NAME
       lcmaps_verify_proxy.mod - LCMAPS plugin to verify a certificate chain
       including proxies


SYNOPSIS
       [--allow-limited-proxy] [-certdir|-cadir|-capath|--capath
       <certificate_directory>] [--disallow-limited-proxy]
       [--discard_private_key_absence]
       [--max-proxy-level-ttl=<level>|--max-proxy-level-ttl@<level> <timeperiod>]
       [--max-voms-ttl <timeperiod>] [--never_discard_private_key_absence]
       [--only-enforce-lifetime-checks]

DESCRIPTION
       This plug-in tests whether the presented proxy certificate is authentic.
       It uses OpenSSL methods to verify the certificate chain and checks that
       the End-Entity Certificate (EEC) has not been revoked, using CRLs or
       OCSP(*). In an lcmaps.db(5) file it is advised to run this plug-in as
       the first plug-in, and to fail the policy when it fails unless there is
       another way of verifying the input credentials.

       Additionally, this plug-in can impose other policies, such as proxy and
       VOMS lifetime restrictions, or require that the certificate chain is
       offered in a certain way, e.g. by offering a limited proxy or
       (optionally) without a private key.

       The plug-in takes its input from the LCMAPS framework. The certificate
       chain is taken from the registered (derived) STACK_OF(X509) * and the
       private key (when available) from the registered PEM string.

       The certificate chain is checked and verified by OpenSSL; in addition
       to those checks, this plug-in also performs semantic checks on the
       certificate chain based on how GT2, GT3 and RFC 3820 proxy
       certificates are to be constructed and used.

OPTIONS
       --allow-limited-proxy
              When enabled, allow the certificate chain to contain a limited
              proxy certificate.  GT2, GT3 and RFC limited proxies are treated
              as equal.

       -certdir | -cadir | -capath | --capath <certificate_directory>
              This option sets the directory used to find the CA certificates,
              CRLs and other files used in the verification process of the
              presented certificate chain.  This option is ignored when
              --only-enforce-lifetime-checks is set.  When unset, the value of
              $X509_CERT_DIR is used; when that is also unset,
              /etc/grid-security/certificates is used.

       --disallow-limited-proxy
              When enabled, all uses of limited proxies are prohibited and
              treated as a failure condition. GT2, GT3 and RFC limited proxies
              are treated as equal.

       --discard_private_key_absence
              When enabled, the plug-in's verification process will not fail on
              the absence of the private key. Having a private key to present
              is part of the proof of possession of the certificate chain and
              its delegations, and therefore a fundamental part of the user
              credentials. Discarding the private key check is useful in cases
              where another process has already established trust in the user
              credentials by performing the private key proof-of-possession
              steps.  Example: this feature can be enabled in deployments
              where gLExec is part of the CREAM CE; the CREAM CE's SSL
              handshake ensures that fully verified credentials get passed
              down.  Counter example: this feature is not enabled in a
              gLExec-on-the-WN deployment, as gLExec needs to ensure that
              the pilot-job payload credentials are fully verified before
              account mapping occurs.

       --max-proxy-level-ttl=<level> <timeperiod> | --max-proxy-level-ttl@<level> <timeperiod>
              Set a maximum on the allowed validity period of the proxy
              certificate at a specific delegation <level>. The first
              delegation after the EEC certificate is <level> 0. This
              delegation level could be the one used in a MyProxy. A typical
              setting would be 14d-00:00, allowing a MyProxy certificate with
              a validity period of two weeks.

              A special <level> is indicated by an l or L. This is the leaf
              proxy or also known as the final delegation. A safe setting for
              this would be 1d-00:00 to allow a proxy certificate validity
              period of 1 day/24 hours.

              Set the <timeperiod> in the following format:
              [0-99]d-[0-23]:[00-59]. For example 2d-13:37.
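As an added worked example (not code from the LCMAPS plug-in itself), the following C program parses <timeperiod> values in the format above and applies a per-level policy to the validity periods of the proxies in a chain, index 0 being the first delegation after the EEC and the last entry the leaf. It assumes that the leaf must satisfy both its numbered level limit and the l/L limit, uses 0 to mean "no limit configured", and caps numbered levels at 16; those details are assumptions, not taken from this page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LEVELS 16  /* assumed cap on numbered delegation levels */

/* Limits in seconds; 0 means no limit was configured for that level. */
struct ttl_policy {
    long level_max[MAX_LEVELS]; /* delegation <level> 0..15 */
    long leaf_max;              /* leaf proxy, <level> l or L */
};

/* Parse a <timeperiod> "[0-99]d-[0-23]:[00-59]", e.g. "2d-13:37", into
 * seconds. Returns -1 when the string is malformed or out of range. */
long parse_timeperiod(const char *s)
{
    unsigned d, h, m;
    char extra;                               /* set only if junk follows */
    if (s[0] < '0' || s[0] > '9') return -1;  /* sscanf would accept a sign */
    if (sscanf(s, "%2ud-%2u:%2u%c", &d, &h, &m, &extra) != 3) return -1;
    if (d > 99 || h > 23 || m > 59) return -1;
    return (long)d * 86400 + (long)h * 3600 + (long)m * 60;
}

/* Apply one "--max-proxy-level-ttl=<level> <timeperiod>" setting; <level>
 * is "0".."15" or "l"/"L" for the leaf proxy. Returns 0 on success. */
int policy_set(struct ttl_policy *p, const char *level, const char *period)
{
    long secs = parse_timeperiod(period), lv;
    char *end;
    if (secs <= 0) return -1;                 /* "0d-00:00" is not a usable limit */
    if (!strcmp(level, "l") || !strcmp(level, "L")) { p->leaf_max = secs; return 0; }
    lv = strtol(level, &end, 10);
    if (*level == '\0' || *end != '\0' || lv < 0 || lv >= MAX_LEVELS) return -1;
    p->level_max[lv] = secs;
    return 0;
}

/* ttl[i] is the validity period (seconds) of proxy i: index 0 is the first
 * delegation after the EEC, index n-1 the leaf. The leaf must satisfy both its
 * level limit and the leaf limit (an assumption about how the settings combine).
 * Returns the index of the first proxy over its limit, or -1 if all pass. */
int check_chain(const struct ttl_policy *p, const long *ttl, int n)
{
    for (int i = 0; i < n; i++) {
        if (i < MAX_LEVELS && p->level_max[i] > 0 && ttl[i] > p->level_max[i]) return i;
        if (i == n - 1 && p->leaf_max > 0 && ttl[i] > p->leaf_max) return i;
    }
    return -1;
}
```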

       --max-voms-ttl <timeperiod>
              Set a maximum on the allowed validity period of the VOMS
              credentials (when present). Using VOMS credentials with a
              validity period longer than the set <timeperiod> will result in a

       --never_discard_private_key_absence
              This setting overrides the option --discard_private_key_absence
              and the environment variable
              $VERIFY_PROXY_DISCARD_PRIVATE_KEY_ABSENCE, which has the same
              effect as that option.

       --only-enforce-lifetime-checks
              When enabled, this option bypasses all verification steps and
              only performs the lifetime checks configured by
              --max-proxy-level-ttl and/or --max-voms-ttl. This option is
              ideal for use in a Globus Gatekeeper, GridFTPd and/or
              GSI-OpenSSHd deployment.

              Explicitly require the certificate chain to have a limited proxy
              as a final delegation. The plug-in will fail if the certificate
              chain does not have a limited proxy.

       (*) OCSP is not functional and will be added when either the
       CA/Browser Forum or the IGTF publishes a clear profile.

       Please report any errors to the Nikhef Grid Middleware Security Team.

SEE ALSO
       lcmaps.db(5), lcmaps(3).

AUTHORS
       LCMAPS and the LCMAPS plug-ins were written by the Grid Middleware
       Security Team <>.

LCMAPS plugins verify proxy 1.5     October 31, 2012     LCMAPS_VERIFY_PROXY.MOD(8)