Context Navigation

← Previous Changeset
Next Changeset →

Changeset 1465

Timestamp:

30/08/06 16:36:23 (13 years ago)

Author:

pjkersha

Message:

Added sign and verify to wsServer but problems with canonicalization causing verify error. This seems to be
due to attribute order differences. These shouldn't happen given the same canonicalization method for
signature and verification but the could be a problem with the way that the DOM code creates the nodes in
sign() ?

sing was added to server side code by overriding SOAPRequestHandler.do_POST and making a custom _Dispatch
function.

Location:

TI12-security/trunk/python/Tests/xmlsec/WS-Security

Files:

: 3 edited

wsClient.py (modified) (2 diffs)
wsSecurity.py (modified) (14 diffs)
wsServer.py (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

TI12-security/trunk/python/Tests/xmlsec/WS-Security/wsClient.py

-                      r1454
+                      r1465
 #!/usr/bin/env python
+import sys, socket
 from ZSI import Binding, TCcompound, TC
 from wsInterface import *
 …
     import pdb;pdb.set_trace()
     print ' Sending: %s' % MESSAGE
+    txResp = binding.Send(None,
+    try:
+        txResp = binding.Send(None,
                  'echo',
                  echoRequest,
                  encodingStyle="http://schemas.xmlsoap.org/soap/encoding/")
+    rxResp = binding.Receive(echoResponseWrapper(),
+                    encodingStyle="http://schemas.xmlsoap.org/soap/encoding/")
+        rxResp = binding.Receive(echoResponseWrapper(),
+                 encodingStyle="http://schemas.xmlsoap.org/soap/encoding/")
+    except socket.error, (errNum, errMsg):
+        print >>sys.stderr, "Socket error: %s" % errMsg
+        sys.exit(1)
     if not isinstance(rxResp, echoResponse) and \
        not issubclass(echoResponse, rxResp.__class__):
+        raise TypeError, "%s incorrect response type" % rxResp.__class__
+        print >>sys.stderr, "%s incorrect response type" % rxResp.__class__
+        sys.exit(1)
     print 'Response: %s' % rxResp._message

