SFA credential parsing fails for some xml:id and URI values #890

Closed
ahelsing opened this issue Feb 2, 2016 · 4 comments

@ahelsing
Member

ahelsing commented Feb 2, 2016

The SFA credential class fails to parse some signatures.

This issue was originally reported by @dmargery on issue #854

The symptom is that credentials whose refid looks like _0 / Sig__0 fail to validate.

For example, speaksfor_util gives an error like this:

Got a speaks-for option but not a valid speaks_for with this credential: Credential malformed: missing signature or signer cert. Cred: [ABAC cred: urn:publicid:IDN+ch.geni.net+user+ahelsing (xxx).speaks_for_0176xxx7df69873a2<-urn:publicid:IDN+ch.geni.net+user+mbrinn (f30d887xxxa27559)]
SPEAKS_FOR = False

The problem is that in credential.py Signature.decode uses strip('Sig_'), which removes all instances of those characters, when it really wants to remove that prefix if present. The result is that the signature fails to match the credential it is signing.

As a test:
In speaksfor_util, change the signature template to use a refid of _0 instead of ref0 on line 348.
Use that utility to generate a speaks for credential. Then try to validate that credential.
Then you get the error above.

@ahelsing ahelsing self-assigned this Feb 2, 2016
@ahelsing ahelsing added this to the 2.11 milestone Feb 2, 2016
ahelsing added a commit to ahelsing/geni-tools that referenced this issue Feb 2, 2016
… signature refid to the credential being signed in SFA credentials.
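
The refid mismatch described in this issue, reproduced as an added example (not code from geni-tools or from the posts on this page). The credential XML is a constructed, simplified stand-in with no signature data, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

XML_ID = "{http://www.w3.org/XML/1998/namespace}id"  # how ElementTree names xml:id
PREFIX = "Sig_"


def refid_strip(sig_id):
    """Behaviour described in the issue: strip() treats 'Sig_' as a set of
    characters and trims any of them from both ends of the id."""
    return sig_id.strip(PREFIX)


def refid_prefix(sig_id):
    """Remove the literal 'Sig_' prefix once, and only if it is present."""
    return sig_id[len(PREFIX):] if sig_id.startswith(PREFIX) else sig_id


def build_credential(cred_id):
    """Constructed, simplified signed credential; carries no signature data."""
    return (
        "<signed-credential>"
        f'<credential xml:id="{cred_id}"/>'
        f'<signatures><Signature xml:id="{PREFIX}{cred_id}"/></signatures>'
        "</signed-credential>"
    )


def signature_matches(xml_text, derive_refid):
    """True when the refid derived from the Signature's xml:id equals the
    xml:id of the credential it is meant to sign."""
    root = ET.fromstring(xml_text)
    cred_id = root.find("credential").get(XML_ID)
    sig_id = root.find("signatures/Signature").get(XML_ID)
    return derive_refid(sig_id) == cred_id


def compare(cred_ids):
    """Map each credential id to (matches with strip, matches with prefix removal)."""
    return {
        cid: (
            signature_matches(build_credential(cid), refid_strip),
            signature_matches(build_credential(cid), refid_prefix),
        )
        for cid in cred_ids
    }


if __name__ == "__main__":
    for cid, (old, new) in compare(["ref0", "_0", "gid1", "ref_"]).items():
        print(f"{cid!r:8} strip: {old!s:5}  prefix removal: {new}")
```

The `ref0` id used by the signature template happens to survive `strip`; ids that begin or end with any of the characters S, i, g or _ do not.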
@ahelsing
Member Author

ahelsing commented Feb 2, 2016

See my branch https://github.com/ahelsing/geni-tools/tree/tkt890-refid.
With that fix, my edits in speaksfor_util generate validatable credentials.

As a reminder, you run speaksfor_util something like this:

$ export PYTHONPATH=~/gcf/src

$ python src/gcf/geni/util/speaksfor_util.py \
    --tool_cert_file ~/.gcf/alice-cert.pem \
    --user_cert_file ~/.gcf/bob-cert.pem \
    --user_key_file ~/.gcf/bob-key.pem \
    --trusted_roots_directory ~/.gcf/trusted_roots/ \
    --create alice-speaksfor-bob-cred.xml \
    --user_urn urn:publicid:IDN+geni:gpo:gcf+user+bob \
    --ma_cert_file ~/.gcf/ch-cert.pem
Created ABAC credential: 'urn:publicid:IDN+..... speaks_for .....' in file ......

$ python src/gcf/geni/util/speaksfor_util.py \
    --tool_cert_file ~/.gcf/alice-cert.pem \
    --user_cert_file ~/.gcf/bob-cert.pem \
    --user_key_file ~/.gcf/bob-key.pem \
    --trusted_roots_directory ~/.gcf/trusted_roots/ \
    --create alice-speaksfor-bob-cred.xml \
    --user_urn urn:publicid:IDN+geni:gpo:gcf+user+bob \
    --ma_cert_file ~/.gcf/ch-cert.pem
SPEAKS_FOR = True
CERT URN = urn:....

If this solves the original issue as reported by @dmargery then I'll create a pull request for my fix.

@dmargery
Contributor

Hello,

I created my own set of certificates and speaks_for cred with an xml:id of _0 and Sig__0.

$ export PYTHONPATH=/home/dmargery/Fed4FIRE/geni-tools/src
$ export CERTSDIR=/home/dmargery/BonFIRE/bonfire-api/test_certs/_0 
$ python src/gcf/geni/util/speaksfor_util.py --tool_cert_file $CERTSDIR/tool_cert.pem \
  --user_cert_file $CERTSDIR/valid_cert.pem --user_key_file $CERTSDIR/valid_cert-key.pem \
  --trusted_roots_directory $CERTSDIR/trusted  --ma_cert_file valid_ca.pem \
  --cred_file $CERTSDIR/signed_speaksfor.xml \
  --user_urn urn:publicid:IDN+test.bonfire.grid5000.inria.fr+user+dmargery

will fail when run from the master branch, and succeed from https://github.com/ahelsing/geni-tools/tree/tkt890-refid.

I will now run the complete speaks_for system test on the live system at sfa.dev.bonfire.grid5000.fr with the geni-tools updated to https://github.com/dmargery/geni-tools/tree/tkt890-refid

David

@dmargery
Contributor

Test at sfa.dev.bonfire.grid5000.fr succeeds when run from code in https://github.com/dmargery/geni-tools/tree/tkt890-refid, an unmodified fork of https://github.com/ahelsing/geni-tools/tree/tkt890-refid.

This at least solves the problems I've reported in issue #854.

David

ahelsing added a commit that referenced this issue Feb 23, 2016
Fix SFA credential use of strip on refid in issue #890
@ahelsing
Member Author

Merged the fix on to develop. Thanks for the testing!

dmargery added a commit to dmargery/geni-tools that referenced this issue Feb 24, 2016
dmargery added a commit to dmargery/geni-tools that referenced this issue Oct 11, 2018