'grid-proxy-verify' utility
On this page you will find the 'grid-proxy-verify' utility, a command that I sometimes
sorely miss in the Globus grid middleware toolkit.
This utility
- is written in C.
- checks the permissions of the proxy file (something which the Globus
tools are a bit picky about...)
- verifies the entire certificate chain, and matches the public and private
keys of the first (proxy) certificate in the chain.
- uses only openssl calls to verify the validity of a proxy.
When compiled against openssl 0.9.8, the openssl proxy
validation routines are used (X509_V_FLAG_ALLOW_PROXY_CERTS).
This tool was compiled and tested against openssl 0.9.7 and 0.9.8.
- uses none of the Globus toolkit itself.
The source can be found here and can be compiled using

    gcc -o grid-proxy-verify grid-proxy-verify.c -lssl -lcrypto

or more generally

    gcc -o grid-proxy-verify grid-proxy-verify.c \
        -I<OPENSSL-INCLUDE> -L<OPENSSL-LIB> -lssl -lcrypto
Usage
Usage is as follows:
# ./grid-proxy-verify --help
grid-proxy-verify
Usage:
grid-proxy-verify [-h|--help] [-d|--debug] [-q||--quiet] [-v|--version] [proxy]
Repeat -d/--debug multiple times to get more debugging output.
If no proxy is specified then /tmp/x509up_u`id -u` is used.
To verify the validity of the proxy a trusted CA directory is necessary.
The 'grid-proxy-verify' tool tries these (in order):
- $X509_CERT_DIR
- /etc/grid-security/certificates/
- $HOME/.globus/certificates/
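The pre-flight checks described above (default proxy path, file permissions, CA directory search order), written out as an added example; this is not code from grid-proxy-verify.c. The permission policy (regular file, owned by the caller, no group/other bits), the "first existing directory wins" rule, the return codes and all function names are assumptions.

```c
#define _XOPEN_SOURCE 700   /* lstat() under strict -std= modes */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Default proxy location from the usage text: /tmp/x509up_u<uid>. */
int default_proxy_path(char *buf, size_t len, uid_t uid)
{
    int n = snprintf(buf, len, "/tmp/x509up_u%lu", (unsigned long)uid);
    return (n > 0 && (size_t)n < len) ? 0 : -1;   /* -1: buffer too small */
}

/* Assumed policy (not taken from grid-proxy-verify.c): regular file, owned by
 * `owner`, no group/other permission bits. Returns 0 or the failed check. */
int check_proxy_perms(const char *path, uid_t owner)
{
    struct stat st;
    if (lstat(path, &st) != 0)            return -1; /* missing or inaccessible */
    if (!S_ISREG(st.st_mode))             return -2; /* symlink, directory, ... */
    if (st.st_uid != owner)               return -3; /* someone else's file */
    if (st.st_mode & (S_IRWXG | S_IRWXO)) return -4; /* group/other can access */
    return 0;
}

static int is_dir(const char *p) { struct stat st; return p && stat(p, &st) == 0 && S_ISDIR(st.st_mode); }

/* CA directories in the order the page lists them; returns NULL if none exists. */
const char *find_ca_dir(char *buf, size_t len)
{
    static const char sys_dir[] = "/etc/grid-security/certificates/";
    const char *env = getenv("X509_CERT_DIR"), *home = getenv("HOME");
    if (is_dir(env)) return env;
    if (is_dir(sys_dir)) return sys_dir;
    if (home && snprintf(buf, len, "%s/.globus/certificates/", home) < (int)len && is_dir(buf))
        return buf;
    return NULL;
}

int main(int argc, char **argv)
{
    char proxy[64], ca[4096];
    if (default_proxy_path(proxy, sizeof proxy, getuid()) != 0) return 2;
    const char *path = argc > 1 ? argv[1] : proxy, *cadir = find_ca_dir(ca, sizeof ca);
    int rc = check_proxy_perms(path, getuid());
    printf("proxy %s: permissions %s (%d); CA dir: %s\n", path,
           rc ? "REJECTED" : "ok", rc, cadir ? cadir : "none found");
    return rc ? 1 : 0;
}
```

lstat() is used rather than stat() so that a symbolic link placed at the proxy path is rejected instead of followed.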
Changelog
1.0 Original version
1.3 Fix bug: limited proxies from limited proxies are allowed.
Regular proxies from limited proxies are not.
1.4 Check serial numbers for old style proxies.
1.5 Fix warning on expired proxies.
1.7 Fix for limited-proxies derived from old proxies on RHEL5.
1.11 valgrind+pedantic clean version; added --version option.
This tool was tested on CentOS 3/4/5 32bit and 64bit, Fedora Core 5 and
Windows XP using Cygwin. YMMV. Use at your own risk.
How to generate proxy certificates
The genproxy script can be used to generate a globus-style
proxy. This script
- is written as a bash shell script
- uses only openssl commands to generate a proxy.
- requires openssl 0.9.8 to be installed in order to generate the new
RFC3820 style proxy certificates.
- Uses none of the Globus toolkit itself.
Usage is as follows:
./genproxy --help
genproxy version 1.0
This script will generate a X509 grid proxy pretty much like globus' grid-proxy-init
Options
[--help] Displays usage.
[--version] Displays version.
[--debug] Enables extra debug output.
[--quiet] Quiet mode, minimal output.
[--limited] Creates a limited globus proxy.
[--old] Creates a legacy globus proxy (default).
[--gt3] Creates a pre-RFC3820 compliant proxy.
[--rfc] Creates a RFC3820 compliant proxy.
[--days=N] Number of days the proxy is valid (default=1).
[--path-length=N] Allow a chain of at most N proxies to be generated
from this one (default=2).
[--bits=N] Number of bits in key (512, 1024, 2048, default=512).
[--cert=certfile] Non-standard location of user certificate.
[--key=keyfile] Non-standard location of user key.
[--out=proxyfile] Non-standard location of new proxy cert.
This script was tested on CentOS 3 and 4, Fedora Core 5 and Windows XP using Cygwin.
YMMV. Use at your own risk.
Share and enjoy....
Comments to Jan Just Keijser