The myproxy-server rejects revoked certificates. It checks CRLs by
default and can be optionally configured to query OCSP. It's not
necessary to use OCSP if you have CRLs in place. The myproxy-server
reads the CRL files in /etc/grid-security/certificates for every
request, so it immediately discovers any updates to the CRL files.

I ran my own tests to confirm. With no CRL in place I get:

$ myproxy-init -s localhost -c 0
Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA/CN=Jim Basney
Creating proxy ................................... Done
Proxy Verify OK
Your proxy is valid until: Fri Jan 18 03:35:17 2013
Enter MyProxy pass phrase:
Verifying - Enter MyProxy pass phrase:
A proxy valid for 11 hours (0.5 days) for user jbasney now exists on
localhost.

When I create a CRL revoking my certificate and install it in
/etc/grid-security/certificates on my myproxy-server, I get:

$ myproxy-init -s localhost -c 0
Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA/CN=Jim Basney
Creating proxy .................. Done
Proxy Verify OK
Your proxy is valid until: Fri Jan 18 03:35:17 2013
Error authenticating: GSS Major Status: Authentication Failed
GSS Minor Status Error Chain:
globus_gss_assist: Error during context initialization
globus_gsi_gssapi: Unable to verify remote side's credentials
globus_gsi_gssapi: SSLv3 handshake problems: Couldn't do ssl handshake
OpenSSL Error:
/SourceCache/OpenSSL098/OpenSSL098-47/src/ssl/s3_pkt.c:1102: in library:
SSL routines, function SSL3_READ_BYTES: sslv3 alert certificate revoked
SSL alert number 44

When I install the CRL on the client side, I get an earlier error,
because myproxy-init verifies the credential before trying to use it:

$ myproxy-init -s localhost -c 0 -v
Your identity: /O=Grid/OU=GlobusTest/OU=simpleCA/CN=Jim Basney
Creating proxy ................ Done
Error: Couldn't verify the authenticity of the user's credential to
generate a proxy from.
       grid_proxy_init.c:971: globus_credential: Error verifying
credential: Failed to verify credential
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: Could not verify credential
globus_gsi_callback_module: The certificate has been revoked: Serial
number = 57 (0x39) Subject=/O=Grid/OU=GlobusTest/OU=simpleCA/CN=Jim Basney
grid-proxy-init failed

So my guess is your certificate's serial number isn't listed in the CRL
you generated, or you didn't install the CRL in
/etc/grid-security/certificates/<hash>.r0 on the myproxy-server.

You can use openssl to check if your certificate is revoked:

$ openssl verify \
    -CApath /etc/grid-security/certificates -crl_check usercert.pem
usercert.pem: /O=Grid/OU=GlobusTest/OU=simpleCA/CN=Jim Basney
error 23 at 0 depth lookup:certificate revoked
$ openssl crl -text -noout -in 86863cfb.r0
Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /O=Grid/OU=GlobusTest/OU=simpleCA/CN=Globus Simple CA
        Last Update: Jan 17 21:41:27 2013 GMT
        Next Update: Jan 31 21:41:27 2013 GMT
Revoked Certificates:
    Serial Number: 39
        Revocation Date: Jan 17 21:40:23 2013 GMT
    Signature Algorithm: sha1WithRSAEncryption
        28:9b:1f:f0:15:50:a5:43:d5:57:d1:e2:2c:f4:ac:91:56:04:
        6a:f1:bc:52:b7:e0:56:83:58:16:82:30:fc:ed:23:e2:1a:8d:
        b0:db:89:ee:3c:1a:12:20:b1:46:d0:ef:e6:c0:d8:26:76:2d:
        8a:19:6f:11:bd:bd:4e:de:3a:e4:99:d2:76:b8:fb:bb:32:6d:
        cf:ca:71:70:f3:5e:dd:7c:ee:e3:98:1b:cc:59:c3:69:f4:03:
        9f:f2:0b:3e:66:14:dc:1b:ab:93:57:30:48:56:25:d9:05:b8:
        c2:6b:04:7f:ce:40:c1:7c:51:0d:c3:b5:30:f2:37:2b:b5:e4:
        43:cb
$ openssl x509 -noout -serial -in usercert.pem
serial=39
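The `openssl verify -crl_check` check the reply runs, carried through end to end as an added example (this is not code from the original message, nor from MyProxy/Globus): a POSIX shell script that builds a throwaway CA in a scratch directory, issues `usercert.pem`, installs the CA certificate as `<hash>.0` and its CRL as `<hash>.r0`, and shows the verify result flipping from OK to "certificate revoked" once the serial is added to the CRL. The function names (`cert_status`, `setup_demo_ca`, `revoke_user_cert`, `publish_crl`), the CA configuration, subjects and paths are all constructed for the demo; the file names use the hash printed by `openssl x509 -subject_hash` (if your certificates directory is named by the older MD5-based hash, use `-subject_hash_old` instead). It needs the `openssl` command line tool.

```shell
#!/bin/sh
# Added example (not code from the thread): build a throwaway CA in a scratch
# directory, issue usercert.pem, publish an empty CRL as <hash>.r0, revoke
# the certificate, republish, and classify the result of
#   openssl verify -CApath <dir> -crl_check usercert.pem
# at each step. Needs the openssl CLI; names, subjects and paths are made up.

# Classify CERT against the CA certificates and CRLs in CAPATH: prints
# "ok", "revoked" (a CRL lists its serial) or "error" (no chain, no CRL,
# expired CRL, ...). The exit status of "openssl verify" is not uniform
# across OpenSSL versions, so the printed result is used instead.
cert_status() {
    out=$(openssl verify -CApath "$1" -crl_check "$2" 2>&1) || true
    case $out in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo ok ;;
        *)                       echo error ;;
    esac
}

# Minimal "openssl ca" configuration for the demo CA rooted at DIR.
write_ca_config() {
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $1/index.txt
new_certs_dir = $1/newcerts
certificate = $1/ca.pem
private_key = $1/ca.key
serial = $1/serial
crlnumber = $1/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 14
policy = demo_policy
x509_extensions = usr_cert
[ demo_policy ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# (Re)generate the CRL from the CA database and install it as <hash>.r0,
# the name the hashed-directory lookup expects next to <hash>.0.
publish_crl() {
    hash=$(openssl x509 -noout -subject_hash -in "$1/ca.pem")
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/certs/$hash.r0" 2>/dev/null
}

# Create the CA under DIR, issue usercert.pem (serial 01), publish an empty CRL.
setup_demo_ca() {
    mkdir -p "$1/newcerts" "$1/certs"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    echo 01 > "$1/crlnumber"
    write_ca_config "$1"
    openssl req -config "$1/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo Simple CA" -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
    openssl req -config "$1/ca.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=Demo User" -keyout "$1/user.key" -out "$1/user.csr" >/dev/null 2>&1
    openssl ca -config "$1/ca.cnf" -batch -notext \
        -in "$1/user.csr" -out "$1/usercert.pem" >/dev/null 2>&1
    cp "$1/ca.pem" "$1/certs/$(openssl x509 -noout -subject_hash -in "$1/ca.pem").0"
    publish_crl "$1"
}

# Mark usercert.pem revoked in the CA database and publish the new CRL.
revoke_user_cert() {
    openssl ca -config "$1/ca.cnf" -revoke "$1/usercert.pem" >/dev/null 2>&1
    publish_crl "$1"
}

# End-to-end run; "sh this-script.sh run" prints "ok", then "revoked", then
# the serial of usercert.pem next to the serials the CRL lists.
demo() {
    dir=$(mktemp -d)
    setup_demo_ca "$dir"
    echo "before revocation: $(cert_status "$dir/certs" "$dir/usercert.pem")"
    revoke_user_cert "$dir"
    echo "after revocation:  $(cert_status "$dir/certs" "$dir/usercert.pem")"
    openssl x509 -noout -serial -in "$dir/usercert.pem"
    openssl crl -noout -text -in "$dir"/certs/*.r0 | grep -E 'Serial Number|Revocation Date'
    rm -rf "$dir"
}
if [ "${1:-}" = run ]; then demo; fi
```

Run it with `sh script.sh run`. The last two lines of output are the comparison the reply suggests: the serial printed by `openssl x509 -serial` should appear under the CRL's revoked entries. Pointing `cert_status` at a real `/etc/grid-security/certificates` with a real user certificate gives the same three-way answer: "revoked" means the server will reject the credential as soon as the file is in place, while "error" rather than "revoked" means the serial is not listed in the CRL or the CRL is not installed under the issuer's `<hash>.r0` name, which are the two causes the reply guesses at.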

On 1/17/13 3:15 PM, leo_cu...@lavabit.com wrote:
> Is it possible to avoid the storage of a credential for revoked certificates?
> 
> I found something interesting in myproxy-server.config comments, like the
> ocsp protocol used to check the validity of credentials stored in the
> myproxy-server repository before they may be delegated to a user. But in
> this case do I have to enable an OCSP server with a crl distribution site
> in order to achieve my task? I haven't found how to make myproxy
> automatically "discover" the revoked certificates from the crl certificate
> in /etc/grid-security/certificates, so that it stops making proxy certificates
> for revoked certificates.
> 
> I created a certificate and key pair with a CA of my own. I tested
> myproxy-init and myproxy-logon: all ok. I followed by revoking this
> certificate, downloaded the CA's new crl and rewrote the
> /etc/grid-security/certificates/<hash>.r0 file, but I was still able to
> store the credentials of the revoked certificate.
