NAME

       lcmaps_verify_proxy.mod - LCMAPS plugin to verify a certificate chain including proxies

SYNOPSIS

       lcmaps_verify_proxy.mod

       [--allow-limited-proxy] [-certdir|-cadir <certificate_directory>] [--disallow-limited-proxy]
       [--discard_private_key_absence] [--max-proxy-level-ttl=<level>|--max-proxy-level-ttl@<level>
       <timeperiod>] [--max-voms-ttl <timeperiod>] [--never_discard_private_key_absence] [--only-enforce-
       lifetime-checks] [--require-limited-proxy]

DESCRIPTION

       This plugin will test if the presented proxy certificate is authentic. This is done using OpenSSL methods
       to  verify  the certificate chain, check if the End-Entity Certificate is not revoked by checking CRLs or
       OCSP(*). In an lcmaps.db (5) file it is advised to run this plug-in as the first  plug-in  and  fail  the
       policy if there is no other way of verifying the input credentials.

       Additional  this plug-in can impose other policies, like proxy and VOMS life-time restrictions or require
       that the certificate chain is offered in a certain way, e.g. by offering a Limited proxy or  (optionally)
       without a private key.

       The  plug-in  takes  its input from the LCMAPS framework. The certificate chain is coming from the regis‐
       tered (derived) STACK_OF(X509) * and the private key (when available) is taken from  the  registered  PEM
       string credentials.

       A  certificate chain will be checked and verified by OpenSSL, but additionally to these checks this plug-
       in also performs semantic checks on the certificate chain based on how GT2, GT3 and RFC 3820  proxy  cer‐
       tificates are to be constructed and used.

OPTIONS

       --allow-limited-proxy
              When enabled allow the certificate chain to contain a limited proxy certificate.  GT2, GT3 and RFC
              Limited proxies are treated as equal.

       -certdir | -cadir <certificate_directory>
              This  option sets the directory used to find the CA certificates, CRLs and other files used in the
              verification process of the presented certificate chain.  Setting this option is muted by the  op‐
              tion --only-enforce-lifetime-checks.

       --disallow-limited-proxy
              When  enabled  all  uses of limited proxies will be prohibited and treated as a failure condition.
              GT2, GT3 and RFC Limited proxies are treated as equal.

       --discard_private_key_absence
              When enabled the plug-in verification process will not fail on the absence  of  the  private  key.
              Having  a  private  key to present is part of the proof of possession of the certificate chain its
              delegations, therefore a fundamental part of the user  credentials.  Discarding  the  private  key
              check is useful in cases where another process has already establish trust in the user credentials
              by  performing the private key proof of possession steps.  Example: This feature can be enabled in
              deployments where gLExec is part of the CREAM CE. The CREAM CE's SSL handshake is taking  ensuring
              that  fully verified credentials get passed down.  Counter example: This feature is not-enabled on
              a gLExec-on-the-WN deployment, as gLExec will need to ensure that the  pilot-job  payload  creden‐
              tials are fully verified before account mapping should occur.

       --max-proxy-level-ttl=<level> | --max-proxy-level-ttl@<level> <timeperiod>
              Set  a  maximum  to the allowed validity period of the proxy certificate for a specific delegation
              <level>. The first delegation after an EEC certificate is <level> 0. This delegation  level  could
              be used in a MyProxy. A typical setting would be 14d-00:00 to allow for a MyProxy certificate with
              a validity period of two weeks.

              A  special  <level>  is  indicated by an l or L. This is the leaf proxy or also known as the final
              delegation. A safe setting for this would be 1d-00:00 to allow a proxy certificate validity period
              of 1 day/24 hours.

              Set the <timeperiod> in the following format: [0-99]d-[0-23][00-59]. For example 2d-13:37.

       --max-voms-ttl <timeperiod>
              Set a maximum to the allowed validity period of the VOMS credentials (when  present).  Using  VOMS
              credentials with a validity period longer then the set timeperiod> will result in a failure.

       --never_discard_private_key_absence
              This setting will override the option --discard_private_key_absence and option to set the environ‐
              ment variable $VERIFY_PROXY_DISCARD_PRIVATE_KEY_ABSENCE which performs the same behavior.

       --only-enforce-lifetime-checks
              When  enable  this  option  will  bypass all verification steps and will only perform the lifetime
              checks configured by --max-proxy-level-ttl and/or --max-voms-ttl. This option is ideal to be  used
              in a Globus Gatekeeper, GridFTPd and/or GSI-OpenSSHd deployment.

       --require-limited-proxy
              Explicitly  require the certificate chain to have a limited proxy as a final delegation. The plug-
              in will fail if the certificate chain does not have a limited proxy.

RETURN VALUES

       LCMAPS_MOD_SUCCESS
              Success.

       LCMAPS_MOD_FAIL
              Failure.

BUGS

       OCSP is not functional and will be added when either CAB/Forum or the IGTF publish a clear profile.

       Please  report  any  errors  to  the  Nikhef  Grid  Middleware   Security   Team   <grid-mw-security-sup‐
       port@nikhef.nl>.

SEE ALSO

       lcmaps.db(5), lcmaps(3).

AUTHORS

       LCMAPS  and  the  LCMAPS  plug-ins  were  written  by  the Grid Middleware Security Team <grid-mw-securi‐
       ty@nikhef.nl>.

                                                October 31, 2012                      LCMAPS_VERIFY_PROXY.MOD(8)