Changeset 2136 for TI12-security/trunk/python/ndg.security.common/ndg/security/common/ca

Timestamp:

09/02/07 14:55:08 (13 years ago)

Author:

pjkersha

Message:

python/ndg.security.server/setup.py:

• comment out Twisted from install - won't do egg install
• updated long description

python/ndg.security.server/ndg/security/server/AttAuthority/server-config.tac:

• added verifyingCertFilePath keyword to SignatureHandler? initialisation
• added SSL capability

python/conf/attAuthorityProperties.xml,
python/ndg.security.test/ndg/security/test/AttAuthority/siteAAttAuthorityProperties.xml,
python/ndg.security.test/ndg/security/test/AttAuthority/siteBAttAuthorityProperties.xml,
python/ndg.security.server/ndg/security/server/AttAuthority/init.py:
added element names for reading SSL settings from properties file.

python/ndg.security.server/ndg/security/server/SessionMgr/server-config.tac:
added verifyingCertFilePath keyword to SignatureHandler? initialisation

python/conf/sessionMgrProperties.xml,
python/ndg.security.test/ndg/security/test/SessionMgr/sessionMgrProperties.xml,
python/ndg.security.server/ndg/security/server/SessionMgr/init.py:
added clntCertFile properties file element name for setting certificate for
verifying incoming SOAP messages.

python/ndg.security.server/ndg/security/server/SessionMgr/Makefile:
corrected typo.

python/ndg.security.server/ndg/security/server/MyProxy.py:
Put OpenSSLConfig and OpenSSLConfigError classes into their own package
'openssl' so that they can also be used by the Certificate Authority client.

python/www/html/certificateAuthority.wsdl,
python/ndg.security.server/ndg/security/server/ca/CertificateAuthority_services_server.py,
python/ndg.security.common/ndg/security/common/ca/CertificateAuthority_services_types.py,
python/ndg.security.common/ndg/security/common/ca/CertificateAuthority_services.py: updated operations to issueCert, revokeCert and getCRL.

python/ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg: changed address of service to connect to.

python/ndg.security.test/ndg/security/test/SessionMgr/sessionMgrClientTest.cfg:
alternative username connection settings

python/ndg.security.common/ndg/security/common/AttAuthority/init.py:
fixed typos in error message and comments.

ython/ndg.security.common/ndg/security/common/XMLSec.py: changed call to
getAttributeNodeNS to getAttributeNode for retrieving reference element URI
attribute.

python/ndg.security.common/ndg/security/common/ca/init.py: code for
Certificate Authority client

python/ndg.security.common/ndg/security/common/wsSecurity.py:

• tidied up imports
• added properties for setting keywords to reference and SignedInfo? C14N
• changed sign method so that it is truely configurable allow use of inclusive or exclusive C14N based on the keywords set for reference and SignedInfo? C14N calls.
• swapped calls to getAttributeNodeNS with getAttributeNode where appropriate.

java/DEWS/AttAuthority/appClientModule/META-INF/ibm-webservicesclient-bnd.xmi,
java/DEWS/AttAuthority/build/classes/META-INF/ibm-webservicesclient-bnd.xmi:
updated to that request generator correctly places X.509 cert in
BinarySecurityToken? element.

java/DEWS/AttAuthority/appClientModule/Main.java,
java/DEWS/AttAuthority/appClientjava/DEWS/AttAuthority/appClientModule/META-INF/ibm-webservicesclient-bnd.xmiModule/Main.java:
include calls to getX509Cert and getAttCert methods.

java/DEWS/SessionMgr/build/classes/META-INF/ibm-webservicesclient-bnd.xmi,
java/DEWS/SessionMgr/appClientModule/META-INF/ibm-webservicesclient-bnd.xmi:
updates for testing Session MAnager client

java/DEWS/SessionMgr/appClientModule/Main.java: switched username setting.

Location:

TI12-security/trunk/python/ndg.security.common/ndg/security/common/ca

Files:

• CertificateAuthority_services.py (modified) (1 diff)
• CertificateAuthority_services_types.py (added)
• __init__.py (modified) (1 diff)

TI12-security/trunk/python/ndg.security.common/ndg/security/common/ca/CertificateAuthority_services.py

@@ -1 +1 @@
 ################################################## 
-# simpleCA_services.py 
-# generated by ZSI.wsdl2python 
-# 
-# 
+# CertificateAuthority_services.py 
+# generated by ZSI.generate.wsdl2python
 ##################################################
 
