Perhaps it's time to get the HTTP plugin to use the gsi gridmap plugin to 
get consistent behaviour. We've already done that for the VOMS plugin. Let 
me look at it.

Andy


On Mon, 22 Jun 2020, Elvin Sindrilaru wrote:

> Using multi-delegated proxy certificates and a gridmap-file with XrdHttp does not yield the proper mapping. This happens due to the fact that the following code: https://github.com/xrootd/xrootd/blob/master/src/XrdHttp/XrdHttpProtocol.cc#L314-L343 only checks the `subject` and `issuer` of the certificate against the gridmap-file while it should also check the End Entity Certificate. This same behavior works as expected when accessed through the xrootd protocol since this mapping is handled properly in `XrdSecgsi`, namely `XrdCryptoX509Chain`.
>
> For a gridmap-file that contains this entry:
> `"/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru" dteam001`
>
> and coming with the following proxy certificate:
> ```
> [esindril@esdss000 http-tpc-utils]$ voms-proxy-info
> subject   : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru/CN=263329555
> issuer    : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru
> identity  : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru
> type      : RFC3820 compliant impersonation proxy
> strength  : 2048
> path      : /tmp/x509up_u58602
> timeleft  : 11:59:49
> key usage : Digital Signature, Key Encipherment
> ```
>
> yields the expected `dteam001` while using the following proxy certificate (delegated multiple times):
>
> ```
> [esindril@esdss000 http-tpc-utils]$ voms-proxy-info --file /tmp/proxy_2
> subject   : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru/CN=263329555/CN=1153688675
> issuer    : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru/CN=263329555
> identity  : /DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330/CN=Elvin Alin Sindrilaru
> type      : RFC3820 compliant impersonation proxy
> strength  : 2048
> path      : /tmp/proxy_2
> timeleft  : 11:59:18
> key usage : Digital Signature, Key Encipherment
> ```
>
> yields `esindril`, since it falls back to extracting the first CN from the DN (this only makes sense for CERN certs).
>
> -- 
> You are receiving this because you are subscribed to this thread.
> Reply to this email directly or view it on GitHub:
> https://github.com/xrootd/xrootd/issues/1221


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/xrootd/xrootd/issues/1221#issuecomment-647697749
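The mismatch Elvin describes above, modelled as an added example (not XRootD code): the subject/issuer-only gridmap lookup beside a lookup that walks the proxy chain to the End Entity Certificate. It assumes RFC 3820 naming (a proxy's subject is its issuer's DN plus exactly one CN RDN) as the proxy test instead of the proxyCertInfo extension, and the CA name is constructed.

```python
from typing import Dict, List, Optional, Tuple

# Constructed gridmap containing the entry quoted in the issue.
GRIDMAP: Dict[str, str] = {
    "/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330"
    "/CN=Elvin Alin Sindrilaru": "dteam001",
}

# DNs from the issue; the CA DN is a constructed placeholder (assumption).
EEC = ("/DC=ch/DC=cern/OU=Organic Units/OU=Users/CN=esindril/CN=706330"
       "/CN=Elvin Alin Sindrilaru")
PROXY1 = EEC + "/CN=263329555"          # single delegation (x509up_u58602)
PROXY2 = PROXY1 + "/CN=1153688675"      # delegated twice (proxy_2)
CA_DN = "/DC=ch/DC=cern/CN=Constructed Test CA"

Cert = Tuple[str, str]  # (subject DN, issuer DN), as the chain presents them


def first_cn(dn: str) -> Optional[str]:
    """Fallback from the issue: take the first CN component of the DN."""
    for rdn in dn.split("/"):
        if rdn.startswith("CN="):
            return rdn[3:]
    return None


def map_subject_issuer_only(subject: str, issuer: str, gridmap: Dict[str, str]) -> Optional[str]:
    """Behaviour reported for XrdHttp: only the presented certificate's
    subject and issuer are tried, then the first-CN fallback applies."""
    for dn in (subject, issuer):
        if dn in gridmap:
            return gridmap[dn]
    return first_cn(subject)


def is_proxy_of(subject: str, issuer: str) -> bool:
    """RFC 3820 naming check (assumption): subject == issuer + one '/CN=...' RDN."""
    prefix = issuer + "/CN="
    return subject.startswith(prefix) and "/" not in subject[len(prefix):]


def end_entity_dn(chain: List[Cert]) -> str:
    """Walk the chain from the leaf; the first certificate that is not a
    proxy of its issuer is the End Entity Certificate."""
    for subject, issuer in chain:
        if not is_proxy_of(subject, issuer):
            return subject
    raise ValueError("chain contains only proxy certificates")


def map_via_eec(chain: List[Cert], gridmap: Dict[str, str]) -> Optional[str]:
    """Corrected lookup: map the EEC DN; an unmapped DN gets no identity."""
    return gridmap.get(end_entity_dn(chain))
```

The chain for proxy_2 is `[(PROXY2, PROXY1), (PROXY1, EEC), (EEC, CA_DN)]`; the subject/issuer-only lookup on it returns `esindril`, while the EEC walk returns `dteam001`.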


To unsubscribe from the XROOTD-DEV list, click the following link:
https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1