Bug #3210

Factory uses wrong DN in consideration when calculating proxy hash

Added by Igor Sfiligoi almost 8 years ago. Updated over 7 years ago.

Status: Closed
Priority: High
Assignee:
Category: Factory
Target version:
Start date: 12/26/2012
Due date:
% Done: 0%
Estimated time:
First Occurred:
Occurs In:
Stakeholders:
Duration:

Description

If the FE passes a VOMS-less proxy to the factory, the hash algorithm uses the wrong DN to calculate the hash used to store the proxy.

The problem is the /CN=XXX extension, see below.

[1719] root@gfactory-1 /home/gfactory/glideinsubmit/glidein_v1_0/client_proxies/user_fecms/entry_CMS_T2_US_UCSD_gw2# voms-proxy-info -all -file 'x509_CMS_T2_US_UCSD_gw2@v1_0@SDSC@UCSD.minus,v5_4.dot,main_umrw_7_489451.proxy'
subject : /DC=org/DC=doegrids/OU=Services/CN=uscmspilot48/glidein-1.t2.ucsd.edu/CN=407554382
issuer : /DC=org/DC=doegrids/OU=Services/CN=uscmspilot48/glidein-1.t2.ucsd.edu
identity : /DC=org/DC=doegrids/OU=Services/CN=uscmspilot48/glidein-1.t2.ucsd.edu
type : RFC compliant proxy
strength : 512 bits
path : x509_CMS_T2_US_UCSD_gw2@v1_0@SDSC@UCSD.minus,v5_4.dot,main_umrw_7_489451.proxy
timeleft : 40:11:33
key usage : Digital Signature, Key Encipherment
[1719] root@gfactory-1 /home/gfactory/glideinsubmit/glidein_v1_0/client_proxies/user_fecms/entry_CMS_T2_US_UCSD_gw2# voms-proxy-info -all -file 'x509_CMS_T2_US_UCSD_gw2@v1_0@SDSC@UCSD.minus,v5_4.dot,main_umrw_7_846561.proxy'
subject : /DC=org/DC=doegrids/OU=Services/CN=uscmspilot48/glidein-1.t2.ucsd.edu/CN=711234596
issuer : /DC=org/DC=doegrids/OU=Services/CN=uscmspilot48/glidein-1.t2.ucsd.edu
identity : /DC=org/DC=doegrids/OU=Services/CN=uscmspilot48/glidein-1.t2.ucsd.edu
type : RFC compliant proxy
strength : 512 bits
path : x509_CMS_T2_US_UCSD_gw2@v1_0@SDSC@UCSD.minus,v5_4.dot,main_umrw_7_846561.proxy
timeleft : 46:11:19
key usage : Digital Signature, Key Encipherment
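
The effect described above, as an added example that is not part of the original ticket or the GlideinWMS code: two delegations of the same credential hash differently on the raw subject, and identically once the trailing proxy CN is stripped. It assumes the intended key is the identity DN reported by voms-proxy-info; `identity_dn`, `proxy_key` and the use of SHA-256 are hypothetical stand-ins, since the factory's actual hash function is not shown on this page (the merged fix parses the subject with M2Crypto rather than with string handling).

```python
import hashlib
import re

# Trailing RDNs appended by proxy delegation: RFC 3820 proxies add a numeric
# CN (as in the output above); legacy Globus proxies add "proxy"/"limited proxy".
_PROXY_RDN = re.compile(r"/CN=(?:\d+|proxy|limited proxy)$")


def identity_dn(subject):
    """Strip every trailing proxy CN so delegated proxies map to one identity.

    Works on the whole string instead of splitting on "/", because the
    CN value itself may contain "/" (CN=uscmspilot48/glidein-1.t2.ucsd.edu).
    Assumption: the end-entity certificate's own CN is not purely numeric.
    """
    dn = subject.strip()
    while True:
        stripped = _PROXY_RDN.sub("", dn)
        if stripped == dn:
            return dn
        dn = stripped


def proxy_key(dn):
    """Illustrative storage key; SHA-256 is a stand-in for the factory's hash."""
    return hashlib.sha256(dn.encode("utf-8")).hexdigest()[:16]


# Subjects copied from the two voms-proxy-info runs in the description.
BASE = "/DC=org/DC=doegrids/OU=Services/CN=uscmspilot48/glidein-1.t2.ucsd.edu"
SUBJECT_A = BASE + "/CN=407554382"
SUBJECT_B = BASE + "/CN=711234596"


def compare():
    """Return (keys differ on raw subject, keys match on identity DN)."""
    raw_differs = proxy_key(SUBJECT_A) != proxy_key(SUBJECT_B)
    fixed_matches = (proxy_key(identity_dn(SUBJECT_A))
                     == proxy_key(identity_dn(SUBJECT_B)))
    return raw_differs, fixed_matches


if __name__ == "__main__":
    print(compare())
    print(identity_dn(SUBJECT_A))
```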

History

#1 Updated by Burt Holzman almost 8 years ago

  • Status changed from New to Feedback

Just grabbed glidecondor_addDN's implementation using M2Crypto for DN extraction, any problem with that? Doug will review.

#2 Updated by Douglas Strain almost 8 years ago

  • Assignee changed from Douglas Strain to Burt Holzman

Yes, this looks fine to merge. FYI, commit numbers are below:

commit:27a8b7a14b83a5a94b4a72d5708f6c5300416b3d Added missing import
commit:f59a24433e85a53f20538ef906a14b61199d1c45 Use M2Crypto to parse proxy subject

Doug Strain

#3 Updated by Burt Holzman almost 8 years ago

  • Status changed from Feedback to Resolved

Merged. Not cherry-picked to master, since master does not hash the DN (or VOMS) in the filename.

#4 Updated by Parag Mhashilkar almost 8 years ago

  • Target version changed from v2_7_x to 293

#5 Updated by Parag Mhashilkar over 7 years ago

  • Target version changed from 293 to v2_7

#6 Updated by Parag Mhashilkar over 7 years ago

  • Status changed from Resolved to Closed
