source: TI12-security/trunk/python/ndg.security.test/ndg/security/test/MyProxy/myProxyProperties.xml @ 2510

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/python/ndg.security.test/ndg/security/test/MyProxy/myProxyProperties.xml@2510
Revision 2510, 1.4 KB checked in by pjkersha, 13 years ago

ndg.security.server/ndg/security/server/AttAuthority/server-config.tac:
fix to caCertFilePathList input to SignatureHandler. Correctly initialise
if not set.

ndg.security.server/ndg/security/server/AttAuthority/init.py:
Corrected error message text for where a user is not registered or no
mapping is available: ref. userId rather than AC holder DN to allow for the
case in DEWS where a userId distinct from a Proxy cert. DN is used.

ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py:
added test8GetMappedAttCertStressTest test for WebSphere integration tests.
It makes multiple calls with different ACs input to check for errors in
signature or verification.

ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg:
added additional config params for the above.

ndg.security.test/ndg/security/test/MyProxy/myProxyProperties.xml and
ndg.security.test/ndg/security/test/MyProxy/myProxyClientTest.cfg:
switched cert ID of test machine.

ndg.security.common/ndg/security/common/X509.py:

  • new X509Cert methods asDER and asPEM to convert to these formats.
    toString now calls to asPEM
  • new class X509Stack to wrap M2Crypto.X509.X509_Stack. This includes an
    extra method, verifyCertChain, to verify a chain of trust in the certs
    contained in the stack.
  • standalone function, X509StackParseFromDER, wraps
    M2Crypto.X509.new_stack_from_der
  • fix to X500DN class to enable correct parsing of proxy certificate DNs.
    These have multiple CN entries. These are represented by changing the CN
    dict entry to a tuple when initialised.

ndg.security.common/ndg/security/common/wsSecurity.py: changes to enable
handling of certificate chains in WSSE BinarySecurityToken elements. This
will enable use of proxy certificates with signatures as their chain of
trust is proxy cert -> user cert -> CA cert rather than just cert -> CA cert.

types.

BinarySecurityToken ValueType to use

  • SignatureHandler.init includes new signingCertChain keyword.
  • signingCertChain attribute of class enables setting of an X509Stack object
    to assign to BinarySecurityToken.

then Base 64 encode rather than converting into PEM and then having to
strip BEGIN CERT / END CERT delimiters.

to enable check of Canonicalization - REMOVE in future check in.

BinarySecurityToken ValueTypes - 'X509PKIPathv1', 'X509' and 'X509v3'

<?xml version="1.0" encoding="utf-8"?>
<myProxyProp>
        <!--
        Delete this element and take setting from MYPROXY_SERVER environment
        variable if required
        <hostname>localhost</hostname>
        -->
        <!--
        Delete this element to take default setting 7512 or read
        MYPROXY_SERVER_PORT setting
        -->
        <port>7512</port>
        <!--
        Useful if hostname and certificate CN don't match correctly.  Globus host
        CN is usually set to "host/<fqdn>".  Delete this element and set from
        MYPROXY_SERVER_DN environment variable if preferred
        <serverDN>/O=NDG/OU=Raphael/CN=raphael</serverDN>
        -->
        <!--
        Set "host/" prefix to host cert CN as is default with globus
        -->
        <serverCNprefix></serverCNprefix>
        <!--
        Nb. GRID_SECURITY_DIR environment variable if set, overrides this setting

        This directory path is used to locate the OpenSSL configuration file
        -->
        <gridSecurityDir>$GLOBUS_LOCATION/etc</gridSecurityDir>
        <!-- OpenSSL configuration settings -->
        <openSSLConfFileName>globus-user-ssl.conf</openSSLConfFileName>
        <tmpDir>/tmp</tmpDir>
        <!--
        Limit on maximum lifetime any proxy certificate can have - specified
        when a certificate is first created by store() method
        -->
        <!--
        <proxyCertMaxLifetime></proxyCertMaxLifetime>
        -->
        <!--
        Lifetime of a proxy certificate when issued from the Proxy Server with
        getDelegation() method
        -->
        <!--
        <proxyCertLifetime></proxyCertLifetime>
        -->
        <caCertFile>cacert.pem</caCertFile>
</myProxyProp>
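The precedence rules the element comments describe (MYPROXY_SERVER, MYPROXY_SERVER_PORT and MYPROXY_SERVER_DN filling in absent elements, GRID_SECURITY_DIR overriding gridSecurityDir) and the serverDN / serverCNprefix check against the server certificate's CN, worked through in Python as an added example that is not code from the NDG project. The environment dict, the two function names, and the treatment of an absent serverCNprefix as the Globus "host/" default versus an empty one as no prefix are assumptions.

```python
import re
import string
import xml.etree.ElementTree as ET

# Constructed sample with the same elements as the properties file above;
# <hostname> and <serverDN> are left commented out, as they are on the page.
SAMPLE_XML = """<myProxyProp>
    <!-- <hostname>localhost</hostname> -->
    <port>7512</port>
    <serverCNprefix></serverCNprefix>
    <gridSecurityDir>$GLOBUS_LOCATION/etc</gridSecurityDir>
    <openSSLConfFileName>globus-user-ssl.conf</openSSLConfFileName>
</myProxyProp>"""


def load_myproxy_props(xml_text, env):
    """Resolve the file against an environment dict: MYPROXY_SERVER, MYPROXY_SERVER_PORT
    and MYPROXY_SERVER_DN fill in absent elements; GRID_SECURITY_DIR always wins."""
    root = ET.fromstring(xml_text)

    def elem(tag):  # None if the element is absent, "" if present but empty
        el = root.find(tag)
        return None if el is None else (el.text or "").strip()

    hostname = elem("hostname") or env.get("MYPROXY_SERVER")
    if not hostname:
        raise ValueError("no <hostname> element and MYPROXY_SERVER is unset")
    port = int(elem("port") or env.get("MYPROXY_SERVER_PORT") or 7512)
    # Assumption: absent serverCNprefix -> Globus "host/" default; empty -> no prefix.
    prefix = elem("serverCNprefix")
    prefix = "host/" if prefix is None else prefix
    sec_dir = env.get("GRID_SECURITY_DIR") or string.Template(
        elem("gridSecurityDir") or "").safe_substitute(env)
    return {
        "hostname": hostname,
        "port": port,
        "server_dn": elem("serverDN") or env.get("MYPROXY_SERVER_DN"),
        "expected_cn": prefix + hostname,
        "grid_security_dir": sec_dir,
        "openssl_conf": sec_dir.rstrip("/") + "/" + (elem("openSSLConfFileName") or ""),
    }


def server_identity_ok(props, presented_dn):
    """Exact serverDN match when one is configured, otherwise match on the expected CN."""
    if props["server_dn"]:
        return presented_dn == props["server_dn"]
    # Split only at a "/" that starts a new attr= pair: a Globus "host/<fqdn>" CN has its own "/".
    parts = [p for p in re.split(r"/(?=\w+=)", presented_dn) if p]
    rdns = dict(p.split("=", 1) for p in parts)
    return rdns.get("CN") == props["expected_cn"]
```

The constructed DN values in the checks below follow the /O=NDG/OU=Raphael/CN=raphael form used in the file's serverDN comment.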