Bugzilla – Bug 3553
Error in OLD GAA code with valid signing policy
Last modified: 2008-08-11 14:46:08
Anyone who attempts to authenticate to any of our sites is rejected due to a violation of our CA policy. The catch is that we haven't changed our signing policy, and the policy was good enough for gt 2.4, 3.9.x, but not gt4. While I was isolating the problem, I noticed that unlike other sites, we were the only ones to have our /CN entry at the beginning of the DN instead of the end, but from what I've heard, this is still valid syntax for the DN. Below are the last 5 lines from attempting to perform gsissh -vvv, and our policy file that is having problems. Thank you for your time.

GSS Minor Status Error Chain:
globus_gsi_gssapi: SSLv3 handshake problems
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Error with signing policy
globus_gsi_callback_module: Error in OLD GAA code: CA policy violation: <no reason given>

deathscythe:~ cab$ cat /etc/grid-security/certificates/67e8acfa.signing_policy
access_id_CA X509 '/CN=Purdue TeraGrid RA/OU=Purdue TeraGrid/O=Purdue University/ST=Indiana/C=US'
pos_rights globus CA:sign
cond_subjects globus '"/CN=*/OU=Purdue TeraGrid/O=Purdue University/ST=Indiana/C=US"'
I'm really a bit surprised that this policy worked for 2.4 and 3.9. If anything, that was a bug and it should not have worked. To give a little background, currently we only allow a single wildcard at the end of each of the cond_subject strings, so your setup would not work. Also at some point in the past (GT 2.2 or even earlier) we used the GNU regex library for doing wildcards (which was a lot more powerful) but had to drop it due to licensing concerns. /Sam
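As an added illustration of the rule stated in this reply (not Globus code), the checker below parses a signing_policy file of the kind quoted in the report and applies the single-trailing-wildcard matching rule to a subject DN, so a policy whose wildcard sits anywhere else is flagged before it causes "CA policy violation" for every user. The policy text and subject DNs are constructed, and the matcher is an assumption modelling the behaviour described here, not the GT4 implementation.

```python
import shlex

# Constructed signing_policy text mirroring the layout of the file quoted in
# the bug report; this is an added illustration, not Globus code.
SIGNING_POLICY = """\
access_id_CA X509 '/CN=Purdue TeraGrid RA/OU=Purdue TeraGrid/O=Purdue University/ST=Indiana/C=US'
pos_rights globus CA:sign
cond_subjects globus '"/CN=*/OU=Purdue TeraGrid/O=Purdue University/ST=Indiana/C=US"'
"""

def parse_signing_policy(text):
    """Return (ca_dn, rights, subject_patterns) from signing_policy text."""
    ca_dn, rights, patterns = None, [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # honours the single quotes around DNs
        if fields[0] == "access_id_CA" and len(fields) == 3:
            ca_dn = fields[2]
        elif fields[0] == "pos_rights":
            rights = fields[1:]
        elif fields[0] == "cond_subjects" and len(fields) == 3:
            # the value is one single-quoted string holding double-quoted DNs
            patterns.extend(shlex.split(fields[2]))
    return ca_dn, rights, patterns

def trailing_wildcard_match(pattern, subject):
    """Model of the matching rule described in the reply: at most one '*',
    and only as the last character of the pattern; any other '*' placement
    never matches (an assumption about the GT4 behaviour, not its code)."""
    if "*" not in pattern:
        return pattern == subject
    if pattern.count("*") > 1 or not pattern.endswith("*"):
        return False
    return subject.startswith(pattern[:-1])

def subject_allowed(text, subject):
    """Would this end-entity subject pass the policy's cond_subjects?"""
    _, _, patterns = parse_signing_policy(text)
    return any(trailing_wildcard_match(p, subject) for p in patterns)

def lint_policy(text):
    """Patterns that can never match under the trailing-wildcard rule, i.e.
    the ones that would yield 'CA policy violation' for every subject."""
    _, _, patterns = parse_signing_policy(text)
    return [p for p in patterns
            if "*" in p and (p.count("*") > 1 or not p.endswith("*"))]
```

Running lint_policy over the constructed policy returns the Purdue cond_subjects pattern, which is exactly the case the reporter hit.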
Okay, so that is what I had a feeling was the problem, but now my next question is what would have changed in the gsi_callback layer between 3.9.5 (latest version where it worked), and 4.0 to have "fixed" the bug? Thanks.
Java code does not use signing policy and the sample certificates Chris sent worked fine. Raj has applied the patch Von sent and is working on confirming the C code.
This bug has been fixed in trunk and the 4.0 branch.