source: TI12-security/trunk/python/ndg.security.common/ndg/security/common/m2CryptoSSLUtility.py @ 2685

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/python/ndg.security.common/ndg/security/common/m2CryptoSSLUtility.py@2685
Revision 2685, 5.0 KB checked in by pjkersha, 13 years ago (diff)

Preparing new DEWS 0.8.0 release -

ndg.security.server/setup.py: remove commented out code

setup.py, ndg.security.client/setup.py, ndg.security.test/setup.py,
ndg.security.server/setup.py, ndg.security.common/setup.py:
update version to 0.8.0

ndg.security.test/ndg/security/test/AttAuthority/siteAAttAuthorityProperties.xml:
reset default transport to http

ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg:
default test settings for DEWS

ndg.security.test/ndg/security/test/SessionMgr/SessionMgrClientTest.py:

  • updated for tests with SSL - sslCACertList keyword

ndg.security.test/ndg/security/test/SessionMgr/sessionMgrClientTest.cfg:

  • test with SSL

ndg.security.common/ndg/security/common/SessionMgr/init.py:

  • include new SSL settings sslCACertList and sslCACertFilePathList

keywords / properties

  • removed transdict keyword
  • changed transport attribute to _transport and transdict to _transdict

ndg.security.common/ndg/security/common/AttAuthority/init.py:

  • import httplib to enable catch for the httplib.BadStatusLine exception - this

is thrown when trying to connect over http to an https service

  • include sslCACertFilePathList property
  • remove clntCertFilePath, clntPriKeyFilePath and clntPriKeyPwd properties -

no longer needed

ndg.security.common/ndg/security/common/m2CryptoSSLUtility.py:

  • new property caCertFilePathList enables setting of CA certs from file list
  • fix to HTTPSConnection class - set _postConnectionCheck attribute to

SSL.Checker.Checker default if no equivalent keyword was set

ndg.security.common/ndg/security/common/CredWallet.py:

  • enable calls to Attribute Authorities to set CA list for peer cert

verification with SSL connections

ndg-security-install.py: added new -t option to enable install of unit tests
package

1import httplib
2import socket
3
4from M2Crypto import SSL, X509
5from M2Crypto.httpslib import HTTPSConnection as _HTTPSConnection
6
7from ndg.security.common.X509 import X509Cert, X509Stack
8
class InvalidCertSignature(SSL.Checker.SSLVerificationError):
    """Raised when the peer certificate fails to verify against the
    configured CA certificate public keys"""
    pass
11   
12
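class HostCheck(SSL.Checker.Checker, object):
    """Override SSL.Checker.Checker to enable an alternate Common Name
    setting match for the peer cert, an expected peer DN fallback and
    optional verification of the peer cert against a stack of CA certs"""

    def __init__(self,
                 peerCertDN=None,
                 peerCertCN=None,
                 caCertList=None,
                 caCertFilePathList=None,
                 **kw):
        """Override parent class __init__ to enable the peerCertDN and
        peerCertCN settings and an optional CA certificate list

        @type peerCertDN: string
        @keyword peerCertDN: Set the expected Distinguished Name of the
        server to avoid errors matching hostnames.  This is useful
        where the hostname is not fully qualified

        @type peerCertCN: string
        @keyword peerCertCN: enable alternate Common Name to peer
        hostname

        @type caCertList: list type of M2Crypto.X509.X509 types
        @keyword caCertList: CA X.509 certificates - if set the peer cert's
        CA signature is verified against one of these.  At least one must
        verify.  Defaults to None (no CA verification); an empty list is
        treated the same way

        @type caCertFilePathList: list string types
        @keyword caCertFilePathList: same as caCertList except input as list
        of CA cert file paths

        @param kw: passed through to SSL.Checker.Checker.__init__"""
        SSL.Checker.Checker.__init__(self, **kw)

        self.peerCertDN = peerCertDN
        self.peerCertCN = peerCertCN

        # Always start with an (empty) CA stack so that __call__ can test
        # its length even when no CA list was given - previously the
        # attribute only existed once one of the property setters ran
        self.__caCertStack = X509Stack()
        if caCertList:
            self.caCertList = caCertList
        elif caCertFilePathList:
            self.caCertFilePathList = caCertFilePathList


    def __call__(self, peerCert, host=None):
        """Carry out checks on server ID
        @param peerCert: peer host certificate as M2Crypto.X509.X509
        instance
        @keyword host: name of host to check.  Used when no peerCertCN
        override is set
        @raise SSL.Checker.WrongHost: hostname matches neither the expected
        CN nor the peerCertDN setting
        @raise InvalidCertSignature: a CA cert list is set and the peer cert
        does not verify against it
        @return: True if all checks pass
        """
        try:
            # Fall back to the host supplied by the connection so that the
            # hostname check still runs when no alternate CN was configured
            SSL.Checker.Checker.__call__(self, peerCert,
                                         host=self.peerCertCN or host)

        except SSL.Checker.WrongHost:
            # Try match against peerCertDN setting
            peerCertDN = '/' + \
                    peerCert.get_subject().as_text().replace(', ', '/')
            if peerCertDN != self.peerCertDN:
                # bare raise preserves the original traceback
                raise

        if len(self.__caCertStack) > 0:
            try:
                self.__caCertStack.verifyCertChain(
                           x509Cert2Verify=X509Cert(m2CryptoX509=peerCert))
            except Exception as e:
                raise InvalidCertSignature(
                    "Peer certificate verification against CA cert failed: " +
                    str(e))

        # They match - drop the exception and return all OK instead
        return True


    def __setCACertList(self, caCertList):
        """Set list of CA certs - peer cert must validate against at least one
        of these

        @type caCertList: list or tuple of M2Crypto.X509.X509 instances
        @param caCertList: CA certificates pushed onto a fresh X.509 stack,
        replacing any previously set list"""
        caCertStack = X509Stack()
        for caCert in caCertList:
            caCertStack.push(caCert)
        self.__caCertStack = caCertStack

    caCertList = property(fset=__setCACertList,
              doc="list of CA certs - peer cert must validate against one")


    #_________________________________________________________________________
    def __setCACertsFromFileList(self, caCertFilePathList):
        '''Read CA certificates from file and add them to the X.509
        stack

        @type caCertFilePathList: list or tuple
        @param caCertFilePathList: list of file paths for CA certificates to
        be used to verify the peer certificate
        @raise AttributeError: input is not a list or tuple (kept as
        AttributeError for compatibility with existing callers)'''
        if not isinstance(caCertFilePathList, (list, tuple)):
            raise AttributeError(
                        'Expecting a list or tuple for "caCertFilePathList"')

        # Build the new stack first so that a failed load leaves any
        # previously set CA list intact rather than half populated
        caCertStack = X509Stack()
        for caCertFilePath in caCertFilePathList:
            caCertStack.push(X509.load_cert(caCertFilePath))
        self.__caCertStack = caCertStack

    caCertFilePathList = property(fset=__setCACertsFromFileList,
    doc="list of CA cert file paths - peer cert must validate against one")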
116
117
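class HTTPSConnection(_HTTPSConnection):
    """M2Crypto HTTPS connection with a configurable post connection check
    of the peer certificate"""

    def __init__(self, *args, **kw):
        '''Overload to enable setting of post connection check
        callback to SSL.Connection

        @keyword postConnectionCheck: callable registered with
        SSL.Connection.set_post_connection_check_callback; M2Crypto invokes
        it as check(peerCert, host) after the handshake and the connection
        is only accepted if it returns a true value.  Defaults to a plain
        SSL.Checker.Checker instance.  All other arguments are passed on to
        M2Crypto.httpslib.HTTPSConnection'''
        if 'postConnectionCheck' in kw:
            # pop so the keyword isn't forwarded to the parent constructor
            self._postConnectionCheck = kw.pop('postConnectionCheck')
        else:
            # The default must be a Checker *instance*.  Storing the class
            # itself would make the callback construct and return a new
            # Checker object - always true - so the hostname check would be
            # silently skipped
            self._postConnectionCheck = SSL.Checker.Checker()

        _HTTPSConnection.__init__(self, *args, **kw)


    def connect(self):
        '''Overload M2Crypto.httpslib.HTTPSConnection to enable
        custom post connection check of peer certificate'''
        self.sock = SSL.Connection(self.ssl_ctx)
        # Register the callback before connecting so it is in place when
        # the handshake completes
        self.sock.set_post_connection_check_callback(
                                         self._postConnectionCheck)
        self.sock.connect((self.host, self.port))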