Validation requires old (MD5) certificates when using .lsc files #19

Closed
paulmillar opened this issue Feb 5, 2016 · 1 comment

@paulmillar

When adding support for a VOMS server, I needed to add a new CA into the trust store and a corresponding .lsc file. At this time I added only the SHA1-hash symbolic links for the PEM-encoded certificate, the .namespaces and the .signing_policy files in the trust store (/etc/grid-security/certificates). This failed to work.

After some investigation, I discovered that after adding the MD5-hash symbolic links the validation started to work. Removing the SHA1 symbolic links did not stop the validation from succeeding.

It appears that VOMS validation, at least when using .lsc files, requires MD5-hash symbolic links.

The following is an example of the VOMS validation errors produced when the MD5 symbolic links (for the CA that issued the VOMS certificate) were missing:

05 Feb 2016 17:31:17 (gPlazma) [qhc:1:srm2:ls SRM-prometheus Login AUTH voms]
Validation failure QtX9: [[canlError]:CAnL certificate validation error: No trusted CA
certificate was found for the certificate chain, [canlError]:CAnL certificate validation
error: Trusted issuer of this certificate was not established, [invalidAcCert]:LSC
validation failed: AA certificate chain embedded in the VOMS AC failed certificate
validation!, [aaCertNotFound]:AC signature verification failure: no valid VOMS server
credential found.]
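
The two kinds of hash link described in this report can be checked per CA with `openssl x509 -subject_hash` (SHA1-based) and `openssl x509 -subject_hash_old` (MD5-based). The shell function below is an added example, not part of the original issue or of the VOMS code; it assumes CA certificates are stored as `*.pem` files in the trust store and that hash links use the `.0` suffix (no hash collisions).

```shell
#!/bin/sh
# Added example: list the hash-named trust-store entries missing for each CA.
# Assumptions: CA certificates are *.pem files in the directory, and hash
# links end in ".0" (no collisions that would need ".1", ".2", ...).

audit_trust_store() {
    dir=$1
    missing=0
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        # New-style hash (SHA1-based, OpenSSL 1.0.0 and later).
        new=$(openssl x509 -in "$pem" -noout -subject_hash) || continue
        # Old-style hash (MD5-based, OpenSSL before 1.0.0).
        old=$(openssl x509 -in "$pem" -noout -subject_hash_old) || continue
        for pair in "sha1:$new" "md5:$old"; do
            kind=${pair%%:*}
            hash=${pair#*:}
            # The certificate link plus the two policy files named in the issue.
            for suffix in 0 namespaces signing_policy; do
                # -e follows symlinks, so a dangling link counts as missing.
                if [ ! -e "$dir/$hash.$suffix" ]; then
                    echo "MISSING $kind $hash.$suffix for ${pem##*/}"
                    missing=$((missing + 1))
                fi
            done
        done
    done
    # Exit status 0 only when every expected entry is present.
    [ "$missing" -eq 0 ]
}

# Run against a directory when one is given on the command line,
# e.g. /etc/grid-security/certificates
[ "$#" -eq 0 ] || audit_trust_store "$1"
```
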
@andreaceccanti
Contributor

See comments in #18. Closing this.
Related issue:
https://issues.infn.it/jira/browse/VOMS-703
