Using multi-delegated proxy certificates and a gridmap-file with XrdHttp does not yield the proper mapping. This happens due to the fact that the following code:

https://github.com/xrootd/xrootd/blob/master/src/XrdHttp/XrdHttpProtocol.cc#L314-L343

only checks the `subject` and `issuer` of the certificate against the gridmap-file while it should also check the End Entity Certificate. This same behavior works as expected when accessed through the xrootd protocol since this mapping is handled properly in `XrdSecgsi`, namely `XrdCryptoX509Chain`.

For a gridmap-file that contains this entry:

`"/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru" dteam001`

and coming with the following proxy certificate:

```
[esindril@esdss000 http-tpc-utils]$ voms-proxy-info
subject   : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru/CN=263329555
issuer    : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru
identity  : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru
type      : RFC3820 compliant impersonation proxy
strength  : 2048
path      : /tmp/x509up_u58602
timeleft  : 11:59:49
key usage : Digital Signature, Key Encipherment
```

yields the expected `dteam001`, while using the following proxy certificate (delegated multiple times):

```
[esindril@esdss000 http-tpc-utils]$ voms-proxy-info --file /tmp/proxy_2
subject   : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru/CN=263329555/CN=1153688675
issuer    : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru/CN=263329555
identity  : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru
type      : RFC3820 compliant impersonation proxy
strength  : 2048
path      : /tmp/proxy_2
timeleft  : 11:59:18
key usage : Digital Signature, Key Encipherment
```

yields `esindril`, since it falls back to extracting the first CN from the DN (this only makes sense for CERN certs).

--
Reply to this email directly or view it on GitHub: https://github.com/xrootd/xrootd/issues/1221
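The mapping difference reported above, as an added example that is not part of the original report and is not XRootD code. It assumes a simplified `Cert` struct standing in for an already signature-verified certificate, an `isProxy` flag standing in for the presence of the RFC 3820 proxyCertInfo extension, and a placeholder CA DN; the function names are hypothetical.

```cpp
// Added illustration, not XRootD code. Cert is a simplified stand-in for a
// parsed, already signature-verified X.509 certificate.
#include <map>
#include <string>
#include <vector>

struct Cert { std::string subject, issuer; bool isProxy; };  // isProxy: has proxyCertInfo (RFC 3820)
using GridMap = std::map<std::string, std::string>;          // DN -> local account
const std::string kEEC = "/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru";

// Fallback described in the issue: the first CN of the DN.
std::string firstCN(const std::string& dn) {
    auto pos = dn.find("/CN=");
    if (pos == std::string::npos) return "";
    pos += 4;
    return dn.substr(pos, dn.find('/', pos) - pos);
}

// Reported behaviour: only the leaf's subject and issuer are looked up.
std::string mapLeafOnly(const std::vector<Cert>& chain, const GridMap& gm) {
    if (chain.empty()) return "";
    for (const std::string* dn : {&chain[0].subject, &chain[0].issuer}) {
        auto it = gm.find(*dn);
        if (it != gm.end()) return it->second;
    }
    return firstCN(chain[0].subject);
}

// Expected behaviour: skip every proxy level and look up the End Entity Certificate.
std::string mapByEEC(const std::vector<Cert>& chain, const GridMap& gm) {
    for (size_t i = 0; i < chain.size(); ++i) {
        if (chain[i].isProxy) {  // a proxy must be issued by the next cert in the chain
            if (i + 1 >= chain.size() || chain[i].issuer != chain[i + 1].subject) return "";
            continue;
        }
        auto it = gm.find(chain[i].subject);
        return it != gm.end() ? it->second : firstCN(chain[i].subject);
    }
    return "";
}

// Constructed chains (leaf first) using the DNs from the issue; the CA DN is a placeholder.
std::vector<Cert> sampleChain(int delegations) {
    std::string p1 = kEEC + "/CN=263329555", p2 = p1 + "/CN=1153688675";
    std::vector<Cert> c = {{p1, kEEC, true}, {kEEC, "/CN=Placeholder CA", false}};
    if (delegations == 2) c.insert(c.begin(), Cert{p2, p1, true});
    return c;
}
```

With the gridmap entry from the report, the leaf-only lookup maps the singly delegated chain to `dteam001` and the doubly delegated chain to `esindril`, while the EEC lookup maps both to `dteam001`.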