source: TI12-security/trunk/python/ @ 2510

Revision 2510, 1.4 KB checked in by pjkersha, 13 years ago
fix to caCertFilePathList input to SignatureHandler. Correctly initialise
if not set.
Corrected error message text for where a user is not registered or no
mapping is available: ref. userId rather than AC holder DN to allow for the
case in DEWS where a userId distinct from a Proxy cert. DN is used.
added test8GetMappedAttCertStressTest test for WebSphere integration tests.
It makes multiple calls with different ACs input to check for errors in
signature or verification.
added additional config params for the above, and
switched cert ID of test machine.

  • new X509Cert methods asDER and asPEM to convert to these formats.
    toString now calls asPEM.

  • new class X509Stack to wrap M2Crypto.X509.X509_Stack. This includes an
    extra method, verifyCertChain, to verify a chain of trust in the certs
    contained in the stack.

  • standalone function, X509StackParseFromDER, wraps

  • fix to X500DN class to enable correct parsing of proxy certificate DNs.
    These have multiple CN entries. These are represented by changing the CN
    dict entry to a tuple when initialised.

changes to enable handling of certificate chains in WSSE BinarySecurityToken
elements. This will enable use of proxy certificates with signatures as their
chain of trust is proxy cert -> user cert -> CA cert rather than just
cert -> CA cert.


BinarySecurityToken ValueType to use

  • SignatureHandler.__init__ includes new signingCertChain keyword.
  • signingCertChain attribute of class enables setting of an X509Stack object
    to assign to BinarySecurityToken.

then Base64 encode rather than converting into PEM and then having to
strip BEGIN CERT / END CERT delimiters.

to enable check of Canonicalization - REMOVE in future check in.

BinarySecurityToken ValueTypes - 'X509PKIPathv1', 'X509' and 'X509v3'

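The X509PKIPathv1 token value described in the log (the certificate chain held in an X509Stack, DER-encoded and then Base64-encoded, instead of PEM with the delimiters stripped), as an added Python example that is not part of the TI12-security code: it packages an ordered DER certificate chain as a PkiPath and unpacks it again. The function names, the constructed DER stand-ins and the CA-first ordering (taken from the X.509 PkiPath definition, not from the project code) are the example's own assumptions.

```python
# Added example, not code from the TI12-security project: package an ordered
# certificate chain as a BinarySecurityToken value of ValueType X509PKIPathv1,
# i.e. base64(DER SEQUENCE OF Certificate), and unpack such a value again.
import base64

def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def read_tlv(buf, pos):
    """Return (tag, value, end) for the DER element starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def encode_pki_path(der_certs):
    """X509PKIPathv1 token text for an ordered chain of DER certificates.
    In a PkiPath the subject of each certificate is the issuer of the next,
    so a proxy chain is listed as CA cert, user cert, proxy cert."""
    content = b"".join(der_certs)
    return base64.b64encode(b"\x30" + der_length(len(content)) + content).decode("ascii")

def decode_pki_path(token_text):
    """Split X509PKIPathv1 token text back into its DER certificates."""
    buf = base64.b64decode(token_text, validate=True)
    tag, content, end = read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("token is not a single DER SEQUENCE")
    certs, pos = [], 0
    while pos < len(content):
        certs.append(content[pos:read_tlv(content, pos)[2]])
        pos += len(certs[-1])
    return certs

# Constructed stand-ins for DER certs; USER_DER is 128 bytes (long-form length).
CA_DER = b"\x30\x03\x02\x01\x01"
USER_DER = b"\x30\x81\x80\x04\x7e" + b"U" * 126
PROXY_DER = b"\x30\x03\x02\x01\x03"
```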
<?xml version="1.0" encoding="utf-8"?>
        <!--
        Delete this element and take setting from MYPROXY_SERVER environment
        variable if required
        <hostname>localhost</hostname>
        -->
        <!--
        Delete this element to take default setting 7512 or read
        MYPROXY_SERVER_PORT setting
        -->
        <port>7512</port>
        <!--
        Useful if hostname and certificate CN don't match correctly.  Globus host
        CN is usually set to "host/<fqdn>".  Delete this element and set from
        MYPROXY_SERVER_DN environment variable if preferred
        <serverDN>/O=NDG/OU=Raphael/CN=raphael</serverDN>
        -->
        <!--
        Set "host/" prefix to host cert CN as is default with globus
        -->
        <serverCNprefix></serverCNprefix>
        <!--
        Nb. GRID_SECURITY_DIR environment variable if set, overrides this setting
        This directory path is used to locate the OpenSSL configuration file
        -->
        <gridSecurityDir>$GLOBUS_LOCATION/etc</gridSecurityDir>
        <!-- OpenSSL configuration settings -->
        <openSSLConfFileName>globus-user-ssl.conf</openSSLConfFileName>
        <tmpDir>/tmp</tmpDir>
        <!--
        Limit on maximum lifetime any proxy certificate can have - specified
        when a certificate is first created by store() method
        -->
        <!--
        <proxyCertMaxLifetime></proxyCertMaxLifetime>
        -->
        <!--
        Life time of a proxy certificate when issued from the Proxy Server with
        getDelegation() method
        -->
        <!--
        <proxyCertLifetime></proxyCertLifetime>
        -->
        <caCertFile>cacert.pem</caCertFile>