Bug 697 - host authentication for an unusual DN
Status: RESOLVED FIXED
: CoG jglobus
security
: 0.9.13
: PC Windows 2000
: P2 normal
Reported: 2003-02-07 01:22 by
Modified: 2005-12-05 16:50 (History)




Description From 2003-02-07 01:22:41
Hi,

        We have access to a host whose certificate has a bit of an
unconventional DN

/C=IT/O=INFN/OU=datagrid-UI/L=Pisa/CN=grid003.pi.infn.it/EMAIL=livio.salconi@pi.infn.it

When using the CoG ftp module, we get the following error:

> Expected target subject name="/CN=host/grid003.pi.infn.it"
> Target returned subject name="/C=IT/O=INFN/OU=datagrid-UI/L=Pisa/CN=grid003.pi.infn.it/EMAIL=livio.salconi@pi.infn.it"

The C globus client tools accept this DN with an EMAIL postfix just fine.
Looking at the HostAuthorization.java file, it seems to assume that DNs end
with the common name (CN).  I'm not sure if this is a good solution, but I've
modified the HostAuthorization file to search for the CN in the DN (in the case
it's not at the end of the DN).
 
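   public void authorize(X509Certificate [] chain, Socket socket)
        throws AuthorizationException {
       ...
       String fqdn = null;
       String dnname = chain[0].getSubjectDN().getName();

       // hack to get around certificates with EMAIL postfixes (like INFN)
       int cnindex = dnname.toUpperCase().indexOf( "CN=" );
       if (cnindex < 0) {
           // no CN at all (assumes AuthorizationException has a String constructor)
           throw new AuthorizationException("No CN in subject DN: " + dnname);
       }
       String cnname = dnname.substring( cnindex );

       // the CN may be the last RDN, in which case no "," follows it
       int end = cnname.indexOf(",");
       fqdn = cnname.substring(3, end < 0 ? cnname.length() : end);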


I made this change for our purpose since there doesn't seem to be any way to
specify a host DN in the ftp api (i.e., like there is for gram).

Thanks,
Shava


------- Additional Comments From Jarek Gawor 2002-11-01 02:34 -------

The code was modified to search for the first CN= RDN as described.
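
An added example (not code from the bug report or from CoG jglobus): one way to pick the first CN by parsing the subject into RDNs with the JDK's javax.naming.ldap.LdapName instead of searching the string, so that an EMAIL RDN after the CN, a CN that is the last RDN, and a "CN=" substring inside another attribute's value are all handled. The class name, helper names and sample DNs are constructed for illustration, and the input is assumed to be an RFC 2253 string such as X500Principal.getName() returns.

```java
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class HostCnCheck {
    // Value of the first CN attribute in certificate order, or null if absent.
    static String firstCn(String rfc2253Dn) throws NamingException {
        LdapName name = new LdapName(rfc2253Dn);
        // LdapName index 0 is the rightmost RDN of the string, which is the
        // first RDN of the certificate subject when the string is RFC 2253.
        for (Rdn rdn : name.getRdns()) {
            // toAttributes() is case-insensitive and covers multi-valued RDNs.
            Attribute cn = rdn.toAttributes().get("CN");
            if (cn != null) {
                return String.valueOf(cn.get());
            }
        }
        return null;
    }

    static boolean matchesHost(String dn, String host) throws NamingException {
        String cn = firstCn(dn);
        if (cn == null) {
            return false;
        }
        // Accept the "host/" service prefix seen in the expected name above.
        if (cn.startsWith("host/")) {
            cn = cn.substring("host/".length());
        }
        return cn.equalsIgnoreCase(host);
    }

    public static void main(String[] args) throws NamingException {
        String host = "grid003.pi.infn.it";
        String[] dns = {   // constructed RFC 2253 strings
            "EMAILADDRESS=livio.salconi@pi.infn.it,CN=grid003.pi.infn.it,L=Pisa,OU=datagrid-UI,O=INFN,C=IT",
            "CN=host/grid003.pi.infn.it",
            "O=Test CN=grid003.pi.infn.it,CN=other.example.org",
            "O=INFN,C=IT"
        };
        for (String dn : dns) {
            System.out.println(matchesHost(dn, host) + "  " + dn);
        }
    }
}
```

The third sample is the case where a plain indexOf("CN=") on the whole string and an RDN-level lookup disagree about which value is the common name.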