ARC SDK
Arc::VOMSTrustList Class Reference

Stores the definitions used to decide whether a VOMS server is trusted.

#include <VOMSUtil.h>

Public Member Functions

 VOMSTrustList (const std::vector< std::string > &encoded_list)
 
 VOMSTrustList (const std::vector< VOMSTrustChain > &chains, const std::vector< VOMSTrustRegex > &regexs)
 
VOMSTrustChain & AddChain (const VOMSTrustChain &chain)
 
VOMSTrustChain & AddChain (void)
 
void AddElement (const std::vector< std::string > &encoded_list)
 
RegularExpression & AddRegex (const VOMSTrustRegex &reg)
 
int SizeChains (void) const
 
int SizeRegexs (void) const
 
const VOMSTrustChain & GetChain (int num) const
 
const RegularExpression & GetRegex (int num) const
 

Detailed Description

Stores the definitions used to decide whether a VOMS server is trusted.

Constructor & Destructor Documentation

◆ VOMSTrustList() [1/2]

Arc::VOMSTrustList::VOMSTrustList ( const std::vector< std::string > &  encoded_list)

Creates chain lists and regexps from a plain list. The list is made of chunks delimited by elements containing the pattern "NEXT CHAIN". Each chunk with more than one element is converted into one instance of VOMSTrustChain. A chunk with a single element is converted to a VOMSTrustChain if the element does not contain special symbols; otherwise it is treated as a regular expression. Those symbols are '^', '$' and '*'.

Trusted chains can be configured in two ways. One way is:

    <tls:VOMSCertTrustDNChain>
      <tls:VOMSCertTrustDN>/O=Grid/O=NorduGrid/CN=host/arthur.hep.lu.se</tls:VOMSCertTrustDN>
      <tls:VOMSCertTrustDN>/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority</tls:VOMSCertTrustDN>
      <tls:VOMSCertTrustDN>----NEXT CHAIN---</tls:VOMSCertTrustDN>
      <tls:VOMSCertTrustDN>/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch</tls:VOMSCertTrustDN>
      <tls:VOMSCertTrustDN>/DC=ch/DC=cern/CN=CERN Trusted Certification Authority</tls:VOMSCertTrustDN>
    </tls:VOMSCertTrustDNChain>

The other way is:

    <tls:VOMSCertTrustDNChain>
      <tls:VOMSCertTrustDN>/O=Grid/O=NorduGrid/CN=host/arthur.hep.lu.se</tls:VOMSCertTrustDN>
      <tls:VOMSCertTrustDN>/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority</tls:VOMSCertTrustDN>
    </tls:VOMSCertTrustDNChain>
    <tls:VOMSCertTrustDNChain>
      <tls:VOMSCertTrustDN>/DC=ch/DC=cern/OU=computers/CN=voms.cern.ch</tls:VOMSCertTrustDN>
      <tls:VOMSCertTrustDN>/DC=ch/DC=cern/CN=CERN Trusted Certification Authority</tls:VOMSCertTrustDN>
    </tls:VOMSCertTrustDNChain>

Each chunk is supposed to contain the sequence of DNs of a trusted certificate chain, in which the first DN is the DN of the certificate (cert0) used to sign the Attribute Certificate (AC), and the second DN is the DN of the issuer certificate (cert1) used to sign cert0. So if there are one or more intermediate issuers, there should be 3 or more DNs in this chunk (cert0 and the root certificate, plus the intermediate certificates).

◆ VOMSTrustList() [2/2]

Arc::VOMSTrustList::VOMSTrustList ( const std::vector< VOMSTrustChain > &  chains,
const std::vector< VOMSTrustRegex > &  regexs 
)

Creates chain lists and regexps from those specified in arguments. See AddChain() and AddRegex() for more information.

Member Function Documentation

◆ AddChain() [1/2]

VOMSTrustChain& Arc::VOMSTrustList::AddChain ( const VOMSTrustChain &  chain)

Adds a chain of trusted DNs to the list. During verification each signature of an AC is checked against all stored chains. The DNs of the certificate chain used for signing the AC are compared one by one against the DNs stored in these chains. If needed, the DN of the issuer of the last certificate is checked too. The comparison succeeds if the DNs in at least one stored chain are the same as those in the certificate chain. The comparison stops when all DNs in the stored chain have been compared. If there are more DNs in the stored chain than in the certificate chain, the comparison fails. An empty stored list matches any certificate chain. Taking into account that certificate chains are verified down to a trusted CA anyway, having more than one DN in a stored chain seems to be useless, but such a feature may be found useful by some very strict sysadmins. ??? IMO, the DN list here is not only for authentication, it is also a kind of ACL, which means the AC consumer only trusts those DNs which issue ACs.
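The following is an added, self-contained model (not ARC SDK code) of the two behaviours documented above: splitting an encoded list into DN chains and regular expressions as the first constructor does, and the DN-by-DN chain comparison described for AddChain(). DNs are represented as plain strings, and the rule that a signer passes if either any chain or any regex matches is an assumption of this example, as is the constructed sample list.

```cpp
// Added example (not ARC SDK code): the encoded-list parsing and DN-chain
// matching described for VOMSTrustList and AddChain(), with DNs as strings.
#include <regex>
#include <string>
#include <vector>
struct TrustList {
    std::vector<std::vector<std::string>> chains;  // cert0 DN, issuer DN, ...
    std::vector<std::string> regexs;               // matched against cert0 DN
};
// Split at elements containing "NEXT CHAIN"; a single-element chunk with
// '^', '$' or '*' becomes a regular expression, anything else a chain.
TrustList ParseEncodedList(const std::vector<std::string>& encoded) {
    TrustList tl;
    std::vector<std::string> chunk;
    auto flush = [&]() {
        if (chunk.size() == 1 && chunk[0].find_first_of("^$*") != std::string::npos)
            tl.regexs.push_back(chunk[0]);
        else if (!chunk.empty())
            tl.chains.push_back(chunk);
        chunk.clear();
    };
    for (const std::string& e : encoded)
        if (e.find("NEXT CHAIN") != std::string::npos) flush(); else chunk.push_back(e);
    flush();
    return tl;
}
// DNs are compared one by one up to the end of the stored chain; a stored chain
// longer than the certificate chain fails and an empty stored chain matches all.
bool ChainMatches(const std::vector<std::string>& stored, const std::vector<std::string>& cert) {
    if (stored.size() > cert.size()) return false;
    for (size_t i = 0; i < stored.size(); ++i)
        if (stored[i] != cert[i]) return false;
    return true;
}
// Assumed here: the AC signer is trusted if any stored chain matches, or if the
// signing-certificate DN (cert[0]) matches any stored regular expression.
bool IsTrusted(const TrustList& tl, const std::vector<std::string>& cert) {
    for (const auto& c : tl.chains)
        if (ChainMatches(c, cert)) return true;
    for (const auto& r : tl.regexs)
        if (!cert.empty() && std::regex_match(cert[0], std::regex(r))) return true;
    return false;
}
// Constructed sample: the page's NorduGrid chain plus a regex for CERN hosts.
TrustList ExampleList() {
    return ParseEncodedList({"/O=Grid/O=NorduGrid/CN=host/arthur.hep.lu.se",
                             "/O=Grid/O=NorduGrid/CN=NorduGrid Certification Authority",
                             "----NEXT CHAIN---", "^/DC=ch/DC=cern/OU=computers/CN=.*$"});
}
```

Note that a certificate chain shorter than a stored chain is rejected even when its leading DNs agree, which is the failure mode the documentation above calls out.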

◆ AddChain() [2/2]

VOMSTrustChain& Arc::VOMSTrustList::AddChain ( void  )

Adds an empty chain of trusted DNs to the list.

◆ AddRegex()

RegularExpression& Arc::VOMSTrustList::AddRegex ( const VOMSTrustRegex &  reg)

Adds a regular expression to the list. During verification each signature of an AC is checked against all stored regular expressions. The DN of the signing certificate must match at least one of them.

