Path validation fix #10
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- In the case that a CA trust root was not already a part of the CertPath given to TrustedCertPathFinder.findTrustedPath(), the signature of last certificate in the chain is now verified against the discovered trust root certificate. - When checking that the next certificate in the chain has a subject DN that matches the last's certificate's DN, normalize the DNs to a common, Globus format.
This pull request was closed.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Please consider pulling this change. It fixes a problem where, during certificate path validation, the signature of a certificate is not verified against a trusted certificate. Note that it's still not checked whether the trusted certificate is a self-signed CA cert. (it breaks the path validation test suite), so I made a note of that in the comments.
Otherwise, this change passes the tests for me (except for SSLConfiguratorTest and TomcatTest/ClientTest, which were breaking for me even before the changes), and it looks like it's working with the GSI-SSHTerm java client when connecting to real TeraGrid SSH servers as well as my own test one.
I have a more isolated test case that I've uploaded here:
https://github.com/jsiwek/JGlobusPathValidationTest
That could probably be turned into a test case in ProxyPathValidatorTest.