Change CertDN to print Subject DN strings similarly to Globus

The CertDN class is used in the new user operation to obtain the Subject
DN when only the CN has been provided, or when an existing certificate
is used.  This Subject DN is printed as the result of the
nimbus-new-user call, and is also added to the gridmap and the
group-authz files.

A problem appeared when a CN contained an equal sign, such as
Bob Oblaw_97/Email=boblaw@univ.ca.  The existing CertDN code would
escape this equal sign and produce Bob Oblaw_97/Email\=boblaw@univ.ca.
The escaped string would be used for the gridmap and group-authz files.
However, Globus does not use escaped strings internally, and would fail
to match the DN of a service request against these files.

Another bug appears for certificates with emailAddress fields, such as
CN=Bob Oblaw_97/emailAddress=boblaw@univ.ca.  In this case, Globus will
recognize it as CN=Bob Oblaw_97/E=boblaw@univ.ca, and fail to find the
DN in gridmap and group-authz.

Changing the CertDN code to be closer to existing Globus code, namely
org.globus.tools.CertInfo, creates Subject DN strings that Globus can
recognize.

Closes #75.
commit d1e3c5a62cfabec1cec4a75dd4c10ea0ba334ef4 1 parent 0ed6ce2
@priteau priteau authored
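As an added example (not code from this commit, from Nimbus or from Globus), the canonicalisation the commit message describes, written in Python: an RFC 2253 subject string is turned into the slash form with the root RDN first, a `\=` inside a CN value is unescaped rather than kept, and `emailAddress` is shortened to `E`, so the string written to the gridmap compares equal to the one Globus derives from the certificate at request time. The alias table and the sample DNs are taken from the two cases in the commit message; everything else is an assumption of this example.

```python
import re

# Globus reads an "emailAddress" attribute type as "E"; a gridmap entry that
# spells it out never matches (second case in the commit message).
ATTR_ALIASES = {"EMAILADDRESS": "E"}


def split_unescaped(text, sep):
    """Split text on sep, ignoring separators preceded by a backslash.

    Escape sequences (backslash plus one character) are kept intact so the
    caller can unescape the value afterwards.
    """
    parts, buf, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts


def to_globus_id(rfc2253_dn):
    """Convert an RFC 2253 DN (leaf RDN first, comma-separated) into the
    slash-separated Globus form: root RDN first, no backslash escaping."""
    rdns = []
    for rdn in split_unescaped(rfc2253_dn, ","):
        # Only the first '=' separates type from value; a CN such as
        # "Bob Oblaw_97/Email=boblaw@univ.ca" keeps its own '=' as plain text.
        attr, value = rdn.strip().split("=", 1)
        attr = ATTR_ALIASES.get(attr.strip().upper(), attr.strip())
        value = re.sub(r"\\(.)", r"\1", value)  # drop RFC 2253 escapes
        rdns.append("%s=%s" % (attr, value))
    return "/" + "/".join(reversed(rdns))


if __name__ == "__main__":
    # Constructed inputs modelled on the commit message; both must agree with
    # what Globus derives, or the gridmap lookup silently fails.
    print(to_globus_id("CN=Bob Oblaw_97/Email\\=boblaw@univ.ca,OU=CA,O=Auto"))
    print(to_globus_id("emailAddress=boblaw@univ.ca,CN=Bob Oblaw_97,OU=CA,O=Auto"))
```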
44 autocommon/src/org/nimbustools/auto_common/ezpz_ca/CertDN.java
@@ -15,53 +15,25 @@
*/
package org.nimbustools.auto_common.ezpz_ca;
-import java.io.File;
-import java.io.IOException;
-import java.io.FileReader;
import java.security.cert.X509Certificate;
-import java.security.Security;
-import org.bouncycastle.openssl.PEMReader;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.globus.gsi.CertUtil;
-import javax.security.auth.x500.X500Principal;
-
public class CertDN {
+ public static String dnFromPath(String path) {
+ X509Certificate cert = null;
- static {
- Security.addProvider(new BouncyCastleProvider());
- }
-
- public static String dnFromPath(String path) throws IOException {
-
- final File certFile = new File(path);
- if (!certFile.canRead()) {
- final String msg = "File '" + path + "' can not be read.";
- throw new IOException(msg);
+ try {
+ cert = CertUtil.loadCertificate(path);
+ } catch(Exception e) {
+ System.err.println("Unable to load the certificate : " + e.getMessage());
+ System.exit(1);
}
- final FileReader fr = new FileReader(certFile);
- try {
- final PEMReader reader =
- new PEMReader(fr, null, BouncyCastleProvider.PROVIDER_NAME);
- try {
- final X509Certificate cert = (X509Certificate) reader.readObject();
- final X500Principal principal = cert.getSubjectX500Principal();
- final String DN = principal.getName(X500Principal.RFC2253);
-
- return CertUtil.toGlobusID(DN, false);
-
- } finally {
- reader.close();
- }
- } finally {
- fr.close();
- }
+ return CertUtil.toGlobusID(cert.getSubjectDN());
}
-
public static void main(String[] args) {
if (args == null || args.length != 1) {
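Review bot: the new catch block in dnFromPath calls System.exit(1) from inside a library method that previously reported failure by throwing IOException, so the nimbus-new-user caller (and any test that calls CertDN.dnFromPath with a bad path) can no longer handle or report the error and instead has its JVM terminated. Suggest keeping `throws IOException` on the signature and rethrowing, e.g. `throw new IOException("Unable to load the certificate: " + e.getMessage(), e);`, leaving the exit code to main. Catching the broad `Exception` also hides the cause; narrowing it to the checked exceptions CertUtil.loadCertificate declares would be clearer. Since `cert.getSubjectDN()` replaces the earlier `getSubjectX500Principal()` and the JDK documents getSubjectDN as denigrated in favour of the X500Principal form, a short comment that the Principal form is chosen deliberately to match org.globus.tools.CertInfo would save the next reader from "fixing" it back.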
16 tests/user_tests.py
@@ -117,6 +117,22 @@ def test_new_user_s3ids(self):
rc = nimbus_remove_user.main([friendly_name])
self.assertEqual(rc, 0, "should be 0 %d" % (rc))
+ def test_complex_dn(self):
+ friendly_name = self.get_user_name()
+ rc = nimbus_new_user.main(["-n", "%s/Email=%s@example.com" % (friendly_name, friendly_name), friendly_name])
+ self.assertEqual(rc, 0, "should be 0 %d" % (rc))
+ users = self._get_users()
+
+ found = False
+ for u in users:
+ if users[u]['display_name'] == friendly_name:
+ found = True
+ self.assertEqual(users[u]['dn'], '/O=Auto/OU=CA/CN=%s/Email=%s@example.com' % (friendly_name, friendly_name))
+
+ self.assertTrue(found)
+ rc = nimbus_remove_user.main([friendly_name])
+ self.assertEqual(rc, 0, "should be 0 %d" % (rc))
+
def test_no_cert(self):
friendly_name = self.get_user_name()
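Review bot: the cleanup at the end of test_complex_dn (`rc = nimbus_remove_user.main([friendly_name])`) only runs when every assertion above it passes; a failing assertEqual on the DN leaves the user behind, which can break later tests that reuse the name. Suggest wrapping the body after the successful nimbus_new_user.main call in try/finally with the removal in the finally clause. The test also covers only the `Email=` case from the commit message; the `emailAddress=` to `E=` normalisation described there has no test, so a second case asserting the `/E=` form would guard that path as well.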
BIN  web/lib/nimbus-autocommon.tar.gz
Binary file not shown