TI12-security/trunk/python/Tests/xmlsec/WS-Security/wsSecurity.py

-                      r1461
+                      r1465
 from ZSI.generate.pyclass import pyclass_type
+from ZSI.wstools.Utility import DOMException, SplitQName
+from ZSI.wstools.Utility import NamespaceError, MessageInterface, ElementProxy
 # XML Parsing
 from cStringIO import StringIO
 …
 from ZSI.wstools.c14n import Canonicalize
 from xml.dom import Node
+from xml.xpath.Context import Context
+from xml import xpath
 # Type codes for signature elements
 …
     def sign(self, soapWriter):
+        # Use wsse:TransformationParameters with ds:Transforms??
+        msgTmpl = """<?xml version="1.0" encoding="UTF-8"?>
+<!--
+SOAP Message with WSSE Signature
+-->
+<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
+        xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"
+        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    <soapenv:Header>
+        <wsse:Security
+                xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"
+                xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
+                soapenv:mustUnderstand="1">
+            <wsse:BinarySecurityToken
+                wsu:Id="binaryToken"
+                ValueType="wsse:X509v3"
+                EncodingType="wsse:Base64Binary">
+%s
+            </wsse:BinarySecurityToken>
+            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+                <ds:SignedInfo>
+                    <ds:CanonicalizationMethod
+                    Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
+                    <ds:SignatureMethod
+                    Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+                </ds:SignedInfo>
+                <ds:SignatureValue>%s</ds:SignatureValue>
+                <ds:KeyInfo>
+                    <wsse:SecurityTokenReference>
+                        <wsse:Reference URI="#binaryToken"/>
+                    </wsse:SecurityTokenReference>
+                </ds:KeyInfo>
+            </ds:Signature>
+        </wsse:Security>
+    </soapenv:Header>
+    <soapenv:Body xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
+            wsu:Id="body">
+    Hello, World!
+    </soapenv:Body>
+</soapenv:Envelope>"""
+        '''Sign the message body and binary security token of a SOAP message
+        '''
         # Add X.509 cert as binary security token
         x509Cert = X509.load_cert(self.__certFilePath)
 …
         x509CertStr = x509CertPat.findall(x509Cert.as_pem())[0]
-#        attrTypeCodeDict = \
-#        {
-#            (OASIS.UTILITY, 'Id'):  ZSI.TC.String(),
-#            'ValueType':            ZSI.TC.String(),
-#            'EncodingType':         ZSI.TC.String()
-#        }
-#        binSecurityTokTC = \
-#                getGlobalElemDecl(OASIS.WSSE, "BinarySecurityToken")
+#
-#        binSecurityTokTC.attribute_typecode_dict.update(attrTypeCodeDict)
+#
-#        securityTC = getGlobalElemDecl(OASIS.WSSE, "Security")
-#        securityPyObj = securityTC.pyclass()
-#        securityPyObj._any = []
-#        securityPyObj._any.append(binSecurityTokTC.pyclass())
+#
-        #soapWriter.serialize_header(securityPyObj, securityTC)
         # Namespaces for XPath searches
 …
         binSecTokElem.node.setAttribute('ValueType', "wsse:X509v3")
         binSecTokElem.node.setAttribute('EncodingType', "wsse:Base64Binary")
-        binSecTokElem.createAppendTextNode(x509CertStr)
         # Add ID
         binSecTokElem.node.setAttribute('wsu:Id', "binaryToken")
+        binSecTokElem.createAppendTextNode(x509CertStr)
         signatureElem = wsseElem.createAppendElement(DSIG.BASE, 'Signature')
 …
         soapWriter.body.node.setAttribute('xmlns:wsu', WSU.UTILITY)
         # 1) Reference Generation
+        #
         # Find references
         #idNodes = XPath.Compile('//*[@wsu:Id]').evaluate(docCtxt)
         idElems = [binSecTokElem, soapWriter.body]
+        idElems = [soapWriter.body]#[binSecTokElem, soapWriter.body]
         for idElem in idElems:
 …
             # Canonicalize reference
+            c14nRef = idElem.canonicalize()
+#            c14nRef1 = idElem.canonicalize()
+            c14nRef = Canonicalize(idElem.node)
+            import pdb;pdb.set_trace()
+#            print "Equal? %s" % (c14nRef == c14nRef1)
+            print 'idElem'
+            print idElem
+            print 'c14nRef'
+            print c14nRef
             # Calculate digest for reference and base 64 encode
 …
             digestValue = base64.encodestring(sha(c14nRef).digest()).strip()
             # Add a new reference element to SignedInfo
             refElem = signedInfoElem.createAppendElement(DSIG.BASE,
                                                          'Reference')
             refElem.node.setAttribute('URI', uri)
+            refElem.createAppendTextNode(digestValue)
