An exception when transferring files between some grid providers. #102
Description
My initial attempt was to transfer files between trestles and stampede. While trying to do this I got exception in [1].
File transfer is successful when I try to transfer files between two locations in trestles. But not between trestles and stampede.
Further debugging the issue we sought out that hash codes generated by Java and openssl is different. Further we figured out this behavior is common to in multiple signing_policy files.
Some of the files are;
e5cc84c2.signing_policy
ef300431.signing_policy
01b5d333.signing_policy
081fefd0.signing_policy
In following I am pasting some code I used for testing;
public void testCertFileRead() throws Exception {
GlobusResource globusResource1 = new GlobusResource("/Users/thejaka/development/apache/airavata/sandbox/grid-tools/gridftp-client/certificates/e5cc84c2.signing_policy");
GlobusResource globusResource2 = new GlobusResource("/Users/thejaka/development/apache/airavata/sandbox/grid-tools/gridftp-client/certificates/ffc3d59b.signing_policy");
GlobusResource globusResource3 = new GlobusResource("/Users/thejaka/development/apache/airavata/sandbox/grid-tools/gridftp-client/certificates/ef300431.signing_policy");
GlobusResource globusResource4 = new GlobusResource("/Users/thejaka/development/apache/airavata/sandbox/grid-tools/gridftp-client/certificates/01b5d333.signing_policy");
GlobusResource globusResource5 = new GlobusResource("/Users/thejaka/development/apache/airavata/sandbox/grid-tools/gridftp-client/certificates/081fefd0.signing_policy");
//ResourceSigningPolicy resourceSigningPolicy = new ResourceSigningPolicy(globusResource);
Assert.assertEquals(getHash(globusResource1), "e5cc84c2");
Assert.assertEquals(getHash(globusResource2), "ffc3d59b");
Assert.assertEquals(getHash(globusResource3), "ef300431");
Assert.assertEquals(getHash(globusResource4), "01b5d333");
Assert.assertEquals(getHash(globusResource5), "081fefd0");
}
private String getHash(GlobusResource globusResource) throws Exception {
SigningPolicyParser parser = new SigningPolicyParser();
Reader reader = new InputStreamReader(globusResource.getInputStream());
Map<X500Principal, SigningPolicy> policies = parser.parse(reader);
X500Principal principal = policies.keySet().iterator().next();
System.out.println(principal.getName());
return CertificateIOUtil.nameHash(principal);
}
Further debugging we figured out the encoding value returned by the certificate and the X500Principal (built using xxxx..signing_policy) is different.
For '/DC=EDU/DC=UTEXAS/DC=TACC/O=UT-AUSTIN/CN=TACC Classic CA' we see following encoding values.
From certificate -
[48,113,49,19,48,17,6,10,9,-110,38,-119,-109,-14,44,100,1,25,<<19>>,3,69,68,85,49,22,48,20,6,10,9,-110,38,-119,-109,-14,44,100,1,25,19,6,85,84,69,88,65,83,49,20,48,18,6,10,9,-110,38,-119,-109,-14,44,100,1,25,19,4,84,65,67,67,49,18,48,16,6,3,85,4,10,19,9,85,84,45,65,85,83,84,73,78,49,24,48,22,6,3,85,4,3,19,15,84,65,67,67,32,67,108,97,115,115,105,99,32,67,65]
From X500Principal -
[48,113,49,19,48,17,6,10,9,-110,38,-119,-109,-14,44,100,1,25,<<22>>,3,69,68,85,49,22,48,20,6,10,9,-110,38,-119,-109,-14,44,100,1,25,22,6,85,84,69,88,65,83,49,20,48,18,6,10,9,-110,38,-119,-109,-14,44,100,1,25,22,4,84,65,67,67,49,18,48,16,6,3,85,4,10,19,9,85,84,45,65,85,83,84,73,78,49,24,48,22,6,3,85,4,3,19,15,84,65,67,67,32,67,108,97,115,115,105,99,32,67,65]
Notice the 19th location. (19 and 22). There are few more differences like that. Therefore hash values generated are different.
