------------------------------------------------------------------------
r16706 | okoeroo | 2012-10-31 01:02:10 +0100 (Wed, 31 Oct 2012) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/doc/lcmaps_verify_proxy.mod.8

Additions to the man page
------------------------------------------------------------------------
r16705 | okoeroo | 2012-10-31 00:57:43 +0100 (Wed, 31 Oct 2012) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/doc/lcmaps_verify_proxy.mod.8

Updated the man page
------------------------------------------------------------------------
r16704 | okoeroo | 2012-10-30 16:22:55 +0100 (Tue, 30 Oct 2012) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/BUGS
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Fixed a bug in the proxy sanity checking and enabled USE_STRICT_PATH_VALIDATION.
------------------------------------------------------------------------
r16657 | okoeroo | 2012-10-26 17:18:20 +0200 (Fri, 26 Oct 2012) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.h

Cleaned up code segments, removed debug code, added function prototypes, debugged and fixed the Limited proxy restriction and added GT3 Limited proxy to the test list. Removed a lot of duplicate code where the certificate chain expectations are tested and error reported. This is now a lot more readable and the error output doesn't mix the chain validation code.
------------------------------------------------------------------------
r16646 | okoeroo | 2012-10-26 15:42:32 +0200 (Fri, 26 Oct 2012) | 10 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/BUGS
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/verify_x509_utils.c

Version 1.5.4
-------------
-   Added the option --disallow-limited-proxy on request by Igor Sfiligoi to be
    able to disallow limited proxies.
-   Added full support for RFC and GT3 proxies. Properly detecting the proxy
    types, including limited proxies is now fully supported. RESTRICTED and
    INDEPENDENT in (pre-)RFC proxies WILL be treated as an IMPERSONATION proxy
    type, which is the default.


------------------------------------------------------------------------
r16545 | okoeroo | 2012-10-15 22:33:40 +0200 (Mon, 15 Oct 2012) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS

Replacing false OSPF statements with OCSP statements. Implementing the option --disallow-limited-proxy.
------------------------------------------------------------------------
r16544 | okoeroo | 2012-10-15 22:31:17 +0200 (Mon, 15 Oct 2012) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c

Replacing false OSPF statements with OCSP statements. Implementing the option --disallow-limited-proxy.
------------------------------------------------------------------------
r16417 | okoeroo | 2012-06-18 12:23:10 +0200 (Mon, 18 Jun 2012) | 12 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/BUGS
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

The first delegation can now be a GT2/old-style Limited proxy.

Note:
The proxy certificate semantic checks do support the complete semantics for CA,
EEC, old-style proxy, RFC3820 proxy, old-style limited proxy and RFC3820
Limited proxy certificate types. 

BUT! The RFC3820 proxy types are not yet distinguishable. So all RFC3820 type
certificates are tagged as type 'normal'



------------------------------------------------------------------------
r16416 | okoeroo | 2012-06-16 01:52:42 +0200 (Sat, 16 Jun 2012) | 25 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Version 1.5.3
-------------
-   Brian Bockelman reported a verification failure when a certificate chain
    contains at least two limited proxies. This version exclusively fixes this
    problem.
-   The add-on verification routines to semantically check the certificate
    chain were not launched when the X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED error
    was set. Only OpenSSL versions older than 0.9.8 would have this #ifdef
    enabled.
-   OpenSSL casts an X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED where it doesn't
    make sense as the test used a non-RFC3820 proxy. OpenSSL is not capable of
    extracting a path length constraint out of a non-RFC proxy. OpenSSL also
    tagged all certificates in the chain to be showing the
    X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED error. The add-on evaluator performs
    a proper check to compensate.
-   The add-on verification routines did not take limited proxies into account.
    This mistake was gracefully neglected, because proxy chains with only one
    Limited proxy at the end were perfectly tolerated. A double limited proxy or
    proxy certificate chain with at least two (or more) Limited proxy
    delegations of the RFC3820 and old-style proxy type would fail the
    verification with the previously mentioned anomalies.




------------------------------------------------------------------------
r16156 | msalle | 2012-03-15 16:46:09 +0100 (Thu, 15 Mar 2012) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.c

Remove \t from log strings..

------------------------------------------------------------------------
r16087 | okoeroo | 2012-03-04 19:07:28 +0100 (Sun, 04 Mar 2012) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/ChangeLog
   M /trunk/lcmaps-plugins-verify-proxy/NEWS

Updated the ChangeLog file on SVN and updated the NEWS file.



------------------------------------------------------------------------
r15906 | okoeroo | 2012-01-30 14:12:50 +0100 (Mon, 30 Jan 2012) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/ChangeLog

Updated the ChangeLog from svn log -v
------------------------------------------------------------------------
r15890 | okoeroo | 2012-01-27 17:15:26 +0100 (Fri, 27 Jan 2012) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Removed debugging messages.



------------------------------------------------------------------------
r15855 | okoeroo | 2012-01-18 19:28:33 +0100 (Wed, 18 Jan 2012) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac

Bumped version.


------------------------------------------------------------------------
r15853 | okoeroo | 2012-01-17 20:04:36 +0100 (Tue, 17 Jan 2012) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/grid-proxy-verify.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/verify_x509_utils.c

Renewed LCMAPS verify-proxy plug-in. Now with better internal memory handling.


------------------------------------------------------------------------
r15834 | msalle | 2012-01-09 16:00:06 +0100 (Mon, 09 Jan 2012) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Add further clarifications about why the X509_STORE_* functions should not be
called.

------------------------------------------------------------------------
r15833 | msalle | 2012-01-09 15:06:31 +0100 (Mon, 09 Jan 2012) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Fixing invalid read. It seems we initialized the CA dirs twice. Once with
X509_STORE_load_locations and once with X509_LOOKUP_add_dir.

------------------------------------------------------------------------
r15832 | msalle | 2012-01-09 14:14:44 +0100 (Mon, 09 Jan 2012) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/verify_x509_utils.c

Cleanup evp_pkey and initialize entire struct tm to zero.

------------------------------------------------------------------------
r15680 | okoeroo | 2011-12-10 21:14:46 +0100 (Sat, 10 Dec 2011) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/doc/lcmaps_verify_proxy.mod.8

Tiny tweaks.



------------------------------------------------------------------------
r15679 | okoeroo | 2011-12-09 23:10:24 +0100 (Fri, 09 Dec 2011) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/doc/lcmaps_verify_proxy.mod.8

Typo
------------------------------------------------------------------------
r15678 | okoeroo | 2011-12-09 23:07:47 +0100 (Fri, 09 Dec 2011) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/doc/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/doc/lcmaps_verify_proxy.mod.8

Fixing make/build and install stuff. Also fixed some formatting in the man page
file lcmaps_verify_proxy.mod.8



------------------------------------------------------------------------
r15677 | okoeroo | 2011-12-09 22:16:18 +0100 (Fri, 09 Dec 2011) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/Makefile.am
   A /trunk/lcmaps-plugins-verify-proxy/doc
   A /trunk/lcmaps-plugins-verify-proxy/doc/Makefile.am
   A /trunk/lcmaps-plugins-verify-proxy/doc/lcmaps_verify_proxy.mod.8
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/grid-proxy-verify.c

Added man page for lcmaps_verify_proxy.mod.8



------------------------------------------------------------------------
r15676 | okoeroo | 2011-12-09 15:20:14 +0100 (Fri, 09 Dec 2011) | 33 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/BUGS
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

New feature to be able to REQUIRE the final certificate in a chain to be a
LIMITED proxy.  Enable the option "--require-limited-proxy" to enforce this.

This version DOES NOT WORK with RFC3820 limited proxy. This will be added in an
update.




Updated NEWS file:

Version 1.5.0
-------------
-   Changing the log messages to match the logging method used in LCMAPS
    version 1.5.0, which will be using the Syslog native log priority/levels.
-   The plugin will fail to initialize when the configured -cadir or -certdir
    directory does not exist. This was a run-time error.
-   Fixed the ability to use the plugin for life-time checking from a GT4 or
    GT5 service. The requirement for a private key MUST be explicitly disabled
    with either the configuration of "--only-enforce-lifetime-checks" or
    "--discard_private_key_absence". The internally used environment variable
    $VERIFY_PROXY_DISCARD_PRIVATE_KEY_ABSENCE is equivalent to the setting of
    "--discard_private_key_absence". The environment variable can be
    countered/muted by "--never_discard_private_key_absence".
-   New feature to be able to REQUIRE the final certificate in a chain to be a
    LIMITED proxy.  Enable the option "--require-limited-proxy" to enforce
    this.
    This version DOES NOT WORK with RFC3820 limited proxy. This will be added
    in an update.




------------------------------------------------------------------------
r15653 | okoeroo | 2011-11-30 21:16:57 +0100 (Wed, 30 Nov 2011) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Removed datetime creation and destruction, without use.



------------------------------------------------------------------------
r15629 | okoeroo | 2011-11-24 13:07:42 +0100 (Thu, 24 Nov 2011) | 10 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

-   Fixed the ability to use the plugin for life-time checking from a GT4 or
    GT5 service. The requirement for a private key MUST be explicitly disabled
    with either the configuration of "--only-enforce-lifetime-checks" or
    "--discard_private_key_absence". The internally used environment variable
    $VERIFY_PROXY_DISCARD_PRIVATE_KEY_ABSENCE is equivalent to the setting of
    "--discard_private_key_absence". The environment variable can be
    countered/muted by "--never_discard_private_key_absence".



------------------------------------------------------------------------
r15628 | msalle | 2011-11-24 13:03:32 +0100 (Thu, 24 Nov 2011) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-afs/configure.ac
   M /trunk/lcmaps-plugins-afs/src/afs/Makefile.am
   M /trunk/lcmaps-plugins-c-pep/configure.ac
   M /trunk/lcmaps-plugins-c-pep/doc/man/lcmaps-plugins-c-pep.8.src
   M /trunk/lcmaps-plugins-c-pep/doc/man/sed.template.in
   M /trunk/lcmaps-plugins-c-pep/src/c-pep/Makefile.am
   M /trunk/lcmaps-plugins-gums/configure.ac
   M /trunk/lcmaps-plugins-gums/src/gums/Makefile.am
   M /trunk/lcmaps-plugins-jobrep/configure.ac
   M /trunk/lcmaps-plugins-jobrep/src/jobrep/Makefile.am
   M /trunk/lcmaps-plugins-scas-client/configure.ac
   M /trunk/lcmaps-plugins-scas-client/doc/man/lcmaps_plugins_scas_client.8.src
   M /trunk/lcmaps-plugins-scas-client/doc/man/sed.template.in
   M /trunk/lcmaps-plugins-scas-client/src/Makefile.am
   M /trunk/lcmaps-plugins-tracking-groupid/configure.ac
   M /trunk/lcmaps-plugins-tracking-groupid/src/tracking_groupid/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-voms/configure.ac
   M /trunk/lcmaps-plugins-voms/src/voms/Makefile.am

Determine dynamic library extension in configure and use that for creating
.mod symlinks.


------------------------------------------------------------------------
r15535 | okoeroo | 2011-11-08 10:57:27 +0100 (Tue, 08 Nov 2011) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

The plugin will fail to initialize when the configured -cadir or -certdir
directory does not exist. This was a run-time error.


------------------------------------------------------------------------
r15532 | okoeroo | 2011-11-07 22:36:21 +0100 (Mon, 07 Nov 2011) | 6 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.c

Version 1.5.0:
-   Changing the log messages to match the logging method used in LCMAPS
    version 1.5.0, which will be using the Syslog native log priority/levels.



------------------------------------------------------------------------
r15437 | msalle | 2011-08-15 17:32:33 +0200 (Mon, 15 Aug 2011) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.h

Use AC_LCMAPS_INTERFACE([basic])
Rename lcmaps_config.h into lcmaps_verify_proxy_config.h

------------------------------------------------------------------------
r15385 | okoeroo | 2011-08-02 14:17:16 +0200 (Tue, 02 Aug 2011) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/ChangeLog

Adding.


------------------------------------------------------------------------
r15384 | okoeroo | 2011-08-02 13:38:33 +0200 (Tue, 02 Aug 2011) | 25 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Version 1.4.12 - Try number two
-------------------------------
The new certificate type detection function makes it possible to detect the
proxy certificate type more cleanly and now properly distinguishes RFC 3820
and old-style certificates reliably. A wrongly constructed chain is a rare
occurrence, but is now properly detected and will result in an
X509_V_ERR_CERT_REJECTED or "certificate rejected" error code.

The certificate rejection is only triggered when the following #define is
enabled: USE_STRICT_PATH_VALIDATION. Without it, the condition will be treated
as a warning only seen on a verbose loglevel.

Also, the grid_verifyPathLenConstraints() function is now called when the
X509_verify() reaches the final certificate in the chain in its verification
cycle. This will dissect the certificate chain properly and trigger on the right
errors.

A bunch of useless debugging messages are no longer visible in the log file.
They can be revived when you upgrade the loglevel for more verbosity.






------------------------------------------------------------------------
r15383 | okoeroo | 2011-08-02 10:51:10 +0200 (Tue, 02 Aug 2011) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Minor logging output tweak.
------------------------------------------------------------------------
r15382 | okoeroo | 2011-08-01 20:19:49 +0200 (Mon, 01 Aug 2011) | 16 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/BUGS
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Version 1.4.12
--------------
The new certificate type detection function makes it possible to detect the
proxy certificate type more cleanly and now properly distinguishes RFC 3820
and old-style certificates reliably. A wrongly constructed chain is a rare
occurrence, but is now properly detected and will result in an
X509_V_ERR_CERT_REJECTED or "certificate rejected" error code.

Also, the grid_verifyPathLenConstraints() function is now called when the
X509_verify() reaches the final certificate in the chain in its verification
cycle. This will dissect the certificate chain properly and trigger on the right
errors.




------------------------------------------------------------------------
r15370 | okoeroo | 2011-07-21 14:20:00 +0200 (Thu, 21 Jul 2011) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/BUGS
   M /trunk/lcmaps-plugins-verify-proxy/ChangeLog
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   A /trunk/lcmaps-plugins-verify-proxy/README

Preparing release for 1.4.11


------------------------------------------------------------------------
r15369 | okoeroo | 2011-07-21 12:37:11 +0200 (Thu, 21 Jul 2011) | 59 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.h

In short (inspired by the game Cluedo):
CREAM did it, using bugs in path length constraints, in OpenSSL/Globus


And now the slightly more elaborate explanation about the problem, how we analyzed it, interpreted the information and implemented a reliable workaround. It also shows that the CREAM CE itself is not directly the cause, but a trigger of the bug. This problem can occur in a lot of other places too and is a pain to analyse. One added motivation on why it's such a pain to analyse is that I'm seeing known effects and problems occur along the analyses steering me in mildly the right direction, while I'm already mind-programming a workaround.

Reproducing the problem was hard:
The effect observed by users is a failure in job submission to any gLite 3.2 CREAM CE, when it's submitted through a WMS. Probably also on all EMI-1 CREAM CE too. The error message returned from the CREAM CE indicates a failure in gLExec's LCMAPS plugin that verifies a proxy certificate chain.

Prerequisites (all of this must be true aka logical AND) to trigger the faulty situation:
- Use the Terena eScience Personal TCS, which has a pathlen = 0 set on the final CA.
- Use old style proxies (GT2), note: they don't feature a path length constraint field.
- Use a CREAM CE on gLite 3.2 (uses Globus GT4 from VDT)
- Access the CREAM CE through a WMS to use sufficient delegations or MyProxy

Change any of the above parameters and it will work. Meaning, the problem did NOT occur when the following was used:
- Direct job submission (only ONE proxy delegation may be used)
- Direct gLExec test on the shell, which just works.

Unverified situations:
- The effects when using RFC 3820 proxies
- Using EMI-1's CREAM CE

Hypothesis:
Tests have shown that the certificate chain is constructed properly. The hypothesis is that the GT4 from the VDT is interfering with OpenSSL sequences that we rely on in LCMAPS.

Cause(s) of the problem and analyses so far:
The gLExec in the CREAM CE uses LCMAPS to perform the account mapping in gLite 3.2. LCMAPS is dynamically linked to Globus to support its direct Globus based interfaces. The LCMAPS framework launched several plugins, of which the verify-proxy is the first, from the lcmaps-plugins-verify-proxy package.

The verify-proxy fails with an error in the log file, originating from OpenSSL, that the path length of the certificate chain exceeded the constraint bound from the certificate chain itself. Analysis of the chain has shown that both the RFC5280 path length constraint and the RFC3820 path length constraint did not apply here. The TERENA eScience Personal CA has a critical basic constraint set to indicate a path length is 0 (=zero). This means that no other CA certificate can follow this CA certificate in a chain. The RFC 3820 path length constraint doesn't apply on old-style (i.e. GT2) proxy certificates.

Despite the installation and the certificate chain involved; OpenSSL triggers an X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED error code, indicating the path length exceeded in the proxy certificates. Given the research on the certificate chain we will assume that this is a false-positive (or true-negative).

See wiki for details: http://www.nikhef.nl/pub/projects/grid/gridwiki/index.php/How_to_handle_OpenSSL_and_not_get_hurt_and_what_does_that_library_call_really_do%3F#Path_length_constraints

The interesting detail here is that the Terena eScience Personal CA, Terena eScience SSL CA and the FNAL SLCS are the only CAs using a Path Length Constraint of 0 (=zero) in the IGTF. This gives a motivation to search in this direction as similar certificate chains are not affected at all.

On both our EMI and gLite 3.2 test nodes running gLExec we couldn't reproduce the problem. We tried a gLite 3.2 CREAM CE and could reproduce the failure when we introduced a few extra delegations to the certificate chain before we submitted a test job.

After looking at the libraries used on the CREAM CE, being GT4 from the VDT, and knowing that the OpenSSL interaction is significantly different made us put the blame on the GT4 libraries. They are known to have changed parts of OpenSSL itself and their own callbacks. This might cause the weird effect in the verification stage. We've experienced race conditions in library loading where the order of dynamic library resolvement and loading was significant for the observed failures. This problem has characteristics of it as the problem seemed to be specific to the machine. We would need to investigate the GT4 OpenSSL interacting code to be certain about it. This is not an easy task and might be too expensive, while a workaround is possible.

We looked at the CREAM CE interaction some more, installed a new CREAM CE from scratch and were interested to reproduce the problem in gLExec. Somehow we couldn't reproduce it when we ran gLExec standalone on the CREAM CE. This should not happen. It should have failed. We tried another proxy chain (mine this time) created from my OSX build of voms-proxy-init version 1.8.8. Again, the problem didn't occur. I hacked the gLExec script that was executing on the failing CREAM CE, which I tested using the glite-ce-job-submit tool, to copy the proxy certificate before deleting itself. We used this chain in the bare gLExec run and then it failed. This certificate chain was examined, turned out to be OK, but is different as it had CA certificates in it.

This seemed to be the root cause of the problem. The CREAM CE (or perhaps its delegation service) is writing the proxy certificate chain from the SSL context in the Tomcat instance from the user's interaction. This certificate chain was written including all the CA certificates up to the root CA.

We tested the gLExec with the output of voms-proxy-init/grid-proxy-init which do *not* include the CA certificates in the certificate chain. As this is not added, the CA certificates will be added to the verification sequences in a different way by the OpenSSL routines. This is required to verify the full chain. There is a use case for adding your own (intermediate) CA to the client/host certificate chain, but this doesn't count in the Grid world with the IGTF. As the CA certificates are added in a different way later and treated differently, OpenSSL will verify the certificate chain differently. Either the Globus OpenSSL or the OpenSSL 0.9.8a is to blame that certificate chains with old-style proxies have the path length constraint field, used exclusively for RFC 3820 proxies, set to 0 (=zero) instead of -1 (=minus one) aka uninitialized. This nullification is most probably triggered by the path length constraint value in the Terena sub-CA certificate added to the normal certificate chain evaluation sequences, instead of kept aside in the list of used CA certificates for a certificate chain in an SSL context.

Workaround:
Build a DIY (=Do It Yourself) Path Length Constraint a la RFC 5280 and RFC 3820 in the verify proxy LCMAPS plugin. This will work around any potential library loading issue that could possibly happen. It also works around odd implementations of the verification sequences and it can work around the bug of wrong initialization values for path length constraint. Another possible workaround would be to alter the certificate chain before it hits the verification stage. This could work, but needs research in the right code-wise location in OpenSSL to let this work reliably. We're also going to introduce a duplication of the certificate chain to not tamper with the original input and pragmatically we need to work with two different certificate chains. The first option is significantly less work and straightforward.

To consider for other tools:
OpenSSL and possibly GT5 need double checking if the support for RFC proxies is capable of handling edge-case input, demonstrated by the CREAM CE (or a component thereof). The CREAM CE should not add the CA certificates to the gLExec input. We should be tolerant on the gLExec side, but regardless the CREAM CE should not have done this and should have followed the same approach with gLExec as to setting up an SSL context. This means that you do not send CA certificates over the wire unless you are absolutely sure that this is really needed.

Output:
lcmaps-plugins-verify version 1.4.11 is to be certified featuring a function to catch the X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED error and check the certificate chain for its RFC 5280 and RFC 3820 compliance regarding path length constraints.
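
Added example, not part of the commit message above and not code from the LCMAPS source: a stand-alone C model of the path length re-check that the r15369 message describes, applying the RFC 5280 constraint to CA certificates and the RFC 3820 constraint only to RFC proxies. The types, the function check_path_length() and the sample chains are assumptions constructed for illustration; a real implementation would read these fields from the X509 objects.

```c
#include <stdio.h>

/* Hypothetical model of a chain entry; these are not OpenSSL or LCMAPS types. */
enum cert_kind { CERT_CA, CERT_EEC, CERT_GT2_PROXY, CERT_RFC_PROXY };

struct cert {
    enum cert_kind kind;
    long pathlen;      /* raw path length field as handed over; -1 = absent */
    const char *name;
};

enum plc_result { PLC_OK, PLC_CA_EXCEEDED, PLC_PROXY_EXCEEDED, PLC_BAD_ORDER };

#define NCERTS(a) (sizeof(a) / sizeof((a)[0]))

/* Lower a "certificates still allowed" budget; -1 means no limit so far. */
static long tighten(long budget, long constraint)
{
    if (constraint < 0)
        return budget;
    return (budget < 0 || constraint < budget) ? constraint : budget;
}

/*
 * Walk the chain from the root to the leaf. CA certificates spend and set the
 * RFC 5280 budget, proxies spend the RFC 3820 budget, and only RFC proxies may
 * set it: the field of an old-style (GT2) proxy is ignored whatever value it
 * arrived with. Simplification: self-issued CA certificates are not exempted.
 */
enum plc_result check_path_length(const struct cert *chain, size_t n)
{
    long ca_budget = -1, proxy_budget = -1;
    int seen_eec = 0;
    size_t i;

    for (i = 0; i < n; i++) {
        const struct cert *c = &chain[i];
        if (c->kind == CERT_CA) {
            if (seen_eec) return PLC_BAD_ORDER;      /* CA below the EEC */
            if (ca_budget == 0) return PLC_CA_EXCEEDED;
            if (ca_budget > 0) ca_budget--;
            ca_budget = tighten(ca_budget, c->pathlen);
        } else if (c->kind == CERT_EEC) {
            if (seen_eec) return PLC_BAD_ORDER;      /* two end-entity certs */
            seen_eec = 1;
        } else {
            if (!seen_eec) return PLC_BAD_ORDER;     /* proxy above the EEC */
            if (proxy_budget == 0) return PLC_PROXY_EXCEEDED;
            if (proxy_budget > 0) proxy_budget--;
            if (c->kind == CERT_RFC_PROXY)
                proxy_budget = tighten(proxy_budget, c->pathlen);
        }
    }
    return seen_eec ? PLC_OK : PLC_BAD_ORDER;
}

/* Constructed sample: CA certificates written into the chain, a sub-CA with
 * pathlen 0, and old-style proxies whose field arrived as 0 instead of -1. */
static const struct cert cream_style_chain[] = {
    { CERT_CA,        -1, "root CA" },
    { CERT_CA,         0, "sub-CA, pathlen 0" },
    { CERT_EEC,       -1, "user certificate" },
    { CERT_GT2_PROXY,  0, "old-style proxy" },
    { CERT_GT2_PROXY,  0, "old-style proxy, WMS delegation" },
    { CERT_GT2_PROXY,  0, "old-style proxy, CE delegation" },
};

/* Constructed sample: an RFC proxy that really forbids further delegation. */
static const struct cert rfc_zero_chain[] = {
    { CERT_CA,        -1, "root CA" },
    { CERT_CA,         0, "sub-CA, pathlen 0" },
    { CERT_EEC,       -1, "user certificate" },
    { CERT_RFC_PROXY,  0, "RFC proxy, pCPathLenConstraint 0" },
    { CERT_RFC_PROXY, -1, "RFC proxy, one delegation too many" },
};

/* Constructed sample: a CA issued below the pathlen 0 sub-CA. */
static const struct cert extra_ca_chain[] = {
    { CERT_CA,  -1, "root CA" },
    { CERT_CA,   0, "sub-CA, pathlen 0" },
    { CERT_CA,  -1, "CA below the pathlen 0 sub-CA" },
    { CERT_EEC, -1, "user certificate" },
};

int main(void)
{
    static const char *const names[] = {
        "ok", "CA path length exceeded", "proxy path length exceeded",
        "unexpected certificate order"
    };
    printf("old-style proxies, field 0: %s\n",
           names[check_path_length(cream_style_chain, NCERTS(cream_style_chain))]);
    printf("RFC proxy with limit 0:     %s\n",
           names[check_path_length(rfc_zero_chain, NCERTS(rfc_zero_chain))]);
    printf("CA below pathlen 0 sub-CA:  %s\n",
           names[check_path_length(extra_ca_chain, NCERTS(extra_ca_chain))]);
    return 0;
}
```

The first chain passes because the zeroed field on the old-style proxies is never consulted, while the other two are still rejected by the constraints that genuinely apply to them.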




------------------------------------------------------------------------
r15310 | dennisvd | 2011-07-11 12:11:39 +0200 (Mon, 11 Jul 2011) | 2 lines
Changed paths:
   M /trunk/lcas/examples/Makefile.am
   M /trunk/lcas-plugins-check-executable/src/check-executable/Makefile.am
   M /trunk/lcas-plugins-voms/src/voms/Makefile.am
   M /trunk/lcmaps-plugins-afs/src/afs/Makefile.am
   M /trunk/lcmaps-plugins-c-pep/src/c-pep/Makefile.am
   M /trunk/lcmaps-plugins-gums/src/gums/Makefile.am
   M /trunk/lcmaps-plugins-jobrep/src/jobrep/Makefile.am
   M /trunk/lcmaps-plugins-scas-client/src/Makefile.am
   M /trunk/lcmaps-plugins-tracking-groupid/src/tracking_groupid/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-voms/src/voms/Makefile.am

Make all plugins without versioned names (using -avoid-version)

------------------------------------------------------------------------
r15309 | dennisvd | 2011-07-11 12:05:16 +0200 (Mon, 11 Jul 2011) | 2 lines
Changed paths:
   M /trunk/lcas-plugins-check-executable/configure.ac
   M /trunk/lcas-plugins-voms/configure.ac
   M /trunk/lcmaps-plugins-afs/configure.ac
   M /trunk/lcmaps-plugins-c-pep/configure.ac
   M /trunk/lcmaps-plugins-gums/configure.ac
   M /trunk/lcmaps-plugins-jobrep/configure.ac
   M /trunk/lcmaps-plugins-scas-client/configure.ac
   M /trunk/lcmaps-plugins-tracking-groupid/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-voms/configure.ac

Update the default moduledir to be 'lcas' resp. 'lcmaps' instead of 'modules'.

------------------------------------------------------------------------
r15298 | okoeroo | 2011-07-07 02:02:24 +0200 (Thu, 07 Jul 2011) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/BUGS

Updated BUGS
------------------------------------------------------------------------
r15297 | okoeroo | 2011-07-07 02:01:30 +0200 (Thu, 07 Jul 2011) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/NEWS

Updated NEWS
------------------------------------------------------------------------
r15296 | okoeroo | 2011-07-07 01:59:36 +0200 (Thu, 07 Jul 2011) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Version 1.4.10 : Fixing path length constraint problem. It seems to be different than the normal path len constraint, as this triggers X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED and not X509_V_ERR_PATH_LENGTH_EXCEEDED
------------------------------------------------------------------------
r15271 | okoeroo | 2011-04-19 16:32:02 +0200 (Tue, 19 Apr 2011) | 1 line
Changed paths:
   A /trunk/lcmaps-plugins-verify-proxy/BUGS

Adding BUGS file
------------------------------------------------------------------------
r15268 | okoeroo | 2011-04-19 16:20:08 +0200 (Tue, 19 Apr 2011) | 1 line
Changed paths:
   A /trunk/lcmaps-plugins-verify-proxy/NEWS

Adding NEWS file
------------------------------------------------------------------------
r15257 | okoeroo | 2011-04-15 14:02:36 +0200 (Fri, 15 Apr 2011) | 1 line
Changed paths:
   A /trunk/lcmaps-plugins-verify-proxy/ChangeLog

Adding ChangeLog from svn log
------------------------------------------------------------------------
r15241 | msalle | 2011-04-14 12:29:43 +0200 (Thu, 14 Apr 2011) | 2 lines
Changed paths:
   M /trunk/glexec/bootstrap
   M /trunk/jobrepository/bootstrap
   M /trunk/lcas/bootstrap
   M /trunk/lcas-plugins-basic/bootstrap
   M /trunk/lcas-plugins-check-executable/bootstrap
   M /trunk/lcas-plugins-voms/bootstrap
   M /trunk/lcmaps-plugins-afs/bootstrap
   M /trunk/lcmaps-plugins-basic/bootstrap
   M /trunk/lcmaps-plugins-c-pep/bootstrap
   M /trunk/lcmaps-plugins-gums/bootstrap
   M /trunk/lcmaps-plugins-jobrep/bootstrap
   M /trunk/lcmaps-plugins-scas-client/bootstrap
   M /trunk/lcmaps-plugins-tracking-groupid/bootstrap
   M /trunk/lcmaps-plugins-verify-proxy/bootstrap
   M /trunk/lcmaps-plugins-voms/bootstrap
   M /trunk/scas/bootstrap

Adding --copy flag to libtoolize, which eases packaging.

------------------------------------------------------------------------
r15213 | dennisvd | 2011-04-07 15:29:01 +0200 (Thu, 07 Apr 2011) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/Makefile.am

removed trailing whitespace

------------------------------------------------------------------------
r15212 | dennisvd | 2011-04-07 15:28:43 +0200 (Thu, 07 Apr 2011) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am

fixed include path references with $(srcdir) prefix

------------------------------------------------------------------------
r15182 | dennisvd | 2011-04-05 09:57:47 +0200 (Tue, 05 Apr 2011) | 2 lines
Changed paths:
   M /trunk/lcas-plugins-basic/configure.ac
   M /trunk/lcas-plugins-basic/src/timeslots/Makefile.am
   M /trunk/lcas-plugins-basic/src/userallow/Makefile.am
   M /trunk/lcas-plugins-basic/src/userban/Makefile.am
   M /trunk/lcas-plugins-check-executable/configure.ac
   M /trunk/lcas-plugins-check-executable/src/check-executable/Makefile.am
   M /trunk/lcas-plugins-voms/configure.ac
   M /trunk/lcas-plugins-voms/src/voms/Makefile.am
   M /trunk/lcmaps-plugins-afs/Makefile.am
   M /trunk/lcmaps-plugins-afs/configure.ac
   M /trunk/lcmaps-plugins-afs/src/afs/Makefile.am
   M /trunk/lcmaps-plugins-c-pep/configure.ac
   M /trunk/lcmaps-plugins-c-pep/src/c-pep/Makefile.am
   M /trunk/lcmaps-plugins-gums/configure.ac
   M /trunk/lcmaps-plugins-gums/src/gums/Makefile.am
   M /trunk/lcmaps-plugins-jobrep/configure.ac
   M /trunk/lcmaps-plugins-jobrep/src/jobrep/Makefile.am
   M /trunk/lcmaps-plugins-scas-client/configure.ac
   M /trunk/lcmaps-plugins-scas-client/src/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-voms/configure.ac
   M /trunk/lcmaps-plugins-voms/src/voms/Makefile.am

Added --with-moduledir to set the install location for plug-ins.

------------------------------------------------------------------------
r14914 | msalle | 2011-03-06 11:17:47 +0100 (Sun, 06 Mar 2011) | 2 lines
Changed paths:
   M /trunk/jobrepository/configure.ac
   M /trunk/lcas/configure.ac
   M /trunk/lcas-lcmaps-gt4-interface/configure.ac
   M /trunk/lcas-plugins-voms/configure.ac
   M /trunk/lcmaps-plugins-afs/configure.ac
   M /trunk/lcmaps-plugins-jobrep/configure.ac
   M /trunk/lcmaps-plugins-scas-client/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-voms/configure.ac
   M /trunk/scas/configure.ac

Bumping versions for components with fixed globus / crypto deps.

------------------------------------------------------------------------
r14880 | dennisvd | 2011-03-04 22:08:09 +0100 (Fri, 04 Mar 2011) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/Doxyfile
   M /trunk/lcmaps-plugins-verify-proxy/LICENSE
   M /trunk/lcmaps-plugins-verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/Makefile.am

removed executable bit
------------------------------------------------------------------------
r14879 | dennisvd | 2011-03-04 22:07:46 +0100 (Fri, 04 Mar 2011) | 1 line
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/AUTHORS
   M /trunk/lcmaps-plugins-verify-proxy/Doxyfile
   M /trunk/lcmaps-plugins-verify-proxy/LICENSE
   M /trunk/lcmaps-plugins-verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/bootstrap
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/lcmaps.m4
   M /trunk/lcmaps-plugins-verify-proxy/src/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/grid-proxy-verify.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/grid-proxy-verify.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/Makefile
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/main.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/verify_x509_utils.c

add keyword property
------------------------------------------------------------------------
r14846 | msalle | 2011-03-04 16:22:33 +0100 (Fri, 04 Mar 2011) | 2 lines
Changed paths:
   M /trunk/lcas-plugins-voms/configure.ac
   M /trunk/lcmaps-plugins-jobrep/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-voms/configure.ac

Add check for libcrypto in essential components.

------------------------------------------------------------------------
r14690 | msalle | 2011-02-25 15:38:01 +0100 (Fri, 25 Feb 2011) | 2 lines
Changed paths:
   M /trunk/jobrepository/Makefile.am
   M /trunk/jobrepository/configure.ac
   M /trunk/lcas-lcmaps-gt4-interface/configure.ac
   M /trunk/lcas-plugins-basic/configure.ac
   M /trunk/lcas-plugins-check-executable/configure.ac
   M /trunk/lcas-plugins-voms/configure.ac
   M /trunk/lcmaps-plugins-afs/configure.ac
   M /trunk/lcmaps-plugins-basic/configure.ac
   M /trunk/lcmaps-plugins-gums/configure.ac
   M /trunk/lcmaps-plugins-jobrep/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-voms/configure.ac
   M /trunk/scas/configure.ac

Re-syncing all the versions with branch EMI-1

------------------------------------------------------------------------
r14618 | msalle | 2011-02-23 12:58:46 +0100 (Wed, 23 Feb 2011) | 3 lines
Changed paths:
   M /trunk
   M /trunk/ees
   M /trunk/ees-plugins-one
   M /trunk/glexec
   M /trunk/lcas
   M /trunk/lcas-lcmaps-gt4-interface
   M /trunk/lcas-plugins-basic
   M /trunk/lcas-plugins-check-executable
   M /trunk/lcas-plugins-voms
   M /trunk/lcmaps-plugins-afs
   M /trunk/lcmaps-plugins-basic
   M /trunk/lcmaps-plugins-c-pep
   M /trunk/lcmaps-plugins-gums
   M /trunk/lcmaps-plugins-jobrep
   M /trunk/lcmaps-plugins-scas-client
   M /trunk/lcmaps-plugins-verify-proxy
   M /trunk/lcmaps-plugins-voms
   M /trunk/scas

Updating externals to use http://ndpfsvn.nikhef.nl/ro instead of
https://ndpfsvn.nikhef.nl/repos

------------------------------------------------------------------------
r11958 | msalle | 2011-01-07 14:18:38 +0100 (Fri, 07 Jan 2011) | 2 lines
Changed paths:
   M /trunk/lcas-plugins-basic/Makefile.am
   M /trunk/lcas-plugins-check-executable/Makefile.am
   M /trunk/lcas-plugins-voms/Makefile.am
   M /trunk/lcmaps-plugins-afs/Makefile.am
   M /trunk/lcmaps-plugins-afs/src/afs/Makefile.am
   M /trunk/lcmaps-plugins-basic/Makefile.am
   M /trunk/lcmaps-plugins-basic/src/ldap_enf/Makefile.am
   M /trunk/lcmaps-plugins-basic/src/localaccount/Makefile.am
   M /trunk/lcmaps-plugins-basic/src/poolaccount/Makefile.am
   M /trunk/lcmaps-plugins-basic/src/posix_enf/Makefile.am
   M /trunk/lcmaps-plugins-c-pep/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-voms/Makefile.am
   M /trunk/lcmaps-plugins-voms/src/voms/Makefile.am

Updating EXTRA_DIST etc. to include missing files in dist's

------------------------------------------------------------------------
r11953 | msalle | 2011-01-07 13:18:30 +0100 (Fri, 07 Jan 2011) | 2 lines
Changed paths:
   D /trunk/lcas-plugins-basic/src/lcas_config.h.in
   D /trunk/lcas-plugins-check-executable/src/lcas_config.h.in
   D /trunk/lcas-plugins-voms/src/lcas_config.h.in
   D /trunk/lcmaps-plugins-afs/src/lcmaps_config.h.in
   D /trunk/lcmaps-plugins-gums/src/lcmaps_config.h.in
   D /trunk/lcmaps-plugins-verify-proxy/src/lcmaps_config.h.in
   D /trunk/lcmaps-plugins-voms/src/lcmaps_config.h.in

Removing automatically created _config.h.in files.

------------------------------------------------------------------------
r11951 | msalle | 2011-01-07 13:02:43 +0100 (Fri, 07 Jan 2011) | 2 lines
Changed paths:
   A /trunk/glexec/AUTHORS (from /trunk/glexec/MAINTAINERS:11944)
   D /trunk/glexec/MAINTAINERS
   M /trunk/glexec/Makefile.am
   A /trunk/lcas/AUTHORS (from /trunk/lcas/MAINTAINERS:11950)
   D /trunk/lcas/MAINTAINERS
   M /trunk/lcas/doc/Makefile.am
   M /trunk/lcas-lcmaps-gt4-interface/Makefile.am
   A /trunk/lcas-plugins-basic/AUTHORS (from /trunk/lcas-plugins-basic/MAINTAINERS:11946)
   D /trunk/lcas-plugins-basic/MAINTAINERS
   M /trunk/lcas-plugins-basic/Makefile.am
   A /trunk/lcas-plugins-check-executable/AUTHORS (from /trunk/lcas-plugins-check-executable/MAINTAINERS:11947)
   D /trunk/lcas-plugins-check-executable/MAINTAINERS
   M /trunk/lcas-plugins-check-executable/Makefile.am
   A /trunk/lcas-plugins-voms/AUTHORS (from /trunk/lcas-plugins-voms/MAINTAINERS:11947)
   D /trunk/lcas-plugins-voms/MAINTAINERS
   M /trunk/lcas-plugins-voms/Makefile.am
   A /trunk/lcmaps/AUTHORS (from /trunk/lcmaps/MAINTAINERS:11927)
   D /trunk/lcmaps/MAINTAINERS
   M /trunk/lcmaps/doc/Makefile.am
   A /trunk/lcmaps-plugins-afs/AUTHORS (from /trunk/lcmaps-plugins-afs/MAINTAINERS:11948)
   D /trunk/lcmaps-plugins-afs/MAINTAINERS
   M /trunk/lcmaps-plugins-afs/Makefile.am
   A /trunk/lcmaps-plugins-basic/AUTHORS (from /trunk/lcmaps-plugins-basic/MAINTAINERS:11948)
   D /trunk/lcmaps-plugins-basic/MAINTAINERS
   M /trunk/lcmaps-plugins-basic/Makefile.am
   A /trunk/lcmaps-plugins-c-pep/AUTHORS (from /trunk/lcmaps-plugins-c-pep/MAINTAINERS:11948)
   D /trunk/lcmaps-plugins-c-pep/MAINTAINERS
   M /trunk/lcmaps-plugins-c-pep/Makefile.am
   A /trunk/lcmaps-plugins-gums/AUTHORS (from /trunk/lcmaps-plugins-gums/MAINTAINERS:11948)
   D /trunk/lcmaps-plugins-gums/MAINTAINERS
   M /trunk/lcmaps-plugins-gums/Makefile.am
   A /trunk/lcmaps-plugins-scas-client/AUTHORS (from /trunk/lcmaps-plugins-scas-client/MAINTAINERS:11948)
   D /trunk/lcmaps-plugins-scas-client/MAINTAINERS
   M /trunk/lcmaps-plugins-scas-client/Makefile.am
   A /trunk/lcmaps-plugins-verify-proxy/AUTHORS (from /trunk/lcmaps-plugins-verify-proxy/MAINTAINERS:11948)
   D /trunk/lcmaps-plugins-verify-proxy/MAINTAINERS
   M /trunk/lcmaps-plugins-verify-proxy/Makefile.am
   A /trunk/lcmaps-plugins-voms/AUTHORS (from /trunk/lcmaps-plugins-voms/MAINTAINERS:11948)
   D /trunk/lcmaps-plugins-voms/MAINTAINERS
   M /trunk/lcmaps-plugins-voms/Makefile.am
   M /trunk/scas/Makefile.am

Renaming MAINTAINERS to AUTHORS and letting them be installed.

------------------------------------------------------------------------
r11948 | msalle | 2011-01-06 17:46:36 +0100 (Thu, 06 Jan 2011) | 4 lines
Changed paths:
   M /trunk/lcas-plugins-basic/Makefile.am
   M /trunk/lcas-plugins-check-executable/Makefile.am
   M /trunk/lcas-plugins-voms/Makefile.am
   A /trunk/lcmaps-plugins-afs/MAINTAINERS
   M /trunk/lcmaps-plugins-afs/Makefile.am
   M /trunk/lcmaps-plugins-afs/bootstrap
   M /trunk/lcmaps-plugins-afs/configure.ac
   A /trunk/lcmaps-plugins-basic/MAINTAINERS
   M /trunk/lcmaps-plugins-basic/Makefile.am
   M /trunk/lcmaps-plugins-basic/bootstrap
   M /trunk/lcmaps-plugins-basic/configure.ac
   A /trunk/lcmaps-plugins-c-pep/MAINTAINERS
   M /trunk/lcmaps-plugins-c-pep/Makefile.am
   M /trunk/lcmaps-plugins-c-pep/bootstrap
   M /trunk/lcmaps-plugins-c-pep/configure.ac
   A /trunk/lcmaps-plugins-gums/MAINTAINERS
   M /trunk/lcmaps-plugins-gums/Makefile.am
   M /trunk/lcmaps-plugins-gums/bootstrap
   M /trunk/lcmaps-plugins-gums/configure.ac
   A /trunk/lcmaps-plugins-scas-client/MAINTAINERS
   M /trunk/lcmaps-plugins-scas-client/Makefile.am
   M /trunk/lcmaps-plugins-scas-client/bootstrap
   M /trunk/lcmaps-plugins-scas-client/configure.ac
   A /trunk/lcmaps-plugins-verify-proxy/MAINTAINERS
   M /trunk/lcmaps-plugins-verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/bootstrap
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   A /trunk/lcmaps-plugins-voms/MAINTAINERS
   M /trunk/lcmaps-plugins-voms/Makefile.am
   M /trunk/lcmaps-plugins-voms/bootstrap
   M /trunk/lcmaps-plugins-voms/configure.ac

Add missing files for dist
Add MAINTAINERS and LICENSE files for doc
resync bootstrap

------------------------------------------------------------------------
r11871 | msalle | 2010-12-31 14:07:47 +0100 (Fri, 31 Dec 2010) | 3 lines
Changed paths:
   M /trunk/glexec/bootstrap
   M /trunk/lcmaps/bootstrap
   M /trunk/lcmaps-plugins-afs/bootstrap
   M /trunk/lcmaps-plugins-basic/bootstrap
   M /trunk/lcmaps-plugins-c-pep/bootstrap
   M /trunk/lcmaps-plugins-gums/bootstrap
   M /trunk/lcmaps-plugins-scas-client/bootstrap
   M /trunk/lcmaps-plugins-verify-proxy/bootstrap
   M /trunk/lcmaps-plugins-voms/bootstrap

Syncing all bootstrap files and removing reference to src/autogen which is no
longer used.

------------------------------------------------------------------------
r11847 | msalle | 2010-12-28 13:21:44 +0100 (Tue, 28 Dec 2010) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-afs/configure.ac
   M /trunk/lcmaps-plugins-basic/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-voms/configure.ac

Changing deprecated AM_CONFIG_HEADER to AC_CONFIG_HEADERS and move output to
src/ directory.

------------------------------------------------------------------------
r11810 | msalle | 2010-12-23 11:55:42 +0100 (Thu, 23 Dec 2010) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac

- remove FLAVOUR dependency: interface is now general.

------------------------------------------------------------------------
r11795 | msalle | 2010-12-22 16:00:53 +0100 (Wed, 22 Dec 2010) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac

Bail out when LCMAPS interface cannot be found

------------------------------------------------------------------------
r11780 | msalle | 2010-12-21 13:37:04 +0100 (Tue, 21 Dec 2010) | 6 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy
   M /trunk/lcmaps-plugins-verify-proxy/bootstrap
   D /trunk/lcmaps-plugins-verify-proxy/build.xml
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   D /trunk/lcmaps-plugins-verify-proxy/project/build.number
   D /trunk/lcmaps-plugins-verify-proxy/project/build.properties
   D /trunk/lcmaps-plugins-verify-proxy/project/configure.properties.xml
   A /trunk/lcmaps-plugins-verify-proxy/project/lcmaps.m4
   D /trunk/lcmaps-plugins-verify-proxy/project/properties.xml
   D /trunk/lcmaps-plugins-verify-proxy/project/version.properties
   D /trunk/lcmaps-plugins-verify-proxy/runautotools
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   D /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/gssapi_openssl.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.h

Fixing for EMI and cleanup:
- lcmaps.m4 macro to check for LCMAPS_CFLAGS.
- lcmaps headers 
- no glite dependency
- removal of unused files (in project/)

------------------------------------------------------------------------
r11590 | msalle | 2010-06-28 14:05:09 +0200 (Mon, 28 Jun 2010) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.c

Removing one my_timegm() definition as it is superfluous.

------------------------------------------------------------------------
r11589 | msalle | 2010-06-28 14:00:06 +0200 (Mon, 28 Jun 2010) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/grid-proxy-verify.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/verify_x509_utils.c

substituting timegm() for portable my_timegm()

------------------------------------------------------------------------
r11502 | okoeroo | 2010-03-31 16:01:39 +0200 (Wed, 31 Mar 2010) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/bootstrap
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties
   M /trunk/lcmaps-plugins-verify-proxy/runautotools
   M /trunk/lcmaps-plugins-voms/bootstrap
   M /trunk/lcmaps-plugins-voms/project/version.properties
   M /trunk/lcmaps-plugins-voms/runautotools

Bumped version and updated L & C

------------------------------------------------------------------------
r11449 | okoeroo | 2010-02-18 18:41:56 +0100 (Thu, 18 Feb 2010) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/grid-proxy-verify.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/grid-proxy-verify.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/gssapi_openssl.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/main.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/verify_x509_utils.c

Added licence

------------------------------------------------------------------------
r11435 | okoeroo | 2010-02-17 22:37:03 +0100 (Wed, 17 Feb 2010) | 13 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.h

Fixed the Proxy Life Time Policy enforcement functionality.
Fixed the VOMS Life Time Policy enforcement functionality.

Found by Jan Just Keijser at internal testing with the policies. It was broken due to the change over to the extended internal library that I created to better verify proxy certificates.

Resurrected an option with a different name:
--only-enforce-lifetime-checks

When this option is set the verification routines are skipped to enforce the proxy and/or VOMS lifetime policies only. This is interesting for GT4/5 tools like GridFTPd and the Gatekeeper as they already perform full authentication on the SSL layer. In gLExec this plug-in MUST run in full mode.


Bumped version to 1.4.7.

------------------------------------------------------------------------
r11296 | okoeroo | 2009-10-27 12:18:19 +0100 (Tue, 27 Oct 2009) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Now using X509_STORE_CTX_set_depth() without the hack.

Savannah bug #57642

------------------------------------------------------------------------
r11295 | okoeroo | 2009-10-26 21:05:34 +0100 (Mon, 26 Oct 2009) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.h

OpenSSL uses a default depth of 9 (don't ask why, it just is).

To cope with Subordinate CAs we have to extend the verification depth to be able to hold the certificate chain (could contain a lot of delegations) and all the CA certificates, which might not be added to the certificate chain itself but would still be lingering in the X509 CA directory lookup functions.

------------------------------------------------------------------------
r11205 | okoeroo | 2009-06-26 12:33:28 +0200 (Fri, 26 Jun 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.h

Perfecting the new versions log message cap.

------------------------------------------------------------------------
r11204 | okoeroo | 2009-06-26 12:00:03 +0200 (Fri, 26 Jun 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties

Bumping version

------------------------------------------------------------------------
r11203 | okoeroo | 2009-06-26 11:59:01 +0200 (Fri, 26 Jun 2009) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.c

Fixes made in the log function. This was discovered when the DN string exceeded the buffer length that would be written to the log.
This is now capped properly.

------------------------------------------------------------------------
r11201 | okoeroo | 2009-06-25 14:43:54 +0200 (Thu, 25 Jun 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/bootstrap
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties

Bumped version and added Mac OSX autotools support.

------------------------------------------------------------------------
r11200 | okoeroo | 2009-06-25 14:40:18 +0200 (Thu, 25 Jun 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Upgrading certificate chain depth limit to the depth of the certificate chain. This sounds pedantic, but the OpenSSL library seems to have a built-in limit of 9 certificates. This means that the verify-proxy will fail when having to check more than 9 certificates (including the CA, personal/service and proxies).

------------------------------------------------------------------------
r10956 | okoeroo | 2009-02-18 21:43:36 +0100 (Wed, 18 Feb 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/verify_x509_utils.c

Properly free'ing the certificate chain. (patch provided by Jan Just).

------------------------------------------------------------------------
r10912 | okoeroo | 2009-02-11 12:51:23 +0100 (Wed, 11 Feb 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/Makefile

Bumped version to reflect the change.

------------------------------------------------------------------------
r10911 | okoeroo | 2009-02-11 12:49:21 +0100 (Wed, 11 Feb 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c

Fixed the verification failure of limited proxies, delegated from a regular proxy on a CentOS-5 32bit or 64bit machine (openssl 0.9.8 and higher).

------------------------------------------------------------------------
r10873 | okoeroo | 2009-01-27 22:11:35 +0100 (Tue, 27 Jan 2009) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c

Rewritten generic verification library part to use vararg instead of void * juggling.
Although it worked perfectly, this is more flexible and the Good Thing (tm) to do.

------------------------------------------------------------------------
r10872 | okoeroo | 2009-01-27 21:43:44 +0100 (Tue, 27 Jan 2009) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c

The default (no explicit setting) will demand the presence of a private key and it must match the certificate chain.
You can set the omission of the key by declaring the "--discard_private_key_absence". Glexec has the opportunity to provide an equivalent when its setting of "ommission_private_key" is set to yes in the glexec.conf file.

To counter this omission of the private key explicitly in all cases (no override possible), the "--never_discard_private_key_absence" option can be set to express this.

------------------------------------------------------------------------
r10871 | okoeroo | 2009-01-27 20:43:40 +0100 (Tue, 27 Jan 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c

Enabled the generic verify-lib to enforce the presence of the private key with the presented chain.

------------------------------------------------------------------------
r10870 | okoeroo | 2009-01-27 20:27:27 +0100 (Tue, 27 Jan 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h

Reviving omission of private key and enforcing of the presence of the private key in the presented chain.

------------------------------------------------------------------------
r10855 | okoeroo | 2009-01-21 10:34:42 +0100 (Wed, 21 Jan 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties

Another bump

------------------------------------------------------------------------
r10854 | okoeroo | 2009-01-21 10:33:28 +0100 (Wed, 21 Jan 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties

Bumping version

------------------------------------------------------------------------
r10853 | okoeroo | 2009-01-21 10:32:57 +0100 (Wed, 21 Jan 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Should fix the build issue on RHEL 5 systems (more strict gcc compiler rulings).

------------------------------------------------------------------------
r10845 | okoeroo | 2009-01-19 12:05:49 +0100 (Mon, 19 Jan 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac

Removing Globus and Grid site macros

------------------------------------------------------------------------
r10843 | okoeroo | 2009-01-19 11:29:33 +0100 (Mon, 19 Jan 2009) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/verify_x509_utils.c

New version of lcmaps-plugins-verify-proxy.

Does not require GridSite code anymore. This will allow for its utilization on more platforms than we can currently cope with (OSG/Privilege project request for CentOS5 based systems).

------------------------------------------------------------------------
r10840 | okoeroo | 2009-01-18 22:01:20 +0100 (Sun, 18 Jan 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.c
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.h

builds nicely

------------------------------------------------------------------------
r10839 | okoeroo | 2009-01-16 23:00:35 +0100 (Fri, 16 Jan 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Fixerony

------------------------------------------------------------------------
r10838 | okoeroo | 2009-01-16 18:56:19 +0100 (Fri, 16 Jan 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Making ready to use the new functions.

------------------------------------------------------------------------
r10836 | okoeroo | 2009-01-16 14:33:31 +0100 (Fri, 16 Jan 2009) | 2 lines
Changed paths:
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/Makefile
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509.h
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/interface/verify_x509_datatypes.h
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/main.c
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src/verify_x509.c
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.c
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/_verify_x509.h
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.c
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/log.h
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/verify-lib/src_internal/verify_x509_utils.c

Adding new code

------------------------------------------------------------------------
r10835 | okoeroo | 2009-01-16 14:27:44 +0100 (Fri, 16 Jan 2009) | 2 lines
Changed paths:
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.c
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/proxylifetime/proxylifetime.h

Split the proxy lifetime check routines.

------------------------------------------------------------------------
r10834 | okoeroo | 2009-01-16 14:26:59 +0100 (Fri, 16 Jan 2009) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Fixing verify proxy

------------------------------------------------------------------------
r10666 | okoeroo | 2008-09-18 10:04:46 +0200 (Thu, 18 Sep 2008) | 2 lines
Changed paths:
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/grid-proxy-verify.c
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/grid-proxy-verify.h
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Added new routines from Jan Just Keijser's test program.

------------------------------------------------------------------------
r10606 | okoeroo | 2008-09-03 16:03:23 +0200 (Wed, 03 Sep 2008) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties

Version bump

------------------------------------------------------------------------
r10605 | okoeroo | 2008-09-03 15:20:22 +0200 (Wed, 03 Sep 2008) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Solution to bug #40822: Changed the behaviour in the proxy certificate semantic checks.
According to the test, a limited proxy couldn't be followed by any proxy certificate. This is a false statement, because it may be followed by another limited proxy.

Also enforced now is the semantic correctness of the chain that a limited proxy may only be followed by limited proxies and not anything else.
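
Added example, not part of the commit and not the plugin's own code: the chain rule stated above (a limited proxy may be followed only by limited proxies), combined with the default rejection of a limited leaf proxy unless --allow-limited-proxy is given. The cert_kind_t model, the CA-to-leaf ordering of the array and every function name are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model: one entry per certificate, ordered CA -> leaf. */
typedef enum { CERT_CA, CERT_EEC, CERT_PROXY, CERT_LIMITED_PROXY } cert_kind_t;

typedef enum {
    CHAIN_OK = 0,
    CHAIN_ERR_EMPTY,          /* nothing to evaluate */
    CHAIN_ERR_ORDER,          /* CA/EEC out of place, or a proxy without an EEC */
    CHAIN_ERR_AFTER_LIMITED,  /* something other than a limited proxy follows one */
    CHAIN_ERR_LIMITED_LEAF    /* leaf is limited and that was not allowed */
} chain_result_t;

chain_result_t check_chain_semantics(const cert_kind_t *chain, size_t n,
                                     int allow_limited_leaf)
{
    int seen_eec = 0, seen_proxy = 0, seen_limited = 0;
    size_t i;

    if (chain == NULL || n == 0)
        return CHAIN_ERR_EMPTY;

    for (i = 0; i < n; i++) {
        cert_kind_t k = chain[i];

        /* Once limited, always limited: checked before anything else. */
        if (seen_limited && k != CERT_LIMITED_PROXY)
            return CHAIN_ERR_AFTER_LIMITED;

        switch (k) {
        case CERT_CA:
            if (seen_eec || seen_proxy)
                return CHAIN_ERR_ORDER;
            break;
        case CERT_EEC:
            if (seen_eec || seen_proxy)
                return CHAIN_ERR_ORDER;
            seen_eec = 1;
            break;
        case CERT_PROXY:
        case CERT_LIMITED_PROXY:
            if (!seen_eec)
                return CHAIN_ERR_ORDER;
            seen_proxy = 1;
            if (k == CERT_LIMITED_PROXY)
                seen_limited = 1;
            break;
        default:
            return CHAIN_ERR_ORDER;
        }
    }

    if (!seen_eec)
        return CHAIN_ERR_ORDER;

    /* Default policy: a limited leaf proxy is rejected unless allowed. */
    if (chain[n - 1] == CERT_LIMITED_PROXY && !allow_limited_leaf)
        return CHAIN_ERR_LIMITED_LEAF;

    return CHAIN_OK;
}

int main(void)
{
    /* Constructed sample chains. */
    cert_kind_t good[] = { CERT_CA, CERT_EEC, CERT_PROXY,
                           CERT_LIMITED_PROXY, CERT_LIMITED_PROXY };
    cert_kind_t bad[]  = { CERT_CA, CERT_EEC, CERT_LIMITED_PROXY, CERT_PROXY };

    printf("limited->limited, leaf allowed:     %d\n",
           check_chain_semantics(good, 5, 1));
    printf("limited->limited, leaf not allowed: %d\n",
           check_chain_semantics(good, 5, 0));
    printf("limited->full proxy:                %d\n",
           check_chain_semantics(bad, 4, 1));
    return 0;
}
```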

------------------------------------------------------------------------
r10493 | okoeroo | 2008-06-12 09:25:13 +0200 (Thu, 12 Jun 2008) | 7 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Check if processes have set the option to allow discarding the private key verification.
The environment variable that provided this choice will be cleared. $VERIFY_PROXY_DISCARD_PRIVATE_KEY_ABSENCE

The new variable "--never_discard_private_key_absence" will mute the environment variable that can override the private key verification functionality. The environment variable that would allow for the discard of the check for the private key will be useless.

This is to be used in situations where the private key check is mandatory AND non-overridable.

------------------------------------------------------------------------
r10489 | okoeroo | 2008-06-11 15:47:47 +0200 (Wed, 11 Jun 2008) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Bumped version to a new minor version: 1.3.1.1

------------------------------------------------------------------------
r10488 | okoeroo | 2008-06-11 15:08:07 +0200 (Wed, 11 Jun 2008) | 17 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

New tag candidate

Features a new initialization parameter:
--discard_private_key_absence


The NEW default is to check and verify the now obligatory Private key from the PEM string. The PEM string is fetched from the LCMAPS framework (when provided).
If LCMAPS fails to provide that PEM string (maybe legitimate in LCG-CE gatekeeper or gridftpd scenarios), then the check is discarded.

The Private key must match with one of the certificates in the chain. If the Private key is not found in the PEM string, then this is an error condition.
This behavior can be overridden for the absence of the Private key. If the Private key is not provided and when the --discard_private_key_absence option is set, then only a warning message at level 5 ($LCMAPS_LOG_LEVEL=5) will be given.

In the case where the --discard_private_key_absence is set and when a Private key is present in the PEM string, then the check will proceed and the given Private key MUST match one of the certificates in the chain. So in either case when the --discard_private_key_absence is set or not, the Private key will be checked. Only its absence can be discarded when the --discard_private_key_absence option is set.


Other fixes include the prevention of segmentation faults.

------------------------------------------------------------------------
r10484 | okoeroo | 2008-06-10 16:29:29 +0200 (Tue, 10 Jun 2008) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Building in the private key check

------------------------------------------------------------------------
r10483 | okoeroo | 2008-06-10 10:26:59 +0200 (Tue, 10 Jun 2008) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Added lots of CFLAGS for GCC and fixed all issues regarding unused and uninitialized variables.

------------------------------------------------------------------------
r10480 | okoeroo | 2008-06-05 16:12:12 +0200 (Thu, 05 Jun 2008) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties

Version 1.2.9.1 solves bug #37303

------------------------------------------------------------------------
r10479 | okoeroo | 2008-06-05 16:10:20 +0200 (Thu, 05 Jun 2008) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

This works and seems to solve bug #37303.
Tested with a proxy chain (with and without VOMS) from Dennis which was signed by the PVier testbed CA.

gLExec's execution of LCMAPS failed on the verification of the chain. It succeeded on my proxy chain.

------------------------------------------------------------------------
r10478 | okoeroo | 2008-06-05 10:57:06 +0200 (Thu, 05 Jun 2008) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/runautotools
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Included the use of GridSite core to evaluate the certificate chain.
This should solve bug #37303 and the original #37304. The latter bug changed name and goal.

Besides testing the verification process the Private Key check is not performed yet.

------------------------------------------------------------------------
r10327 | okoeroo | 2007-08-27 16:03:32 +0200 (Mon, 27 Aug 2007) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties

Bumped age: No code change but needed to stay in sync for the next jump to LCMAPS 1.4.x

------------------------------------------------------------------------
r10284 | okoeroo | 2007-08-03 00:25:51 +0200 (Fri, 03 Aug 2007) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties

bump

------------------------------------------------------------------------
r10196 | venekamp | 2007-05-23 19:20:53 +0200 (Wed, 23 May 2007) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am

o  Update Makefile.am to make 32/64 bit build possible.

------------------------------------------------------------------------
r10169 | okoeroo | 2007-05-04 15:39:47 +0200 (Fri, 04 May 2007) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties

Bumped version

------------------------------------------------------------------------
r10168 | okoeroo | 2007-05-04 14:54:26 +0200 (Fri, 04 May 2007) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/runautotools
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Freeing too much stuff and updated the runautotools script for this component

------------------------------------------------------------------------
r10080 | okoeroo | 2006-12-19 16:28:43 +0100 (Tue, 19 Dec 2006) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties

Mistakenly I messed up a few tag numbers, but all is corrected again.

------------------------------------------------------------------------
r10076 | okoeroo | 2006-12-13 14:21:20 +0100 (Wed, 13 Dec 2006) | 14 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Finally just took the time to finish the VOMS LifeTime check in the LCMAPS verify_proxy plugin.


Example for the 'lcmaps.db' file:

verify_proxy = "lcmaps_verify_proxy.mod"
" -certdir /etc/grid-security/certificates"
" --max-proxy-level-ttl=0 12:05"
" --max-proxy-level-ttl=L 12:05"
" --max-proxy-level-ttl=1 12:00"
" --max-voms-ttl 11:00"

The last line is the new feature. Also using the 2d-11:00 format (2 days and 11 hours) to set the maximum lifetime.

------------------------------------------------------------------------
r10056 | okoeroo | 2006-11-30 11:18:17 +0100 (Thu, 30 Nov 2006) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am

Includes the CFLAGS fix for etics, plus bumped version to 1.2.3


note: mind the $(libdir)

------------------------------------------------------------------------
r10012 | okoeroo | 2006-10-24 13:28:20 +0200 (Tue, 24 Oct 2006) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

checked and updated a few messages.

------------------------------------------------------------------------
r9984 | okoeroo | 2006-10-16 14:40:39 +0200 (Mon, 16 Oct 2006) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

getting closer and closer on finally implementing VOMS LifeTime restrictions

------------------------------------------------------------------------
r9922 | okoeroo | 2006-08-31 14:17:32 +0200 (Thu, 31 Aug 2006) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

The lcmaps_vomsdata_t is not needed to function successfully.
When VOMS credentials pass through, then the VOMS credentials need to be evaluated, otherwise it shouldn't be the show stopper.

------------------------------------------------------------------------
r9898 | okoeroo | 2006-08-18 15:13:07 +0200 (Fri, 18 Aug 2006) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

VOMS lifetime support initiation finished, need to implement the functions that parse the date strings and figure out what to do next.

------------------------------------------------------------------------
r9895 | okoeroo | 2006-08-17 10:59:31 +0200 (Thu, 17 Aug 2006) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Altered the lcmaps_voms_t to lcmaps_vomsdata_t as the main non-dependent VOMS data structure for internal use.

Basically a remake of the existing structure, but now in our own code.
Which creates a more detailed structure of all known VOMS values from the proxy.

------------------------------------------------------------------------
r9831 | okoeroo | 2006-05-12 12:01:51 +0200 (Fri, 12 May 2006) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties

Bumped version to 1.2.2 to sync with the tagname

------------------------------------------------------------------------
r9826 | okoeroo | 2006-05-12 11:39:00 +0200 (Fri, 12 May 2006) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Solved the initialization problem of the multiple proxy level max TTLs

------------------------------------------------------------------------
r9821 | okoeroo | 2006-05-08 12:40:22 +0200 (Mon, 08 May 2006) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Fixed the proxy life time per proxy level (in the cert chain).
It works successfully and the code is more efficient than before.

------------------------------------------------------------------------
r9818 | okoeroo | 2006-05-02 16:11:30 +0200 (Tue, 02 May 2006) | 9 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Changed the #define LCMAPS_USE_GSI to #define LCMAPS_VERIFY_USE_GSI to indicate a difference between the one in the framework and this define.
It is defaulted to #undef

This will let the plugin be compiled without GSI and only with X.509. This works when using the glexec.
This is tested and successful.

Yet to come:
   ...is to run in default X.509 mode but also (when compiled with GSI) being able to hot-switch to grab a gss_cred_t which needs to be translated to X.509. Only done in absence of an X.509 chain AND compiled with GSI libs.

------------------------------------------------------------------------
r9791 | okoeroo | 2006-03-31 15:34:54 +0200 (Fri, 31 Mar 2006) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties

Bumped version accordingly to 1.2.0

------------------------------------------------------------------------
r9790 | okoeroo | 2006-03-31 15:32:39 +0200 (Fri, 31 Mar 2006) | 14 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

All parameters are now case insensitive for this plugin:
Like:
-certdir <example: /etc/grid-security/certificates>
   certificates and crls dir

--only-post-verify-checks (synonymous to --only-post-verify)
   perform only the post verification checks, like validation checks throughout the cert-chain proxy DN naming policies, and the proxy-lifetime checks

--allow-limited-proxy
   Will not fail the plugin because the last proxy in the chain is a limited proxy; thou shouldn't use a limited proxy to do user mapping (and sudo actions)

--max-proxy-level-ttl=<level> <time-length; example: 2d-13:37>
   Sets a maximum lifetime for proxy certificate level <level> where <level> can be 0-9 or 'l' or 'L' to indicate a Leaf proxy (last proxy in the chain)
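
Added example, not part of the commit and not the plugin's own code: a strict parser for the --max-proxy-level-ttl=<level> option name and the <time-length> value it takes (2d-13:37, or the five-character minimum 13:37). The exact grammar is an assumption (lowercase 'd', at most four day digits, two-digit hours 00-23 and minutes 00-59), as are all function names; anything malformed is rejected so that a typo cannot turn into a weaker limit.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define LEVEL_LEAF (-1)   /* 'l' or 'L': the last proxy in the chain */

/* Parse "[<days>d-]HH:MM" into seconds. Returns 0 on success, -1 on error. */
int parse_ttl(const char *s, long *seconds)
{
    long days = 0;
    size_t i = 0;
    const char *t;
    int hh, mm;

    if (s == NULL || seconds == NULL)
        return -1;

    /* Optional day prefix: 1-4 digits followed by "d-". */
    if (strchr(s, '-') != NULL) {
        size_t ndigits = 0;
        while (isdigit((unsigned char)s[i]) && ndigits < 4) {
            days = days * 10 + (s[i] - '0');
            i++;
            ndigits++;
        }
        if (ndigits == 0 || s[i] != 'd' || s[i + 1] != '-')
            return -1;
        i += 2;
    }

    /* The remainder must be exactly HH:MM (five characters). */
    t = s + i;
    if (strlen(t) != 5 ||
        !isdigit((unsigned char)t[0]) || !isdigit((unsigned char)t[1]) ||
        t[2] != ':' ||
        !isdigit((unsigned char)t[3]) || !isdigit((unsigned char)t[4]))
        return -1;

    hh = (t[0] - '0') * 10 + (t[1] - '0');
    mm = (t[3] - '0') * 10 + (t[4] - '0');
    if (hh > 23 || mm > 59)
        return -1;

    *seconds = days * 86400L + hh * 3600L + mm * 60L;
    return 0;
}

/* Case-insensitive prefix test, since option names are case insensitive. */
static int has_prefix_nocase(const char *s, const char *prefix)
{
    while (*prefix != '\0') {
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
        s++;
        prefix++;
    }
    return 1;
}

/* Extract <level> from "--max-proxy-level-ttl=<level>": 0-9, or LEVEL_LEAF. */
int parse_level_option(const char *opt, int *level)
{
    static const char prefix[] = "--max-proxy-level-ttl=";
    const char *v;

    if (opt == NULL || level == NULL || !has_prefix_nocase(opt, prefix))
        return -1;

    v = opt + sizeof(prefix) - 1;
    if (v[0] == '\0' || v[1] != '\0')   /* exactly one level character */
        return -1;

    if (isdigit((unsigned char)v[0])) {
        *level = v[0] - '0';
        return 0;
    }
    if (v[0] == 'l' || v[0] == 'L') {
        *level = LEVEL_LEAF;
        return 0;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample inputs, including malformed ones. */
    const char *samples[] = { "2d-13:37", "12:05", "13:7", "2d13:37", "1d-12:60" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        long secs = 0;
        if (parse_ttl(samples[i], &secs) == 0)
            printf("%-9s -> %ld seconds\n", samples[i], secs);
        else
            printf("%-9s -> rejected\n", samples[i]);
    }
    return 0;
}
```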

------------------------------------------------------------------------
r9789 | okoeroo | 2006-03-31 14:58:12 +0200 (Fri, 31 Mar 2006) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Performed:
- Code clean up
- change in init parameter '-pttl'; it is now '--max-proxy-level-ttl=' where it expects a value of 0-9 or 'l' or 'L'. The L stands for Leaf proxy (the last one in the chain).
- More efficient code, less expensive operations

------------------------------------------------------------------------
r9532 | okoeroo | 2006-02-27 14:17:22 +0100 (Mon, 27 Feb 2006) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Changing the default runarg for a certificate stack from GSI to STACK_OF(X509) to work correctly with glexec

Note: This could give problems when used in a GSI frontended setup like the gatekeeper if
the LCMAPS framework is not supplying the STACK_OF(X509)

------------------------------------------------------------------------
r9364 | msteenba | 2006-02-16 14:20:12 +0100 (Thu, 16 Feb 2006) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties

version 1.1.0
- proxy lifetime check per proxy depth
- optional certificate chain cerification

------------------------------------------------------------------------
r9275 | okoeroo | 2006-02-10 16:44:50 +0100 (Fri, 10 Feb 2006) | 9 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Implemented the checks which belong to the [-pttl<level>|-pTTL<level>] <time length>

Where <level> can be one of the following characters [0-9lL] and the 'lL' part refers to the Leaf proxy.
Which is the proxy that is the last one in the chain and will be interesting to treat with special care.

<time length> is still in the format 2d-13:37 where a minimum is set on five characters like 13:37

It still needs testing!

------------------------------------------------------------------------
r9219 | okoeroo | 2006-02-09 01:13:28 +0100 (Thu, 09 Feb 2006) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

I'm going to fail the procedure when an unspecified proxylevel is evaluated (for the moment).
At least until the plugin will understand the notion of a LEAF Proxy.
A LEAF Proxy (or just leaf) is the last and final proxy in a chain, which is usually the most interesting to evaluate at the moment.

------------------------------------------------------------------------
r9203 | okoeroo | 2006-02-07 16:56:12 +0100 (Tue, 07 Feb 2006) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Added separate function to test proxy lifetime as wished
Added extra time conversion function

------------------------------------------------------------------------
r9099 | okoeroo | 2006-02-02 03:16:51 +0100 (Thu, 02 Feb 2006) | 9 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Written the ability to do the multi-level proxy checks, which I still
need to write.

The possible options are:
-certdir <CA cert dir> || -CERTDIR <CA cert dir>
--only-post-verify-checks || --only-post-verify
--allow-limited-proxy || --ALLOW-LIMITED-PROXY || --allow-limited-proxy || -ALLOW-LIMITED-PROXY || -ALLOW-LIMITED-PROXY
-pttl[0-9] 2d-13:37  || -pTTL[0-9] 2d-13:37

------------------------------------------------------------------------
r8711 | okoeroo | 2006-01-04 15:04:29 +0100 (Wed, 04 Jan 2006) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Fixed two memory leaks and changed one procedure in a more lightweight fashion.

Like: using sk_X509_pop_free (dupChain, X509_free) on a duplicated stack, using a buffer when wanting to use a string for logging purposes instead of 2 conversion procedures.
and cleaning two used strings at the right moment.

------------------------------------------------------------------------
r8109 | okoeroo | 2005-12-22 17:52:38 +0100 (Thu, 22 Dec 2005) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Built in a new option: "-check-proxy-max-ttl 10d-12:37"
This will check if a proxy in the chain exceeds the maximum lifetime.
This check needs to be refined to only affect the leaf proxy of the chain.
But... it works :D

------------------------------------------------------------------------
r8037 | msteenba | 2005-12-20 16:05:50 +0100 (Tue, 20 Dec 2005) | 2 lines
Changed paths:
   M /trunk/lcas/src/lcas.c
   M /trunk/lcas-plugins-voms/src/voms/Makefile.am
   M /trunk/lcmaps/src/Makefile.am
   M /trunk/lcmaps/src/pluginmanager/lcmaps_pluginmanager.c
   M /trunk/lcmaps/src/test/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-voms/src/voms/Makefile.am

use libvomsapi instead of libvomsc (for voms > 1.6.0)

------------------------------------------------------------------------
r7769 | okoeroo | 2005-12-08 18:47:55 +0100 (Thu, 08 Dec 2005) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Discovered a small flaw in the code prior to implementing Proxy Life Time checking... Stay tuned :-)

------------------------------------------------------------------------
r7752 | msteenba | 2005-12-07 10:07:40 +0100 (Wed, 07 Dec 2005) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

- fixed argument parsing bug
- corrected cpp statement
- corrected log string

------------------------------------------------------------------------
r7736 | okoeroo | 2005-12-06 09:18:56 +0100 (Tue, 06 Dec 2005) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

The changes involve a new parameter to be set called "-allow-limited-proxy"
By default limited proxies will be rejected!
This can be overridden by passing this new option to the plugin as init value

------------------------------------------------------------------------
r7525 | msteenba | 2005-11-23 18:53:47 +0100 (Wed, 23 Nov 2005) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

- switch off gsi-mode
- initialized several variables
- Check if CA certificates directory is set

------------------------------------------------------------------------
r7509 | msteenba | 2005-11-23 14:27:18 +0100 (Wed, 23 Nov 2005) | 2 lines
Changed paths:
   M /trunk/lcmaps/configure.ac
   M /trunk/lcmaps/project/version.properties
   M /trunk/lcmaps-interface/configure.ac
   M /trunk/lcmaps-interface/project/version.properties
   M /trunk/lcmaps-plugins-afs/configure.ac
   M /trunk/lcmaps-plugins-afs/project/version.properties
   M /trunk/lcmaps-plugins-basic/configure.ac
   M /trunk/lcmaps-plugins-basic/project/version.properties
   M /trunk/lcmaps-plugins-jobrep/configure.ac
   M /trunk/lcmaps-plugins-jobrep/project/version.properties
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/project/version.properties
   M /trunk/lcmaps-plugins-voms/configure.ac
   M /trunk/lcmaps-plugins-voms/project/version.properties

updated version

------------------------------------------------------------------------
r7420 | okoeroo | 2005-11-18 14:38:28 +0100 (Fri, 18 Nov 2005) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

A pretty very good working version.
It validates my testing proxy very well. I need to test it with GL-Exec.
The validation of the user certificate and the parsing of the proxies is done now.
No VOMS extensions are verified.

------------------------------------------------------------------------
r7360 | okoeroo | 2005-11-14 16:47:28 +0100 (Mon, 14 Nov 2005) | 4 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

Gathering the certificate in another way ... so that I can cope with subordinate CAs (if they have their certificates installed on the host)
Checks within a proxy need to be done yet.... this is a successful CRL check (I hope ...)
Needs to be tested though ... with glexec

------------------------------------------------------------------------
r7316 | okoeroo | 2005-11-11 16:17:00 +0100 (Fri, 11 Nov 2005) | 6 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

First certificate verify executed correctly. Not the chain yet, just the certificate against the CRLs and CAs.
Need to build:
- all the checks needed to verify a proxy
- need to verify the CA cert itself
- need to verify VOMS extensions

------------------------------------------------------------------------
r7260 | okoeroo | 2005-11-09 00:35:33 +0100 (Wed, 09 Nov 2005) | 5 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

This version has the untested but building version of the verify proxy module
which doesn't need any Globus stuff anymore, because we can extract/(re)create
from the LCMAPS framework and each module can get a stackof(x509) or just the x509.
It is cool to be working at a very low level without all these dependencies.

------------------------------------------------------------------------
r7257 | okoeroo | 2005-11-08 16:24:40 +0100 (Tue, 08 Nov 2005) | 3 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

changed a lot of stuff, mainly pulling out the jobrep stuff and adding the needed stuff to verify a proxy
ow ... and it builds

------------------------------------------------------------------------
r7200 | okoeroo | 2005-11-04 16:52:16 +0100 (Fri, 04 Nov 2005) | 2 lines
Changed paths:
   M /trunk/lcmaps-plugins-verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/build.xml
   M /trunk/lcmaps-plugins-verify-proxy/configure.ac
   D /trunk/lcmaps-plugins-verify-proxy/org.glite.subsystem_template.component_template
   M /trunk/lcmaps-plugins-verify-proxy/project/configure.properties.xml
   M /trunk/lcmaps-plugins-verify-proxy/project/properties.xml
   M /trunk/lcmaps-plugins-verify-proxy/src/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   M /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/gssapi_openssl.h

Why do I need this?

------------------------------------------------------------------------
r7199 | okoeroo | 2005-11-04 16:38:29 +0100 (Fri, 04 Nov 2005) | 2 lines
Changed paths:
   A /trunk/lcmaps-plugins-verify-proxy
   A /trunk/lcmaps-plugins-verify-proxy/Doxyfile
   A /trunk/lcmaps-plugins-verify-proxy/LICENSE
   A /trunk/lcmaps-plugins-verify-proxy/Makefile.am
   A /trunk/lcmaps-plugins-verify-proxy/bootstrap
   A /trunk/lcmaps-plugins-verify-proxy/build.xml
   A /trunk/lcmaps-plugins-verify-proxy/configure.ac
   A /trunk/lcmaps-plugins-verify-proxy/org.glite.subsystem_template.component_template
   A /trunk/lcmaps-plugins-verify-proxy/org.glite.subsystem_template.component_template/LICENSE
   A /trunk/lcmaps-plugins-verify-proxy/org.glite.subsystem_template.component_template/build.xml
   A /trunk/lcmaps-plugins-verify-proxy/org.glite.subsystem_template.component_template/project
   A /trunk/lcmaps-plugins-verify-proxy/org.glite.subsystem_template.component_template/project/build.number
   A /trunk/lcmaps-plugins-verify-proxy/org.glite.subsystem_template.component_template/project/build.properties
   A /trunk/lcmaps-plugins-verify-proxy/org.glite.subsystem_template.component_template/project/configure.properties.xml
   A /trunk/lcmaps-plugins-verify-proxy/org.glite.subsystem_template.component_template/project/properties.xml
   A /trunk/lcmaps-plugins-verify-proxy/org.glite.subsystem_template.component_template/project/version.properties
   A /trunk/lcmaps-plugins-verify-proxy/project
   A /trunk/lcmaps-plugins-verify-proxy/project/build.number
   A /trunk/lcmaps-plugins-verify-proxy/project/build.properties
   A /trunk/lcmaps-plugins-verify-proxy/project/configure.properties.xml
   A /trunk/lcmaps-plugins-verify-proxy/project/properties.xml
   A /trunk/lcmaps-plugins-verify-proxy/project/version.properties
   A /trunk/lcmaps-plugins-verify-proxy/runautotools
   A /trunk/lcmaps-plugins-verify-proxy/src
   A /trunk/lcmaps-plugins-verify-proxy/src/Makefile.am
   A /trunk/lcmaps-plugins-verify-proxy/src/lcmaps_config.h.in
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/Makefile.am
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/gssapi_openssl.h
   A /trunk/lcmaps-plugins-verify-proxy/src/verify-proxy/lcmaps_verify_proxy.c

New plugin to the LCMAPS framework that will verify a certificate chain

------------------------------------------------------------------------
