jglobus / JGlobus

jGlobus is a collection of Java client libraries for Globus® Toolkit security, GRAM, and GridFTP.
http://www.globus.org/toolkit/jglobus/
Apache License 2.0

XSEDE IGTF certificate format mismatch #148

Closed earslan10 closed 8 years ago

earslan10 commented 9 years ago

XSEDE data transfer nodes' host certificates contain extra fields such as "Postal Code", and JGlobus authentication throws an error and ends the program with: Caused by: java.io.IOException: Invalid keyword "POSTALCODE". I have version 2.0 and am not sure if this was addressed in a newer version. I'd appreciate it if you can share the jar format of newer versions. Thanks

jbasney commented 9 years ago

It appears Java's X500Principal class does not accept the DN of the host certificate at TACC. I guess JGlobus would need to stop using X500Principal to work around this issue if TACC cannot update the certificate. Here's a demonstration.

```
$ cat DNTest.java
import javax.security.auth.x500.X500Principal;

public class DNTest {
    public static void main(String[] args) throws Exception {
        X500Principal princ = new X500Principal(args[0]);
        System.out.println("success: " + princ.toString());
    }
}
$ javac DNTest.java
$ java DNTest "CN=data1.stampede.tacc.utexas.edu,OU=TACC - Texas Advanced Computing Center,O=The University of Texas at Austin,STREET=1 University Station,L=Austin,ST=TX,PostalCode=78711,C=US,DC=incommon,DC=org"
Exception in thread "main" java.lang.IllegalArgumentException: improperly specified input name: CN=data1.stampede.tacc.utexas.edu,OU=TACC - Texas Advanced Computing Center,O=The University of Texas at Austin,STREET=1 University Station,L=Austin,ST=TX,PostalCode=78711,C=US,DC=incommon,DC=org
    at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:183)
    at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:128)
    at DNTest.main(DNTest.java:5)
Caused by: java.io.IOException: Invalid keyword "POSTALCODE"
    at sun.security.x509.AVAKeyword.getOID(AVA.java:1254)
    at sun.security.x509.AVA.<init>(AVA.java:188)
    at sun.security.x509.AVA.<init>(AVA.java:147)
    at sun.security.x509.RDN.<init>(RDN.java:145)
    at sun.security.x509.X500Name.parseDN(X500Name.java:917)
    at sun.security.x509.X500Name.<init>(X500Name.java:163)
    at javax.security.auth.x500.X500Principal.<init>(X500Principal.java:181)
    ... 2 more
$ java DNTest "CN=data1.stampede.tacc.utexas.edu,OU=TACC - Texas Advanced Computing Center,O=The University of Texas at Austin,STREET=1 University Station,L=Austin,ST=TX,C=US,DC=incommon,DC=org"
success: CN=data1.stampede.tacc.utexas.edu, OU=TACC - Texas Advanced Computing Center, O=The University of Texas at Austin, STREET=1 University Station, L=Austin, ST=TX, C=US, DC=incommon, DC=org
```

bbockelm commented 9 years ago

Nah, we'd just need to register the missing OIDs. See an example from when Gerd dumped a whole list in:

https://github.com/jglobus/JGlobus/commit/dcc7e2574f676553870da785a89bfc90bfad2df2

But you might want to ask yourself whether you really want to use these OIDs - are they standard?

earslan10 commented 9 years ago

Though I don't need or care about it, when it appears on the host certificate (which I have no privilege to update) it becomes a problem. Anyways, I just realized "PostalCode" is already added as an OID previously and updating JGlobus from version 2 to 2.1 worked for me (at least for this specific case). Thanks
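
The "register the missing OIDs" approach discussed in this thread can be reproduced with the JDK alone, shown here as an added example that is not code from JGlobus or from any commenter. It uses the two-argument `X500Principal` constructor and `getName` overload, and assumes the keyword should map to the X.520 `postalCode` attribute type, OID 2.5.4.17; the class name `DNKeywordMapTest` is made up for the illustration.

```java
import java.util.Collections;
import java.util.Map;
import javax.security.auth.x500.X500Principal;

public class DNKeywordMapTest {
    // Assumption: "PostalCode" means the X.520 postalCode attribute type.
    static final String POSTAL_CODE_OID = "2.5.4.17";

    // Parse a DN string, accepting PostalCode in addition to the JDK's
    // built-in keywords. Keys in the keyword map must be upper case.
    static X500Principal parse(String dn) {
        Map<String, String> extraKeywords =
                Collections.singletonMap("POSTALCODE", POSTAL_CODE_OID);
        return new X500Principal(dn, extraKeywords);
    }

    // Render as RFC 2253, printing the OID under a readable keyword instead
    // of the dotted OID with a hex-encoded value.
    static String render(X500Principal p) {
        Map<String, String> oidNames =
                Collections.singletonMap(POSTAL_CODE_OID, "PostalCode");
        return p.getName(X500Principal.RFC2253, oidNames);
    }

    public static void main(String[] args) {
        // DN taken from the demonstration earlier in this thread.
        String dn = "CN=data1.stampede.tacc.utexas.edu,"
                + "OU=TACC - Texas Advanced Computing Center,"
                + "O=The University of Texas at Austin,"
                + "STREET=1 University Station,L=Austin,ST=TX,"
                + "PostalCode=78711,C=US,DC=incommon,DC=org";
        try {
            new X500Principal(dn); // default keyword table only
        } catch (IllegalArgumentException e) {
            System.out.println("default parser rejected the DN: " + e.getMessage());
        }
        X500Principal p = parse(dn);
        System.out.println("with keyword map: " + render(p));
        // The DER form carries OIDs, not keywords, so rebuilding the name
        // from its encoding needs no map and compares equal.
        X500Principal fromDer = new X500Principal(p.getEncoded());
        System.out.println("DER round trip equal: " + fromDer.equals(p));
    }
}
```

The keyword table only matters when a DN passes through its string form; a name built from the encoded bytes parses without it.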