Bugzilla – Bug 4696
grid-cert-info cannot extract info from .p12 files
Last modified: 2008-10-30 04:46:14
grid-cert-info returns useful information (in particular the cert's DN and validity) for all bar one of the scenarios listed for user credentials on http://www-unix.globus.org/toolkit/docs/4.0/admin/docbook/ch05.html#prewsaa-env-credentials

# If X509_USER_CERT and X509_USER_KEY exist and contain a valid certificate ...
# If the files usercert.pem and userkey.pem exist in .globus ...
# If a PKCS-12 file called usercred.p12 exists in .globus directory

Note that the 3rd case is the only one where the user's certificate is protected by a passphrase.

My suggestion is to allow grid-cert-info to be able to print the same information for when the .p12 file is used rather than the pair of .pem files. Of course, the user would have to be prompted for his passphrase in this situation.

Additionally, can we have an X509_USER_CRED as well for consistency?

JK
Fix committed to 4.0 branch and trunk.
This broke backwards compat for someone who was used to running "grid-cert-info -file cacertbb.0 -subject". Perhaps the default should be to assume x509 unless you see a p12 in the filename?

4.0.5:
$ grid-cert-info -file /TRUSTED_CA/e1fce4e9.0 -subject
/DC=gov/DC=fnal/O=Fermilab/OU=Certificate Authorities/CN=Kerberized CA

4.0.7:
$ grid-cert-info -file /TRUSTED_CA/e1fce4e9.0 -subject
Error: certificate file "/TRUSTED_CA/e1fce4e9.0" is not .pem or .p12
I created a new patch that adds a check for PEM headers in the file if the extension is neither pem nor p12: http://www.mcs.anl.gov/~bester/patches/bug4696-2.diff Let me know if there are any issues with that.
Fix committed to 4.2 branch, 4.0 branch, and trunk.
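The extension-then-content check described in the comments above, sketched as an added example (this is not the code from bug4696-2.diff or from grid-cert-info itself). The function name cred_format and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the code from bug4696-2.diff.
# cred_format is a hypothetical helper: it prints "pem", "p12" or "unknown".

cred_format() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "unknown"
        return 1
    fi
    # Trust the extension first, as the tool did before the second patch.
    case "$file" in
        *.pem) echo "pem"; return 0 ;;
        *.p12) echo "p12"; return 0 ;;
    esac
    # Extension is neither .pem nor .p12 (for example a hashed CA file such
    # as e1fce4e9.0): fall back to looking for a PEM certificate header.
    if grep -q -e '^-----BEGIN CERTIFICATE-----' "$file"; then
        echo "pem"
        return 0
    fi
    echo "unknown"
    return 1
}

# Constructed sample files; the bodies are placeholders, not real credentials.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$dir/e1fce4e9.0"
    printf 'not a certificate\n' > "$dir/notes.txt"
    : > "$dir/usercred.p12"
    for f in "$dir/e1fce4e9.0" "$dir/usercred.p12" "$dir/notes.txt"; do
        printf '%s -> %s\n' "${f##*/}" "$(cred_format "$f")"
    done
    rm -rf "$dir"
}

demo
```

Only the format decision is shown here; parsing the certificate and prompting for the .p12 passphrase are left to the tool.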