+            # Use ds:Transforms or wsse:TransformationParameters?
+            tranformsElem = refElem.createAppendElement(DSIG.BASE,
+                                                        'Transforms')
+            tranformElem = tranformsElem.createAppendElement(DSIG.BASE,
+                                                             'Transform')
+            tranformElem.node.setAttribute('Algorithm', DSIG.C14N)
+            refElem.createAppendElement(DSIG.BASE, 'DigestMethod')
+            refElem.node.setAttribute('Algorithm', DSIG.DIGEST_SHA1)
+            digestValueElem = refElem.createAppendElement(DSIG.BASE,
+                                                          'DigestValue')
+            digestValueElem.createAppendTextNode(digestValue)
 …
         # Check the signature
         verify = bool(rsaPubKey.verify(signedInfoDigestValue, signatureValue))
         print soapWriter.dom.node.toprettyxml()
         from xml.dom.ext.reader.PyExpat import Reader
         Reader().fromString(str(soapWriter))
         import pdb;pdb.set_trace()
     def verify(self, soapWriter):
+#        verify = bool(rsaPubKey.verify(signedInfoDigestValue, signatureValue))
+#        print soapWriter.dom.node.toprettyxml()
+#
+#        from xml.dom.ext.reader.PyExpat import Reader
+#        Reader().fromString(str(soapWriter))
+#        import pdb;pdb.set_trace()
+    def verify(self, parsedSOAP):
         """Verify signature"""
+        import pdb;pdb.set_trace()
+        return
+        # Parse file
+        doc = NonvalidatingReader.parseStream(StringIO(xmlTxt))
+        # Set namespaces for XPath queries
+        element = ElementProxy(None, message=parsedSOAP.header)
         processorNss = \
+        {
 …
             'wsu':    WSU.UTILITY,
             'wsse':   OASIS.WSSE,
-            'wsa':    WSA200403.ADDRESS,
             'soapenv':"http://schemas.xmlsoap.org/soap/envelope/"
+        }
+        docCtxt = XPath.Context.Context(doc, processorNss=processorNss)
+        # Two stagfe process: reference validation followed by signature
+        ctxt = Context(parsedSOAP.dom, processorNss=processorNss)
+        signatureNodes = xpath.Evaluate('//ds:Signature',
+                                        contextNode=parsedSOAP.dom,
+                                        context=ctxt)
+        if len(signatureNodes) > 1:
+            raise Exception, 'Multiple ds:Signature elements found'
+        try:
+            signatureNodes = signatureNodes[0]
+        except:
+            # Message wasn't signed
+            return
+        # Two stage process: reference validation followed by signature
         # validation
         # 1) Reference Validation
+        refNodes = XPath.Compile('//ds:Reference').evaluate(docCtxt)
+        refNodes = xpath.Evaluate('//ds:Reference',
+                                  contextNode=parsedSOAP.dom,
+                                  context=ctxt)
         # Make a lambda to pick out node child or children with a given
         # name
 …
             # XPath reference
             uriXPath = '//*[@wsu:Id="%s"]' % refURI[1:]
+            uriNode = XPath.Compile(uriXPath).evaluate(docCtxt)[0]
+            uriNode = xpath.Evaluate(uriXPath,
+                                     contextNode=parsedSOAP.dom,
+                                     context=ctxt)[0]
             c14nRef = Canonicalize(uriNode, **kw)
+            import pdb;pdb.set_trace()
             digestValue = base64.encodestring(sha(c14nRef).digest()).strip()
 …
             # Reference validates if the two digest values are the same
             if digestValue != nodeDigestValue:
                 raise Exception, "DigestValues do not match: URI=%s" % uri
+                raise Exception, 'Digest Values do not match for URI: "%s"' %\
+                                                                        refURI
         # 2) Signature Validation
+        signedInfoNode = XPath.Compile('//ds:SignedInfo').evaluate(docCtxt)[0]
+        signedInfoNode = xpath.Evaluate('//ds:SignedInfo',
+                                        contextNode=parsedSOAP.dom,
+                                        context=ctxt)[0]
         # Get the canonicalization method - change later to check this and
 …
         # Get the signature value in order to check against the digest just
         # calculated
+        signatureValueNode = \
+                    XPath.Compile('//ds:SignatureValue').evaluate(docCtxt)[0]
+        signatureValueNode = xpath.Evaluate('//ds:SignatureValue',
+                                            contextNode=parsedSOAP.dom,
+                                            context=ctxt)[0]
         # Remove base 64 encoding
 …
                                            signatureValue))
         except RSA.RSAError:
+            verify = False
+        return verify
+            raise Exception, "Invalid Signature"

