Bug 5715 - inconsistent proxy certificate chain
Status: RESOLVED FIXED
Product: GridShib
Component: SAML/Binding Tools
Version: 0.3
Platform: All All
Importance: P3 normal
Target Milestone: beta
Dependencies (depends on / blocks): 5748 5764
Reported: 2007-12-10 14:46
Modified: 2008-04-25 21:12

Description From 2007-12-10 14:46:49
Mats Rynge (RENCI) has discovered that the SAML Tools *always* issue an RFC
proxy, even if the signing credential is a non-RFC proxy credential.  In the
following example, the signing credential is a legacy proxy:

Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number: 582570 (0x8e3aa)
       Signature Algorithm: md5WithRSAEncryption
       Issuer: O=RENCI, OU=Globus, OU=renci.org, CN=Mats Rynge, CN=proxy
       Validity
           Not Before: Dec  6 18:58:09 2007 GMT
           Not After : Dec  6 20:03:11 2007 GMT
       Subject: O=RENCI, OU=Globus, OU=renci.org, CN=Mats Rynge, CN=proxy,
CN=1301098243
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
           RSA Public Key: (512 bit)
               Modulus (512 bit):
                   00:91:57:25:60:5f:18:93:68:6a:28:92:a0:5a:97:
                   c9:ee:27:4a:e6:8a:d9:3f:3e:a3:f6:bf:e2:c0:c1:
                   cb:1c:8b:6e:71:ab:9a:fe:93:2a:75:74:5c:c5:56:
                   bb:cd:4f:4c:29:73:c8:96:10:bb:7d:83:03:37:51:
                   df:03:90:6f:2d
               Exponent: 65537 (0x10001)
       X509v3 extensions:
           Proxy Certificate Info Extension: critical
               Proxy Policy:
                   Policy Language: GSI impersonation proxy
                   Policy: EMPTY

           1.3.6.1.4.1.3536.1.1.1.10:
               <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
AssertionID="_4afe1309a616c6bb48607de20296f697"
IssueInstant="2007-12-06T19:03:09.186Z"
Issuer="https://gridshib.example.org/idp" MajorVersion="1"
MinorVersion="1"><AuthenticationStatement
AuthenticationInstant="2007-12-06T19:03:09.186Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><Subject><NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">mrynge</NameIdentifier></Subject><SubjectLocality
IPAddress="127.0.0.1"></SubjectLocality></AuthenticationStatement><AttributeStatement><Subject><NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">mrynge</NameIdentifier></Subject><Attribute
AttributeName="urn:mace:dir:attribute-def:mail"
AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue
xsi:type="xsd:normalizedString">rynge@renci.org</AttributeValue></Attribute></AttributeStatement></Assertion>
   Signature Algorithm: md5WithRSAEncryption
       89:a0:7c:1f:b0:36:09:a2:af:f0:75:88:bc:cc:18:be:10:3c:
       4e:7d:1c:65:90:a5:ca:69:23:e0:b7:a0:f3:7c:39:88:80:e9:
       8b:3c:8b:17:31:d1:30:e8:0e:b7:32:17:cc:70:a5:81:8a:68:
       c5:e5:d5:4f:78:b4:f8:cc:18:6e
------- Comment #1 From 2007-12-10 16:55:05 -------
We had a similar problem with MyProxy a while ago.  It may be helpful to see
how we solved it:

  http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=1446
------- Comment #2 From 2007-12-26 11:46:23 -------
Implemented a test app for this bug:

http://dev.globus.org/images/9/92/Bug5715Test.java

Note that setting the proxyType to GSIConstants.DELEGATION_FULL works in all
cases except the case where the issuing credential is an EEC.  In that case,
the proxy type must be set to GSIConstants.GSI_4_IMPERSONATION_PROXY
explicitly.  I've reported this as Bug 5750.
------- Comment #3 From 2007-12-26 11:52:01 -------
Switched to GSIConstants.DELEGATION_FULL in the GSIUtil.createCredential
method.

Implemented this workaround for Bug 5750:

/* The following block of code works around a Globus bug:
 *
 * http://bugzilla.globus.org/bugzilla/show_bug.cgi?id=5750
 *
 * If the issuing credential is an EEC, force the proxy to
 * be an RFC proxy.
 *
 * Types used: java.security.cert.X509Certificate,
 * java.security.cert.CertificateException, org.globus.gsi.CertUtil,
 * org.globus.gsi.GSIConstants, org.globus.gsi.GlobusCredentialException,
 * org.globus.gsi.bc.BouncyCastleUtil.  `credential` (the signing
 * GlobusCredential) and `proxyType` (initially DELEGATION_FULL) belong
 * to the enclosing GSIUtil.createCredential method.
 */
// chain[0] is the leaf certificate, i.e. the one that will sign the new proxy
X509Certificate issuerCert = credential.getCertificateChain()[0];
try {
    int type = BouncyCastleUtil.getCertificateType(issuerCert);
    // Not a GSI2 (legacy), GSI3 (pre-RFC) or GSI4 (RFC 3820) proxy:
    // the issuer is an EEC, so DELEGATION_FULL has no type to copy.
    if (!CertUtil.isGsi4Proxy(type) &&
        !CertUtil.isGsi3Proxy(type) &&
        !CertUtil.isGsi2Proxy(type)) {
        proxyType = GSIConstants.GSI_4_IMPERSONATION_PROXY;
    }
} catch (CertificateException e) {
    int errorCode = GlobusCredentialException.SEC_ERROR;
    throw new GlobusCredentialException(errorCode, "secError00", e);
}

This patch will appear in GS-ST 0.3.0.
------- Comment #4 From 2008-01-03 18:49:05 -------
This bug will remain open until more testing is done.
------- Comment #5 From 2008-02-03 10:48:31 -------
Possible test scenarios:

1. Issue a level 1 proxy
2. Issue a level 2 proxy
2a. Level 1 proxy is a legacy proxy
2b. Level 1 proxy is a pre-RFC proxy
2c. Level 1 proxy is a RFC proxy
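The type-inference rule from Comment #3 (DELEGATION_FULL copies the issuing proxy's type, and an RFC proxy is forced when the issuer is an EEC) and the test matrix from Comment #5, worked through as an added Python example. This is not GridShib or jglobus code: certificates are modelled as plain records rather than parsed DER, using the extension OIDs and subject-naming conventions GSI uses to tell legacy, pre-RFC and RFC 3820 proxies apart. The CA DN and the proxy CN values are constructed. check_chain rejects the kind of chain shown in the description, an RFC proxy signed by a legacy proxy, which is what the old "always issue an RFC proxy" behaviour produced.

```python
"""GSI proxy-type inference and chain-consistency check (added example).

Certificates are plain records, not parsed X.509.  Classification rules:
  legacy (GSI2) proxy  : subject = issuer DN + "CN=proxy" | "CN=limited proxy",
                         no proxyCertInfo extension
  pre-RFC (GSI3) proxy : Globus draft proxyCertInfo, OID 1.3.6.1.4.1.3536.1.222
  RFC 3820 (GSI4) proxy: id-pe-proxyCertInfo, OID 1.3.6.1.5.5.7.1.14
  EEC                  : anything else
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

OID_RFC3820_PROXY_CERT_INFO = "1.3.6.1.5.5.7.1.14"
OID_GSI3_PROXY_CERT_INFO = "1.3.6.1.4.1.3536.1.222"

# Type names mirror the GSIConstants discussed in the comments above.
EEC = "EEC"
GSI_2_PROXY = "GSI_2_PROXY"                              # legacy proxy
GSI_3_IMPERSONATION_PROXY = "GSI_3_IMPERSONATION_PROXY"  # pre-RFC proxy
GSI_4_IMPERSONATION_PROXY = "GSI_4_IMPERSONATION_PROXY"  # RFC 3820 proxy
DELEGATION_FULL = "DELEGATION_FULL"                      # "same type as issuer"


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for X509Certificate: DNs as ordered RDN tuples."""
    subject: Tuple[str, ...]
    issuer: Tuple[str, ...]
    extensions: FrozenSet[str] = frozenset()  # extension OIDs present


def proxy_type(cert: Cert) -> str:
    """Classify a certificate as EEC or one of the three proxy kinds."""
    if OID_RFC3820_PROXY_CERT_INFO in cert.extensions:
        return GSI_4_IMPERSONATION_PROXY
    if OID_GSI3_PROXY_CERT_INFO in cert.extensions:
        return GSI_3_IMPERSONATION_PROXY
    if (cert.subject and cert.subject[:-1] == cert.issuer
            and cert.subject[-1] in ("CN=proxy", "CN=limited proxy")):
        return GSI_2_PROXY
    return EEC


def choose_proxy_type(issuer: Cert, requested: str = DELEGATION_FULL) -> str:
    """Decide the type of a new proxy signed by `issuer`.

    DELEGATION_FULL means "same type as the issuing proxy".  An EEC has no
    proxy type to copy, so, as in the Comment #3 workaround, an RFC 3820
    proxy is forced in that case.
    """
    if requested != DELEGATION_FULL:
        return requested
    issuer_type = proxy_type(issuer)
    return GSI_4_IMPERSONATION_PROXY if issuer_type == EEC else issuer_type


def new_proxy(issuer: Cert, requested: str = DELEGATION_FULL,
              cn: str = "1301098243") -> Cert:
    """Return the proxy certificate record that `issuer` would sign."""
    ptype = choose_proxy_type(issuer, requested)
    if ptype == GSI_2_PROXY:            # legacy: the CN itself carries the type
        return Cert(issuer.subject + ("CN=proxy",), issuer.subject)
    oid = (OID_RFC3820_PROXY_CERT_INFO if ptype == GSI_4_IMPERSONATION_PROXY
           else OID_GSI3_PROXY_CERT_INFO)
    return Cert(issuer.subject + (f"CN={cn}",), issuer.subject, frozenset({oid}))


def check_chain(chain: List[Cert]) -> Optional[str]:
    """Validate a credential chain: chain[0] is the leaf, chain[-1] the EEC.

    Returns None when consistent, otherwise a description of the first
    problem.  A proxy issued by a proxy must have the same type as its
    issuer, so an RFC proxy signed by a legacy proxy is rejected.
    """
    for i, cert in enumerate(chain[:-1]):
        issuer = chain[i + 1]
        ptype, itype = proxy_type(cert), proxy_type(issuer)
        if ptype == EEC:
            return f"cert {i}: EEC where a proxy was expected"
        if cert.issuer != issuer.subject or cert.subject[:-1] != issuer.subject:
            return f"cert {i}: subject must be the issuer DN plus one CN"
        if itype != EEC and ptype != itype:
            return f"cert {i}: {ptype} issued by a {itype}"
    return None


def scenarios() -> Dict[str, Optional[str]]:
    """Comment #5 test matrix plus an inconsistent chain like the one reported."""
    eec = Cert(("O=RENCI", "OU=Globus", "OU=renci.org", "CN=Mats Rynge"),
               ("O=Example", "CN=Example CA"))              # constructed CA DN
    legacy = Cert(eec.subject + ("CN=proxy",), eec.subject)   # 2a level-1 issuer
    pre_rfc = new_proxy(eec, GSI_3_IMPERSONATION_PROXY)       # 2b level-1 issuer
    rfc = new_proxy(eec)                                      # 1: EEC -> RFC proxy
    return {
        "1": check_chain([rfc, eec]),
        "2a": check_chain([new_proxy(legacy), legacy, eec]),
        "2b": check_chain([new_proxy(pre_rfc), pre_rfc, eec]),
        "2c": check_chain([new_proxy(rfc), rfc, eec]),
        # old GS-ST behaviour: always RFC, even when the signer is a legacy proxy
        "inconsistent": check_chain(
            [new_proxy(legacy, GSI_4_IMPERSONATION_PROXY), legacy, eec]),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:13s} {'OK' if result is None else result}")
```

Running the block prints OK for scenarios 1, 2a, 2b and 2c and reports `cert 0: GSI_4_IMPERSONATION_PROXY issued by a GSI_2_PROXY` for the inconsistent chain. Policy languages (impersonation, independent, limited) are deliberately out of scope here; the check only concerns the proxy *kind*, which is what this bug is about.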
------- Comment #6 From 2008-03-01 10:58:44 -------
(In reply to comment #4)
> This bug will remain open until more testing is done.

Unit test org.globus.gridshib.security.x509.ProxyTypeTest committed to CVS
HEAD.  This issue is totally resolved.