source: TI12-security/trunk/python/ @ 2510

Revision 2510, 2.9 KB checked in by pjkersha, 13 years ago
fix to caCertFilePathList input to SignatureHandler. Correctly initialise
if not set.

Corrected error message text for where a user is not registered or no
mapping is available: ref. userId rather than AC holder DN to allow for the
case in DEWS where a userId distinct from a Proxy cert. DN is used.

added test8GetMappedAttCertStressTest test for WebSphere integration tests.
It makes multiple calls with different ACs input to check for errors in
signature or verification.

added additional config params for the above. and
switched cert ID of test machine.

  • new X509Cert methods asDER and asPEM to convert to these formats.
    toString now calls to asPEM

  • new class X509Stack to wrap M2Crypto.X509.X509_Stack. This includes an
    extra method, verifyCertChain, to verify a chain of trust in the certs
    contained in the stack.

  • standalone function, X509StackParseFromDER, wraps

  • fix to X500DN class to enable correct parsing of proxy certificate DNs.
    These have multiple CN entries. These are represented by changing the CN
    dict entry to a tuple when initialised. changes to enable
    handling of certificate chains in WSSE BinarySecurityToken elements. This
    will enable use of proxy certificates with signatures as their chain of
    trust is proxy cert -> user cert -> CA cert rather than just cert -> CA cert.

BinarySecurityToken ValueType to use

  • SignatureHandler.init includes new signingCertChain keyword.
  • signingCertChain attribute of class enables setting of an X509Stack object
    to assign to BinarySecurityToken.

then Base64 encode rather than converting into PEM and then having to
strip BEGIN CERT / END CERT delimiters.

to enable check of Canonicalization - REMOVE in future check-in.

BinarySecurityToken ValueTypes - 'X509PKIPathv1', 'X509' and 'X509v3'
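
The check-in above records that X500DN now keeps the repeated CN entries of a proxy certificate subject as a tuple instead of letting the last one overwrite the rest. The following is an added example, not code from this check-in or from the NDG security package: it shows the overwrite a plain dict produces, an ordered parser that preserves every RDN, and the one derived fact a chain builder needs from a proxy DN, namely its issuer's DN (RFC 3820 requires a proxy subject to be the issuer name plus exactly one CN). The DN strings are constructed sample values, and the names parse_rdns, naive_dn_dict, X500DN, parent and is_legacy_proxy_subject are this example's own, not the project's API.

```python
import re


def parse_rdns(dn):
    """Split a DN into an ordered, root-first list of (attribute, value) pairs.

    Accepts the OpenSSL one-line form  "/C=UK/O=eScience/CN=john smith/CN=proxy"
    and the RFC 2253 comma form        "CN=proxy,CN=john smith,O=eScience,C=UK".
    The comma form lists the most specific RDN first, so it is reversed to
    match the slash form.  Values containing an unescaped '/' are out of scope.
    """
    dn = dn.strip()
    if dn.startswith('/'):
        parts = dn[1:].split('/')
    else:
        parts = re.split(r'(?<!\\),', dn)[::-1]
    rdns = []
    for part in parts:
        if not part.strip():
            continue
        if '=' not in part:
            raise ValueError('malformed RDN %r in DN %r' % (part, dn))
        attr, value = part.split('=', 1)
        rdns.append((attr.strip(), value.strip().replace('\\,', ',')))
    if not rdns:
        raise ValueError('empty DN %r' % dn)
    return rdns


def naive_dn_dict(dn):
    """The pre-fix behaviour: a plain dict keeps only the LAST value of a
    repeated attribute, so a proxy subject loses the user's own CN."""
    return dict(parse_rdns(dn))


class X500DN(object):
    """DN that keeps repeated attribute types (the extra CN entries a proxy
    certificate subject carries) as a tuple, in order of appearance."""

    def __init__(self, dn):
        # accept either a DN string or an already-parsed RDN list
        self.rdns = list(dn) if isinstance(dn, list) else parse_rdns(dn)
        self.attrs = {}
        for attr, value in self.rdns:
            if attr in self.attrs:
                prev = self.attrs[attr]
                prev = prev if isinstance(prev, tuple) else (prev,)
                self.attrs[attr] = prev + (value,)
            else:
                self.attrs[attr] = value

    def __getitem__(self, attr):
        return self.attrs[attr]

    def __eq__(self, other):
        # compare the ordered RDN list, not the dict, so CN order matters
        return isinstance(other, X500DN) and self.rdns == other.rdns

    def __ne__(self, other):
        return not self == other

    def __str__(self):
        return ''.join('/%s=%s' % rdn for rdn in self.rdns)

    def is_legacy_proxy_subject(self):
        """Globus GT2-style proxies end the subject with CN=proxy or
        CN=limited proxy.  RFC 3820 proxies use an extension and a numeric CN,
        so False here does not mean 'not a proxy'."""
        attr, value = self.rdns[-1]
        return attr == 'CN' and value in ('proxy', 'limited proxy')

    def parent(self):
        """DN with the final CN removed.  For a proxy certificate this is its
        issuer's DN (RFC 3820 s3.4), i.e. the subject the issuing user cert in
        the chain must carry; for a plain end-entity cert it is meaningless."""
        if len(self.rdns) < 2 or self.rdns[-1][0] != 'CN':
            raise ValueError('%s does not end in a CN' % self)
        return X500DN(self.rdns[:-1])
```

A two-level proxy chain is walked by calling parent() twice: the first call gives the subject of the first-level proxy, the second the subject of the user certificate, which is the DN that issuingusercertfilepath in the test config has to match.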

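The BinarySecurityToken changes in the message above carry a whole certificate chain in one token using the X509PKIPathv1 ValueType: the stack is DER-encoded and then Base64-encoded directly, with no PEM armour to strip. This added example (not the project's own wssecurity code, which builds on M2Crypto) constructs and parses such a token in plain Python with a minimal DER TLV reader so that it runs without any crypto library. The three "certificates" are constructed SEQUENCE blobs standing in for real DER certificates (a real Certificate is also a DER SEQUENCE, so the same code applies), and the function names are this example's own. PkiPath, as X.509 defines it, is ordered from the certificate nearest the trust anchor to the end-entity certificate, the reverse of the "proxy cert -> user cert -> CA cert" order in the message, so the caller must order the stack before encoding; nothing here reorders or verifies anything, and a chain-of-trust check (the verifyCertChain step) still needs a real X.509 implementation.

```python
import base64

SEQUENCE = 0x30  # ASN.1 tag shared by Certificate and PkiPath

# ValueType / EncodingType URIs from the WS-Security X.509 Token Profile 1.0
X509V3 = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'
X509PKIPATHV1 = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1'
BASE64BINARY = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary'


def der_length(n):
    """DER length octets: short form below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def read_tlv(buf, offset=0):
    """Decode one TLV at offset -> (tag, content, offset after it).  Rejects
    truncated data and non-minimal lengths so a hostile token fails closed."""
    if offset + 2 > len(buf):
        raise ValueError('truncated TLV header')
    tag, first, pos = buf[offset], buf[offset + 1], offset + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError('bad long-form length')
        length = int.from_bytes(buf[pos:pos + nbytes], 'big')
        if length < 0x80 or buf[pos] == 0:
            raise ValueError('non-minimal DER length')
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError('TLV content runs past end of buffer')
    return tag, buf[pos:end], end


def check_single_sequence(der, what):
    tag, _, end = read_tlv(der)
    if tag != SEQUENCE or end != len(der):
        raise ValueError('%s is not a single DER SEQUENCE' % what)


def encode_pkipath(der_certs):
    """PkiPath ::= SEQUENCE OF Certificate, in the order the caller supplies."""
    for cert in der_certs:
        check_single_sequence(cert, 'certificate')
    return der_tlv(SEQUENCE, b''.join(der_certs))


def decode_pkipath(der):
    check_single_sequence(der, 'PkiPath')
    _, content, _ = read_tlv(der)
    certs, pos = [], 0
    while pos < len(content):
        tag, _, nxt = read_tlv(content, pos)
        if tag != SEQUENCE:
            raise ValueError('PkiPath element is not a Certificate')
        certs.append(content[pos:nxt])
        pos = nxt
    return certs


def binary_security_token(der_certs):
    """(ValueType, EncodingType, text) for a wsse:BinarySecurityToken: a lone
    cert goes out as X509v3, a chain as X509PKIPathv1, both base64 of raw DER."""
    if not der_certs:
        raise ValueError('no certificates')
    if len(der_certs) == 1:
        check_single_sequence(der_certs[0], 'certificate')
        der, value_type = der_certs[0], X509V3
    else:
        der, value_type = encode_pkipath(der_certs), X509PKIPATHV1
    return value_type, BASE64BINARY, base64.b64encode(der).decode('ascii')


def certs_from_token(value_type, encoding_type, text):
    """Inverse of binary_security_token: the list of DER certificates carried."""
    if encoding_type != BASE64BINARY:
        raise ValueError('unsupported EncodingType %r' % encoding_type)
    der = base64.b64decode(text, validate=True)
    if value_type == X509V3:
        check_single_sequence(der, 'certificate')
        return [der]
    if value_type == X509PKIPATHV1:
        return decode_pkipath(der)
    raise ValueError('unsupported ValueType %r' % value_type)


# Constructed stand-ins for DER certificates: DER SEQUENCEs like a real
# Certificate, but with placeholder content, so no key material is needed.
CA_CERT = der_tlv(SEQUENCE, der_tlv(0x0C, b'ca'))
USER_CERT = der_tlv(SEQUENCE, der_tlv(0x04, bytes(200)))  # >127 bytes: long-form length
PROXY_CERT = der_tlv(SEQUENCE, der_tlv(0x0C, b'proxy'))
```

A token that has been truncated in transit, or whose length octets are not minimal DER, is rejected by read_tlv rather than yielding a shorter chain; that matters because the receiver picks the signing certificate out of this structure before it verifies anything.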
# NERC Data Grid Project

# P J Kershaw 16/01/07

# Copyright (C) 2007 CCLRC & NERC

# This software may be distributed under the terms of the Q Public License,
# version 1.0 or later.

# ! SiteBMapConfig.xml trusted site A aaURI setting must agree with this
# setting for test6GetMappedAttCert
#uri = http://localhost:5000/AttributeAuthority
#uri = https://localhost:5000/AttributeAuthority
#uri =
uri =
#uri =

# X.509 certificate for Attribute Authority - to verify the signature of
# returned responses
#aacertfilepath =

# Password protecting client private key - if omitted it will be prompted for
# from tty
userprikeypwd =

# All commented out to test service without WS-Security
#usercertfilepath = ./proxy-cert.pem
#userprikeyfilepath = ./proxy-key.pem
# Test with CA cert validation - proxy certs currently work with this as
# the user cert as well as proxy is needed to complete the chain of trust
# with the CA
#usercertfilepath = ./aa-cert.pem
#userprikeyfilepath = ./aa-key.pem

# Space separated list of CA certificate files used to verify certificate used
# in message signature
#cacertfilepathlist = ./cacert.pem


role = postgrad
# Test no matching role exception
#role = blah


# If usercertfilepath is a proxy set this cert as the one that issued the
# proxy.  Comment out if usercertfilepath is a standard X.509 cert.
#issuingusercertfilepath = ./user-cert.pem

# Test with no digital signature applied
#issuingusercertfilepath = ./proxy-cert.pem
# Setup for use by testGetMappedAttCert test
attCertFilePath = ./ac.xml


userId = system
issuingusercertfilepath = ./aa-cert.pem


# Comment out to set for no signature handling
userprikeypwd =
#usercertfilepath = ./proxy-cert.pem
#userprikeyfilepath = ./proxy-key.pem
usercertfilepath = ./aa-cert.pem
userprikeyfilepath = ./aa-key.pem

# Space separated list of CA certificate files used to verify certificate used
# in message signature
cacertfilepathlist = ./cacert.pem

#uri = http://localhost:5100/AttributeAuthority
# Health Data Server
#uri =
# Marine Data Server
uri =
userAttCertFilePath = ./ac.xml
mappedAttCertFilePath = ./mapped-ac.xml


# Comment out to set for no signature handling
userprikeypwd =
usercertfilepath = ./aa-cert.pem
userprikeyfilepath = ./aa-key.pem

# Space separated list of CA certificate files used to verify certificate used
# in message signature
cacertfilepathlist = ./cacert.pem

uri = http://localhost:5000/AttributeAuthority
userAttCertFilePathList = ../AttCert/badSignature2.xml ../AttCert/badSignature.xml ../AttCert/badSignature3.xml