 
+from CertificateAuthority_services_types import *
 import urlparse, types
-from ZSI.TCcompound import Struct
+from ZSI.TCcompound import ComplexType, Struct
 from ZSI import client
 import ZSI
+from ZSI.generate.pyclass import pyclass_type
 
-class simpleCAServiceInterface:
-    def getsimpleCA(self, portAddress=None, **kw):
-        raise NonImplementationError, "method not implemented"
+# Locator
+class CertificateAuthorityServiceLocator:
+    CertificateAuthority_address = "http://localhost:5001"
+    def getCertificateAuthorityAddress(self):
+        return CertificateAuthorityServiceLocator.CertificateAuthority_address
+    def getCertificateAuthority(self, url=None, **kw):
+        return CertificateAuthorityBindingSOAP(url or CertificateAuthorityServiceLocator.CertificateAuthority_address, **kw)
 
+# Methods
+class CertificateAuthorityBindingSOAP:
+    def __init__(self, url, **kw):
+        kw.setdefault("readerclass", None)
+        kw.setdefault("writerclass", None)
+        # no resource properties
+        self.binding = client.Binding(url=url, **kw)
+        # no ws-addressing
 
-class simpleCAServiceLocator(simpleCAServiceInterface):
-    simpleCA_address = "http://127.0.0.1:5000/simpleCA.wsdl"
-    def getsimpleCAAddress(self):
-        return simpleCAServiceLocator.simpleCA_address
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0x406a3f8c>
+    def issueCert(self, x509CertReq):
 
-    def getsimpleCA(self, portAddress=None, **kw):
-        return simpleCABindingSOAP(portAddress or simpleCAServiceLocator.simpleCA_address, **kw)
+        request = issueCertInputMsg()
+        request._x509CertReq = x509CertReq
 
+        kw = {}
+        # no input wsaction
+        self.binding.Send(None, None, request, soapaction="issueCert", **kw)
+        # no output wsaction
+        response = self.binding.Receive(issueCertOutputMsg.typecode)
+        x509Cert = response._x509Cert
+        return x509Cert
 
-class simpleCABindingSOAP:
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0x406ab2cc>
+    def revokeCert(self, x509Cert):
 
-    def __init__(self, addr, **kw):
-        netloc = (urlparse.urlparse(addr)[1]).split(":") + [80,]
-        if not kw.has_key("host"):
-            kw["host"] = netloc[0]
-        if not kw.has_key("port"):
-            kw["port"] = int(netloc[1])
-        if not kw.has_key("url"):
-            kw["url"] =  urlparse.urlparse(addr)[2]
-        self.binding = client.Binding(**kw)
+        request = revokeCertInputMsg()
+        request._x509Cert = x509Cert
 
+        kw = {}
+        # no input wsaction
+        self.binding.Send(None, None, request, soapaction="revokeCert", **kw)
+        # no output wsaction
+        response = self.binding.Receive(revokeCertOutputMsg.typecode)
+        return 
 
-    def reqCert(self, request):
-        """
-        @param: request to reqCertRequest::
-          _usrCertReq: str
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0x406ab7ec>
+    def getCRL(self):
 
-        @return: response from reqCertResponse::
-          _errMsg: str
-          _usrCert: str
-        """
+        request = getCRLInputMsg()
 
-        if not isinstance(request, reqCertRequest) and\
-            not issubclass(reqCertRequest, request.__class__):
-            raise TypeError, "%s incorrect request type" %(request.__class__)
         kw = {}
-        response = self.binding.Send(None, None, request, soapaction="urn:simpleCA#reqCert", **kw)
-        response = self.binding.Receive(reqCertResponseWrapper())
-        if not isinstance(response, reqCertResponse) and\
-            not issubclass(reqCertResponse, response.__class__):
-            raise TypeError, "%s incorrect response type" %(response.__class__)
-        return response
+        # no input wsaction
+        self.binding.Send(None, None, request, soapaction="getCRL", **kw)
+        # no output wsaction
+        response = self.binding.Receive(getCRLOutputMsg.typecode)
+        crl = response._crl
+        return crl
 
+issueCertInputMsg = ns0.issueCert_Dec().pyclass
 
+issueCertOutputMsg = ns0.issueCertResponse_Dec().pyclass
 
-class reqCertRequest (ZSI.TCcompound.Struct): 
-    def __init__(self, name=None, ns=None):
-        self._usrCertReq = None
+revokeCertInputMsg = ns0.revokeCert_Dec().pyclass
 
