
add handling of hex escapes to signing_policy subject names

Ievgen Sliusar requested to merge slu/arc:signing_policy_fix into next

Certificate of https://cern.ch has non-ASCII characters in its DN. www-cern-ch.pem

In order to allow accessing CERN web-sites when using ARC in 'grid' mode, a signing_policy file should be created accordingly. CERN sites all use one wildcard certificate, the DN of which should be included in the policy.

Using Globus guidelines, the following signing_policy should work:

```
# Format:
#------------------------------------------------------------------------
#  token type  | def.authority |                value
#--------------|---------------|-----------------------------------------
# EACL entry #1|

access_id_CA      X509      '/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Organization Validation Secure Server CA'
pos_rights        globus    CA:sign
cond_subjects     globus   '"/C=CH/ST=Gen\xC3\xA8ve/O=CERN Organisation Europ\xC3\xA9enne pour la Recherche Nucl\xC3\xA9aire/CN=www.cern.ch"'

# end of EACL
```

But it does not, because ARC does not handle escaped hex characters properly. The fix is provided in this merge request as well as an update to unit tests.
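As an added illustration (not the code from this merge request or from ARC), the sketch below shows one way to decode `\xHH` escapes in a `cond_subjects` value so that it compares equal to a UTF-8 subject DN. The function names and the exact-match rule are assumptions made for the example; `*` wildcard patterns are not handled.

```cpp
// Added example, not ARC's implementation; all names are hypothetical.
#include <cctype>
#include <string>
#include <vector>

// Turn each "\xHH" into the byte it names. A backslash that does not start
// a complete escape (bad digit, truncated input) is copied through as-is.
std::string decode_hex_escapes(const std::string& in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        bool esc = in[i] == '\\' && i + 3 < in.size() && in[i + 1] == 'x' &&
                   std::isxdigit(static_cast<unsigned char>(in[i + 2])) &&
                   std::isxdigit(static_cast<unsigned char>(in[i + 3]));
        if (esc) {  // exactly two digits, so "\xA9e" is byte A9 then 'e'
            out += static_cast<char>(std::stoi(in.substr(i + 2, 2), nullptr, 16));
            i += 3;
        } else {
            out += in[i];
        }
    }
    return out;
}

// Split a cond_subjects value ('"dn1" "dn2"') into its subjects. Splitting
// happens before decoding, so an escaped quote (\x22) cannot end an entry.
std::vector<std::string> policy_subjects(const std::string& value) {
    std::vector<std::string> subjects;
    std::size_t open = value.find('"');
    while (open != std::string::npos) {
        std::size_t close = value.find('"', open + 1);
        if (close == std::string::npos) break;  // unterminated quote: stop
        subjects.push_back(decode_hex_escapes(value.substr(open + 1, close - open - 1)));
        open = value.find('"', close + 1);
    }
    return subjects;
}

// Exact byte-wise match of a certificate subject against the policy entries.
bool subject_allowed(const std::string& value, const std::string& dn) {
    for (const std::string& s : policy_subjects(value))
        if (s == dn) return true;
    return false;
}

// Constructed sample: the cond_subjects value from the policy above, and the
// same DN as UTF-8 bytes (literals split so 'e'/'a' are not read as hex).
const std::string kPolicy = "'\"/C=CH/ST=Gen\\xC3\\xA8ve/O=CERN Organisation Europ\\xC3\\xA9enne pour la Recherche Nucl\\xC3\\xA9aire/CN=www.cern.ch\"'";
const std::string kDn = "/C=CH/ST=Gen\xC3\xA8" "ve/O=CERN Organisation Europ\xC3\xA9" "enne pour la Recherche Nucl\xC3\xA9" "aire/CN=www.cern.ch";

int main() { return subject_allowed(kPolicy, kDn) ? 0 : 1; }
```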
