolerated. A double limited proxy or
    proxy certificate chain with at least two (or more) Limited proxy
    delegations of the RFC3820 and old-style proxy type would fail the
    verification with the previously mentioned anomalies.




------------------------------------------------------------------------
r16156 | msalle | 2012-03-15 16:46:09 +0100 (Thu, 15 Mar 2012) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.c

Remove \t from log strings..

------------------------------------------------------------------------
r16087 | okoeroo | 2012-03-04 19:07:28 +0100 (Sun, 04 Mar 2012) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/ChangeLog
   M /trunk/lcmaps-plugins-verify-proxy/NEWS

Updated the ChangeLog file on SVN and updated the NEWS file.



------------------------------------------------------------------------
r15906 | okoeroo | 2012-01-30 14:12:50 +0100 (Mon, 30 Jan 2012) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/ChangeLog

Updated the ChangeLog from svn log -v
------------------------------------------------------------------------
r15890 | okoeroo | 2012-01-27 17:15:26 +0100 (Fri, 27 Jan 2012) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Removed debugging messages.



------------------------------------------------------------------------
r15855 | okoeroo | 2012-01-18 19:28:33 +0100 (Wed, 18 Jan 2012) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac

Bumped version.


------------------------------------------------------------------------
r15853 | okoeroo | 2012-01-17 20:04:36 +0100 (Tue, 17 Jan 2012) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/grid-proxy-verify.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/verify_x509_utils.c

Renewed LCMAPS verify-proxy plug-in. Now with better internal memory handling.


------------------------------------------------------------------------
r15834 | msalle | 2012-01-09 16:00:06 +0100 (Mon, 09 Jan 2012) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Add further clarifications about why the X509_STORE_* functions should not be
called.

------------------------------------------------------------------------
r15833 | msalle | 2012-01-09 15:06:31 +0100 (Mon, 09 Jan 2012) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Fixing invalid read. It seems we initialized the CA dirs twice. Once with
X509_STORE_load_locations and once with X509_LOOKUP_add_dir.

------------------------------------------------------------------------
r15832 | msalle | 2012-01-09 14:14:44 +0100 (Mon, 09 Jan 2012) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/verify_x509_utils.c

Cleanup evp_pkey and initialize entire struct tm to zero.

------------------------------------------------------------------------
r15680 | okoeroo | 2011-12-10 21:14:46 +0100 (Sat, 10 Dec 2011) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/doc/lcmaps_verify_proxy.mod.8

Tiny tweaks.



------------------------------------------------------------------------
r15679 | okoeroo | 2011-12-09 23:10:24 +0100 (Fri, 09 Dec 2011) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/doc/lcmaps_verify_proxy.mod.8

Typo
------------------------------------------------------------------------
r15678 | okoeroo | 2011-12-09 23:07:47 +0100 (Fri, 09 Dec 2011) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/doc/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/doc/lcmaps_verify_proxy.mod.8

Fixing make/build and install stuff. Also fixed some formatting in the man page
file lcmaps_verify_proxy.mod.8



------------------------------------------------------------------------
r15677 | okoeroo | 2011-12-09 22:16:18 +0100 (Fri, 09 Dec 2011) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/Makefile.am
   A /trunk/lcmaps-plugins-verify-proxy/doc
   A /trunk/lcmaps-plugins-verify-proxy/doc/Makefile.am
   A /trunk/lcmaps-plugins-verify-proxy/doc/lcmaps_verify_proxy.mod.8
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/grid-proxy-verify.c

Added man page for lcmaps_verify_proxy.mod.8



------------------------------------------------------------------------
r15676 | okoeroo | 2011-12-09 15:20:14 +0100 (Fri, 09 Dec 2011) | 33 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/BUGS
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

New feature to be able to REQUIRE the final certificate in a chain to be a
LIMITED proxy.  Enable the option "--require-limited-proxy" to enforce this.

This version DOES NOT WORK with RFC3820 limited proxy. This will be added in an
update.




Updated NEWS file:

Version 1.5.0
-------------
-   Changing the log messages to match the logging method used in LCMAPS
    version 1.5.0, which will be using the Syslog native log priority/levels.
-   The plugin will fail to initialize when the configured -cadir or -certdir
    directory does not exist. This was a run-time error.
-   Fixed the ability to use the plugin for life-time checking from a GT4 or
    GT5 service. The requirement for a private key MUST be explicitly disabled
    with either the configuration of "--only-enforce-lifetime-checks" or
    "--discard_private_key_absence". The internally used environment variable
    $VERIFY_PROXY_DISCARD_PRIVATE_KEY_ABSENCE is equivalent to the setting of
    "--discard_private_key_absence". The environment variable can be
    countered/muted by "--never_discard_private_key_absence".
-   New feature to be able to REQUIRE the final certificate in a chain to be a
    LIMITED proxy.  Enable the option "--require-limited-proxy" to enforce
    this.
    This version DOES NOT WORK with RFC3820 limited proxy. This will be added
    in an update.




------------------------------------------------------------------------
r15653 | okoeroo | 2011-11-30 21:16:57 +0100 (Wed, 30 Nov 2011) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Removed datetime creation and destruction, without use.



------------------------------------------------------------------------
r15629 | okoeroo | 2011-11-24 13:07:42 +0100 (Thu, 24 Nov 2011) | 10 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

-   Fixed the ability to use the plugin for life-time checking from a GT4 or
    GT5 service. The requirement for a private key MUST be explicitly disabled
    with either the configuration of "--only-enforce-lifetime-checks" or
    "--discard_private_key_absence". The internally used environment variable
    $VERIFY_PROXY_DISCARD_PRIVATE_KEY_ABSENCE is equivalent to the setting of
    "--discard_private_key_absence". The environment variable can be
    countered/muted by "--never_discard_private_key_absence".



------------------------------------------------------------------------
r15628 | msalle | 2011-11-24 13:03:32 +0100 (Thu, 24 Nov 2011) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-afs/configure.ac
   M /trunk/lcmaps-plugins-afs/src/afs/Makefile.am
   M /trunk/lcmaps-plugins-c-pep/configure.ac
   M /trunk/lcmaps-plugins-c-pep/doc/man/lcmaps-plugins-c-pep.8.src
   M /trunk/lcmaps-plugins-c-pep/doc/man/sed.template.in
   M /trunk/lcmaps-plugins-c-pep/src/c-pep/Makefile.am
   M /trunk/lcmaps-plugins-gums/configure.ac
   M /trunk/lcmaps-plugins-gums/src/gums/Makefile.am
   M /trunk/lcmaps-plugins-jobrep/configure.ac
   M /trunk/lcmaps-plugins-jobrep/src/jobrep/Makefile.am
   M /trunk/lcmaps-plugins-scas-client/configure.ac
   M /trunk/lcmaps-plugins-scas-client/doc/man/lcmaps_plugins_scas_client.8.src
   M /trunk/lcmaps-plugins-scas-client/doc/man/sed.template.in
   M /trunk/lcmaps-plugins-scas-client/src/Makefile.am
   M /trunk/lcmaps-plugins-tracking-groupid/configure.ac
   M /trunk/lcmaps-plugins-tracking-groupid/src/tracking_groupid/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-voms/configure.ac
   M /trunk/lcmaps-plugins-voms/src/voms/Makefile.am

Determine dynamic library extension in configure and use that for creating
.mod symlinks.


------------------------------------------------------------------------
r15535 | okoeroo | 2011-11-08 10:57:27 +0100 (Tue, 08 Nov 2011) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

The plugin will fail to initialize when the configured -cadir or -certdir
directory does not exist. This was a run-time error.


------------------------------------------------------------------------
r15532 | okoeroo | 2011-11-07 22:36:21 +0100 (Mon, 07 Nov 2011) | 6 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.c

Version 1.5.0:
-   Changing the log messages to match the logging method used in LCMAPS
    version 1.5.0, which will be using the Syslog native log priority/levels.



------------------------------------------------------------------------
r15437 | msalle | 2011-08-15 17:32:33 +0200 (Mon, 15 Aug 2011) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.h

Use AC_LCMAPS_INTERFACE([basic])
Rename lcmaps_config.h into lcmaps_verify_proxy_config.h

------------------------------------------------------------------------
r15385 | okoeroo | 2011-08-02 14:17:16 +0200 (Tue, 02 Aug 2011) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/ChangeLog

Adding.


------------------------------------------------------------------------
r15384 | okoeroo | 2011-08-02 13:38:33 +0200 (Tue, 02 Aug 2011) | 25 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Version 1.4.12 - Try number two
-------------------------------
The new certificate type detection function makes it possible to detect the
proxy certificate type more cleanly and now properly distinguishes RFC 3820
and old-style certificates reliably. A wrongly constructed chain is a rare
occurrence, but is now properly detected and will result in an
X509_V_ERR_CERT_REJECTED or "certificate rejected" error code.

The certificate rejection is only triggered when the following #define is
enabled: USE_STRICT_PATH_VALIDATION. Without it, the condition will be treated
as a warning only seen on a verbose loglevel.

Also, the grid_verifyPathLenConstraints() function is now called when the
X509_verify() reaches the final certificate in the chain in its verification
cycle. This will dissect the certificate chain properly and trigger on the right
errors.

A bunch of useless debugging messages are no longer visible in the log file.
They can be revived when you upgrade the loglevel for more verbosity.
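
The add-on path length check that this entry and r16416 describe, and that r15369 motivates, sketched as an added example; it is not the plugin's grid_verifyPathLenConstraints() and uses no OpenSSL. The types, function names and sample chains are constructed for illustration, and self-issued CA certificates (which RFC 5280 does not count) are not modelled.

```c
#include <stddef.h>
#include <stdio.h>

/* Certificate kinds named in the log entries (enum names are this example's own). */
typedef enum {
    CERT_CA, CERT_EEC,
    CERT_GT2_PROXY, CERT_GT2_LIMITED,  /* old-style: no path length field */
    CERT_RFC_PROXY, CERT_RFC_LIMITED   /* RFC 3820: optional pCPathLenConstraint */
} cert_kind_t;

typedef struct {
    cert_kind_t kind;
    long pathlen; /* -1 = absent; CA: pathLenConstraint, proxy: pCPathLenConstraint */
} cert_t;

typedef enum {
    CHAIN_OK, CHAIN_BAD_ORDER,
    CHAIN_CA_PATHLEN_EXCEEDED, CHAIN_PROXY_PATHLEN_EXCEEDED
} chain_result_t;

#define LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Apply a constraint to the remaining budget; -1 means "unlimited". */
static long tighten(long budget, long constraint)
{
    if (constraint < 0) return budget;
    if (budget < 0 || constraint < budget) return constraint;
    return budget;
}

/* Walk the chain from root to leaf. Expected order: CA*, one EEC, proxy*.
 * honour_gt2_field != 0 models the faulty behaviour from r15369, where the
 * RFC 3820 field of an old-style proxy reads 0 instead of -1. */
chain_result_t check_chain(const cert_t *chain, size_t n, int honour_gt2_field)
{
    long ca_budget = -1, proxy_budget = -1;
    int seen_eec = 0;
    size_t i;

    for (i = 0; i < n; i++) {
        const cert_t *c = &chain[i];
        int is_rfc = (c->kind == CERT_RFC_PROXY || c->kind == CERT_RFC_LIMITED);

        switch (c->kind) {
        case CERT_CA:
            if (seen_eec) return CHAIN_BAD_ORDER;
            /* RFC 5280: a CA's pathLenConstraint limits the CAs below it. */
            if (ca_budget == 0) return CHAIN_CA_PATHLEN_EXCEEDED;
            if (ca_budget > 0) ca_budget--;
            ca_budget = tighten(ca_budget, c->pathlen);
            break;
        case CERT_EEC:
            if (seen_eec) return CHAIN_BAD_ORDER;
            seen_eec = 1;
            break;
        default: /* any proxy; limited proxies count like normal ones */
            if (!seen_eec) return CHAIN_BAD_ORDER;
            /* RFC 3820: pCPathLenConstraint limits the proxies below it. */
            if (proxy_budget == 0) return CHAIN_PROXY_PATHLEN_EXCEEDED;
            if (proxy_budget > 0) proxy_budget--;
            if (is_rfc || honour_gt2_field)
                proxy_budget = tighten(proxy_budget, c->pathlen);
            break;
        }
    }
    return seen_eec ? CHAIN_OK : CHAIN_BAD_ORDER;
}

/* Constructed chain shaped like the r15369 case: CA certificates included,
 * sub-CA with pathlen 0, old-style proxies whose field was wrongly set to 0. */
static const cert_t chain_cream[] = {
    { CERT_CA, -1 }, { CERT_CA, 0 }, { CERT_EEC, -1 },
    { CERT_GT2_PROXY, 0 }, { CERT_GT2_PROXY, 0 }, { CERT_GT2_LIMITED, 0 }
};
/* Constructed: a further CA below a CA with pathlen 0. */
static const cert_t chain_extra_ca[] = {
    { CERT_CA, -1 }, { CERT_CA, 0 }, { CERT_CA, -1 }, { CERT_EEC, -1 }
};
/* Constructed: RFC 3820 proxy allowing one delegation, followed by two. */
static const cert_t chain_rfc_deep[] = {
    { CERT_EEC, -1 }, { CERT_RFC_PROXY, 1 },
    { CERT_RFC_PROXY, -1 }, { CERT_RFC_LIMITED, -1 }
};
/* Constructed: proxy placed before the end-entity certificate. */
static const cert_t chain_misordered[] = {
    { CERT_CA, -1 }, { CERT_GT2_PROXY, -1 }, { CERT_EEC, -1 }
};

int main(void)
{
    printf("cream chain, add-on check: %d\n",
           check_chain(chain_cream, LEN(chain_cream), 0));
    printf("cream chain, faulty field: %d\n",
           check_chain(chain_cream, LEN(chain_cream), 1));
    printf("extra CA:                  %d\n",
           check_chain(chain_extra_ca, LEN(chain_extra_ca), 0));
    printf("deep RFC delegation:       %d\n",
           check_chain(chain_rfc_deep, LEN(chain_rfc_deep), 0));
    printf("misordered:                %d\n",
           check_chain(chain_misordered, LEN(chain_misordered), 0));
    return 0;
}
```

The same constructed chain passes when the old-style proxies' field is ignored and fails with the proxy path length result when it is honoured, which is the difference between the add-on check and the library behaviour the log describes.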






------------------------------------------------------------------------
r15383 | okoeroo | 2011-08-02 10:51:10 +0200 (Tue, 02 Aug 2011) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Minor logging output tweak.
------------------------------------------------------------------------
r15382 | okoeroo | 2011-08-01 20:19:49 +0200 (Mon, 01 Aug 2011) | 16 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/BUGS
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Version 1.4.12
--------------
The new certificate type detection function makes it possible to detect the
proxy certificate type more cleanly and now properly distinguishes RFC 3820
and old-style certificates reliably. A wrongly constructed chain is a rare
occurrence, but is now properly detected and will result in an
X509_V_ERR_CERT_REJECTED or "certificate rejected" error code.

Also, the grid_verifyPathLenConstraints() function is now called when the
X509_verify() reaches the final certificate in the chain in its verification
cycle. This will dissect the certificate chain properly and trigger on the right
errors.




------------------------------------------------------------------------
r15370 | okoeroo | 2011-07-21 14:20:00 +0200 (Thu, 21 Jul 2011) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/BUGS
   M /trunk/lcmaps-plugins-verify-proxy/ChangeLog
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   A /trunk/lcmaps-plugins-verify-proxy/README

Preparing release for 1.4.11


------------------------------------------------------------------------
r15369 | okoeroo | 2011-07-21 12:37:11 +0200 (Thu, 21 Jul 2011) | 59 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.h

In short (inspired by the game Cluedo):
CREAM did it, using bugs in path length constraints, in OpenSSL/Globus


And now the slightly more elaborate explanation about the problem, how we analyzed it, interpreted the information and implemented a reliable workaround. It also shows that the CREAM CE itself is not directly the cause, but a trigger of the bug. This problem can occur in a lot of other places too and is a pain to analyse. One added motivation on why it's such a pain to analyse is that I'm seeing known effects and problems occur along the analyses steering me in mildly the right direction, while I'm already mind-programming a workaround.

Reproducing the problem was hard:
The effect observed by users is a failure in job submission to any gLite 3.2 CREAM CE, when it's submitted through a WMS. Probably also on all EMI-1 CREAM CE too. The error message returned from the CREAM CE indicates a failure in gLExec's LCMAPS plugin that verifies a proxy certificate chain.

Prerequisites (all of this must be true aka logical AND) to trigger the faulty situation:
- Use the Terena eScience Personal TCS, which has a pathlen = 0 set on the final CA.
- Use old style proxies (GT2), note: they don't feature a path length constraint field.
- Use a CREAM CE on gLite 3.2 (uses Globus GT4 from VDT)
- Access the CREAM CE through a WMS to use sufficient delegations or MyProxy

Change any of the above parameters and it will work. Meaning, the problem did NOT occur when the following was used:
- Direct job submission (only ONE proxy delegation may be used)
- Direct gLExec test on the shell, which just works.

Unverified situations:
- The effects when using RFC 3820 proxies
- Using EMI-1's CREAM CE

Hypothesis:
Tests have shown that the certificate chain is constructed properly. The hypothesis is that the GT4 from the VDT is interfering with OpenSSL sequences that we rely on in LCMAPS.

Cause(s) of the problem and analyses so far:
The gLExec in the CREAM CE uses LCMAPS to perform the account mapping in gLite 3.2. LCMAPS is dynamically linked to Globus to support its direct Globus based interfaces. The LCMAPS framework launched several plugins, of which the verify-proxy is the first, from the lcmaps-plugins-verify-proxy package.

The verify-proxy fails with an error in the log file, originating from OpenSSL, that the path length of the certificate chain exceeded the constraint bound from the certificate chain itself. Analysis of the chain has shown that both the RFC5280 path length constraint and the RFC3820 path length constraint did not apply here. The TERENA eScience Personal CA has a critical basic constraint set to indicate a path length is 0 (=zero). This means that no other CA certificate can follow this CA certificate in a chain. The RFC 3820 path length constraint doesn't apply on old-style (i.e. GT2) proxy certificates.

Despite the installation and the certificate chain involved; OpenSSL triggers an X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED error code, indicating the path length exceeded in the proxy certificates. Given the research on the certificate chain we will assume that this is a false-positive (or true-negative).

See wiki for details: http://www.nikhef.nl/pub/projects/grid/gridwiki/index.php/How_to_handle_OpenSSL_and_not_get_hurt_and_what_does_that_library_call_really_do%3F#Path_length_constraints

The interesting detail here is that the Terena eScience Personal CA, Terena eScience SSL CA and the FNAL SLCS are the only CAs using a Path Length Constraint of 0 (=zero) in the IGTF. This gives a motivation to search in this direction as similar certificate chains are not affected at all.

On both our EMI and gLite 3.2 test nodes running gLExec we couldn't reproduce the problem. We tried a gLite 3.2 CREAM CE and could reproduce the failure when we introduced a few extra delegations to the certificate chain before we submitted a test job.

After looking at the libraries used on the CREAM CE, being GT4 from the VDT, and knowing that the OpenSSL interaction is significantly different made us put the blame on the GT4 libraries. They are known to have changed parts of OpenSSL itself and their own callbacks. This might cause the weird effect in the verification stage. We've experienced race conditions in library loading where the order of dynamic library resolvement and loading was significant for the observed failures. This problem has characteristics of it as the problem seemed to be specific to the machine. We would need to investigate the GT4 OpenSSL interacting code to be certain about it. This is not an easy task and might be too expensive, while a work around is possible.

We looked at the CREAM CE interaction some more, installed a new CREAM CE from scratch and were interested to reproduce the problem in gLExec. Somehow we couldn't reproduce it when we ran gLExec standalone on the CREAM CE. This should not happen. It should have failed. We tried another proxy chain (mine this time) created from my OSX build of voms-proxy-init version 1.8.8. Again, the problem didn't occur. I hacked the gLExec script that was executing on the failing CREAM CE, which I tested using the glite-ce-job-submit tool, to copy the proxy certificate before deleting itself. We used this chain in the bare gLExec run and then it failed. This certificate chain was examined, turned out to be OK, but is different as it had CA certificates in it.

This seemed to be the root cause of the problem. The CREAM CE (or perhaps its delegation service) is writing the proxy certificate chain from the SSL context in the Tomcat instance from the user's interaction. This certificate chain was written including all the CA certificates up to the root CA.

We tested the gLExec with the output of voms-proxy-init/grid-proxy-init which do *not* include the CA certificates in the certificate chain. As this is not added, the CA certificates will be added to the verification sequences in a different way by the OpenSSL routines. This is required to verify the full chain. There is a use case for adding your own (intermediate) CA to the client/host certificate chain, but this doesn't count in the Grid world with the IGTF. As the CA certificates are added in a different way later and treated differently, OpenSSL will verify the certificate chain differently. Either the Globus OpenSSL or the OpenSSL 0.9.8a is to blame that certificate chains with old-style proxies have the path length constraint field, used exclusively for RFC 3820 proxies, set to 0 (=zero) instead of -1 (=minus one) aka uninitialized. This nullification is most probably triggered by the path length constraint value in the Terena sub-CA certificate added to the normal certificate chain evaluation sequences, instead of kept aside in the list of used CA certificates for a certificate chain in an SSL context.

Workaround:
Build a DIY (=Do It Yourself) Path Length Constraint a la RFC 5280 and RFC 3820 in the verify proxy LCMAPS plugin. This will work around any potential library loading issue that could possibly happen. It also works around odd implementations of the verification sequences and it can work around the bug of wrong initialization values for path length constraint. Another possible workaround would be to alter the certificate chain before it hits the verification stage. This could work, but needs research in the right code-wise location in OpenSSL to let this work reliably. We're also going to introduce a duplication of the certificate chain to not tamper with the original input and pragmatically we need to work with two different certificate chains. The first option is significantly less work and straightforward.

To consider for other tools:
OpenSSL and possibly GT5 needs double checking if the support for RFC proxies is capable of handling edge-case input, demonstrated by the CREAM CE (or a component thereof). The CREAM CE should not add the CA certificates to the gLExec input. We should be tolerant on the gLExec side, but regardless the CREAM CE should not have done this and should have followed the same approach with gLExec as to setting up an SSL context. This means that you do not send CA certificates over the wire unless you are absolutely sure that this is really needed.

Output:
lcmaps-plugins-verify version 1.4.11 is to be certified featuring a function to catch the X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED error and check the certificate chain for its RFC 5280 and RFC 3820 compliance regarding path length constraints.
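
The do-it-yourself path length check described in the workaround above, as an added example that is not the plugin's own code. The chain model, type names and sample chains are hypothetical and constructed for illustration; it assumes the chain is ordered from the CA end to the last proxy, treats the first CA as the trust anchor, and does not model self-issued intermediate CAs.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical chain model for this example; these are not the plugin's types. */
enum cert_kind { KIND_CA, KIND_EEC, KIND_PROXY_RFC3820, KIND_PROXY_LEGACY };

enum plc_result {
    PLC_OK = 0,
    PLC_CA_PATH_LENGTH_EXCEEDED,    /* RFC 5280 pathLenConstraint violated */
    PLC_PROXY_PATH_LENGTH_EXCEEDED, /* RFC 3820 pCPathLenConstraint violated */
    PLC_MALFORMED_CHAIN             /* order is not CA* EEC proxy* */
};

#define PLC_UNSET (-1L) /* constraint absent, i.e. unlimited */

struct cert_info {
    enum cert_kind kind;
    long path_len; /* value reported for the certificate, PLC_UNSET if absent */
};

/* Lower the remaining budget to `limit` when the limit is present and tighter. */
static void tighten(long *budget, long limit)
{
    if (limit >= 0 && (*budget == PLC_UNSET || limit < *budget))
        *budget = limit;
}

/* Spend one unit of budget; returns 0 when the budget is already exhausted. */
static int spend(long *budget)
{
    if (*budget == 0)
        return 0;
    if (*budget > 0)
        (*budget)--;
    return 1;
}

/* Walk the chain from chain[0] (CA end) to chain[n-1] (last proxy). */
enum plc_result check_path_lengths(const struct cert_info *chain, size_t n)
{
    long ca_budget = PLC_UNSET, proxy_budget = PLC_UNSET;
    int seen_eec = 0;
    size_t i;

    for (i = 0; i < n; i++) {
        const struct cert_info *c = &chain[i];
        switch (c->kind) {
        case KIND_CA:
            if (seen_eec)
                return PLC_MALFORMED_CHAIN;
            /* Every CA below the trust anchor consumes one unit. */
            if (i > 0 && !spend(&ca_budget))
                return PLC_CA_PATH_LENGTH_EXCEEDED;
            tighten(&ca_budget, c->path_len);
            break;
        case KIND_EEC:
            /* The end-entity certificate does not count against pathLen. */
            if (seen_eec)
                return PLC_MALFORMED_CHAIN;
            seen_eec = 1;
            break;
        case KIND_PROXY_RFC3820:
        case KIND_PROXY_LEGACY:
            if (!seen_eec)
                return PLC_MALFORMED_CHAIN;
            if (!spend(&proxy_budget))
                return PLC_PROXY_PATH_LENGTH_EXCEEDED;
            /* Old-style proxies carry no constraint: whatever value was
             * reported for them (0 or -1) is ignored on purpose. */
            if (c->kind == KIND_PROXY_RFC3820)
                tighten(&proxy_budget, c->path_len);
            break;
        default:
            return PLC_MALFORMED_CHAIN;
        }
    }
    return seen_eec ? PLC_OK : PLC_MALFORMED_CHAIN;
}

/* Constructed sample: CA certificates included in the chain, old-style
 * proxies reported with 0 instead of PLC_UNSET. */
static const struct cert_info chain_with_cas[] = {
    { KIND_CA, PLC_UNSET }, { KIND_CA, 0 }, { KIND_EEC, PLC_UNSET },
    { KIND_PROXY_LEGACY, 0 }, { KIND_PROXY_LEGACY, 0 }
};
/* Constructed sample: first RFC 3820 proxy allows one further delegation. */
static const struct cert_info chain_rfc[] = {
    { KIND_EEC, PLC_UNSET }, { KIND_PROXY_RFC3820, 1 },
    { KIND_PROXY_RFC3820, PLC_UNSET }, { KIND_PROXY_RFC3820, PLC_UNSET }
};
/* Constructed sample: a CA below a sub-CA whose pathLenConstraint is 0. */
static const struct cert_info chain_deep_ca[] = {
    { KIND_CA, PLC_UNSET }, { KIND_CA, 0 }, { KIND_CA, PLC_UNSET },
    { KIND_EEC, PLC_UNSET }
};

int main(void)
{
    printf("chain with CAs, old-style proxies: %d\n", check_path_lengths(chain_with_cas, 5));
    printf("RFC chain, two proxies:            %d\n", check_path_lengths(chain_rfc, 3));
    printf("RFC chain, three proxies:          %d\n", check_path_lengths(chain_rfc, 4));
    printf("CA below pathLen 0 sub-CA:         %d\n", check_path_lengths(chain_deep_ca, 4));
    return 0;
}
```

The two failure codes are kept separate because, as the log notes for version 1.4.10, the proxy path length error is distinct from the normal CA path length error.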




------------------------------------------------------------------------
r15310 | dennisvd | 2011-07-11 12:11:39 +0200 (Mon, 11 Jul 2011) | 2 lines
Changed paths:
   M /trunk/lcas/examples/Makefile.am
   M /trunk/lcas-plugins-check-executable/src/check-executable/Makefile.am
   M /trunk/lcas-plugins-voms/src/voms/Makefile.am
   M /trunk/lcmaps-plugins-afs/src/afs/Makefile.am
   M /trunk/lcmaps-plugins-c-pep/src/c-pep/Makefile.am
   M /trunk/lcmaps-plugins-gums/src/gums/Makefile.am
   M /trunk/lcmaps-plugins-jobrep/src/jobrep/Makefile.am
   M /trunk/lcmaps-plugins-scas-client/src/Makefile.am
   M /trunk/lcmaps-plugins-tracking-groupid/src/tracking_groupid/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-voms/src/voms/Makefile.am

Make all plugins without versioned names (using -avoid-version)

------------------------------------------------------------------------
r15309 | dennisvd | 2011-07-11 12:05:16 +0200 (Mon, 11 Jul 2011) | 2 lines
Changed paths:
   M /trunk/lcas-plugins-check-executable/configure.ac
   M /trunk/lcas-plugins-voms/configure.ac
   M /trunk/lcmaps-plugins-afs/configure.ac
   M /trunk/lcmaps-plugins-c-pep/configure.ac
   M /trunk/lcmaps-plugins-gums/configure.ac
   M /trunk/lcmaps-plugins-jobrep/configure.ac
   M /trunk/lcmaps-plugins-scas-client/configure.ac
   M /trunk/lcmaps-plugins-tracking-groupid/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-voms/configure.ac

Update the default moduledir to be 'lcas' resp. 'lcmaps' instead of 'modules'.

------------------------------------------------------------------------
r15298 | okoeroo | 2011-07-07 02:02:24 +0200 (Thu, 07 Jul 2011) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/BUGS

Updated BUGS
------------------------------------------------------------------------
r15297 | okoeroo | 2011-07-07 02:01:30 +0200 (Thu, 07 Jul 2011) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS

Updated NEWS
------------------------------------------------------------------------
r15296 | okoeroo | 2011-07-07 01:59:36 +0200 (Thu, 07 Jul 2011) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Version 1.4.10: Fixing path length constraint problem. It seems to be different than the normal path len constraint, as this triggers X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED and not X509_V_ERR_PATH_LENGTH_EXCEEDED
------------------------------------------------------------------------
r15271 | okoeroo | 2011-04-19 16:32:02 +0200 (Tue, 19 Apr 2011) | 1 line
Changed paths:
   A /trunk/lcmaps-plugins-verify-proxy/BUGS

Adding BUGS file
------------------------------------------------------------------------
r15268 | okoeroo | 2011-04-19 16:20:08 +0200 (Tue, 19 Apr 2011) | 1 line
Changed paths:
   A /trunk/lcmaps-plugins-verify-proxy/NEWS

Adding NEWS file
------------------------------------------------------------------------
r15257 | okoeroo | 2011-04-15 14:02:36 +0200 (Fri, 15 Apr 2011) | 1 line
Changed paths:
   A /trunk/lcmaps-plugins-verify-proxy/ChangeLog

Adding ChangeLog from svn log
------------------------------------------------------------------------
r15241 | msalle | 2011-04-14 12:29:43 +0200 (Thu, 14 Apr 2011) | 2 lines
Changed paths:
   M /trunk/glexec/bootstrap
   M /trunk/jobrepository/bootstrap
   M /trunk/lcas/bootstrap
   M /trunk/lcas-plugins-basic/bootstrap
   M /trunk/lcas-plugins-check-executable/bootstrap
   M /trunk/lcas-plugins-voms/bootstrap
   M /trunk/lcmaps-plugins-afs/bootstrap
   M /trunk/lcmaps-plugins-basic/bootstrap
   M /trunk/lcmaps-plugins-c-pep/bootstrap
   M /trunk/lcmaps-plugins-gums/bootstrap
   M /trunk/lcmaps-plugins-jobrep/bootstrap
   M /trunk/lcmaps-plugins-scas-client/bootstrap
   M /trunk/lcmaps-plugins-tracking-groupid/bootstrap
   M /trunk/lcmaps-plugins-verify-proxy/bootstrap
   M /trunk/lcmaps-plugins-voms/bootstrap
   M /trunk/scas/bootstrap

Adding --copy flag to libtoolize, which eases packaging.

------------------------------------------------------------------------
r15213 | dennisvd | 2011-04-07 15:29:01 +0200 (Thu, 07 Apr 2011) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/Makefile.am

removed trailing whitespace

------------------------------------------------------------------------
r15212 | dennisvd | 2011-04-07 15:28:43 +0200 (Thu, 07 Apr 2011) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am

fixed include path references with $(srcdir) prefix

------------------------------------------------------------------------
r15182 | dennisvd | 2011-04-05 09:57:47 +0200 (Tue, 05 Apr 2011) | 2 lines
Changed paths:
   M /trunk/lcas-plugins-basic/configure.ac
   M /trunk/lcas-plugins-basic/src/timeslots/Makefile.am
   M /trunk/lcas-plugins-basic/src/userallow/Makefile.am
   M /trunk/lcas-plugins-basic/src/userban/Makefile.am
   M /trunk/lcas-plugins-check-executable/configure.ac
   M /trunk/lcas-plugins-check-executable/src/check-executable/Makefile.am
   M /trunk/lcas-plugins-voms/configure.ac
   M /trunk/lcas-plugins-voms/src/voms/Makefile.am
   M /trunk/lcmaps-plugins-afs/Makefile.am
   M /trunk/lcmaps-plugins-afs/configure.ac
   M /trunk/lcmaps-plugins-afs/src/afs/Makefile.am
   M /trunk/lcmaps-plugins-c-pep/configure.ac
   M /trunk/lcmaps-plugins-c-pep/src/c-pep/Makefile.am
   M /trunk/lcmaps-plugins-gums/configure.ac
   M /trunk/lcmaps-plugins-gums/src/gums/Makefile.am
   M /trunk/lcmaps-plugins-jobrep/configure.ac
   M /trunk/lcmaps-plugins-jobrep/src/jobrep/Makefile.am
   M /trunk/lcmaps-plugins-scas-client/configure.ac
   M /trunk/lcmaps-plugins-scas-client/src/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-voms/configure.ac
   M /trunk/lcmaps-plugins-voms/src/voms/Makefile.am

Added --with-moduledir to set the install location for plug-ins.

------------------------------------------------------------------------
r14914 | msalle | 2011-03-06 11:17:47 +0100 (Sun, 06 Mar 2011) | 2 lines
Changed paths:
   M /trunk/jobrepository/configure.ac
   M /trunk/lcas/configure.ac
   M /trunk/lcas-lcmaps-gt4-interface/configure.ac
   M /trunk/lcas-plugins-voms/configure.ac
   M /trunk/lcmaps-plugins-afs/configure.ac
   M /trunk/lcmaps-plugins-jobrep/configure.ac
   M /trunk/lcmaps-plugins-scas-client/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-voms/configure.ac
   M /trunk/scas/configure.ac

Bumping versions for components with fixed globus / crypto deps.

------------------------------------------------------------------------
r14880 | dennisvd | 2011-03-04 22:08:09 +0100 (Fri, 04 Mar 2011) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/Doxyfile
   M /trunk/lcmaps-plugins-verify-proxy/LICENSE
   M /trunk/lcmaps-plugins-verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/Makefile.am

removed executable bit
------------------------------------------------------------------------
r14879 | dennisvd | 2011-03-04 22:07:46 +0100 (Fri, 04 Mar 2011) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/AUTHORS
   M /trunk/lcmaps-plugins-verify-proxy/Doxyfile
   M /trunk/lcmaps-plugins-verify-proxy/LICENSE
   M /trunk/lcmaps-plugins-verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/bootstrap
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/lcmaps.m4
   M /trunk/lcmaps-plugins-verify-proxy/src/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/grid-proxy-verify.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/grid-proxy-verify.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/Makefile
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/main.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/verify_x509_utils.c

add keyword property
------------------------------------------------------------------------
r14846 | msalle | 2011-03-04 16:22:33 +0100 (Fri, 04 Mar 2011) | 2 lines
Changed paths:
   M /trunk/lcas-plugins-voms/configure.ac
   M /trunk/lcmaps-plugins-jobrep/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-voms/configure.ac

Add check for libcrypto in essential components.

------------------------------------------------------------------------
r14690 | msalle | 2011-02-25 15:38:01 +0100 (Fri, 25 Feb 2011) | 2 lines
Changed paths:
   M /trunk/jobrepository/Makefile.am
   M /trunk/jobrepository/configure.ac
   M /trunk/lcas-lcmaps-gt4-interface/configure.ac
   M /trunk/lcas-plugins-basic/configure.ac
   M /trunk/lcas-plugins-check-executable/configure.ac
   M /trunk/lcas-plugins-voms/configure.ac
   M /trunk/lcmaps-plugins-afs/configure.ac
   M /trunk/lcmaps-plugins-basic/configure.ac
   M /trunk/lcmaps-plugins-gums/configure.ac
   M /trunk/lcmaps-plugins-jobrep/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-voms/configure.ac
   M /trunk/scas/configure.ac

Re-syncing all the versions with branch EMI-1

------------------------------------------------------------------------
r14618 | msalle | 2011-02-23 12:58:46 +0100 (Wed, 23 Feb 2011) | 3 lines
Changed paths:
   M /trunk
   M /trunk/ees
   M /trunk/ees-plugins-one
   M /trunk/glexec
   M /trunk/lcas
   M /trunk/lcas-lcmaps-gt4-interface
   M /trunk/lcas-plugins-basic
   M /trunk/lcas-plugins-check-executable
   M /trunk/lcas-plugins-voms
   M /trunk/lcmaps-plugins-afs
   M /trunk/lcmaps-plugins-basic
   M /trunk/lcmaps-plugins-c-pep
   M /trunk/lcmaps-plugins-gums
   M /trunk/lcmaps-plugins-jobrep
   M /trunk/lcmaps-plugins-scas-client
   M /trunk/lcmaps-plugins-verify-proxy
   M /trunk/lcmaps-plugins-voms
   M /trunk/scas

Updating externals to use http://ndpfsvn.nikhef.nl/ro instead of
https://ndpfsvn.nikhef.nl/repos

------------------------------------------------------------------------
r11958 | msalle | 2011-01-07 14:18:38 +0100 (Fri, 07 Jan 2011) | 2 lines
Changed paths:
   M /trunk/lcas-plugins-basic/Makefile.am
   M /trunk/lcas-plugins-check-executable/Makefile.am
   M /trunk/lcas-plugins-voms/Makefile.am
   M /trunk/lcmaps-plugins-afs/Makefile.am
   M /trunk/lcmaps-plugins-afs/src/afs/Makefile.am
   M /trunk/lcmaps-plugins-basic/Makefile.am
   M /trunk/lcmaps-plugins-basic/src/ldap_enf/Makefile.am
   M /trunk/lcmaps-plugins-basic/src/localaccount/Makefile.am
   M /trunk/lcmaps-plugins-basic/src/poolaccount/Makefile.am
   M /trunk/lcmaps-plugins-basic/src/posix_enf/Makefile.am
   M /trunk/lcmaps-plugins-c-pep/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-voms/Makefile.am
   M /trunk/lcmaps-plugins-voms/src/voms/Makefile.am

Updating EXTRA_DIST etc. to include missing files in dist's

------------------------------------------------------------------------
r11953 | msalle | 2011-01-07 13:18:30 +0100 (Fri, 07 Jan 2011) | 2 lines
Changed paths:
   D /trunk/lcas-plugins-basic/src/lcas_config.h.in
   D /trunk/lcas-plugins-check-executable/src/lcas_config.h.in
   D /trunk/lcas-plugins-voms/src/lcas_config.h.in
   D /trunk/lcmaps-plugins-afs/src/lcmaps_config.h.in
   D /trunk/lcmaps-plugins-gums/src/lcmaps_config.h.in
   D /trunk/lcmaps-plugins-verify-proxy/src/lcmaps_config.h.in
   D /trunk/lcmaps-plugins-voms/src/lcmaps_config.h.in

Removing automatically created _config.h.in files.

------------------------------------------------------------------------
r11951 | msalle | 2011-01-07 13:02:43 +0100 (Fri, 07 Jan 2011) | 2 lines
Changed paths:
   A /trunk/glexec/AUTHORS (from /trunk/glexec/MAINTAINERS:11944)
   D /trunk/glexec/MAINTAINERS
   M /trunk/glexec/Makefile.am
   A /trunk/lcas/AUTHORS (from /trunk/lcas/MAINTAINERS:11950)
   D /trunk/lcas/MAINTAINERS
   M /trunk/lcas/doc/Makefile.am
   M /trunk/lcas-lcmaps-gt4-interface/Makefile.am
   A /trunk/lcas-plugins-basic/AUTHORS (from /trunk/lcas-plugins-basic/MAINTAINERS:11946)
   D /trunk/lcas-plugins-basic/MAINTAINERS
   M /trunk/lcas-plugins-basic/Makefile.am
   A /trunk/lcas-plugins-check-executable/AUTHORS (from /trunk/lcas-plugins-check-executable/MAINTAINERS:11947)
   D /trunk/lcas-plugins-check-executable/MAINTAINERS
   M /trunk/lcas-plugins-check-executable/Makefile.am
   A /trunk/lcas-plugins-voms/AUTHORS (from /trunk/lcas-plugins-voms/MAINTAINERS:11947)
   D /trunk/lcas-plugins-voms/MAINTAINERS
   M /trunk/lcas-plugins-voms/Makefile.am
   A /trunk/lcmaps/AUTHORS (from /trunk/lcmaps/MAINTAINERS:11927)
   D /trunk/lcmaps/MAINTAINERS
   M /trunk/lcmaps/doc/Makefile.am
   A /trunk/lcmaps-plugins-afs/AUTHORS (from /trunk/lcmaps-plugins-afs/MAINTAINERS:11948)
   D /trunk/lcmaps-plugins-afs/MAINTAINERS
   M /trunk/lcmaps-plugins-afs/Makefile.am
   A /trunk/lcmaps-plugins-basic/AUTHORS (from /trunk/lcmaps-plugins-basic/MAINTAINERS:11948)
   D /trunk/lcmaps-plugins-basic/MAINTAINERS
   M /trunk/lcmaps-plugins-basic/Makefile.am
   A /trunk/lcmaps-plugins-c-pep/AUTHORS (from /trunk/lcmaps-plugins-c-pep/MAINTAINERS:11948)
   D /trunk/lcmaps-plugins-c-pep/MAINTAINERS
   M /trunk/lcmaps-plugins-c-pep/Makefile.am
   A /trunk/lcmaps-plugins-gums/AUTHORS (from /trunk/lcmaps-plugins-gums/MAINTAINERS:11948)
   D /trunk/lcmaps-plugins-gums/MAINTAINERS
   M /trunk/lcmaps-plugins-gums/Makefile.am
   A /trunk/lcmaps-plugins-scas-client/AUTHORS (from /trunk/lcmaps-plugins-scas-client/MAINTAINERS:11948)
   D /trunk/lcmaps-plugins-scas-client/MAINTAINERS
   M /trunk/lcmaps-plugins-scas-client/Makefile.am
   A /trunk/lcmaps-plugins-verify-proxy/AUTHORS (from /trunk/lcmaps-plugins-verify-proxy/MAINTAINERS:11948)
   D /trunk/lcmaps-plugins-verify-proxy/MAINTAINERS
   M /trunk/lcmaps-plugins-verify-proxy/Makefile.am
   A /trunk/lcmaps-plugins-voms/AUTHORS (from /trunk/lcmaps-plugins-voms/MAINTAINERS:11948)
   D /trunk/lcmaps-plugins-voms/MAINTAINERS
   M /trunk/lcmaps-plugins-voms/Makefile.am
   M /trunk/scas/Makefile.am

Renaming MAINTAINERS in AUTHORS and let them be installed.

------------------------------------------------------------------------
r11948 | msalle | 2011-01-06 17:46:36 +0100 (Thu, 06 Jan 2011) | 4 lines
Changed paths:
   M /trunk/lcas-plugins-basic/Makefile.am
   M /trunk/lcas-plugins-check-executable/Makefile.am
   M /trunk/lcas-plugins-voms/Makefile.am
   A /trunk/lcmaps-plugins-afs/MAINTAINERS
   M /trunk/lcmaps-plugins-afs/Makefile.am
   M /trunk/lcmaps-plugins-afs/bootstrap
   M /trunk/lcmaps-plugins-afs/configure.ac
   A /trunk/lcmaps-plugins-basic/MAINTAINERS
   M /trunk/lcmaps-plugins-basic/Makefile.am
   M /trunk/lcmaps-plugins-basic/bootstrap
   M /trunk/lcmaps-plugins-basic/configure.ac
   A /trunk/lcmaps-plugins-c-pep/MAINTAINERS
   M /trunk/lcmaps-plugins-c-pep/Makefile.am
   M /trunk/lcmaps-plugins-c-pep/bootstrap
   M /trunk/lcmaps-plugins-c-pep/configure.ac
   A /trunk/lcmaps-plugins-gums/MAINTAINERS
   M /trunk/lcmaps-plugins-gums/Makefile.am
   M /trunk/lcmaps-plugins-gums/bootstrap
   M /trunk/lcmaps-plugins-gums/configure.ac
   A /trunk/lcmaps-plugins-scas-client/MAINTAINERS
   M /trunk/lcmaps-plugins-scas-client/Makefile.am
   M /trunk/lcmaps-plugins-scas-client/bootstrap
   M /trunk/lcmaps-plugins-scas-client/configure.ac
   A /trunk/lcmaps-plugins-verify-proxy/MAINTAINERS
   M /trunk/lcmaps-plugins-verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/bootstrap
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   A /trunk/lcmaps-plugins-voms/MAINTAINERS
   M /trunk/lcmaps-plugins-voms/Makefile.am
   M /trunk/lcmaps-plugins-voms/bootstrap
   M /trunk/lcmaps-plugins-voms/configure.ac

Add missing files for dist
Add MAINTAINERS and LICENSE files for doc
resync bootstrap

------------------------------------------------------------------------
r11871 | msalle | 2010-12-31 14:07:47 +0100 (Fri, 31 Dec 2010) | 3 lines
Changed paths:
   M /trunk/glexec/bootstrap
   M /trunk/lcmaps/bootstrap
   M /trunk/lcmaps-plugins-afs/bootstrap
   M /trunk/lcmaps-plugins-basic/bootstrap
   M /trunk/lcmaps-plugins-c-pep/bootstrap
   M /trunk/lcmaps-plugins-gums/bootstrap
   M /trunk/lcmaps-plugins-scas-client/bootstrap
   M /trunk/lcmaps-plugins-verify-proxy/bootstrap
   M /trunk/lcmaps-plugins-voms/bootstrap

Syncing all bootstrap files and removing reference to src/autogen which is no
longer used.

------------------------------------------------------------------------
r11847 | msalle | 2010-12-28 13:21:44 +0100 (Tue, 28 Dec 2010) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-afs/configure.ac
   M /trunk/lcmaps-plugins-basic/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-voms/configure.ac

Changing deprecated AM_CONFIG_HEADER to AC_CONFIG_HEADERS and move output to
src/ directory.

------------------------------------------------------------------------
r11810 | msalle | 2010-12-23 11:55:42 +0100 (Thu, 23 Dec 2010) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac

- remove FLAVOUR dependency: interface is now general.

------------------------------------------------------------------------
r11795 | msalle | 2010-12-22 16:00:53 +0100 (Wed, 22 Dec 2010) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac

Bail out when LCMAPS interface cannot be found

------------------------------------------------------------------------
r11780 | msalle | 2010-12-21 13:37:04 +0100 (Tue, 21 Dec 2010) | 6 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy
   M /trunk/lcmaps-plugins-verify-proxy/bootstrap
   D /trunk/lcmaps-plugins-verify-proxy/build.xml
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   D /trunk/lcmaps-plugins-verify-proxy/project/build.number
   D /trunk/lcmaps-plugins-verify-proxy/project/build.properties
   D /trunk/lcmaps-plugins-verify-proxy/project/configure.properties.xml
   A /trunk/lcmaps-plugins-verify-proxy/project/lcmaps.m4
   D /trunk/lcmaps-plugins-verify-proxy/project/properties.xml
   D /trunk/lcmaps-plugins-verify-proxy/project/version.properties
   D /trunk/lcmaps-plugins-verify-proxy/runautotools
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   D /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/gssapi_openssl.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.h

Fixing for EMI and cleanup:
- lcmaps.m4 macro to check for LCMAPS_CFLAGS.
- lcmaps headers 
- no glite dependency
- removal of unused files (in project/)

------------------------------------------------------------------------
r11590 | msalle | 2010-06-28 14:05:09 +0200 (Mon, 28 Jun 2010) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.c

Removing one my_timegm() definition as it is superfluous.

------------------------------------------------------------------------
r11589 | msalle | 2010-06-28 14:00:06 +0200 (Mon, 28 Jun 2010) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/grid-proxy-verify.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/verify_x509_utils.c

substituting timegm() for portable my_timegm()

------------------------------------------------------------------------
r11502 | okoeroo | 2010-03-31 16:01:39 +0200 (Wed, 31 Mar 2010) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/bootstrap
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties
   M /trunk/lcmaps-plugins-verify-proxy/runautotools
   M /trunk/lcmaps-plugins-voms/bootstrap
   M /trunk/lcmaps-plugins-voms/project/version.properties
   M /trunk/lcmaps-plugins-voms/runautotools

Bumped version and updated L & C

------------------------------------------------------------------------
r11449 | okoeroo | 2010-02-18 18:41:56 +0100 (Thu, 18 Feb 2010) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/grid-proxy-verify.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/grid-proxy-verify.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/gssapi_openssl.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/main.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/verify_x509_utils.c

Added licence

------------------------------------------------------------------------
r11435 | okoeroo | 2010-02-17 22:37:03 +0100 (Wed, 17 Feb 2010) | 13 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.h

Fixed the Proxy Life Time Policy enforcement functionality.
Fixed the VOMS Life Time Policy enforcement functionality.

Found by Jan Just Keijser at internal testing with the policies. It was broken due to the change over to the extended internal library that I created to better verify proxy certificates.

Resurrected an option with a different name:
--only-enforce-lifetime-checks

When this option is set the verification routines are skipped to enforce the proxy and/or VOMS lifetime policies only. This is interesting for GT4/5 tools like GridFTPd and the Gatekeeper as they already perform full authentication on the SSL layer. In gLExec this plug-in MUST run in full mode.


Bumped version to 1.4.7.

------------------------------------------------------------------------
r11296 | okoeroo | 2009-10-27 12:18:19 +0100 (Tue, 27 Oct 2009) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Now using X509_STORE_CTX_set_depth() without the hack.

Savannah bug #57642

------------------------------------------------------------------------
r11295 | okoeroo | 2009-10-26 21:05:34 +0100 (Mon, 26 Oct 2009) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.h

OpenSSL uses a default depth of 9 (don't ask why, it just is).

To cope with Subordinate CAs we have to extend the verification depth to be able to hold the certificate chain (could contain a lot of delegations) and all the CA certificates, which might not be added to the certificate chain itself but would still be lingering in the X509 CA directory lookup functions.

------------------------------------------------------------------------
r11205 | okoeroo | 2009-06-26 12:33:28 +0200 (Fri, 26 Jun 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.h

Perfecting the new versions log message cap.

------------------------------------------------------------------------
r11204 | okoeroo | 2009-06-26 12:00:03 +0200 (Fri, 26 Jun 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties

Bumping version

------------------------------------------------------------------------
r11203 | okoeroo | 2009-06-26 11:59:01 +0200 (Fri, 26 Jun 2009) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.c

Fixes made in the log function. This was discovered when the DN string exceeded the buffer length that would be written to the log.
This is now capped properly.

------------------------------------------------------------------------
r11201 | okoeroo | 2009-06-25 14:43:54 +0200 (Thu, 25 Jun 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/bootstrap
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties

Bumped version and added Mac OSX autotools support.

------------------------------------------------------------------------
r11200 | okoeroo | 2009-06-25 14:40:18 +0200 (Thu, 25 Jun 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Upgrading certificate chain depth limit to the depth of the certificate chain. This sounds pedantic, but the OpenSSL library seems to have a built-in limit of 9 certificates. This means that the verify-proxy will fail when having to check more than 9 certificates (including the CA, personal/service and proxies).

------------------------------------------------------------------------
r10956 | okoeroo | 2009-02-18 21:43:36 +0100 (Wed, 18 Feb 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/verify_x509_utils.c

Properly free'ing the certificate chain. (patch provided by Jan Just).

------------------------------------------------------------------------
r10912 | okoeroo | 2009-02-11 12:51:23 +0100 (Wed, 11 Feb 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/Makefile

Bumped version to reflect the change.

------------------------------------------------------------------------
r10911 | okoeroo | 2009-02-11 12:49:21 +0100 (Wed, 11 Feb 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Fixed the verification failure of limited proxies, delegated from a regular proxy on a CentOS-5 32bit or 64bit machine (openssl 0.9.8 and higher).

------------------------------------------------------------------------
r10873 | okoeroo | 2009-01-27 22:11:35 +0100 (Tue, 27 Jan 2009) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c

Rewritten generic verification library part to use vararg instead of void * juggling.
Although it worked perfectly, this is more flexible and the Good thing (tm) to do.

------------------------------------------------------------------------
r10872 | okoeroo | 2009-01-27 21:43:44 +0100 (Tue, 27 Jan 2009) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c

The default (no explicit setting) will demand the presence of a private key and it must match the certificate chain.
You can set the omission of the key by declaring the "--discard_private_key_absence". Glexec has the opportunity to provide an equivalent when its setting of "ommission_private_key" is set to yes in the glexec.conf file.

To counter this omission of the private key explicitly in all cases (no override possible), the "--never_discard_private_key_absence" option can be set to express this.

------------------------------------------------------------------------
r10871 | okoeroo | 2009-01-27 20:43:40 +0100 (Tue, 27 Jan 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c

Enabled the generic verify-lib to enforce the presence of the private key with the presented chain.

------------------------------------------------------------------------
r10870 | okoeroo | 2009-01-27 20:27:27 +0100 (Tue, 27 Jan 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h

Reviving omission of private key and enforcing of the presence of the private key in the presented chain.

------------------------------------------------------------------------
r10855 | okoeroo | 2009-01-21 10:34:42 +0100 (Wed, 21 Jan 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties

Another bump

------------------------------------------------------------------------
r10854 | okoeroo | 2009-01-21 10:33:28 +0100 (Wed, 21 Jan 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties

Bumping version

------------------------------------------------------------------------
r10853 | okoeroo | 2009-01-21 10:32:57 +0100 (Wed, 21 Jan 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Should fix the build issue on RHEL 5 systems (more strict gcc compiler rulings).

------------------------------------------------------------------------
r10845 | okoeroo | 2009-01-19 12:05:49 +0100 (Mon, 19 Jan 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac

Removing Globus and Grid site macros

------------------------------------------------------------------------
r10843 | okoeroo | 2009-01-19 11:29:33 +0100 (Mon, 19 Jan 2009) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/verify_x509_utils.c

New version of lcmaps-plugins-verify-proxy.

Does not require GridSite code anymore. This will allow for its utilization on more platforms than we can currently cope with (OSG/Privilege project request for CentOS5 based systems).

------------------------------------------------------------------------
r10840 | okoeroo | 2009-01-18 22:01:20 +0100 (Sun, 18 Jan 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.h

builds nicely

------------------------------------------------------------------------
r10839 | okoeroo | 2009-01-16 23:00:35 +0100 (Fri, 16 Jan 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Fixerony

------------------------------------------------------------------------
r10838 | okoeroo | 2009-01-16 18:56:19 +0100 (Fri, 16 Jan 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Making ready to use the new functions.

------------------------------------------------------------------------
r10836 | okoeroo | 2009-01-16 14:33:31 +0100 (Fri, 16 Jan 2009) | 2 lines
Changed paths:
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/Makefile
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509.h
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/main.c
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.h
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.c
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.h
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/verify_x509_utils.c

Adding new code

------------------------------------------------------------------------
r10835 | okoeroo | 2009-01-16 14:27:44 +0100 (Fri, 16 Jan 2009) | 2 lines
Changed paths:
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.c
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.h

Split the proxy lifetime check routines.

------------------------------------------------------------------------
r10834 | okoeroo | 2009-01-16 14:26:59 +0100 (Fri, 16 Jan 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Fixing verify proxy

------------------------------------------------------------------------
r10666 | okoeroo | 2008-09-18 10:04:46 +0200 (Thu, 18 Sep 2008) | 2 lines
Changed paths:
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/grid-proxy-verify.c
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/grid-proxy-verify.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Added new routines from Jan Just Keijser's test program.

------------------------------------------------------------------------
r10606 | okoeroo | 2008-09-03 16:03:23 +0200 (Wed, 03 Sep 2008) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties

Version bump

------------------------------------------------------------------------
r10605 | okoeroo | 2008-09-03 15:20:22 +0200 (Wed, 03 Sep 2008) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Solution to bug #40822: Changed the behaviour in the proxy certificate semantic checks.
According to the test, a limited proxy couldn't be followed by any proxy certificate. This is a false statement, because it may be followed by another limited proxy.

Also enforced now is the semantic correctness of the chain that a limited proxy may only be followed by limited proxies and not anything else.

------------------------------------------------------------------------
r10493 | okoeroo | 2008-06-12 09:25:13 +0200 (Thu, 12 Jun 2008) | 7 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Check if the process has set the option to allow discarding the private key verification.
The environment variable that provided this choice will be cleared. $VERIFY_PROXY_DISCARD_PRIVATE_KEY_ABSENCE

The new variable "--never_discard_private_key_absence" will mute the environment variable that can override the private key verification functionality. The environment variable that would allow for the discard of the check for the private key will be useless.

This is to be used in situations where the private key check is mandatory AND non-overridable.

------------------------------------------------------------------------
r10489 | okoeroo | 2008-06-11 15:47:47 +0200 (Wed, 11 Jun 2008) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Bumped version to a new minor version: 1.3.1.1

------------------------------------------------------------------------
r10488 | okoeroo | 2008-06-11 15:08:07 +0200 (Wed, 11 Jun 2008) | 17 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

New tag candidate

Features a new initialization parameter:
--discard_private_key_absence


The NEW default is to check and verify the now obligatory Private key from the PEM string. The PEM string is fetched from the LCMAPS framework (when provided).
If LCMAPS fails to provide that PEM string (maybe legitimate in LCG-CE gatekeeper or gridftpd scenarios), then the check is discarded.

The Private key must match with one of the certificates in the chain. If the Private key is not found in the PEM string, then this is an error condition.
This behavior can be overridden for the absence of the Private key. If the Private key is not provided and when the --discard_private_key_absence option is set, then only a warning message at level 5 ($LCMAPS_LOG_LEVEL=5) will be given.

In the case where the --discard_private_key_absence is set and when a Private key is present in the PEM string, then the check will proceed and the given Private key MUST match one of the certificates in the chain. So in either case when the --discard_private_key_absence is set or not, the Private key will be checked. Only its absence can be discarded when the --discard_private_key_absence option is set.


Other fixes include the prevention of segmentation faults.

------------------------------------------------------------------------
r10484 | okoeroo | 2008-06-10 16:29:29 +0200 (Tue, 10 Jun 2008) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Building in the private key check

------------------------------------------------------------------------
r10483 | okoeroo | 2008-06-10 10:26:59 +0200 (Tue, 10 Jun 2008) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Added lots of CFLAGS for GCC and fixed all issues regarding unused and uninitialized variables.

------------------------------------------------------------------------
r10480 | okoeroo | 2008-06-05 16:12:12 +0200 (Thu, 05 Jun 2008) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties

Version 1.2.9.1 solves bug #37303

------------------------------------------------------------------------
r10479 | okoeroo | 2008-06-05 16:10:20 +0200 (Thu, 05 Jun 2008) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

This works and seems to solve bug #37303.
Tested with a proxy chain (with and without VOMS) from Dennis which was signed by the PVier testbed CA.

gLExec's execution of LCMAPS failed on the verification of the chain. It succeeded on my proxy chain.

------------------------------------------------------------------------
r10478 | okoeroo | 2008-06-05 10:57:06 +0200 (Thu, 05 Jun 2008) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/runautotools
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Included the use of GridSite core to evaluate the certificate chain.
This should solve bug #37303 and the original #37304. The latter bug changed name and goal.

Besides testing the verification process the Private Key check is not performed yet.

------------------------------------------------------------------------
r10327 | okoeroo | 2007-08-27 16:03:32 +0200 (Mon, 27 Aug 2007) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties

Bumped age: No code change but needed to stay in sync for the next jump to LCMAPS 1.4.x

------------------------------------------------------------------------
r10284 | okoeroo | 2007-08-03 00:25:51 +0200 (Fri, 03 Aug 2007) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties

bump

------------------------------------------------------------------------
r10196 | venekamp | 2007-05-23 19:20:53 +0200 (Wed, 23 May 2007) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am

o  Update Makefile.am to make 32/64 bit build possible.

------------------------------------------------------------------------
r10169 | okoeroo | 2007-05-04 15:39:47 +0200 (Fri, 04 May 2007) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties

Bumped version

------------------------------------------------------------------------
r10168 | okoeroo | 2007-05-04 14:54:26 +0200 (Fri, 04 May 2007) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/runautotools
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Freeing too much stuff and updated the runautotools script for this component

------------------------------------------------------------------------
r10080 | okoeroo | 2006-12-19 16:28:43 +0100 (Tue, 19 Dec 2006) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties

Mistakenly I messed up a few tag numbers, but all is corrected again.

------------------------------------------------------------------------
r10076 | okoeroo | 2006-12-13 14:21:20 +0100 (Wed, 13 Dec 2006) | 14 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Finally just took the time to finish the VOMS LifeTime check in the LCMAPS verify_proxy plugin.


Example for the 'lcmaps.db' file:

verify_proxy = "lcmaps_verify_proxy.mod"
" -certdir /etc/grid-security/certificates"
" --max-proxy-level-ttl=0 12:05"
" --max-proxy-level-ttl=L 12:05"
" --max-proxy-level-ttl=1 12:00"
" --max-voms-ttl 11:00"

The last line is the new feature. Also using the 2d-11:00 format (2 days and 11 hours) to set the maximum lifetime.

------------------------------------------------------------------------
r10056 | okoeroo | 2006-11-30 11:18:17 +0100 (Thu, 30 Nov 2006) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am

Includes the CFLAGS fix for etics, plus bumped version to 1.2.3


note: mind the $(libdir)

------------------------------------------------------------------------
r10012 | okoeroo | 2006-10-24 13:28:20 +0200 (Tue, 24 Oct 2006) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

checked and updated a few messages.

------------------------------------------------------------------------
r9984 | okoeroo | 2006-10-16 14:40:39 +0200 (Mon, 16 Oct 2006) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

getting closer and closer on finally implementing VOMS LifeTime restrictions

------------------------------------------------------------------------
r9922 | okoeroo | 2006-08-31 14:17:32 +0200 (Thu, 31 Aug 2006) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

The lcmaps_vomsdata_t is not needed to function successfully.
When VOMS credentials pass through, then the VOMS credentials need to be evaluated, otherwise it shouldn't be the show stopper

------------------------------------------------------------------------
r9898 | okoeroo | 2006-08-18 15:13:07 +0200 (Fri, 18 Aug 2006) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

VOMS lifetime support initiation finished, need to implement the functions that parse the date strings and figure out what to do next.

------------------------------------------------------------------------
r9895 | okoeroo | 2006-08-17 10:59:31 +0200 (Thu, 17 Aug 2006) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Altered the lcmaps_voms_t to lcmaps_vomsdata_t as the main non-dependent VOMS data structure for internal use.

Basically a remake of the existing structure, but now in our own code.
Which creates a more detailed structure of all known VOMS values from the proxy.

------------------------------------------------------------------------
r9831 | okoeroo | 2006-05-12 12:01:51 +0200 (Fri, 12 May 2006) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties

Bumped version to 1.2.2 to sync with the tagname

------------------------------------------------------------------------
r9826 | okoeroo | 2006-05-12 11:39:00 +0200 (Fri, 12 May 2006) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Solved the initialization problem of the multiple proxy level max TTLs

------------------------------------------------------------------------
r9821 | okoeroo | 2006-05-08 12:40:22 +0200 (Mon, 08 May 2006) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Fixed the proxy life time per proxy level (in the cert chain).
It works successfully and the code is more efficient than before.

------------------------------------------------------------------------
r9818 | okoeroo | 2006-05-02 16:11:30 +0200 (Tue, 02 May 2006) | 9 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Changed the #define LCMAPS_USE_GSI to #define LCMAPS_VERIFY_USE_GSI to indicate a difference between the one in the framework and this define.
It is defaulted to #undef

This will let the plugin be compiled without GSI and only with X.509. This works when using the glexec.
This is tested and successful.

Yet to come:
   ...is to run in default X.509 mode but also (when compiled with GSI) being able to hot-switch to grab a gss_cred_t which needs to be translated to X.509. Only done in absence of an X.509 chain AND compiled with GSI libs.

------------------------------------------------------------------------
r9791 | okoeroo | 2006-03-31 15:34:54 +0200 (Fri, 31 Mar 2006) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties

Bumped version accordingly to 1.2.0

------------------------------------------------------------------------
r9790 | okoeroo | 2006-03-31 15:32:39 +0200 (Fri, 31 Mar 2006) | 14 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

All parameters are now case insensitive for this plugin:
Like:
-certdir <example: /etc/grid-security/certificates>
   certificates and crls dir

--only-post-verify-checks (synonymous to --only-post-verify)
   perform only the post verification checks, like validation checks throughout the cert-chain proxy DN naming policies, and the proxy-lifetime checks

--allow-limited-proxy
   Will not fail the plugin because the last proxy in the chain is a limited proxy; thou shouldn't use a limited proxy to do user mapping (and sudo actions)

--max-proxy-level-ttl=<level> <time-length; example: 2d-13:37>
   Sets a maximum lifetime for proxy certificate level <level> where <level> can be 0-9 or 'l' or 'L' to indicate a Leaf proxy (last proxy in the chain)

------------------------------------------------------------------------
r9789 | okoeroo | 2006-03-31 14:58:12 +0200 (Fri, 31 Mar 2006) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Performed:
- Code clean up
- change in init parameter '-pttl'; it is now '--max-proxy-level-ttl=' where it expects a value of 0-9 or 'l' or 'L'. The L stands for Leaf proxy (the last one in the chain).
- More efficient code, less expensive operations

------------------------------------------------------------------------
r9532 | okoeroo | 2006-02-27 14:17:22 +0100 (Mon, 27 Feb 2006) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Changing the default runarg for a certificate stack from GSI to STACK_OF(X509) to work correctly with glexec

Note: This could give problems when used in a GSI frontended setup like the gatekeeper if
the LCMAPS framework is not supplying the STACK_OF(X509)

------------------------------------------------------------------------
r9364 | msteenba | 2006-02-16 14:20:12 +0100 (Thu, 16 Feb 2006) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties

version 1.1.0
- proxy lifetime check per proxy depth
- optional certificate chain verification

------------------------------------------------------------------------
r9275 | okoeroo | 2006-02-10 16:44:50 +0100 (Fri, 10 Feb 2006) | 9 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Implemented the checks which belong to the [-pttl<level>|-pTTL<level>] <time length>

Where <level> can be one of the following characters [0-9lL] and the 'lL' part refers to the Leaf proxy.
Which is the proxy that is the last one in the chain and will be interesting to treat with special care.

<time length> is still in the format 2d-13:37 where a minimum is set on five characters like 13:37

It still needs testing!

------------------------------------------------------------------------
r9219 | okoeroo | 2006-02-09 01:13:28 +0100 (Thu, 09 Feb 2006) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

I'm going to fail the procedure when an unspecified proxylevel is evaluated (for the moment).
At least until the plugin will understand the notion of a LEAF Proxy.
A LEAF Proxy (or just leaf) is the last and final proxy in a chain, which is usually the most interesting to evaluate at the moment.

------------------------------------------------------------------------
r9203 | okoeroo | 2006-02-07 16:56:12 +0100 (Tue, 07 Feb 2006) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Added separate function to test proxy lifetime as wished
Added extra time conversion function

------------------------------------------------------------------------
r9099 | okoeroo | 2006-02-02 03:16:51 +0100 (Thu, 02 Feb 2006) | 9 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Written the ability to do the multi-level proxy checks, which I still
need to write.

The possible options are:
-certdir <CA cert dir> || -CERTDIR <CA cert dir>
--only-post-verify-checks || --only-post-verify
--allow-limited-proxy || --ALLOW-LIMITED-PROXY || --allow-limited-proxy || -ALLOW-LIMITED-PROXY || -ALLOW-LIMITED-PROXY
-pttl[0-9] 2d-13:37  || -pTTL[0-9] 2d-13:37

------------------------------------------------------------------------
r8711 | okoeroo | 2006-01-04 15:04:29 +0100 (Wed, 04 Jan 2006) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Fixed two memory leaks and changed one procedure in a more lightweight fashion.

Like: using sk_X509_pop_free (dupChain, X509_free) on a duplicated stack, using a buffer when wanting to use a string for logging purposes instead of 2 conversion procedures.
and cleaning two used strings at the right moment.

------------------------------------------------------------------------
r8109 | okoeroo | 2005-12-22 17:52:38 +0100 (Thu, 22 Dec 2005) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Built in new option: "-check-proxy-max-ttl 10d-12:37"
This will check if a proxy in the chain exceeds the maximum lifetime.
This check needs to be refined to only affect the leaf proxy of the chain.
But... it works :D

------------------------------------------------------------------------
r8037 | msteenba | 2005-12-20 16:05:50 +0100 (Tue, 20 Dec 2005) | 2 lines
Changed paths:
   M /trunk/lcas/src/lcas.c
   M /trunk/lcas-plugins-voms/src/voms/Makefile.am
   M /trunk/lcmaps/src/Makefile.am
   M /trunk/lcmaps/src/pluginmanager/lcmaps_pluginmanager.c
   M /trunk/lcmaps/src/test/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-voms/src/voms/Makefile.am

use libvomsapi instead of libvomsc (for voms > 1.6.0)

------------------------------------------------------------------------
r7769 | okoeroo | 2005-12-08 18:47:55 +0100 (Thu, 08 Dec 2005) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Discovered a small flaw in the code prior to implementing Proxy Life Time checking... Stay tuned :-)

------------------------------------------------------------------------
r7752 | msteenba | 2005-12-07 10:07:40 +0100 (Wed, 07 Dec 2005) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

- fixed argument parsing bug
- corrected cpp statement
- corrected log string

------------------------------------------------------------------------
r7736 | okoeroo | 2005-12-06 09:18:56 +0100 (Tue, 06 Dec 2005) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

The changes involve a new parameter to be set called "-allow-limited-proxy"
By default limited proxies will be rejected!
This can be overridden by passing this new option to the plugin as init value

------------------------------------------------------------------------
r7525 | msteenba | 2005-11-23 18:53:47 +0100 (Wed, 23 Nov 2005) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

- switch off gsi-mode
- initialized several variables
- Check if CA certificates directory is set

------------------------------------------------------------------------
r7509 | msteenba | 2005-11-23 14:27:18 +0100 (Wed, 23 Nov 2005) | 2 lines
Changed paths:
   M /trunk/lcmaps/configure.ac
   M /trunk/lcmaps/project/version.properties
   M /trunk/lcmaps-interface/configure.ac
   M /trunk/lcmaps-interface/project/version.properties
   M /trunk/lcmaps-plugins-afs/configure.ac
   M /trunk/lcmaps-plugins-afs/project/version.properties
   M /trunk/lcmaps-plugins-basic/configure.ac
   M /trunk/lcmaps-plugins-basic/project/version.properties
   M /trunk/lcmaps-plugins-jobrep/configure.ac
   M /trunk/lcmaps-plugins-jobrep/project/version.properties
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties
   M /trunk/lcmaps-plugins-voms/configure.ac
   M /trunk/lcmaps-plugins-voms/project/version.properties

updated version

------------------------------------------------------------------------
r7420 | okoeroo | 2005-11-18 14:38:28 +0100 (Fri, 18 Nov 2005) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

A pretty very good working version.
It validates my testing proxy very well. I need to test it with GL-Exec.
The validation of the user certificate and the parsing of the proxies is done now.
No VOMS extensions are verified.

------------------------------------------------------------------------
r7360 | okoeroo | 2005-11-14 16:47:28 +0100 (Mon, 14 Nov 2005) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Gathering the certificate in another way ... so that I can cope with subordinate CAs (if they have their certificates installed on the host)
Checks within a proxy need to be done yet.... this is a successful CRL check (I hope ...)
Needs to be tested though ... with glexec

------------------------------------------------------------------------
r7316 | okoeroo | 2005-11-11 16:17:00 +0100 (Fri, 11 Nov 2005) | 6 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

First certificate verify executed correctly. Not the chain yet, just the certificate against the CRLs and CAs.
Need to build:
- all the checks needed to verify a proxy
- need to verify the CA cert itself
- need to verify VOMS extensions

------------------------------------------------------------------------
r7260 | okoeroo | 2005-11-09 00:35:33 +0100 (Wed, 09 Nov 2005) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

This version has the untested but building version of the verify proxy module
which doesn't need any Globus stuff anymore, because we can extract/(re)create
from the LCMAPS framework and each module can get a stackof(x509) or just the x509.
It is cool to be working at a very low level without all these dependencies.

------------------------------------------------------------------------
r7257 | okoeroo | 2005-11-08 16:24:40 +0100 (Tue, 08 Nov 2005) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

changed a lot of stuff, mainly pulling out the jobrep stuff and adding the needed stuff to verify a proxy
ow ... and it builds

------------------------------------------------------------------------
r7200 | okoeroo | 2005-11-04 16:52:16 +0100 (Fri, 04 Nov 2005) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/build.xml
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   D /trunk/lcmaps-plugins-verify-proxy/org.glite.subsystem_template.component_template
   M /trunk/lcmaps-plugins-verify-proxy/project/configure.properties.xml
   M /trunk/lcmaps-plugins-verify-proxy/project/properties.xml
   M /trunk/lcmaps-plugins-verify-proxy/src/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/gssapi_openssl.h

Why do I need this?

------------------------------------------------------------------------
r7199 | okoeroo | 2005-11-04 16:38:29 +0100 (Fri, 04 Nov 2005) | 2 lines
Changed paths:
   A /trunk/lcmaps-plugins-verify-proxy
   A /trunk/lcmaps-plugins-verify-proxy/Doxyfile
   A /trunk/lcmaps-plugins-verify-proxy/LICENSE
   A /trunk/lcmaps-plugins-verify-proxy/Makefile.am
   A /trunk/lcmaps-plugins-verify-proxy/bootstrap
   A /trunk/lcmaps-plugins-verify-proxy/build.xml
   A /trunk/lcmaps-plugins-verify-proxy/configure.ac
   A /trunk/lcmaps-plugins-verify-proxy/org.glite.subsystem_template.component_template
   A /trunk/lcmaps-plugins-verify-proxy/org.glite.subsystem_template.component_template/LICENSE
   A /trunk/lcmaps-plugins-verify-proxy/org.glite.subsystem_template.component_template/build.xml
   A /trunk/lcmaps-plugins-verify-proxy/org.glite.subsystem_template.component_template/project
   A /trunk/lcmaps-plugins-verify-proxy/org.glite.subsystem_template.component_template/project/build.number
   A /trunk/lcmaps-plugins-verify-proxy/org.glite.subsystem_template.component_template/project/build.properties
   A /trunk/lcmaps-plugins-verify-proxy/org.glite.subsystem_template.component_template/project/configure.properties.xml
   A /trunk/lcmaps-plugins-verify-proxy/org.glite.subsystem_template.component_template/project/properties.xml
   A /trunk/lcmaps-plugins-verify-proxy/org.glite.subsystem_template.component_template/project/version.properties
   A /trunk/lcmaps-plugins-verify-proxy/project
   A /trunk/lcmaps-plugins-verify-proxy/project/build.number
   A /trunk/lcmaps-plugins-verify-proxy/project/build.properties
   A /trunk/lcmaps-plugins-verify-proxy/project/configure.properties.xml
   A /trunk/lcmaps-plugins-verify-proxy/project/properties.xml
   A /trunk/lcmaps-plugins-verify-proxy/project/version.properties
   A /trunk/lcmaps-plugins-verify-proxy/runautotools
   A /trunk/lcmaps-plugins-verify-proxy/src
   A /trunk/lcmaps-plugins-verify-proxy/src/Makefile.am
   A /trunk/lcmaps-plugins-verify-proxy/src/lcmaps_config.h.in
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/gssapi_openssl.h
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

New plugin to the LCMAPS framework that will verify a certificate chain

------------------------------------------------------------------------