-        oname = None
-        if name:
-            oname = name
-            if ns:
-                oname += ' xmlns="%s"' % ns
-            ZSI.TC.Struct.__init__(self, reqCertRequest, [ZSI.TC.String(pname="usrCertReq",aname="_usrCertReq",optional=1),], pname=name, aname="_%s" % name, oname=oname )
+revokeCertOutputMsg = ns0.revokeCertResponse_Dec().pyclass
 
-class reqCertRequestWrapper(reqCertRequest):
-    """wrapper for rpc:encoded message"""
+getCRLInputMsg = ns0.getCRL_Dec().pyclass
 
-    typecode = reqCertRequest(name='reqCert', ns='urn:simpleCA')
-    def __init__( self, name=None, ns=None, **kw ):
-        reqCertRequest.__init__( self, name='reqCert', ns='urn:simpleCA' )
-
-class reqCertResponse (ZSI.TCcompound.Struct): 
-    def __init__(self, name=None, ns=None):
-        self._usrCert = None
-        self._errMsg = None
-
-        oname = None
-        if name:
-            oname = name
-            if ns:
-                oname += ' xmlns="%s"' % ns
-            ZSI.TC.Struct.__init__(self, reqCertResponse, [ZSI.TC.String(pname="usrCert",aname="_usrCert",optional=1),ZSI.TC.String(pname="errMsg",aname="_errMsg",optional=1),], pname=name, aname="_%s" % name, oname=oname )
-
-class reqCertResponseWrapper(reqCertResponse):
-    """wrapper for rpc:encoded message"""
-
-    typecode = reqCertResponse(name='reqCertResponse', ns='urn:simpleCA')
-    def __init__( self, name=None, ns=None, **kw ):
-        reqCertResponse.__init__( self, name='reqCertResponse', ns='urn:simpleCA' )
+getCRLOutputMsg = ns0.getCRLResponse_Dec().pyclass

TI12-security/trunk/python/ndg.security.common/ndg/security/common/ca/__init__.py