TI12-security/trunk/python/Tests/xmlsec/WS-Security/wsServer.py

-                      r1461
+                      r1465
 import sys
+import socket
+# Web service interface
+from ZSI import *
+from ZSI.dispatch import SOAPRequestHandler, _client_binding
+from ZSI.auth import _auth_tc, AUTH, ClientBinding
+from BaseHTTPServer import HTTPServer
+from wsSecurity import *
 from wsInterface import *
+#_________________________________________________________________________
+def echo(ps):
+    """example service simply returns message sent to it"""
+    import pdb;pdb.set_trace()
+    signatureHandler = SignatureHandler(\
+                            certFilePath='../../Junk-cert.pem',
+                            priKeyFilePath='../../Junk-key.pem',
+                            priKeyPwd=open('../../tmp2').read().strip())
+    signatureHandler.verify(ps)
+    request = ps.Parse(echoRequestWrapper)
+    response = echoResponseWrapper()
+    response._message = request._message
+    return response
+def _Dispatch(ps, modules, SendResponse, SendFault, docstyle=0,
+              nsdict={}, typesmodule=None, rpc=None, **kw):
+    '''Find a handler for the SOAP request in ps; search modules.
+    Call SendResponse or SendFault to send the reply back, appropriately.
+    Default Behavior -- Use "handler" method to parse request, and return
+       a self-describing request (w/typecode).
+    Other Behaviors:
+        docstyle -- Parse result into an XML typecode (DOM). Behavior, wrap result
+          in a body_root "Response" appended message.
+        rpc -- Specify RPC wrapper of result. Behavior, ignore body root (RPC Wrapper)
+           of request, parse all "parts" of message via individual typecodes.  Expect
+           response pyobj w/typecode to represent the entire message (w/RPC Wrapper),
+           else pyobj w/o typecode only represents "parts" of message.
+    '''
+    global _client_binding
+    try:
+        what = ps.body_root.localName
+        # See what modules have the element name.
+        if modules is None:
+            modules = ( sys.modules['__main__'], )
+        handlers = [ getattr(m, what) for m in modules if hasattr(m, what) ]
+        if len(handlers) == 0:
+            raise TypeError("Unknown method " + what)
+        # Of those modules, see who's callable.
+        handlers = [ h for h in handlers if callable(h) ]
+        if len(handlers) == 0:
+            raise TypeError("Unimplemented method " + what)
+        if len(handlers) > 1:
+            raise TypeError("Multiple implementations found: " + `handlers`)
+        handler = handlers[0]
+        _client_binding = ClientBinding(ps)
+        if docstyle:
+            result = handler(ps.body_root)
+            tc = TC.XML(aslist=1, pname=what + 'Response')
+        elif rpc is None:
+            # Not using typesmodule, expect
+            # result to carry typecode
+            result = handler(ps)
+            if hasattr(result, 'typecode') is False:
+                raise TypeError("Expecting typecode in result")
+            tc = result.typecode
+        else:
+            data = _child_elements(ps.body_root)
+            if len(data) == 0:
+                arg = []
+            else:
+                try:
+                    try:
+                        type = data[0].localName
+                        tc = getattr(typesmodule, type).typecode
+                    except Exception, e:
+                        tc = TC.Any()
+                    arg = [ tc.parse(e, ps) for e in data ]
+                except EvaluateException, e:
+                    SendFault(FaultFromZSIException(e), **kw)
+                    return
+            result = handler(*arg)
+            if hasattr(result, 'typecode'):
+                tc = result.typecode
+            else:
+                tc = TC.Any(aslist=1, pname=what + 'Response')
+                result = [ result ]
+        sw = SoapWriter(nsdict=nsdict)
+        sw.serialize(result, tc, rpc=rpc)
+        signatureHandler = SignatureHandler(\
+                                certFilePath='../../Junk-cert.pem',
+                                priKeyFilePath='../../Junk-key.pem',
+                                priKeyPwd=open('../../tmp2').read().strip())
+        signatureHandler.sign(sw)
+        return SendResponse(str(sw), **kw)
+    except Exception, e:
+        # Something went wrong, send a fault.
+        return SendFault(FaultFromException(e, 0, sys.exc_info()[2]), **kw)
+#_____________________________________________________________________________
+class EchoSOAPRequestHandler(SOAPRequestHandler):
+    """Implement to allow overloaded do_POST in order to handle WS-Security
+    for outbound messages"""
+    def do_POST(self):
+        """Override default to allow custom dispatch call"""
+        try:
+            ct = self.headers['content-type']
+            if ct.startswith('multipart/'):
+                cid = resolvers.MIMEResolver(ct, self.rfile)
+                xml = cid.GetSOAPPart()
+                ps = ParsedSoap(xml, resolver=cid.Resolve)
+            else:
+                length = int(self.headers['content-length'])
+                ps = ParsedSoap(self.rfile.read(length))
+        except ParseException, e:
+            self.send_fault(FaultFromZSIException(e))
+            return
+        except Exception, e:
+            # Faulted while processing; assume it's in the header.
+            self.send_fault(FaultFromException(e, 1, sys.exc_info()[2]))
+            return
+        _Dispatch(ps, self.server.modules, self.send_xml, self.send_fault,
+                  docstyle=self.server.docstyle, nsdict=self.server.nsdict,
+                  typesmodule=self.server.typesmodule, rpc=self.server.rpc)
+#_____________________________________________________________________________
+def AsServer(port=80,
+             modules=None,
+             docstyle=0,
+             nsdict={},
+             typesmodule=None,
+             rpc=None,
+             **kw):
+    address = ('', port)
+    httpd = HTTPServer(address, EchoSOAPRequestHandler)
+    httpd.modules = modules
+    httpd.docstyle = docstyle
+    httpd.nsdict = nsdict
+    httpd.typesmodule = typesmodule
+    httpd.rpc = rpc
+    httpd.serve_forever()
+'''
 def echo(ps):
     frame = sys._getframe().f_back
 …
     return response
+'''
 if __name__ == '__main__':
     print "Server listening ..."
     try:
         dispatch.AsServer(port=8080)
+        AsServer(port=8080)
     except KeyboardInterrupt:
         sys.exit(0)
+    except socket.error, e:
+        print >>sys.stderr, "Server socket error: %s" % e[1]
+        sys.exit(1)
+#    except Exception, e:
+#        print >>sys.stderr, "Server: %s" % e
+#        sys.exit(1)

Note: See TracChangeset for help on using the changeset viewer.