opencadc / cdp Goto Github PK

if you do not configure both the init params (one of which may not be desired/useful) it throws

To make this servlet usable by webapps out-of-the-box the configuration needs to be moved from web.xml to an external configuration file. This is currently needed by the vos.git/cavern project.

this is unnecessary as delegations are X509 certificate only operations

Trying to delegate a terena user certificate with this command:
java ca.nrc.cadc.cred.client.Main -d --delegate --daysValid=20 --cert=<terena_key_and_crt.pem>
It is thrown a ResourceNotFoundException
The reason is that the CSR is saved in the database (CertificateDAO.java, put method) with an hash key different to which used to retrieve it (DelegationsImpl.java, hash method).

Details:

CertificateDAO.java, put method, calculates the x509 certificate chain hash :
X509CertificateChain.getHashKey()

DelegationsImpl.java, in initializeIdentity method calls Delegations.hash, which calculates the principal hash:

public String hash(X500Principal principal)
{
return Integer.toString(principal.hashCode());
}

Patch is to change this last method:

public String hash(X500Principal principal)
{
    return X509CertificateChain.getHashKey(principal);
}

CertificateDAO assumes that catalog and schema can be set but that isn't always true.

Implementors have to povide a fair bit of code in DelegationsImpl to use CertificateDAO; this should be just the configuration.

CredClient.getProxyCertificate fails with when the currently delegated certificate is not valid (eg expired). This leaves the calling service unable to diagnose and report a suitable error to it's caller.

impovement:

• need a standard error message from service in this case and suitable http status code
• CredClient needs to handle this and throw a better exception than HttpDownload (IOException)

This version of CDP only works with v1.46 of bcprov-jdk15on.jar library.

In file
cdp/cadc-cdp/src/main/java/ca/nrc/cadc/cred/client/Main.java
SERVICE_ID = "ivo://oats.inaf.it/cred" should be configurable

Proposed patch: to add a constructor to initialize the string and add the string initialiaztion to the main method also:

//public static final String SERVICE_ID = "ivo://oats.inaf.it/cred";
public static String SERVICE_ID;

public Main() {
    LocalAuthority localAuthority = new LocalAuthority();       
    URI serviceURI = localAuthority.getServiceURI(Standards.CRED_DELEGATE_10.toString());
    SERVICE_ID = serviceURI.toString();


}

/**
 * Main class for accessing CDP
 * 
 * @param args
 */
public static void main(String[] args)
{
    LocalAuthority localAuthority = new LocalAuthority();       
    URI serviceURI = localAuthority.getServiceURI(Standards.CRED_DELEGATE_10.toString());
    SERVICE_ID = serviceURI.toString();

In file
cdp/cadc-cert-gen/src/main/java/ca/nrc/cadc/cert/AbstractCertGenAction.java
The string CRED_SERVICE_ID should be configurable.
Proposed patch:
add a constructor where initialize the string. Not clear to me if the initialization should be added in init() method also.

//public static final URI CRED_SERVICE_ID = URI.create("ivo://cadc.nrc.ca/cred");
public static URI CRED_SERVICE_ID;

protected int expiring;
protected String userid;

public AbstractCertGenAction() {

    LocalAuthority localAuthority = new LocalAuthority();       
    CRED_SERVICE_ID = localAuthority.getServiceURI(Standards.CRED_DELEGATE_10.toString());

}


public boolean init(final ArgumentMap argMap) throws IOException
{
    LocalAuthority localAuthority = new LocalAuthority();       
    CRED_SERVICE_ID = localAuthority.getServiceURI(Standards.CRED_DELEGATE_10.toString());

It would be useful if one could specify an alternate location in which CredUtil.java would look for the privileged client certificate. Currently, it either in JNDI or in $HOME/.ssl/cadcproxy.pem.