@@ -1 @@
-"""NERC Data Grid Project
-
-@author P J Kershaw 27/10/06
-
-@copyright (C) 2007 CCLRC & NERC
-
-@license This software may be distributed under the terms of the Q Public
+#!/usr/bin/env python
+"""NDG Security Certificate Authority client - client interface classes to the
+Certificate Authority.  
+
+NERC Data Grid Project
+
+@author P J Kershaw 17/11/06
+
+@copyright (C) 2006 CCLRC & NERC
+
+@license This software may be distributed under the terms of the Q Public 
 License, version 1.0 or later.
 """
+reposID = '$Id:$'
+
+__all__ = [
+    'CertificateAuthority_services',
+    'CertificateAuthority_services_types',
+    ]
+
+# Handling for public key retrieval
+import tempfile
+from M2Crypto import X509, RSA, EVP
+
+from CertificateAuthority_services import CertificateAuthorityServiceLocator
+from ndg.security.common.wsSecurity import SignatureHandler
+from ndg.security.common.openssl import OpenSSLConfig
+
+
+#_____________________________________________________________________________
+class CertificateAuthorityClientError(Exception):
+    """Exception handling for CertificateAuthorityClient class"""
+
+
+#_____________________________________________________________________________
+class CertificateAuthorityClient(object):
+    """Client interface to Certificate Authority web service
+    
+    @ctype _certReqDNparamName: tuple
+    @cvar _certReqDNparamName: names of parameters needed to generate a 
+    certificate request e.g. CN, OU etc."""
+
+    _certReqDNparamName = ('O', 'OU')
+    
+    #_________________________________________________________________________
+    def __init__(self, uri=None, tracefile=None, **signatureHandlerKw):
+        """
+        @type uri: string
+        @keyword uri: URI for Attribute Authority WS.  Setting it will also
+        initialise the Service Proxy
+                                         
+        @keyword tracefile: set to file object such as sys.stderr to give 
+        extra WS debug information
+        
+        @type **signatureHandlerKw: dict
+        @param **signatureHandlerKw: keywords for SignatureHandler class"""
+
+        self.__srv = None
+        self.__uri = None
+        
+
+        # Set-up parameter names for certificate request
+        self.__certReqDNparam = {}
+
+        
+        if uri:
+            self.__setURI(uri)
+
+        # WS-Security Signature handler
+        self.__signatureHandler = SignatureHandler(**signatureHandlerKw)
+           
+        self.__tracefile = tracefile
+
+         
+        # Instantiate Attribute Authority WS proxy
+        if self.__uri:
+            self.initService()
+        
+
+    #_________________________________________________________________________
+    def __setURI(self, uri):
+        
+        if not isinstance(uri, basestring):
+            raise CertificateAuthorityClientError, \
+                        "Attribute Authority WSDL URI must be a valid string"
+        
+        self.__uri = uri
+        
+    uri = property(fset=__setURI, doc="Set Attribute Authority WSDL URI")
+
+
+    #_________________________________________________________________________
+    def __getSignatureHandler(self):
+        "Get SignatureHandler object property method"
+        return self.__signatureHandler
+    
+    signatureHandler = property(fget=__getSignatureHandler,
+                                doc="SignatureHandler object")
+
+
+    #_________________________________________________________________________
+    def __setSrvCertFilePath(self, srvCertFilePath):
+        
+        if not isinstance(srvCertFilePath, basestring):
+            raise CertificateAuthorityClientError, \
+                "Attribute Authority public key URI must be a valid string"
+        
+        self.__srvCertFilePath = srvCertFilePath
+        
+    srvCertFilePath = property(fset=__setSrvCertFilePath,
+                              doc="Set Attribute Authority public key URI")
+
+ 
+    #_________________________________________________________________________
+    def __setClntCertFilePath(self, clntCertFilePath):
+        
+        if not isinstance(clntCertFilePath, basestring):
+            raise CertificateAuthorityClientError, \
+                "Client public key file path must be a valid string"
+        
+        self.__clntCertFilePath = clntCertFilePath
+        
+        try:
+            self.__clntCert = open(self.__clntCertFilePath).read()
+            
+        except IOError, (errNo, errMsg):
+            raise CertificateAuthorityClientError, \
+                    "Reading certificate file \"%s\": %s" % \
+                    (self.__clntCertFilePath, errMsg)
+                               
+        except Exception, e:
+            raise CertificateAuthorityClientError, \
+                                    "Reading certificate file \"%s\": %s" % \
+                                    (self.__clntCertFilePath, str(e))
+        
+    clntCertFilePath = property(fset=__setClntCertFilePath,
+                                doc="File path for client public key")
+
+ 
+    #_________________________________________________________________________
+    def __setClntPriKeyFilePath(self, clntPriKeyFilePath):
+        
+        if not isinstance(clntPriKeyFilePath, basestring):
+            raise CertificateAuthorityClientError(\
+                "Client public key file path must be a valid string")
+        
+        self.__clntPriKeyFilePath = clntPriKeyFilePath
+        
+    clntPriKeyFilePath = property(fset=__setClntPriKeyFilePath,
+                                  doc="File path for client private key")
+
+ 
+    #_________________________________________________________________________
+    def __setClntPriKeyPwd(self, clntPriKeyPwd):
+        
+        if not isinstance(clntPriKeyPwd, basestring):
+            raise SessionMgrClientError, \
+                        "Client private key password must be a valid string"
+        
+        self.__clntPriKeyPwd = clntPriKeyPwd
+        
+    clntPriKeyPwd = property(fset=__setClntPriKeyPwd,
+                         doc="Password protecting client private key file")
+
+
+    #_________________________________________________________________________        
+    def __setCertReqDNparam(self, dict):
+        '''certReqDNparam property set method - forces setting of certificate 
+        request parameter names to valid values
+        
+        @param dict: dictionary of parameters'''
+        
+        invalidKw = [k for k in dict \
