HTTP-TPC failing with Certificates do not conform to algorithm constraints #7927

@vokac

Description

Why do dCache HTTP-TPC transfers fail with "Certificates do not conform to algorithm constraints"? How can I get more details about what exactly went wrong?

export SRC=https://tech-gftp.hep.technion.ac.il:8443/atlas/atlasscratchdisk/SAM/1M
export DST=https://dcache.farm.particle.cz/atlas/atlasscratchdisk/x
export TSRC=$(curl --silent --cert /tmp/x509up_u$(id -u) --key /tmp/x509up_u$(id -u) --cacert /tmp/x509up_u$(id -u) --capath /etc/grid-security/certificates -X POST -H 'Content-Type: application/macaroon-request' -d '{"caveats": ["activity:DOWNLOAD"], "validity": "PT30M"}' "$SRC" | jq -r '.macaroon')
export TDST=$(curl --silent --cert /tmp/x509up_u$(id -u) --key /tmp/x509up_u$(id -u) --cacert /tmp/x509up_u$(id -u) --capath /etc/grid-security/certificates -X POST -H 'Content-Type: application/macaroon-request' -d '{"caveats": ["activity:UPLOAD,DELETE,LIST,MANAGE"], "validity": "PT30M"}' "$DST" | jq -r '.macaroon')

curl -v --capath /etc/grid-security/certificates -X COPY -H 'Credential: none' -H "Authorization: Bearer $TDST" -H "TransferHeaderAuthorization: Bearer $TSRC" -H "Source: $SRC" "$DST"
*   Trying 2001:718:401:6025:1:0:1:80:443...
* Connected to dcache.farm.particle.cz (2001:718:401:6025:1:0:1:80) port 443 (#0)
...
> COPY /atlas/atlasscratchdisk/x HTTP/1.1
> Host: dcache.farm.particle.cz
> User-Agent: curl/7.76.1
> Accept: */*
> Credential: none
> Authorization: Bearer ...
> TransferHeaderAuthorization: Bearer ...
> Source: https://tech-gftp.hep.technion.ac.il:8443/atlas/atlasscratchdisk/SAM/1M
> 
...
< HTTP/1.1 202 Accepted
< Date: Wed, 29 Oct 2025 06:33:41 GMT
< Server: dCache/11.0.7
< Content-Type: text/perf-marker-stream
< Transfer-Encoding: chunked
< 
...
failure: Certificates do not conform to algorithm constraints

This error comes from dCache 11.0.7 running on AlmaLinux 9 with the DEFAULT crypto policy. If I change the crypto policy to DEFAULT:SHA1, then the transfer succeeds. The certificate chain provided by tech-gftp.hep.technion.ac.il:8443 comes with one "unnecessary" non-IGTF Root CA from AAA Certificate Services, but considering the included CaNL-java version 2.8.3, this one should be ignored.

echo | openssl s_client -CApath /home/vokac/storage/canl-java-test/certificates -connect tech-gftp.hep.technion.ac.il:8443 -showcerts
Connecting to 2001:bf8:900:d:2::71
CONNECTED(00000003)
depth=2 C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
verify return:1
depth=1 C=NL, O=GEANT Vereniging, CN=GEANT eScience SSL CA 4
verify return:1
depth=0 DC=org, DC=terena, DC=tcs, C=IL, ST=Haifa, O=Technion Israel Institute of Technology, CN=tech-gftp.hep.technion.ac.il
verify return:1
---
Certificate chain
 0 s:DC=org, DC=terena, DC=tcs, C=IL, ST=Haifa, O=Technion Israel Institute of Technology, CN=tech-gftp.hep.technion.ac.il
   i:C=NL, O=GEANT Vereniging, CN=GEANT eScience SSL CA 4
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
   v:NotBefore: Dec 17 00:00:00 2024 GMT; NotAfter: Dec 17 23:59:59 2025 GMT
 1 s:C=NL, O=GEANT Vereniging, CN=GEANT eScience SSL CA 4
   i:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
   v:NotBefore: Feb 18 00:00:00 2020 GMT; NotAfter: May  1 23:59:59 2033 GMT
 2 s:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
   i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar 12 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
 3 s:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
   i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
   v:NotBefore: Jan  1 00:00:00 2004 GMT; NotAfter: Dec 31 23:59:59 2028 GMT

I don't understand where this dCache error "Certificates do not conform to algorithm constraints" comes from; it is probably raised by the following Bouncy Castle code

https://github.com/bcgit/bc-java/blob/b0c629c9b824818a1e16025dcf923d0bc1d74eae/tls/src/main/java/org/bouncycastle/jsse/provider/ImportX509TrustManager_5.java#L114

but I'm not able to reproduce this error using a simple CaNL client

import eu.emi.security.authn.x509.impl.OpensslCertChainValidator;
import eu.emi.security.authn.x509.impl.ValidatorParams;
import eu.emi.security.authn.x509.helpers.ssl.SSLTrustManager;
import eu.emi.security.authn.x509.NamespaceCheckingMode;
import eu.emi.security.authn.x509.OCSPParametes;
import eu.emi.security.authn.x509.OCSPCheckingMode;
import eu.emi.security.authn.x509.RevocationParameters;
import eu.emi.security.authn.x509.CrlCheckingMode;
import eu.emi.security.authn.x509.ProxySupport;
import eu.emi.security.authn.x509.StoreUpdateListener;
import eu.emi.security.authn.x509.ValidationError;
import eu.emi.security.authn.x509.ValidationResult;
import eu.emi.security.authn.x509.X509CertChainValidator;

import javax.net.ssl.*;
import javax.net.ssl.X509TrustManager;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.nio.file.Path;
import java.nio.file.Paths;

public class CanlSSLClient {
    private static class LoggingTrustManager extends SSLTrustManager {
        public LoggingTrustManager(X509CertChainValidator validator) {
            super(validator);
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            System.out.println("Validating server certificate chain: " + authType);
            for (X509Certificate cert : chain) {
                System.out.println(" - Subject: " + cert.getSubjectX500Principal());
                System.out.println(" - Issuer: " + cert.getIssuerX500Principal());
            }
            super.checkServerTrusted(chain, authType);
            System.out.println("Server certificate validation passed.");
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            System.out.println("Validating client certificate chain: " + authType);
            super.checkClientTrusted(chain, authType);
            System.out.println("Client certificate validation passed.");
        }
    }
    private static X509TrustManager buildTrustManager(Path path) {
        var namespaceMode = NamespaceCheckingMode.EUGRIDPMA_AND_GLOBUS_REQUIRE;
        var ocspParameters = new OCSPParametes(OCSPCheckingMode.IGNORE);
        var revocationParams = new RevocationParameters(CrlCheckingMode.REQUIRE, ocspParameters);
        var validatorParams = new ValidatorParams(revocationParams, ProxySupport.ALLOW);
        long updateInterval = 60000;
        var validator = new OpensslCertChainValidator(path.toString(), true, namespaceMode, updateInterval, validatorParams, false);
        validator.addUpdateListener(new StoreUpdateListener() {
            @Override
            public void loadingNotification(String location, String type, Severity level, Exception cause) {
                System.out.println("loading: " + location + " (type " + type + ", level " + level + ", " + cause + ")");
            }
        });
        validator.addValidationListener((ValidationError error) -> {
            System.out.println("validation error: " + error);
            return false;
        });
        //return new SSLTrustManager(validator);
        return new LoggingTrustManager(validator);
    }
    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.out.println("Usage: java CanlSSLClient <keystore.p12> <keystorePassword> <trustedCaPath> <host> [port] [path]");
            return;
        }

        String keystorePath = args[0];
        String keystorePassword = args[1];
        String trustedCaPath = args[2];
        String host = args[3];
        int port = args.length > 4 ? Integer.parseInt(args[4]) : 443;
        String path = args.length > 5 ? args[5] : "/";

        // Load PKCS#12 keystore (try-with-resources closes the file stream)
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream keyStoreStream = new FileInputStream(keystorePath)) {
            keyStore.load(keyStoreStream, keystorePassword.toCharArray());
        }

        // Create KeyManager from keystore
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(keyStore, keystorePassword.toCharArray());

        // Create TrustManager
        X509TrustManager trustManager = buildTrustManager(Paths.get(trustedCaPath));

        // Create SSL context
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(kmf.getKeyManagers(), new TrustManager[]{trustManager}, null);

        // Create socket and connect
        SSLSocketFactory factory = sslContext.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.startHandshake();

        // Send request
        OutputStream out = socket.getOutputStream();
        out.write(("GET " + path + " HTTP/1.1\r\nHost: " + host + "\r\n\r\n").getBytes());
        out.flush();

        // Read the first part of the response; read() returns -1 on EOF
        InputStream in = socket.getInputStream();
        byte[] buffer = new byte[4096];
        int bytesRead = in.read(buffer);
        if (bytesRead > 0) {
            System.out.println(new String(buffer, 0, bytesRead));
        }

        socket.close();
    }
}

How can I test exactly what dCache is doing during HTTP-TPC? This code works:

openssl pkcs12 -export  -in client-cert.pem -inkey client-key.pem -out client-keystore.p12 -name client -password pass:changeit
javac -cp .:canl-2.8.3.jar CanlSSLClient.java
java -cp .:canl-2.8.3.jar:bcpkix-jdk18on-1.78.jar:bcprov-jdk18on-1.78.jar:bcutil-jdk18on-1.78.jar:commons-io-2.15.1.jar CanlSSLClient client-keystore.p12 changeit /etc/grid-security/certificates tech-gftp.hep.technion.ac.il 8443 /atlas/atlasscratchdisk/SAM/1M

Validating server certificate chain: UNKNOWN
 - Subject: CN=tech-gftp.hep.technion.ac.il, O=Technion Israel Institute of Technology, ST=Haifa, C=IL, DC=tcs, DC=terena, DC=org
 - Issuer: CN=GEANT eScience SSL CA 4, O=GEANT Vereniging, C=NL
 - Subject: CN=GEANT eScience SSL CA 4, O=GEANT Vereniging, C=NL
 - Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
 - Subject: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
 - Issuer: CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
 - Subject: CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
 - Issuer: CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
Server certificate validation passed.
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=node01ns2o3p1923pjy7v3y1mo0lxh20754.node0; Path=/; Secure
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Digest: adler32=f00001
Last-Modified: Mon, 13 May 2024 22:14:46 GMT
Accept-Ranges: bytes
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
Transfer-Encoding: chunked

100000
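The question above asks how to see which element of the presented chain trips the algorithm constraints. As an added example (not code from the issue, dCache, CaNL or Bouncy Castle), here is a wrapper trust manager that, when the wrapped check fails, rethrows the exception with a per-certificate report appended: signature algorithm, whether the certificate is self-signed (i.e. a trust anchor the server sent along), and a heuristic match against the JDK's jdk.certpath.disabledAlgorithms property. The class name and the token-matching heuristic are assumptions; it plugs in as new AlgorithmConstraintReporter(buildTrustManager(...)) in a client like the one above.

```java
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.X509TrustManager;
/** Wraps any X509TrustManager; a failed check is rethrown with a per-certificate report. */
public class AlgorithmConstraintReporter implements X509TrustManager {
    private final X509TrustManager delegate;
    public AlgorithmConstraintReporter(X509TrustManager delegate) { this.delegate = delegate; }
    /** Heuristic (an assumption, not the JDK's own matcher): a certificate is flagged when a
     *  leading token of jdk.certpath.disabledAlgorithms (e.g. "SHA1") occurs in its signature
     *  algorithm name ("SHA1withRSA"). keySize rules and usage/jdkCA qualifiers are ignored. */
    static List<String> flaggedAlgorithms(X509Certificate cert) {
        List<String> hits = new ArrayList<>();
        String prop = Security.getProperty("jdk.certpath.disabledAlgorithms");
        if (prop == null) return hits;
        String sigAlg = cert.getSigAlgName().toUpperCase(Locale.ROOT);
        for (String entry : prop.split(",")) {
            String token = entry.trim().split("\\s+")[0].toUpperCase(Locale.ROOT);
            if (!token.isEmpty() && !entry.contains("keySize") && sigAlg.contains(token)) hits.add(token);
        }
        return hits;
    }
    static boolean isSelfSigned(X509Certificate c) {
        return c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
    }
    /** One line per chain element; self-signed=true marks an anchor a path validator need not verify. */
    static String describe(X509Certificate[] chain) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < chain.length; i++) {
            sb.append(String.format("[%d] %s%n    sigalg=%s self-signed=%b flagged=%s%n", i,
                chain[i].getSubjectX500Principal(), chain[i].getSigAlgName(),
                isSelfSigned(chain[i]), flaggedAlgorithms(chain[i])));
        }
        return sb.toString();
    }
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            delegate.checkServerTrusted(chain, authType);
        } catch (CertificateException e) {
            // Keep the original cause; the report tells which element was rejected and why.
            throw new CertificateException(e.getMessage() + System.lineSeparator() + describe(chain), e);
        }
    }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { delegate.checkClientTrusted(chain, authType); }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
}
```

Whether the self-signed SHA1 root is part of the chain handed to the constraint check is exactly what the self-signed column makes visible; the wrapper only reports and does not alter the chain or the verdict.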

Labels: enhancement (A request that enhances existing behaviour)