
Task list fixes No.3 #32

Open
wants to merge 4 commits into
base: adoc

Conversation

fscheiner
Member

This includes fixes for:

in the first commit and the addition of information about the use of PKCS#12 keystores with grid-proxy-init in the second commit.


What do you think about the second commit? If you agree this information should also be added to the manpage in the GCT sources.

Could this (the documentation site and the manpage) be also a good place to reference gridcf/gct#202?

@fscheiner fscheiner requested review from ellert and msalle November 25, 2022 17:03
@msalle
Member

msalle commented Nov 27, 2022

One note: the manpage for grid-proxy-init looks broken at the -cert / -key option, which can actually also be used to provide a .p12 file. In that case it seems to be looking only at the -cert option when both are present: when -cert <file.p12> is present, -key can point to any bogus file it seems. If only -key is present it is used and must be valid (e.g. a .p12).

@msalle
Member

msalle commented Nov 27, 2022

Concerning the old dev.globus.org page: shouldn't we import that here somewhere? I cannot check it now since the web.archive.org is down

@fscheiner
Member Author

One note: the manpage for grid-proxy-init looks broken at the -cert / -key option, which can actually also be used to provide a .p12 file. In that case it seems to be looking only at the -cert option when both are present: when -cert <file.p12> is present, -key can point to any bogus file it seems. If only -key is present it is used and must be valid (e.g. a .p12).

Did a few tests:

  • ❌ only -cert [...] with PKCS#12 keystore doesn't work
[johndoe@rockylinux-9 .globus]$ grid-proxy-init -debug -cert ~/.globus/usercred.p12
Error: Couldn't find valid credentials to generate a proxy.
       grid_proxy_init.c:535: globus_sysconfig: Error with key filename: The user key could not be found in:
1) env. var. X509_USER_KEY
2) $HOME/.globus/userkey.pem
3) $HOME/.globus/usercred.p12
  • ❌ => ✔️ -cert [...] with PKCS#12 keystore and -key /dev/null for example doesn't work. The file given for -key must be (1) owned by the current user, (2) have 0600 permissions at maximum, (3) have a non-zero file size to make it work
[johndoe@rockylinux-9 .globus]$ grid-proxy-init -debug -cert ~/.globus/usercred.p12 -key /dev/null

ERROR: option -key : globus_sysconfig: File is not owned by current user: /dev/null is not owned by current user


Syntax: grid-proxy-init [-help][-pwstdin][-limited][-valid H:M] ...

Use -help to display full usage.

[johndoe@rockylinux-9 .globus]$ chmod 0600 ~/file
[johndoe@rockylinux-9 .globus]$ grid-proxy-init -debug -cert ~/.globus/usercred.p12 -key ~/file

ERROR: option -key : globus_sysconfig: File has zero length: File: /home/johndoe/file


Syntax: grid-proxy-init [-help][-pwstdin][-limited][-valid H:M] ...

Use -help to display full usage.

[johndoe@rockylinux-9 .globus]$ dd if=/dev/urandom of=~/file bs=4096K count=1
1+0 records in
1+0 records out
4194304 bytes (4.2 MB, 4.0 MiB) copied, 0.0628325 s, 66.8 MB/s
[johndoe@rockylinux-9 .globus]$ grid-proxy-init -debug -cert ~/.globus/usercred.p12 -key ~/file

User Cert File: /home/johndoe/.globus/usercred.p12
User Key File: /home/johndoe/file

Trusted CA Cert Dir: (null)

Output File: /tmp/x509up_u1000
Enter GRID pass phrase for this identity:
Your identity: /[...]
Creating proxy
..+....+...+.........+.....+.+..+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+..+............+...+......+.+.........+..+..........+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.......+..+....+......+........+...+...+..........+............+........+.+.....+..........+...+......+.....+....+....................+...+...+.+...+.....+.+..+....+.........+.....+.+........+...+.......+...+........+.+..............................+.....+..................+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 Done
Your proxy is valid until: Fri Dec  2 02:51:55 2022
  • ❌ only -key [...] with PKCS#12 keystore doesn't work
[johndoe@rockylinux-9 .globus]$ grid-proxy-init -debug -key ~/.globus/usercred.p12
Error: Couldn't find valid credentials to generate a proxy.
       grid_proxy_init.c:535: globus_sysconfig: Error with certificate filename: The user cert could not be found in: 
1) env. var. X509_USER_CERT
2) $HOME/.globus/usercert.pem
3) $HOME/.globus/usercred.p12
  • -key [...] with PKCS#12 keystore and -cert [...] with file with random content doesn't work either:
[johndoe@rockylinux-9 .globus]$ grid-proxy-init -debug -key ~/.globus/usercred.p12 -cert ~/file

User Cert File: /home/johndoe/file
User Key File: /home/johndoe/.globus/usercred.p12

Trusted CA Cert Dir: (null)

Output File: /tmp/x509up_u1000
Error: Couldn't read user certificate
cert file location: /home/johndoe/file.
       grid_proxy_init.c:750: globus_credential: Error reading user credential: Can't read credential cert from bio stream
OpenSSL Error: crypto/pem/pem_lib.c:763: in library: PEM routines, function (null): no start line Expecting: CERTIFICATE
  • ✔️ -cert with PKCS#12 keystore and -key with PKCS#12 keystore works
[johndoe@rockylinux-9 .globus]$ grid-proxy-init -debug -key ~/.globus/usercred.p12 -cert ~/.globus/usercred.p12

User Cert File: /home/johndoe/.globus/usercred.p12
User Key File: /home/johndoe/.globus/usercred.p12

Trusted CA Cert Dir: (null)

Output File: /tmp/x509up_u1000
Enter GRID pass phrase for this identity:
Your identity: /[...]
Creating proxy
...+.......+.....+....+............+.....+...+.......+..+......+.+...+..+......+.........+....+..+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+...+.+...+..+.+.....+...+...................+..+.........+.+........+............+...+.+.....................+.....+...+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 Done
Your proxy is valid until: Fri Dec  2 03:12:48 2022

So one or the other alone does not work for me on Rocky Linux 9. That's most likely why both options are given like that (-cert [...] -key [...] ) - oh, wait, they are not. They are given with a comma in between, as if they were synonyms: -cert CERTFILE, -key KEYFILE (see for example https://gridcf.org/gct-docs/latest/appendices/commands/index.html#grid-proxy-init).

Proposal

  • That comma should go, to make it clear that both options need to be used together.
  • Maybe we could enforce that both arguments to -cert and -key must be the same file when using a PKCS#12 keystore.

Concerning the old dev.globus.org page: shouldn't we import that here somewhere? I cannot check it now since the web.archive.org is down

We can't, because the original site is gone and the URL forwards to the documentation site of globus.
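The three conditions on the -key file found in the tests above (owned by the caller, at most 0600, non-empty), as an added shell check that is not from the GCT sources or this PR; it assumes GNU stat on Linux, and `check_cred_file` and `p12_proxy_init_args` are hypothetical names:

```shell
#!/bin/sh
# Added example, not code from the GCT sources or this PR.
# Re-creates the three conditions reported above for the file given to
# -key when a PKCS#12 keystore is used: owned by the calling user, no
# group/other permission bits (0600 at most), and non-empty.
# Assumes GNU coreutils stat (Linux).

# check_cred_file FILE: return 0 if FILE satisfies all three conditions,
# otherwise print the first failing condition to stderr and return 1.
check_cred_file() {
    f=$1
    [ -e "$f" ] || { echo "$f: no such file" >&2; return 1; }
    owner=$(stat -c %u "$f") || return 1
    if [ "$owner" != "$(id -u)" ]; then
        echo "$f: not owned by current user (uid $owner)" >&2
        return 1
    fi
    # %a prints the mode in octal without leading zeros, e.g. 600 or 644;
    # accept only an owner read/write (or read-only) mode with no
    # group/other bits and no setuid/setgid/sticky bits.
    mode=$(stat -c %a "$f")
    case $mode in
        [0246]00) ;;
        *) echo "$f: unexpected mode $mode (want 0600 or stricter)" >&2
           return 1 ;;
    esac
    [ -s "$f" ] || { echo "$f: file has zero length" >&2; return 1; }
    return 0
}

# p12_proxy_init_args KEYSTORE: print the argument pair the tests above
# found to work, i.e. the same PKCS#12 file for both -cert and -key,
# after checking the keystore file itself.
p12_proxy_init_args() {
    check_cred_file "$1" || return 1
    printf '%s %s %s %s\n' -cert "$1" -key "$1"
}

# Usage (constructed path, $HOME/.globus/usercred.p12 as in the tests above):
#   set -- $(p12_proxy_init_args "$HOME/.globus/usercred.p12") && grid-proxy-init "$@"
```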

@fscheiner
Member Author

fscheiner commented Dec 1, 2022

@msalle: Ok, the description is corrected with 653bc22 - thanks for the pointer :-). I also added information about the correct use with a PKCS#12 keystore with ae57055.

@msalle msalle left a comment

Looks good to me. We still need to decide what to do with the outdated info from (now) archive.org. Perhaps just include the description of the 3 different proxy versions.

@fscheiner
Member Author

We still need to decide what to do with the outdated info from (now) archive.org. Perhaps just include the description of the 3 different proxy versions.

Now I understand you: you want to include that info in the documentation rather than relying on a web page that sometimes is not accessible.

Hm, the relevant information there is about outdated versions of the Globus Toolkit:

[...]
Proxy Certificate Compatibility

    * GT 4.2.x accepts all three types of proxy certificates listed above and generates RFC 3820 compliant proxy by default.
    * GT 4.0.x accepts all three types of proxy certificates listed above and generates Proxy Draft Proxy Certificates by default.
    * GT 3.x accepts Proxy Draft and Legacy proxy certificates.
    * GT 2.x accepts Legacy proxy certificates.
[...]

According to the description the GT 4.2.x case - i.e. RFC 3820 compliant proxies are created by default and all proxy types are accepted - is still in effect. So maybe we just drop that "Compatibility" paragraph, like the corresponding manpage in the GCT source does, as GCT is compatible with all existing proxy types.

@fscheiner
Member Author

Correction: The "Compatibility" paragraph is not only referring to compatibility but also to background information. So maybe we create a new page in our documentation that includes that background information and link to that page?

@msalle
Member

msalle commented Dec 1, 2022

Correction: The "Compatibility" paragraph is not only referring to compatibility but also to background information. So maybe we create a new page in our documentation that includes that background information and link to that page?

That was indeed my thinking. Mentioning the different GT versions is probably not very useful any more, unless perhaps for historic reasons. But note that it's only a few years since the legacy proxies (so basically GT2) are no longer the default (-:

@fscheiner
Member Author

But note that it's only a few years since the legacy proxies (so basically GT2) are no longer the default (-:

More like a decade - GT 4.2.1 is already from 2008. Or do you mean in the community?

I'll come up with a page and add another commit for that.

@fscheiner
Member Author

Ok, I have a first draft ready (attached); I also included https://web.archive.org/web/20131007221858/http://dev.globus.org/wiki/Security/ProxyFileFormat and omitted unrelated information about Java and Python code.

But where should we put it? The appendices maybe, or GSI C where grid-proxy-init is located?


proxy-cert-types.adoc.txt

@msalle
Member

msalle commented Dec 2, 2022

Ok, I have a first draft ready (attached); I also included https://web.archive.org/web/20131007221858/http://dev.globus.org/wiki/Security/ProxyFileFormat and omitted unrelated information about Java and Python code.

But where should we put it? The appendices maybe, or GSI C where grid-proxy-init is located?

I think the appendix makes sense. It's kind of generic background information.

proxy-cert-types.adoc.txt

A few comments:

  • general: several places contain an email address, e.g. @jbasney. Before creating new pages containing personal info, we might want to check it's ok, or use a bogus name.
  • lines 28, 30, 32, 52, 54, 56, 77, 79, 81 contain non-ASCII chars: a UTF-8 non-breaking space (0xC2A0) directly after identity:, strength: and timeleft:, probably better to replace with normal spaces.
  • line 35 and further: I know they call it that, but I think it is probably better to skip the first Proxy. Even the long_usage doesn't, see grid_proxy_init.c line 45
  • line 39: it's not the default any longer, see also line 64. The original said it was the default for GT4.0.x, while for 4.2.x and up that became RFC proxies. Not sure when rfc became the default, looks like gridcf/gct@63645d8 from Jan 2008 which could indeed be 4.2
  • line 145: I could not find a tool that broke on a reordered chain. It's the default ordering, but a different order seems to work fine too.
  • line 147: I don't think we want to really support that. It's a recipe for quite some disasters.
