GT 5.0.0 GSI C Release Notes


1. Component Overview

The Globus Toolkit Pre-Web Services Authentication and Authorization component provides APIs and tools for authentication, authorization and certificate management. The authentication API is built using Public Key Infrastructure (PKI) technologies, e.g. X.509 Certificates and TLS. In addition to authentication it features a delegation mechanism based upon X.509 Proxy Certificates. Authorization support takes the form of a couple of APIs. The first provides a generic authorization API that allows callouts to perform access control based on the client's credentials (i.e. the X.509 certificate chain). The second provides a simple access control list that maps authorized remote entities to local (system) user names. The second mechanism also provides callouts that allow third parties to override the default behavior and is currently used in the Gatekeeper and GridFTP servers. In addition to the above there are various lower level APIs and tools for managing, discovering and querying certificates .

2. Feature summary

Features new in GT 5.0.0

  • Support for processing host certificates containing X.509 subjectAltName extensions with dNSName or iPAddress values.

Other Supported Features

  • Authentication of user using standard X.509 End Entity and Proxy Certificates.
  • Delegation using X.509 Proxy Certificates.
  • Pluggable authorization based on the client's certificate chain for GridFTP and GRAM2.
  • Pluggable authorization for GRAM2 based on the RSL of the job.

Deprecated Features

  • None

3. Summary of Changes in GSI

4. Bug Fixes

  • Bug 6177: grid-proxy-init with bad passphrase is extra verbose
  • Bug 6242: Vendor OpenSSL build workaround needs workaround
  • Bug 6248: grid-cert-diagnostics ignores most CA policy files
  • Bug 6252: Error parsing signing policy files
  • Bug 6299: gss_assist_tests aren't running.
  • Bug 6300: proxy_ssl tests aren't automated.
  • Bug 6310: globus_openssl_setup can create bad symlink
  • Bug 6313: gss_export_sec_context / gss_import_sec_context lose compression state
  • Bug 6321: grid-cert-diagnostics should output GLOBUS_LOCATION
  • Bug 6328: grid-cert-diagnostics should display gridmap-related info
  • Bug 6329: Weird error for "DN does not match signing policy"
  • Bug 6331: CAMPAIGN: Improve server identity processing in GSI C
  • Bug 6362: Fix handling of NULL minor_status in GSSAPI
  • Bug 6363: grid-proxy-init misreports identity in console output
  • Bug 6366: Fix handling of NULL values in gss_inquire_context
  • Bug 6367: globus_i_gsi_gssapi_openssl_error_result doesn't check array bounds
  • Bug 6368: gss_add_oid_set_member can free wild data
  • Bug 6369: unintialized variables in GSI
  • Bug 6374: globus-hostname-lookup double-frees when error occurs
  • Bug 6375: Fix memory leaks in credential handling code
  • Bug 6377: Fix memory leaks / error handling in oldgaa
  • Bug 6381: fix memory leaks / pointer errors in proxy_core
  • Bug 6382: gss_assist unintialized variables and dead code
  • Bug 6383: potential null dereference in gsi_sysconfig

5. Known Problems

The following problems and limitations are known to exist for GSI C at the time of the 5.0.0 release:

5.1. Limitations

  • No known limitations exist.

5.2. Outstanding bugs

  • Bug 1239: grid grants access even though local account is locked
  • Bug 1528: Getting CA information during handshake
  • Bug 1753: bug 318 resolution opens door to spoofing ?
  • Bug 3019: Key appearing first in proxy certificate file causes GSI to die
  • Bug 3521: Conditionally disallow grid-mapfile-{add,delete}-entry
  • Bug 3555: Implement HSPD-12/PIV-II
  • Bug 3781: GSI caching of CRLs causes problems when process lifetime exceeds CRL lifetime
  • Bug 4180: Exact syntax of grid-mapfile?
  • Bug 4788: [patch] add OCSP check to globus_i_gsi_callback_check_revoked()
  • Bug 5304: better commandline option for people who have multiple certs
  • Bug 5768: Reconfiguration of Cipher Suite
  • Bug 6384: fix leaks and unintiailzed memory read in GAA
  • Bug 6385: grid-change-passphrase gives obscure error for incorrect passphrase
  • Bug 1476: grid-cert-request directions should be generalized
  • Bug 2983: Missing TESTS.pl script for globus_authz_test
  • Bug 3062: Missing TESTS.pl script for gaa_simple_test
  • Bug 3173: /etc/grid-security/gsi-authz.conf and gsi-gaa.conf are build dependent
  • Bug 5634: Give file location of gridmap in authz failures
  • Bug 6388: CAS assertions don't work with GSI C
  • Bug 4110: Need to add an option to grid-cert-request to control key length
  • Bug 5707: Campaign: Improve C XACML/SAML Engine
  • Bug 2589: Behavior of C and java grid-proxy-init differ, should be unified
  • Bug 2969: Too relaxed rules on DN comparisons (all versions of GT)
  • Bug 3658: grid-cert-info should have option for RFC 2253 format DN

6. Technology dependencies

The GSI C component depends on the following GT components:

  • C Common Libraries

The GSI C component depends on the following 3rd party software:

  • OpenSSL

7. Tested platforms

Tested platforms for GSI C:

  • i386 Linux

8. Backward compatibility summary

Protocol changes in GSI C since GT 4.2.x

  • None

API changes since GT 4.2.x

  • None

Exception changes since GT 4.2.x

  • Not applicable

Schema changes since GT 4.2.x

  • Not applicable

9. Associated Standards

Associated standards for GSI C:

10. For More Information

See GSI C for more information about this component.

Glossary

P

proxy certificate

A short lived certificate issued using a EEC. A proxy certificate typically has the same effective subject as the EEC that issued it and can thus be used in its place. GSI uses proxy certificates for single sign on and delegation of rights to other entities.

For more information about types of proxy certificates and their compatibility in different versions of GT, see http://dev.globus.org/wiki/Security/ProxyCertTypes.

public key

The public part of a key pair used for cryptographic operations (e.g. signing, encrypting).