Thanks
Amila
[1]
testTransferData(org.apache.airavata.filetransfer.FileTransferTest) Time elapsed: 1.232 sec <<< ERROR!
java.lang.Exception: Cannot transfer file from GridFTP:gsiftp://trestles-dm.sdsc.xsede.org:2811//oasis/projects/nsf/sds128/ogce/file-transfer-tests/source/sample_wrfout.netcdf to gsiftp://gridftp.stampede.tacc.utexas.edu:2811//scratch/01437/ogce/file-transfer-tests/dest/xx
at org.apache.airavata.filetransfer.utils.GridFtp.transfer(GridFtp.java:356)
at org.apache.airavata.filetransfer.FileTransfer.transferData(FileTransfer.java:42)
at org.apache.airavata.filetransfer.FileTransferTest.testTransferData(FileTransferTest.java:95)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at junit.framework.TestCase.runTest(TestCase.java:168)
at junit.framework.TestCase.runBare(TestCase.java:134)
at junit.framework.TestResult$1.protect(TestResult.java:110)
at junit.framework.TestResult.runProtected(TestResult.java:128)
at junit.framework.TestResult.run(TestResult.java:113)
at junit.framework.TestCase.run(TestCase.java:124)
at junit.framework.TestSuite.runTest(TestSuite.java:232)
at junit.framework.TestSuite.run(TestSuite.java:227)
at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:83)
at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:236)
at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:134)
at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:113)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(ReflectionUtils.java:189)
at org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(ProviderFactory.java:165)
at org.apache.maven.surefire.booter.ProviderFactory.invokeProvider(ProviderFactory.java:85)
at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:103)
at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:74)
Caused by: org.globus.common.ChainedIOException: Authentication failed [Caused by: Path validation failed. No signing policy for CN=TACC Classic CA, O=UT-AUSTIN, DC=TACC, DC=UTEXAS, DC=EDU]
at org.globus.ftp.extended.GridFTPControlChannel.authenticate(GridFTPControlChannel.java:221)
at org.globus.ftp.GridFTPClient.authenticate(GridFTPClient.java:127)
at org.globus.ftp.GridFTPClient.authenticate(GridFTPClient.java:103)
at org.apache.airavata.filetransfer.utils.GridFtp.transfer(GridFtp.java:322)
... 27 more
Caused by: GSSException: Path validation failed. No signing policy for CN=TACC Classic CA, O=UT-AUSTIN, DC=TACC, DC=UTEXAS, DC=EDU
at org.globus.gsi.gssapi.GlobusGSSContextImpl.initSecContext(GlobusGSSContextImpl.java:1148)
at org.globus.ftp.extended.GridFTPControlChannel.authenticate(GridFTPControlChannel.java:209)
... 30 more
Caused by: GSSException: Path validation failed. No signing policy for CN=TACC Classic CA, O=UT-AUSTIN, DC=TACC, DC=UTEXAS, DC=EDU
at org.globus.gsi.gssapi.GlobusGSSContextImpl.sslProcessHandshake(GlobusGSSContextImpl.java:933)
at org.globus.gsi.gssapi.GlobusGSSContextImpl.initSecContext(GlobusGSSContextImpl.java:1061)
... 31 more
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:1015)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:485)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1108)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1080)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:452)
at org.globus.gsi.gssapi.GlobusGSSContextImpl.sslProcessHandshake(GlobusGSSContextImpl.java:864)
... 32 more
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1508)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:243)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1209)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:135)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:533)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:952)
at org.globus.gsi.gssapi.GlobusGSSContextImpl.runDelegatedTasks(GlobusGSSContextImpl.java:412)
at org.globus.gsi.gssapi.GlobusGSSContextImpl.sslProcessHandshake(GlobusGSSContextImpl.java:902)
... 32 more
Caused by: java.security.cert.CertificateException: Path validation failed. No signing policy for CN=TACC Classic CA, O=UT-AUSTIN, DC=TACC, DC=UTEXAS, DC=EDU
at org.globus.gsi.trustmanager.PKITrustManager.checkServerTrusted(PKITrustManager.java:115)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1201)
... 39 more
Caused by: java.security.cert.CertPathValidatorException: No signing policy for CN=TACC Classic CA, O=UT-AUSTIN, DC=TACC, DC=UTEXAS, DC=EDU
at org.globus.gsi.trustmanager.SigningPolicyChecker.invoke(SigningPolicyChecker.java:61)
at org.globus.gsi.trustmanager.X509ProxyCertPathValidator.checkCertificate(X509ProxyCertPathValidator.java:466)
at org.globus.gsi.trustmanager.X509ProxyCertPathValidator.validate(X509ProxyCertPathValidator.java:172)
at org.globus.gsi.trustmanager.X509ProxyCertPathValidator.engineValidate(X509ProxyCertPathValidator.java:111)
at org.globus.gsi.trustmanager.PKITrustManager.checkServerTrusted(PKITrustManager.java:113)
... 40 more