Bugzilla – Bug 6329
Weird error for "DN does not match signing policy"
Last modified: 2008-08-20 16:10:32
From gt-user, subject: globusrun-ws error

    globusrun-ws -submit -f gramtest -dbg
    Submitting job...Failed.
    globusrun-ws: Error submitting job
    globus_gsi_callback_module: Could not verify credential
    globus_gsi_callback_module: Error with signing policy
    globus_gsi_callback_module: Error in OLD GAA code: CA policy violation: <no reason given>

It turns out the containercert was signed by SimpleCA, but the DN they gave the certificate did not match the regexp in the cond_subjects line of the signing policy.

This error should look something more like:

    The DN of the service ("/The/Bad/DN") does not match the cond_subjects in /path/to/hash.signing_policy.

I don't see that behavior with 4.0.8 or 4.2.0. Instead I see:

    grid_proxy_init.c:1079:globus_credential: Error verifying credential: Failed to verify credential
    globus_gsi_callback_module: Could not verify credential
    globus_gsi_callback_module: Could not verify credential
    globus_gsi_callback_module: Error with signing policy
    globus_gsi_callback_module: Error in OLD GAA code: Error checking certificate with subject /DC=org/DC=doegrids/OU=People/CN=Joseph Bester 912390against signing policy file /etc/grid-security/certificates/1c3f2ca8.signing_policy

I don't like the missing whitespace between the end of the subject and the word "against", but otherwise the error looks reasonable. Could this have been an unparseable policy file?

The user sent this as the signing policy:

    # EACL entry #1|
    access_id_CA X509 '/O=Grid/OU=GlobusTest/OU=simpleCA-cammcc.proteowizrd.org/CN=Globus Simple CA'
    pos_rights globus CA:sign
    cond_subjects globus '"/O=Grid/OU=GlobusTest/OU=simpleCA-cammcc.proteowizrd.org/*"'
    # end of EACL

Also, do you see any difference between using grid-proxy-init and globusrun-ws?

OK. I see that there are two different error conditions that can occur. When the signing policy contains no entries relevant to the CA cert, it will fail with the message I printed. If it contained an entry relevant to the CA cert but it didn't match the user cert, it failed with the obscure error you reported.

I've updated the callback code in 4.0 branch, 4.2 branch, and trunk to distinguish the problems and report them:

    globus_gsi_callback_module: Error in OLD GAA code: The subject of the certificate "/DC=org/DC=doegrids/OU=People/CN=Joseph Bester 912390" does not match the signing policies defined in /etc/grid-security/certificates/1c3f2ca8.signing_policy

    globus_gsi_callback_module: Error in OLD GAA code: No policy definitions for CA "/DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1" in signing policy file /etc/grid-security/certificates/1c3f2ca8.signing_policy
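
Added example, not part of the bug thread and not Globus code: a small diagnostic that reads a signing policy in the EACL layout quoted above and tells apart the two failure conditions described in the last comment (no entry for the CA versus an entry whose cond_subjects do not match the certificate subject). The function names, the exact-string comparison of the CA DN, the '*'-only wildcard matching and the sample policy (host.example.org) are assumptions made for illustration.

```python
import re

# Constructed sample policy in the EACL layout quoted in the report.
SAMPLE_POLICY = """\
# EACL entry #1|
access_id_CA X509 '/O=Grid/OU=GlobusTest/OU=simpleCA-host.example.org/CN=Globus Simple CA'
pos_rights globus CA:sign
cond_subjects globus '"/O=Grid/OU=GlobusTest/OU=simpleCA-host.example.org/*"'
# end of EACL
"""

def parse_policy(text):
    """Return {CA DN: [subject patterns]} from signing-policy text."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"access_id_CA\s+X509\s+'([^']*)'", line)
        if m:
            current = m.group(1)
            policies.setdefault(current, [])
            continue
        m = re.match(r"cond_subjects\s+globus\s+'([^']*)'", line)
        if m and current is not None:
            # Patterns are double-quoted inside the single quotes; a bare
            # unquoted pattern is also accepted here.
            pats = re.findall(r'"([^"]*)"', m.group(1)) or m.group(1).split()
            policies[current].extend(pats)
    return policies

def wildcard_match(pattern, subject):
    # Assumption: only '*' is a wildcard (matches any run of characters).
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, subject) is not None

def check_subject(policy_text, ca_dn, subject_dn):
    """Classify the outcome: 'ok', 'no_policy_for_ca' or 'subject_mismatch'."""
    policies = parse_policy(policy_text)
    if ca_dn not in policies:  # assumption: CA DN compared as an exact string
        return "no_policy_for_ca"
    if any(wildcard_match(p, subject_dn) for p in policies[ca_dn]):
        return "ok"
    return "subject_mismatch"
```

Running check_subject against the real hash.signing_policy file with the issuer and subject of the failing certificate shows which of the two conditions applies before digging into the callback error text.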