source: TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg @ 2510

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg@2510
Revision 2510, 2.9 KB checked in by pjkersha, 13 years ago (diff)

ndg.security.server/ndg/security/server/AttAuthority/server-config.tac:
fix to caCertFilePathList input to SignatureHandler. Correctly initialise
if not set.

ndg.security.server/ndg/security/server/AttAuthority/init.py:
Corrected error message text for where a user is not registered or no
mapping is available: ref. userId rather than AC holder DN to allow for the
case in DEWS where a userId distinct from a Proxy cert. DN is used.

ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py:
added test8GetMappedAttCertStressTest test for WebSphere integration tests.
It makes multiple calls with different ACs input to check for errors in
signature or verification.

ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg:
added additional config params for the above.

ndg.security.test/ndg/security/test/MyProxy/myProxyProperties.xml and
ndg.security.test/ndg/security/test/MyProxy/myProxyClientTest.cfg:
switched cert ID of test machine.

ndg.security.common/ndg/security/common/X509.py:

  • new X509Cert methods asDER and asPEM to convert to these formats.
    toString now calls to asPEM
  • new class X509Stack to wrap M2Crypto.X509.X509_Stack. This includes an
    extra method, verifyCertChain, to verify a chain of trust in the certs
    contained in the stack.
  • standalone function, X509StackParseFromDER, wraps
    M2Crypto.X509.new_stack_from_der
  • fix to X500DN class to enable correct parsing of proxy certificate DNs.
    These have multiple CN entries. These are represented by changing the CN
    dict entry to a tuple when initialised.

ndg.security.common/ndg/security/common/wsSecurity.py: changes to enable
handling of certificate chains in WSSE BinarySecurityToken elements. This
will enable use of proxy certificates with signatures as their chain of
trust is proxy cert -> user cert -> CA cert rather than just cert -> CA cert.

types.

BinarySecurityToken ValueType to use

  • SignatureHandler.init includes new signingCertChain keyword.
  • signingCertChain attribute of class enables setting of an X509Stack object
    to assign to BinarySecurityToken.

then Base 64 encode rather than converting into PEM and then having to
strip BEGIN CERT / END CERT delimiters.

to enable check of Canonicalization - REMOVE in future check in.

BinarySecurityToken ValueTypes - 'X509PKIPathv1', 'X509' and 'X509v3'
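The X509.py change above notes that a proxy certificate DN carries several CN components, which the fixed X500DN class stores as a tuple. The following is an added example, not the project's X500DN or X509Stack code: it parses an OpenSSL-style slash-delimited DN into a dict where a repeated type becomes a tuple, and then applies the RFC 3820 naming rule (a proxy's subject is its issuer's subject plus exactly one extra CN) along a proxy -> user cert chain, which is the naming half of what a verifyCertChain-style check has to confirm. Function names and the assumption that attribute values contain no "/" are mine.

```python
"""Parse X.500 DNs with repeated CN components (proxy certificate
subjects) and check the proxy naming rule along a chain.

Added example, not ndg.security's X500DN class.  Assumes the OpenSSL
one-line "/C=UK/O=.../CN=..." format with no "/" inside values."""
from typing import Dict, List, Tuple, Union

DNValue = Union[str, Tuple[str, ...]]


def parse_dn(dn: str) -> Dict[str, DNValue]:
    """Return {type: value}; a type seen more than once (CN in a proxy
    cert) becomes a tuple of its values in order of appearance."""
    parsed: Dict[str, DNValue] = {}
    for rdn in dn.strip("/").split("/"):
        if not rdn:
            continue
        key, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        key = key.strip()
        if key in parsed:
            prev = parsed[key]
            prev_t = prev if isinstance(prev, tuple) else (prev,)
            parsed[key] = prev_t + (value,)
        else:
            parsed[key] = value
    return parsed


def cn_values(parsed: Dict[str, DNValue]) -> Tuple[str, ...]:
    """CN component(s) as a tuple, whether one or many were present."""
    cn = parsed.get("CN", ())
    return cn if isinstance(cn, tuple) else (cn,)


def is_proxy_of(proxy_dn: str, issuer_dn: str) -> bool:
    """RFC 3820 naming rule: proxy subject == issuer subject + one CN,
    with every other component unchanged."""
    proxy, issuer = parse_dn(proxy_dn), parse_dn(issuer_dn)
    if set(proxy) != set(issuer):
        return False
    if any(proxy[k] != issuer[k] for k in issuer if k != "CN"):
        return False
    pcn, icn = cn_values(proxy), cn_values(issuer)
    return len(pcn) == len(icn) + 1 and pcn[: len(icn)] == icn


def first_bad_link(subject_dns: List[str]) -> int:
    """Subjects ordered proxy -> ... -> user cert; index of the first
    link that breaks the naming rule, or -1 if every link is sound."""
    for i in range(len(subject_dns) - 1):
        if not is_proxy_of(subject_dns[i], subject_dns[i + 1]):
            return i
    return -1
```

The DN check is only the naming part of chain validation; signature verification over each link (what X509Stack.verifyCertChain wraps M2Crypto for) still has to be done separately.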

# NERC Data Grid Project
#
# P J Kershaw 16/01/07
#
# Copyright (C) 2007 CCLRC & NERC
#
# This software may be distributed under the terms of the Q Public License,
# version 1.0 or later.
[setUp]
# ! SiteBMapConfig.xml trusted site A aaURI setting must agree with this
# setting for test6GetMappedAttCert
#uri = http://localhost:5000/AttributeAuthority
#uri = https://localhost:5000/AttributeAuthority
#uri = http://glue.badc.rl.ac.uk/DEWS/MarineDataServer/AttributeAuthority
uri = http://glue.badc.rl.ac.uk/DEWS/Portal/AttributeAuthority
#uri = http://glue.badc.rl.ac.uk:41000/AttributeAuthority

# X.509 certificate for Attribute Authority - to verify the signature of
# returned responses
#aacertfilepath =

# Password protecting client private key - if omitted it will be prompted for
# from tty
userprikeypwd = 

# All commented out to test service without WS-Security
#usercertfilepath = ./proxy-cert.pem
#userprikeyfilepath = ./proxy-key.pem
# Test with CA cert validation - proxy certs currently work with this as
# the user cert as well as proxy is needed to complete the chain of trust
# with the CA
#usercertfilepath = ./aa-cert.pem
#userprikeyfilepath = ./aa-key.pem

# Space separated list of CA certificate files used to verify certificate used
# in message signature
#cacertfilepathlist = ./cacert.pem

[test3GetTrustedHostInfo]
role = postgrad
# Test no matching role exception
#role = blah

[test5GetAttCert]
# If usercertfilepath is a proxy set this cert as the one that issued the
# proxy.  Comment out if usercertfilepath is a standard X.509 cert.
#issuingusercertfilepath = ./user-cert.pem

# Test with no digital signature applied
#issuingusercertfilepath = ./proxy-cert.pem
# Setup for use by testGetMappedAttCert test
attCertFilePath = ./ac.xml

[test6GetAttCertWithUserIdSet]
userId = system
issuingusercertfilepath = ./aa-cert.pem

[test7GetMappedAttCert]
# Comment out to set for no signature handling
userprikeypwd = 
#usercertfilepath = ./proxy-cert.pem
#userprikeyfilepath = ./proxy-key.pem
usercertfilepath = ./aa-cert.pem
userprikeyfilepath = ./aa-key.pem

# Space separated list of CA certificate files used to verify certificate used
# in message signature
cacertfilepathlist = ./cacert.pem

#uri = http://localhost:5100/AttributeAuthority
# Health Data Server
#uri = https://glue.badc.rl.ac.uk:42000/AttributeAuthority
# Marine Data Server
uri = http://glue.badc.rl.ac.uk/DEWS/MarineDataServer/AttributeAuthority
userAttCertFilePath = ./ac.xml
mappedAttCertFilePath = ./mapped-ac.xml

[test8GetMappedAttCertStressTest]
# Comment out to set for no signature handling
userprikeypwd = 
usercertfilepath = ./aa-cert.pem
userprikeyfilepath = ./aa-key.pem

# Space separated list of CA certificate files used to verify certificate used
# in message signature
cacertfilepathlist = ./cacert.pem

uri = http://localhost:5000/AttributeAuthority
userAttCertFilePathList = ../AttCert/badSignature2.xml ../AttCert/badSignature.xml ../AttCert/badSignature3.xml