Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Namespace checking applied to host certificates under HTTP-TPC #65

Open
paulmillar opened this issue Nov 26, 2024 · 0 comments · May be fixed by #68
Open

Namespace checking applied to host certificates under HTTP-TPC #65

paulmillar opened this issue Nov 26, 2024 · 0 comments · May be fixed by #68

Comments

@paulmillar
Copy link
Contributor

The CaNL library supports different namespace checking modes; for example, using the Globus .signing_policy files or EuGPMA .namespaces files and whether to fail the certificate validation test if the required file(s) are missing.

When working with non-IGTF trust anchors (e.g., CA/B trust anchors), these files typically do not exist.

Moreover, with HTTP-TPC, the identity being asserted in the certificate is the DNS name, which is recorded in the X.509 v3 Subject Alternative Name field. The host certificate's DN is irrelevant in this case, so enforcing namespace makes no sense as this protects the EEC Subject DN (and nothing else).

paulmillar added a commit to paulmillar/storm-webdav that referenced this issue Nov 26, 2024
Motivation:

For HTTP-TPC, the checking of Subject DN makes no sense, as the identity
being asserted by the EEC is the DNS name of the host.

Modification:

Add configation option to allow different checking modes, as supported
by the CaNL library.  The default option, if none specified, is the
existing mode `EUGRIDPMA_AND_GLOBUS_REQUIRE`, providing backwards
compatibility.

Result:

No user or admin visible changes by default.  StoRM-WebDAV now supports
an admin configuring the namespace checking mode via:

    storm:
	tls:
            namespace-checking-mode: IGNORE

Closes: italiangrid#65
@paulmillar paulmillar changed the title Namespace checking mode is not configurable for HTTP-TPC Namespace checking applied to host certificates under HTTP-TPC Nov 27, 2024
paulmillar added a commit to paulmillar/storm-webdav that referenced this issue Nov 27, 2024
Motivation:

Namespace checking rejects certificates if the subject DN is not one of
the allowed values for that certificate's CA.  A list of allowed subject
DNs is maintained by IGTF for their trust store.

There are two problems with this approach.

  1. it is IGTF specific.  There is no equivalent for CA/B, making
     interoperability with CA/B-approved CAs non-trivial.

  2. for HTTP-TPC, the check is pointless.  It protects the
     certificate's Subject DN, which plays no role in the identity of
     the remote site.  Instead, the X.509 v3 Subject Alternative Name is
     used, instead.

Modification:

Update the SSLContext (which includes the certificate chain validation)
for the Apache HTTP client.  There is (no longer) any namespace checking
for such certificates.

Note that the namespace checking for client X.509 certificates (which is
the intended target of namespace checking) is unaffected by this change.

Result:

HTTP-TPC now works with remote sites that have a CA/B certificate and
using the system standard trust store.

Closes: italiangrid#65
paulmillar added a commit to paulmillar/storm-webdav that referenced this issue Nov 27, 2024
Motivation:

Namespace checking rejects certificates if the subject DN is not one of
the allowed values for that certificate's CA.  A list of allowed subject
DNs is maintained by IGTF for their trust store.

There are two problems with this approach.

  1. it is IGTF specific.  There is no equivalent for CA/B, making
     interoperability with CA/B-approved CAs non-trivial.

  2. for HTTP-TPC, the check is pointless.  It protects the
     certificate's Subject DN, which plays no role in the identity of
     the remote site.  Instead, the X.509 v3 Subject Alternative Name is
     used, instead.

Modification:

Update the SSLContext (which includes the certificate chain validation)
for the Apache HTTP client.  There is (no longer) any namespace checking
for such certificates.

Note that the namespace checking for client X.509 certificates (which is
the intended target of namespace checking) is unaffected by this change.

Result:

HTTP-TPC now works with remote sites that have a CA/B certificate and
using the system standard trust store.

Closes: italiangrid#65
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants