Re: Including custom X.509 extension upon proxy renewal
Christopher Kunz <kunz@rvs.uni-hannover.de> wrote:
> However, back to the topic at hand: My current problems are twofold:
> 1) I cannot find the routines that take the client's CSR and sign it. I
> am assuming that
> int
> ssl_proxy_delegation_init(SSL_CREDENTIALS **new_creds,
>                           unsigned char **buffer,
>                           int *buffer_length,
>                           int requested_bits,
>                           void (*callback)(int,int,void *))
> in ssl_utils.c is what I'm looking for, is that correct?
Yes: ssl_proxy_delegation_init(), ssl_proxy_delegation_sign(), and
ssl_proxy_delegation_finalize().
> 2) I need some way to retrieve the current proxy chain into a STACK or
> something, so I can iterate through it and extract the policy for inclusion in
> the new credentials. I am assuming that the chain must be present in the context
> of the MyProxy server since it is used for Globus GSSAPI authentication and to
> prove that the renewing party is actually authorized for renewal. But how can I
> retrieve it?
VOMS (https://twiki.cnaf.infn.it/cgi-bin/twiki/view/VOMS/WebSoftware)
has a decouple_ctx() function that finds the certificate chain in the
gss_ctx_id_t object.
-Jim