Bug 6730 – support SHA-2 certificates in jglobus

Bug 6730 - support SHA-2 certificates in jglobus

Summary:

support SHA-2 certificates in jglobus

Status:	NEW

Product:	CoG jglobus
Component:	security
Version:	unspecified
Platform:	All All

Importance:	P3 enhancement
Target Milestone:	---
Assigned To:	Rachana Ananthakrishnan

URL:	https://twiki.grid.iu.edu/bin/view/Se...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2009-05-07 14:26 by Jim Basney
Modified:	2010-11-10 09:35 (History)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note

You need to log in before you can comment on or make changes to this bug.

Description From Jim Basney 2009-05-07 14:26:05

Weaknesses in SHA-1 motivate a migration to SHA-2. (See Bug 6613.)

However, it looks like the use of PureTLS in jglobus is going to make it
difficult for us to support SHA-2. PureTLS does not appear to support SHA-2.

Here's an example error:

$ grid-proxy-init -debug -cert ~/sha256-usercert.pem -key ~/sha256-userkey.pem 
Files used: 
  proxy     : /tmp/x509up_u501
  user key  : /Users/jbasney/sha256-userkey.pem
  user cert : /Users/jbasney/sha256-usercert.pem
Your identity: O=Grid,OU=SHA-2 Test,OU=ncsa.uiuc.edu,CN=SHA-256 Test User
Using 512 bits for private key
Creating proxy, please wait...
Proxy verify failed: null
java.lang.NullPointerException
    at COM.claymoresystems.cert.X509Cert.checkSignatureKey(X509Cert.java:293)
    at COM.claymoresystems.cert.X509Cert.verify(X509Cert.java:323)
    at COM.claymoresystems.cert.X509Cert.verifyCertChain(X509Cert.java:411)
    at
org.globus.gsi.proxy.ProxyPathValidator.validate(ProxyPathValidator.java:261)
    at
org.globus.gsi.proxy.ProxyPathValidator.validate(ProxyPathValidator.java:225)
    at org.globus.tools.ProxyInit.verify(ProxyInit.java:160)
    at org.globus.tools.DefaultProxyInit.verify(ProxyInit.java:610)
    at org.globus.tools.ProxyInit.createProxy(ProxyInit.java:229)
    at org.globus.tools.ProxyInit.main(ProxyInit.java:545)

Perhaps the way forward is for jglobus to migrate away from PureTLS?

We're tracking the SHA-2 issue for Open Science Grid at:
https://twiki.grid.iu.edu/bin/view/Security/HashAlgorithms

At that URL you can find example SHA-2 certificates that can be used for
testing.

------- Comment #1 From Jim Basney 2009-05-07 14:31:51 -------

I committed a related change to CVS today:

  Changed org.globus.gsi.bc.BouncyCastleCertProcessingFactory to use
  org.bouncycastle.x509.X509V3CertificateGenerator which replaces the
  deprecated org.bouncycastle.jce.X509V3CertificateGenerator class. The
  new class supports the SHA-2 family of hash functions. The deprecated
  class doesn't.

BouncyCastle appears to support SHA-2. PureTLS seems to be the larger issue.

------- Comment #2 From Jim Basney 2010-11-10 09:35:56 -------

Venkat confirms that the jGlobus 2.0 (pre-release) test suite succeeds using
SHA-256, SHA-384, and SHA-512 certificates, because jGlobus 2.0 replaces
PureTLS with JCE, so this issue should be resolved once jGlobus 2.0 is
released.