Hi,

Using the latest version of the globus toolkit (Version 4.2.1, built from source; Ubuntu 7.10) I am unable to verify the UK eScience CA cert chain using the globus 'grid-cert-diagnostics' script unless I modify the signing policy for the UK eScience root CA cert.

Using the signing policy provided by the UK CA, which specifies 'cond_subjects' as

    cond_subjects globus '"/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA"'

I get the following exception:

    Getting trusted certificate list...
    Checking CA file /etc/grid-security/certificates/98ef0ee5.0... ok
    Checking that certificate hash matches filename... ok
    Checking CA certificate name for 98ef0ee5.0...ok (/C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root)
    Checking if signing policy exists for 98ef0ee5.0... ok
    Verifying certificate chain for 98ef0ee5.0... failed
    globus_credential: Error verifying credential: Failed to verify credential
    globus_gsi_callback_module: Could not verify credential
    globus_gsi_callback_module: Error with signing policy
    globus_gsi_callback_module: Error in OLD GAA code: The subject of the certificate "/C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root" does not match the signing policies defined in /etc/grid-security/certificates/98ef0ee5.signing_policy
    Checking CA file /etc/grid-security/certificates/367b75c3.0... ok
    Checking that certificate hash matches filename... ok
    Checking CA certificate name for 367b75c3.0...ok (/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA)
    Checking if signing policy exists for 367b75c3.0... ok
    Verifying certificate chain for 367b75c3.0... failed
    globus_credential: Error verifying credential: Failed to verify credential
    globus_gsi_callback_module: Could not verify credential
    globus_gsi_callback_module: Error with signing policy
    globus_gsi_callback_module: Error in OLD GAA code: The subject of the certificate "/C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root" does not match the signing policies defined in /etc/grid-security/certificates/98ef0ee5.signing_policy

However, if I edit the 'cond_subjects' in the signing policy for the Root CA to look like:

    cond_subjects globus '"/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA" "/C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root"'

then the chain verifies correctly.

    Getting trusted certificate list...
    Checking CA file /etc/grid-security/certificates/98ef0ee5.0... ok
    Checking that certificate hash matches filename... ok
    Checking CA certificate name for 98ef0ee5.0...ok (/C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root)
    Checking if signing policy exists for 98ef0ee5.0... ok
    Verifying certificate chain for 98ef0ee5.0... ok
    Checking CA file /etc/grid-security/certificates/367b75c3.0... ok
    Checking that certificate hash matches filename... ok
    Checking CA certificate name for 367b75c3.0...ok (/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA)
    Checking if signing policy exists for 367b75c3.0... ok
    Verifying certificate chain for 367b75c3.0... ok

It looks like the root will not validate itself unless it has its own name as a permitted subject. Previous versions of globus, including 4.2.0, verify the cert chain fine - is this a bug in globus 4.2.1?

Regards,
Christina

--
Christina Cunningham
Software Engineer
Belfast eScience Centre (BeSC)
Queen's University, Belfast
e: c.cunningham [at] besc.ac.uk
w: www.besc.ac.uk
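A small model of the signing-policy check discussed in the message above, added here as an illustration; it is not Globus code and not part of the original post. The `access_id_CA` and `pos_rights` lines, the function names, the `fnmatch` wildcard handling and the `check_self_signed` switch are assumptions, the switch standing in for the behaviour difference the poster suspects between 4.2.0 and 4.2.1.

```python
import fnmatch
import shlex

ROOT_DN = "/C=UK/O=eScienceRoot/OU=Authority/CN=UK e-Science Root"
CA_DN = "/C=UK/O=eScienceCA/OU=Authority/CN=UK e-Science CA"

def make_policy(cond_subjects):
    # Constructed policy text; only the cond_subjects value comes from the message.
    return (f"access_id_CA X509 '{ROOT_DN}'\n"
            "pos_rights globus CA:sign\n"
            f"cond_subjects globus '{cond_subjects}'\n")

POLICY_ORIGINAL = make_policy(f'"{CA_DN}"')
POLICY_EDITED = make_policy(f'"{CA_DN}" "{ROOT_DN}"')

# Constructed chain as (subject, issuer) pairs: self-signed root, then the CA.
CHAIN = [(ROOT_DN, ROOT_DN), (CA_DN, ROOT_DN)]

def parse_signing_policy(text):
    """Return {CA subject: [permitted subject patterns]}."""
    policies, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # outer '...' keeps the inner "..." intact
        if fields[0] == "access_id_CA" and len(fields) >= 3:
            current = fields[2]
            policies.setdefault(current, [])
        elif fields[0] == "cond_subjects" and current and len(fields) >= 3:
            policies[current].extend(shlex.split(fields[2]))  # split quoted DNs
    return policies

def check_chain(chain, policies, check_self_signed):
    """Return subjects not permitted by their issuer's cond_subjects."""
    failures = []
    for subject, issuer in chain:
        if subject == issuer and not check_self_signed:
            continue  # model: root is not tested against its own policy
        patterns = policies.get(issuer, [])
        if not any(fnmatch.fnmatchcase(subject, p) for p in patterns):
            failures.append(subject)
    return failures

if __name__ == "__main__":
    for name, policy in (("original", POLICY_ORIGINAL), ("edited", POLICY_EDITED)):
        for strict in (False, True):
            failed = check_chain(CHAIN, parse_signing_policy(policy), strict)
            print(f"{name:8} check_self_signed={strict}: {'ok' if not failed else 'failed ' + str(failed)}")
```

With the original policy and `check_self_signed=True` the only failing subject is the root's own DN, the same subject named in the error lines of the diagnostics output.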
