Open fscheiner opened 2 years ago
Concerning the old dev.globus.org page: shouldn't we import that here somewhere? I cannot check it now since the web.archive.org is down
One note: the manpage for grid-proxy-init looks broken at the -cert / -key option. And which actually can also be used to provide a .p12 file. In that case it seems to be looking only at the -cert option when both are present: when -cert
is present, -key can point to any bogus file it seems. If only -key is present it is used and must be valid (e.g. a .p12).
Did a few tests:
* :x: only `-cert [...]` with PKCS#12 keystore doesn't work
```
[johndoe@rockylinux-9 .globus]$ grid-proxy-init -debug -cert ~/.globus/usercred.p12
Error: Couldn't find valid credentials to generate a proxy.
grid_proxy_init.c:535: globus_sysconfig: Error with key filename: The user key could not be found in:
1) env. var. X509_USER_KEY
2) $HOME/.globus/userkey.pem
3) $HOME/.globus/usercred.p12
```
* :x: => :heavy_check_mark: `-cert [...]` with PKCS#12 keystore and `-key /dev/null` for example doesn't work. The file given for `-key` must be (1) owned by the current user, (2) have 0600 permissions at maximum, (3) have a non-zero file size to make it work:
```
[johndoe@rockylinux-9 .globus]$ grid-proxy-init -debug -cert ~/.globus/usercred.p12 -key /dev/null
ERROR: option -key : globus_sysconfig: File is not owned by current user: /dev/null is not owned by current user
Syntax: grid-proxy-init [-help][-pwstdin][-limited][-valid H:M] ...
Use -help to display full usage.
[johndoe@rockylinux-9 .globus]$ chmod 0600 ~/file
[johndoe@rockylinux-9 .globus]$ grid-proxy-init -debug -cert ~/.globus/usercred.p12 -key ~/file
ERROR: option -key : globus_sysconfig: File has zero length: File: /home/johndoe/file
Syntax: grid-proxy-init [-help][-pwstdin][-limited][-valid H:M] ...
Use -help to display full usage.
[johndoe@rockylinux-9 .globus]$ dd if=/dev/urandom of=~/file bs=4096K count=1
1+0 records in
1+0 records out
4194304 bytes (4.2 MB, 4.0 MiB) copied, 0.0628325 s, 66.8 MB/s
[johndoe@rockylinux-9 .globus]$ grid-proxy-init -debug -cert ~/.globus/usercred.p12 -key ~/file
User Cert File: /home/johndoe/.globus/usercred.p12
User Key File: /home/johndoe/file
Trusted CA Cert Dir: (null)
Output File: /tmp/x509up_u1000
Enter GRID pass phrase for this identity:
Your identity: /[...]
Creating proxy .+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.+...+....+...........+.......+.....+...+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.+.+.........+............+..+............+.+..............+.+..+...+.......+..+.........+......+....+...........+....+............+...+..+...+......+...+......+.......+...+......+.....+.+.......................+....+..+.+..+.+..+...............+..........+............+..+.+..+............+.+..+...+....+.....+.+.........+.....+.............+..+...+...............+...+............+...+...+.........+......+.........+.+.....+....+...........+.+...+......+..+...+....+.................+...+.+.................+....+.....+.+..+.+.................+...+.+...........+.......+...........+.......+.....+....+.....................+...+..+.......+..+...+...............+......+.+.....+...+...+...+.+......+..............+...+.......+.........+......+...+......+......+...+...........+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ..+....+...+.........+.....+.+..+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.....+..+............+...+......+.+.........+..+..........+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.......+..+....+......+........+...+...+..........+............+........+.+.....+..........+...+......+.....+....+....................+...+...+.+...+.....+.+..+....+.........+.....+.+........+...+.......+...+........+.+..............................+.....+..................+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Done
Your proxy is valid until: Fri Dec 2 02:51:55 2022
```
* :x: only `-key [...]` with PKCS#12 keystore doesn't work
```
[johndoe@rockylinux-9 .globus]$ grid-proxy-init -debug -key ~/.globus/usercred.p12
Error: Couldn't find valid credentials to generate a proxy.
grid_proxy_init.c:535: globus_sysconfig: Error with certificate filename: The user cert could not be found in:
1) env. var. X509_USER_CERT
2) $HOME/.globus/usercert.pem
3) $HOME/.globus/usercred.p12
```
* :x: `-key [...]` with PKCS#12 keystore and `-cert [...]` with file with random content doesn't work, too:
```
[johndoe@rockylinux-9 .globus]$ grid-proxy-init -debug -key ~/.globus/usercred.p12 -cert ~/file
User Cert File: /home/johndoe/file
User Key File: /home/johndoe/.globus/usercred.p12
Trusted CA Cert Dir: (null)
Output File: /tmp/x509up_u1000
Error: Couldn't read user certificate cert file location: /home/johndoe/file.
grid_proxy_init.c:750: globus_credential: Error reading user credential: Can't read credential cert from bio stream
OpenSSL Error: crypto/pem/pem_lib.c:763: in library: PEM routines, function (null): no start line Expecting: CERTIFICATE
```
* :heavy_check_mark: `-cert` with PKCS#12 keystore and `-key` with PKCS#12 keystore works
```
[johndoe@rockylinux-9 .globus]$ grid-proxy-init -debug -key ~/.globus/usercred.p12 -cert ~/.globus/usercred.p12
User Cert File: /home/johndoe/.globus/usercred.p12
User Key File: /home/johndoe/.globus/usercred.p12
Trusted CA Cert Dir: (null)
Output File: /tmp/x509up_u1000
Enter GRID pass phrase for this identity:
Your identity: /[...]
Creating proxy ...................+....+.........+..+...+.+..+...............+...+.+........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++..........+.+......+............+.....+.+..+....+...+........+............+.+..+..........+..+.+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++...+............+...+.+.................+....+.....+.............+..+...............+....+.....+....+..................+..+.+...........+......+.......+............+...+......+..+.............+....................+.+......+.....+....+...+..+....+.....+...................+...........+.+...+........+.......+...........................+......+...+.....+.+.....+.+..+.............+...+......+......+..+.......+.....+.+...+..............+.......+.....+...+..........+...+...+.....+......+...+.............+..+......+.+...+.....+...+...+.+...+...+...+..+...+.........+...+.........+....+..............+.+...........+.+..+.+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ...+.......+.....+....+............+.....+...+.......+..+......+.+...+..+......+.........+....+..+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++...+...+.+...+..+.+.....+...+...................+..+.........+.+........+............+...+.+.....................+.....+...+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Done
Your proxy is valid until: Fri Dec 2 03:12:48 2022
```
So one or the other alone does not work for me on Rocky Linux 9. That's most likely why both options are given like that (`-cert [...] -key [...]` ) - oh, wait, they are not. They are given with a comma in between, as if they were synonyms: `-cert CERTFILE, -key KEYFILE` (see for example https://gridcf.org/gct-docs/latest/appendices/commands/index.html#grid-proxy-init).
**Proposal**
* That comma should go, to make it clear that both options need to be used together.
* Maybe we could enforce that both arguments to `-cert` and `-key` must be the same file when using a PKCS#12 keystore.
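An added pre-flight check, written for this thread and not part of GCT or gct-docs (example code, not the project's own): it replicates the three conditions observed above for the file passed to `-key` (owned by the current user, mode no wider than 0600, non-empty) and the proposal that `-cert` and `-key` name the same file when a PKCS#12 keystore is used. The real checks live in `globus_sysconfig` and may differ in detail; detecting a PKCS#12 keystore by the `.p12` extension is an assumption made here for the example.

```shell
#!/bin/sh
# Pre-flight check for credential files before calling grid-proxy-init.
# Mirrors the three conditions seen in the tests above for the -key file:
# (1) owned by the current user, (2) mode 0600 or tighter, (3) non-empty.
# This is an approximation of the globus_sysconfig checks, not their code.

# check_cred_file FILE -> 0 if FILE would pass, 1 otherwise (reason on stderr)
check_cred_file() {
    f=$1
    # /dev/null is rejected here as "not a regular file"; grid-proxy-init
    # reported it as "not owned by current user" in the test above.
    if [ ! -f "$f" ]; then
        echo "$f: not a regular file" >&2; return 1
    fi
    if [ ! -O "$f" ]; then
        echo "$f: not owned by current user" >&2; return 1
    fi
    # Columns 5-10 of 'ls -ld' are the group and other permission bits;
    # all of them must be '-' for a mode of 0600 or tighter.
    go=$(ls -ld "$f" | cut -c5-10)
    if [ "$go" != "------" ]; then
        echo "$f: group/other permissions set (need 0600 at maximum)" >&2; return 1
    fi
    if [ ! -s "$f" ]; then
        echo "$f: zero length" >&2; return 1
    fi
    return 0
}

# check_proxy_args CERTFILE KEYFILE -> 0 if the pair is usable.
# Encodes the proposal from the thread: with a PKCS#12 keystore both
# -cert and -key must point at the same file. Extension-based detection
# of PKCS#12 is an assumption made for this example.
check_proxy_args() {
    cert=$1
    key=$2
    check_cred_file "$cert" || return 1
    check_cred_file "$key" || return 1
    p12=0
    case "$cert" in *.p12) p12=1 ;; esac
    case "$key" in *.p12) p12=1 ;; esac
    if [ "$p12" -eq 1 ] && [ "$cert" != "$key" ]; then
        echo "PKCS#12 keystore given: -cert and -key must name the same file" >&2
        return 1
    fi
    return 0
}

# Usage: sh check_cred.sh CERTFILE [KEYFILE]; KEYFILE defaults to CERTFILE,
# which is the working combination for a PKCS#12 keystore.
if [ $# -ge 1 ]; then
    check_proxy_args "$1" "${2:-$1}" && echo "ok: -cert $1 -key ${2:-$1}"
fi
```

Run it as `sh check_cred.sh ~/.globus/usercred.p12` before `grid-proxy-init -cert ~/.globus/usercred.p12 -key ~/.globus/usercred.p12`; a non-zero exit with the reason on stderr saves a round trip through the `Syntax:` usage message.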
> Concerning the old dev.globus.org page: shouldn't we import that here somewhere? I cannot check it now since the web.archive.org is down
We can't, because the original site is gone and the URL forwards to the documentation site of _globus_.
@msalle: Ok, the description is corrected with https://github.com/gridcf/gct-docs/pull/32/commits/653bc22f3fea096a233222a446a2d1035d144d18 - thanks for the pointer :-). I also added information about the correct use with a PKCS#12 keystore with https://github.com/gridcf/gct-docs/pull/32/commits/ae5705574cb4e32845293c80de22d89905bdd94f.
We still need to decide what to do with the outdated info from (now) archive.org. Perhaps just include the description of the 3 different proxy versions.
Now I understand you, you want to include that info in the documentation rather than relying on a web page that sometimes is not accessible.
Hm, the relevant information there is about outdated versions of the Globus Toolkit:
[...]
Proxy Certificate Compatibility
* GT 4.2.x accepts all three types of proxy certificates listed above and generates RFC 3820 compliant proxy by default.
* GT 4.0.x accepts all three types of proxy certificates listed above and generates Proxy Draft Proxy Certificates by default.
* GT 3.x accepts Proxy Draft and Legacy proxy certificates.
* GT 2.x accepts Legacy proxy certificates.
[...]
According to the description the GT 4.2.x case - i.e. RFC 3820 compliant proxies are created by default and all proxy types are accepted - is still in effect. So maybe we just drop that "Compatibility" paragraph, like the corresponding manpage in the GCT source does, as GCT is compatible with all existing proxy types.
Correction: The "Compatibility" paragraph is not only refering to compatibility but also to background information. So maybe we create a new page in our documentation that includes that background information and link to that page?
> Correction: The "Compatibility" paragraph is not only refering to compatibility but also to background information. So maybe we create a new page in our documentation that includes that background information and link to that page?

That was indeed my thinking. Mentioning the different GT versions is probably not very useful any more unless for perhaps historic reasons. But note that it's only a few years since the legacy proxies (so basically GT2) are no longer the default (-:
> But note that it's only a few years since the legacy proxies (so basically GT2) are no longer the default (-:
More like a decade - GT 4.2.1 is already from 2008. Or do you mean in the community?
I'll come up with a page and add another commit for that.
Ok, I have a first draft ready (attached), I also included https://web.archive.org/web/20131007221858/http://dev.globus.org/wiki/Security/ProxyFileFormat and omitted unrelated information about Java and Python code.
But where should we put it? The appendices maybe, or GSI C where `grid-proxy-init` is located?
> Ok, I have a first draft ready (attached), I also included https://web.archive.org/web/20131007221858/http://dev.globus.org/wiki/Security/ProxyFileFormat and omitted unrelated information about Java and Python code.
> But where should we put it? The appendices maybe, or GSI C where `grid-proxy-init` is located?
I think the appendix makes sense. It's kind of generic background information.
A few comments: `identity:`, `strength:` and `timeleft:`, probably better to replace with normal spaces.
This includes fixes for:
in the first commit and the addition of information about the use of PKCS#12 keystores with `grid-proxy-init` in the second commit. What do you think about the second commit? If you agree this information should also be added to the manpage in the GCT sources.
Could this (the documentation site and the manpage) be also a good place to reference https://github.com/gridcf/gct/issues/202?