+                     if k not in self.__class__._certReqDNparamName]
+        if invalidKw:
+            raise CertificateAuthorityClientError, \
+    "Invalid certificate request keyword(s): %s.  Valid keywords are: %s" % \
+    (', '.join(invalidKw), ', '.join(self.__class__._certReqDNparamName))
+    
+        self.__certReqDNparam.update(dict)
+
+
+    #_________________________________________________________________________        
+    def __getCertReqDNparam(self):
+        """certReqDNparam property set method - for Certificate request 
+        parameters dict"""
+        return self.__certReqDNparam
+    
+    
+    certReqDNparam = property(fset=__setCertReqDNparam,
+                            fget=__getCertReqDNparam,
+                            doc="Dictionary of parameters for cert. request")
+
+        
+    #_________________________________________________________________________
+    def initService(self, uri=None):
+        """Set the WS proxy for the Attribute Authority
+        
+        @type uri: string
+        @param uri: URI for service to invoke"""
+        
+        if uri:
+            self.__setURI(uri)
+
+        # WS-Security Signature handler object is passed to binding
+        try:
+            locator = CertificateAuthorityServiceLocator()
+            self.__srv = locator.getCertificateAuthority(self.__uri, 
+                                         sig_handler=self.__signatureHandler,
+                                         tracefile=self.__tracefile)
+        except HTTPResponse, e:
+            raise CertificateAuthorityClientError, \
+                "Error initialising WSDL Service for \"%s\": %s %s" % \
+                (self.__uri, e.status, e.reason)
+            
+        except Exception, e:
+            raise CertificateAuthorityClientError, \
+                "Initialising WSDL Service for \"%s\": %s" % \
+                 (self.__uri, str(e))
+                 
+                 
+    #_________________________________________________________________________        
+    def _createCertReq(self, CN, nBitsForKey=1024, messageDigest="md5"):
+        """
+        Create a certificate request.
+        
+        @param CN: Common Name for certificate - effectively the same as the
+        username for the MyProxy credential
+        @param nBitsForKey: number of bits for private key generation - 
+        default is 1024
+        @param messageDigest: message disgest type - default is MD5
+        @return tuple of certificate request PEM text and private key PEM text
+        """
+        
+        # Check all required certifcate request DN parameters are set                
+        # Create certificate request
+        req = X509.Request()
+    
+        # Generate keys
+        key = RSA.gen_key(nBitsForKey, m2.RSA_F4)
+    
+        # Create public key object
+        pubKey = EVP.PKey()
+        pubKey.assign_rsa(key)
+        
+        # Add the public key to the request
+        req.set_version(0)
+        req.set_pubkey(pubKey)
+        
+        if self.__certReqDNparam:
+            certReqDNparam = self.__certReqDNparam
+        else:
+            defaultReqDN = self.__openSSLConf.getReqDN()
+            
+            certReqDNparam = {}
+            certReqDNparam['O'] = defaultReqDN['0.organizationName']
+            certReqDNparam['OU'] = defaultReqDN['0.organizationalUnitName']
+            
+        # Set DN
+        x509Name = X509.X509_Name()
+        x509Name.CN = CN
+        x509Name.OU = certReqDNparam['OU']
+        x509Name.O = certReqDNparam['O']
+        req.set_subject_name(x509Name)
+        
+        req.sign(pubKey, messageDigest)
+        
+        return (req.as_pem(), key.as_pem(cipher=None))
+    
+                                    
+    #_________________________________________________________________________
+    def signCert(self, 
+                 certReq=None, 
+                 CN=None, 
+                 opensslConfigFilePath=None,
+                 **createCertReqKw):
+        """Send a certificate request to the CA for signing
+        
+        signCert([certReq=cr]|[CN=cn, opensslConfigFilePath=p, **kw])
+        
+        @type certReq: M2Crypto.X509.Request
+        @keyword certReq: X.509 certificate request.  If omitted,
+        _createCertReq method is called to create a new public and private 
+        key and a certificate request
+        
+        @type CN: string
+        @keyword CN: common name component of Distinguished Name for new
+        cert.  This keyword is ignored if certReq keyword is set.
+        
+        @type opensslConfigFilePath: string
+        @keyword opensslConfigFilePath: file path for OpenSSL configuration
+        file from which to get settings for Distinguished Name for new 
+        certificate.  This keyword is ignored if certReq keyword is set.
+        @rtype: tuple
+        @return: signed certificate and private key.  Private key will be 
+        None if certReq keyword was passed in
+        """
+
+        priKey = None
+        if not certReq:
+            # Create the certificate request
+            certReq, priKey = self._createCertReq(CN, **createCertReqKw)
+        
+        try:   
+            cert = self.__srv.signCert(certReq.as_pem())
+
+        except Exception, e:
+            raise CertificateAuthorityClientError, \
+                                            "Signing Certificate: " + str(e)      
+        return cert, priKey
+
+                                    
+    #_________________________________________________________________________
+    def revokeCert(self, x509Cert):
+        """Request that the CA revoke the given certificate
+        
+        @type x509Cert: string
+        @param x509Cert: X.509 certificate to be revoked"""
+            
+        try:   
+            self.__srv.revokeCert(x509Cert)
+
+        except Exception, e:
+            raise CertificateAuthorityClientError, \
+                                            "Revoking certificate: " + str(e)
+    
+
+    #_________________________________________________________________________
+    def getCRL(self):
+        """Request Certificate Revocation List (CRL) for the CA
+        
+        @rtype string
+        @return PEM encoded CRL"""
+
+        try: 
+            crl = self.__srv.getCRL()  
+            
+        except Exception, e:
+            raise CertificateAuthorityClientError, "Requesting CRL: " + str(e)
+
+        return crl