Changeset 2251


Timestamp: 08/03/07 17:12:22 (12 years ago)
Author: pjkersha
Message:

ndg.security.server/setup.py:

ndg.security.server/setup.cfg:

  • removed EasyInstall and build sections
  • reinstated tag_build - set to '_dews' - and tag_svn_revision

ndg.security.server/ndg/security/server/AttAuthority/server-config.tac:

  • removed socket import and added os
  • added M2Crypto SSL support - works with Python client unit tests (required setting SSL v2 and 3 support) but problems with WebSphere client

ndg.security.server/ndg/security/server/AttAuthority/__init__.py,
ndg.security.server/ndg/security/server/conf/attAuthorityProperties.xml,
ndg.security.test/ndg/security/test/AttAuthority/siteAAttAuthorityProperties.xml,
ndg.security.test/ndg/security/test/AttAuthority/siteBAttAuthorityProperties.xml:

  • added sslKeyPwd setting for properties

ndg.security.server/ndg/security/server/MyProxy.py:

  • ensure cnHostPfx is reinitialised to '' if equal to None

ndg.security.common/setup.py:

  • added M2Crypto, ZSI and 4Suite to dependencies
  • revised dependency links to use NDG site, http://ndg.nerc.ac.uk/dist and ZSI sourceforge link taken from pyGridWare settings. Latter won't work for PyXML but does work from command line ??

ndg.security.common/ndg/security/common/wsSecurity.py:

  • IMPORTANT FIX - removed strip() from signed info digest calc - NOT needed and caused some problems with verify.

Location: TI12-security/trunk/python
Files: 19 edited

  • TI12-security/trunk/python/ndg.security.common/ndg/security/common/wsSecurity.py

    r2148 r2251  
    475475        # Signed Info - Signature method 
    476476        sigMethodElem = signedInfoElem.createAppendElement(DSIG.BASE, 
    477                                                     'SignatureMethod') 
     477                                                           'SignatureMethod') 
    478478        sigMethodElem.node.setAttribute('Algorithm', DSIG.SIG_RSA_SHA1) 
    479479         
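Review bot: the Algorithm attribute on line 478 hard-codes DSIG.SIG_RSA_SHA1 for every outbound signature; the change in this hunk is only a re-indent of the 'SignatureMethod' continuation line, but while touching it, consider taking the algorithm URI from the signing configuration so a stronger RSA/SHA-2 variant can be selected without editing the module, and so the verify side can reject algorithms it is not prepared to accept.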
     
    565565 
    566566        # Calculate digest of SignedInfo 
    567         signedInfoDigestValue = sha(c14nSignedInfo).digest().strip() 
     567        # 
     568        # TODO: check status for strip call - almost certainly wrong and not 
     569        # needed 
     570        signedInfoDigestValue = sha(c14nSignedInfo).digest()#.strip() 
    568571         
    569572        # Sign using the private key and base 64 encode the result 
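Review bot: the commented `#.strip()` on line 570 and the TODO on 568-569 should be deleted outright rather than left as a commented call; the commit message already confirms the strip() was the bug. A one-line comment explaining why would be more useful in its place: sha(...).digest() returns raw bytes, and str.strip() removes leading and trailing whitespace bytes (0x09-0x0d, 0x20), so roughly one signature in twenty lost a byte before signing, while the verify path at line 703 never stripped. That is why verification failed intermittently and depended on message content.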
     
    700703 
    701704        # Canonicalize the SignedInfo node and take digest 
    702         c14nSignedInfo = Canonicalize(signedInfoNode, **signedInfoC14nKw)         
    703         signedInfoDigestValue = sha(c14nSignedInfo).digest() 
     705        c14nSignedInfo = Canonicalize(signedInfoNode, **signedInfoC14nKw)  
     706                
     707        # TODO: strip() call? - almost certainly wrong - leave out!        
     708        signedInfoDigestValue = sha(c14nSignedInfo).digest()#.strip() 
    704709         
    705710        # Get the signature value in order to check against the digest just 
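Review bot: the same dead `#.strip()` and TODO survive on lines 707-708; remove them so a later reader does not re-enable the call. Signing (line 570) and verification (line 708) now compute the SignedInfo digest with identical code, so factor the canonicalise-and-digest step into one helper used by both paths, which is the simplest way to stop the two sides drifting apart again.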
     
    712717        b64EncSignatureValue = \ 
    713718                    str(signatureValueNode.childNodes[0].nodeValue).strip() 
    714                      
     719         
    715720        signatureValue = base64.decodestring(b64EncSignatureValue) 
    716721 
  • TI12-security/trunk/python/ndg.security.common/setup.cfg

    r2234 r2251  
    1010# This software may be distributed under the terms of the Q Public License, 
    1111# version 1.0 or later. 
    12 [EasyInstall] 
    13  
    1412[build_ext] 
    1513include_dirs: /usr/local/include 
     
    1917 
    2018[egg_info] 
    21 tag_build = -DevPostAlpha 
    22 #tag_svn_revision = true 
     19tag_build = _dews 
     20tag_svn_revision = true 
    2321 
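Review bot: tag_build is '_dews' on line 19 but '-dews' in ndg.security.server/setup.cfg in this same changeset; setuptools normalises both to the same version string, yet the committed PKG-INFO shows '0.7.2-dews-r2240', so pick one spelling for both packages to keep the egg names consistent. Re-enabling tag_svn_revision on line 20 also means every build appends a new -rNNNN suffix, so any egg-info files kept under version control will be stale after each commit.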
  • TI12-security/trunk/python/ndg.security.common/setup.py

    r2238 r2251  
    2727# TODO: subdivide these into server and client specific and comon dependencies 
    2828_pkgDependencies = [ 
    29     'ZSI', 
     29    'ZSI >= 2.0rc3', 
     30    '4Suite-XML >= 1.0rc3', 
    3031    'pycrypto', 
    3132    'SQLObject', 
     33    'M2Crypto', 
    3234#    'MySQL-python', - gcc: unrecognized option `-restrict' 
    3335] 
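Review bot: 'M2Crypto' on line 33 has no version constraint even though the comment on line 44 says a custom build is needed for the MyProxy client; add a minimum version as ZSI and 4Suite-XML now have on lines 29-30, otherwise easy_install will accept whichever M2Crypto it finds first, including one without the required SSL behaviour.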
     
    4143_pkgDependencyLinks = [ 
    4244    # Custom M2Crypto for use with Python MyProxy client 
    43     "http://proj.badc.rl.ac.uk/ndg/browser/TI12-security/branches/Dependencies/m2crypto/dist/M2Crypto-0.16-py2.4-linux-i686.egg?format=raw", 
    44     "ftp://ftp.4suite.org/pub/4Suite/4Suite-XML-1.0.tar.gz", 
    45     "http://prdownloads.sourceforge.net/pyxml/PyXML-0.8.4.tar.gz?use_mirror=kent" 
     45    "http://ndg.nerc.ac.uk/dist", 
     46    # ZSI - use this link to ensure correct dependency download for PyXML 
     47    "http://sourceforge.net/project/showfiles.php?group_id=26590&package_id=30660", 
    4648    # Twisted won't install as an egg 
    4749#    "http://tmrc.mit.edu/mirror/twisted/Web/0.5/TwistedWeb-0.5.0.tar.bz2", 
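Review bot: the new dependency link on line 45 is a plain-http package index and the sourceforge showfiles page on line 47 is an HTML listing rather than an archive URL, so easy_install will follow whatever links those pages happen to serve; the removed lines 43-45 at least pinned specific archives. Fetching the cryptographic dependencies (M2Crypto, pycrypto) over unauthenticated http with no checksum is a supply-chain exposure: prefer https, pin exact archive URLs, and record expected hashes where the tooling allows. The comment on line 44 still describes the removed custom M2Crypto egg and should be updated.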
  • TI12-security/trunk/python/ndg.security.server/ndg.security.server.egg-info/PKG-INFO

    r2239 r2251  
    11Metadata-Version: 1.0 
    22Name: ndg.security.server 
    3 Version: 0.7.2-DevPostAlpha 
     3Version: 0.7.2-dews-r2240 
    44Summary: NERC DataGrid Security Services 
    55Home-page: http://proj.badc.rl.ac.uk/ndg 
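Review bot: Version on line 3 reads 0.7.2-dews-r2240, the revision before this commit, so the committed metadata is already stale. PKG-INFO is regenerated by egg_info on every build, and with tag_svn_revision now on it changes with every commit; take the .egg-info directory out of version control (svn:ignore) rather than hand-committing it.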
  • TI12-security/trunk/python/ndg.security.server/ndg.security.server.egg-info/SOURCES.txt

    r2239 r2251  
    22setup.cfg 
    33setup.py 
     4dist/ndg.security.server-0.7.2_DevPostAlpha-py2.4.egg 
    45ndg/__init__.py 
    56ndg.security.server.egg-info/PKG-INFO 
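Review bot: line 4 adds a built egg under dist/ to the source manifest, which would ship a binary artifact carrying the old DevPostAlpha tag inside every sdist; exclude dist/ via MANIFEST.in and, as with PKG-INFO, stop committing the generated egg-info files.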
  • TI12-security/trunk/python/ndg.security.server/ndg.security.server.egg-info/dependency_links.txt

    r2239 r2251  
    1 http://proj.badc.rl.ac.uk/ndg/browser/TI12-security/trunk/python/ndg.security.common/dist/ndg.security.common-0.7.2_DevPostAlpha-py2.4.egg?format=raw 
    2 http://www.zope.org/Products/ZopeInterface/3.0.1final/ZopeInterface-3.0.1.tgz 
     1http://ndg.nerc.ac.uk/dist 
  • TI12-security/trunk/python/ndg.security.server/ndg.security.server.egg-info/requires.txt

    r2239 r2251  
     1ndg.security.common 
    12pycrypto 
    2 ndg.security.common 
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/AttAuthority/__init__.py

    r2181 r2251  
    3636class AttAuthorityError(Exception): 
    3737    """Exception handling for NDG Attribute Authority class.""" 
    38  
    3938 
    4039#_____________________________________________________________________________ 
     
    8887                    'sslCertFile', 
    8988                    'sslKeyFile', 
     89                    'sslKeyPwd', 
     90                    'certFile', 
    9091                    'keyFile', 
    9192                    'keyPwd', 
    92                     'certFile', 
    9393                    'caCertFile', 
    9494                    'clntCertFile', 
     
    589589                if elem.tag in self.__class__.__validKeys: 
    590590                 
    591                     if elem.tag != 'keyPwd' and elem.text:  
     591                    # Make sure to leave password element contents unchanged 
     592                    if 'eyPwd' not in elem.tag and elem.text:  
    592593                        self.__prop[elem.tag] = \ 
    593594                                        os.path.expandvars(elem.text.strip()) 
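Review bot: the substring test `'eyPwd' not in elem.tag` on line 592 is fragile and hides its intent; it matches keyPwd and sslKeyPwd today but also any future tag containing that fragment. Use the explicit form `elem.tag not in ('keyPwd', 'sslKeyPwd')`. Note the side effect of skipping the whole line: os.path.expandvars is no longer applied to these elements, so a passphrase cannot be supplied from an environment variable and must sit in clear text in the properties file, which then needs restrictive file permissions. If the intent was only to preserve leading and trailing whitespace in passwords, keep expandvars and skip just the strip().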
     
    622623        except OSError, osError: 
    623624            raise AttAuthorityError, \ 
    624                 "Invalid directory path Attribute Certificates store: %s" % \ 
    625                 osError.strerror 
     625            'Invalid directory path Attribute Certificates store "%s": %s' % \ 
     626                (self.__prop['attCertDir'], osError.strerror) 
    626627        
    627628         
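Review bot: the message on lines 625-626 now embeds the configured attCertDir path, which is helpful in the server log; check that AttAuthorityError is not passed verbatim into the SOAP fault returned to the remote client, since that would disclose server filesystem layout to callers.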
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/AttAuthority/server-config.tac

    r2240 r2251  
    1414License, version 1.0 or later. 
    1515""" 
    16 import socket 
     16import os 
    1717 
    1818from ZSI.twisted.WSresource import WSResource 
     
    144144    siteFactory.sslChecker = SSL.Checker.Checker() 
    145145 
    146     ctx = SSL.Context('sslv3') 
     146        # TODO: Python ssl client seems to require SSL vers 2 is this a security 
     147        # risk? 
     148    ctx = SSL.Context(protocol='sslv23') 
    147149    ctx.set_cipher_list("NULL-MD5:ALL:!ADH:!EXP:@STRENGTH") 
    148     ctx.load_cert(CERTFILE, KEYFILE) 
     150    ctx.load_cert(srv.aa['sslCertFile'],  
     151                          srv.aa['sslKeyFile'], 
     152                          callback=lambda *args, **kw: srv.aa['sslKeyPwd']) 
     153                           
    149154    ctx.set_allow_unknown_ca(False) 
    150155    ctx.set_verify(SSL.verify_peer, 10) 
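Review bot: the TODO on lines 146-147 deserves a clear yes: SSL.Context(protocol='sslv23') on line 148 lets a peer negotiate SSLv2, which has known protocol weaknesses, and the cipher string on line 149 puts NULL-MD5 (no encryption) at the front of the list. Keep the sslv23 method so clients that send the SSLv2-compatible ClientHello still connect, but disable the SSLv2 protocol itself with ctx.set_options(m2.SSL_OP_NO_SSLv2) (from M2Crypto import m2); OpenSSL still accepts the v2-style hello and upgrades to SSLv3/TLS, which is what the Python client needs. Drop NULL-MD5 from the cipher list and add !NULL so an unencrypted session can never be negotiated.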
     
    168173 
    169174    siteFactory = factory 
    170  
    171         port = internet.TCPServer(PORT, siteFactory) 
    172         port.CERTFILE = srv.aa['sslCertFile'] 
    173         port.KEYFILE = srv.aa['sslKeyFile'] 
    174         root.__class__.server = port 
     175     
     176    port = internet.TCPServer(srv.aa['portNum'], siteFactory) 
     177    port.CERTFILE = srv.aa['sslCertFile'] 
     178    port.KEYFILE = srv.aa['sslKeyFile'] 
     179    root.__class__.server = port 
    175180else:    
    176181        # Non-SSL 
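Review bot: port.CERTFILE and port.KEYFILE on lines 177-178 look dead now that ctx.load_cert reads srv.aa directly and the old CERTFILE/KEYFILE names from line 148 are gone; remove them unless something else reads those attributes. The re-indent of lines 176-179 also moves the assignments out of the nesting the old lines 171-174 had, so confirm they now run at the intended level of the if/else.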
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/MyProxy.py

    r2170 r2251  
    7979        # Globus host certificate has a "host/" prefix - see explanation in 
    8080        # __init__.__doc__ 
    81         host = None or self.cnHostPfx + self.host 
     81        cnHostPfx = isinstance(self.cnHostPfx, basestring) \ 
     82                    and self.cnHostPfx or '' 
     83        host = None or cnHostPfx + self.host 
    8284         
    8385        try: 
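Review bot: `None or cnHostPfx + self.host` on line 83 carries a no-op `None or`, and the `isinstance(...) and x or ''` idiom on lines 81-82 only works because its failure case (an empty string) yields '' anyway. Simplify to `cnHostPfx = self.cnHostPfx or ''` and `host = cnHostPfx + self.host`. Since the prefix forms part of the server CN the client expects, logging the assembled host string at debug level would make CN mismatches much easier to diagnose.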
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/conf/attAuthorityProperties.xml

    r2181 r2251  
    77    <name>BADC</name>  
    88    <portNum>5000</portNum> 
    9     <useSSL>Yes</useSSL> <!-- leave blank to use http --> 
     9    <!-- 
     10    PKI settings for transport level encryption 
     11    --> 
     12    <useSSL></useSSL> <!-- leave blank to use http --> 
    1013    <sslCertFile></sslCertFile> 
    1114    <sslKeyFile></sslKeyFile> 
     15    <sslKeyPwd></sslKeyPwd> 
    1216    <!-- 
    1317    PKI settings for signature of outbound SOAP messages 
    1418    --> 
     19    <certFile></certFile> 
    1520    <keyFile></keyFile> 
    1621    <keyPwd></keyPwd> 
    17     <certFile></certFile> 
    1822    <caCertFile></caCertFile> 
    1923    <!--  
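Review bot: the shipped default now has useSSL blank on line 12, i.e. plain http, where line 9 previously had it set to Yes; if this file is the production template, the secure setting should be the default and the test configurations should be the ones that vary. The new sslKeyPwd element on line 15 holds the TLS key passphrase in clear text, so document the required file permissions next to it in the comment block on lines 9-11.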
  • TI12-security/trunk/python/ndg.security.server/setup.cfg

    r2239 r2251  
    1010# This software may be distributed under the terms of the Q Public License, 
    1111# version 1.0 or later. 
    12 [EasyInstall] 
    13  
    1412[build_ext] 
    1513include_dirs: /usr/local/include 
    1614library_dirs: /usr/local/lib 
    1715 
    18 [install] 
     16[egg_info] 
     17tag_build = -dews 
     18tag_svn_revision = true 
    1919 
    20 [egg_info] 
    21 tag_build = -DevPostAlpha 
    22 #tag_svn_revision = true 
    23  
  • TI12-security/trunk/python/ndg.security.server/setup.py

    r2239 r2251  
    2626# TODO: subdivide these into server and client specific and comon dependencies 
    2727_pkgDependencies = [ 
     28    'ndg.security.common', 
    2829    'pycrypto', 
    29     'ndg.security.common', 
    3030#    MySQL-python', - gcc: unrecognized option `-restrict' 
    3131] 
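Review bot: 'ndg.security.common' on line 28 has no version constraint although server and common are versioned in lockstep (both 0.7.2 with the dews tag on this page); pin it, for example 'ndg.security.common >= 0.7.2', so a stale common egg from the old dist link is not silently accepted. 'comon' in the TODO on line 26 is a typo.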
     
    5050    # the explicit URL.  This may cause problems later! 
    5151    dependency_links = [ 
    52         "http://proj.badc.rl.ac.uk/ndg/browser/TI12-security/trunk/python/ndg.security.common/dist/ndg.security.common-0.7.2_DevPostAlpha-py2.4.egg?format=raw", 
    53         "http://www.zope.org/Products/ZopeInterface/3.0.1final/ZopeInterface-3.0.1.tgz" 
     52        "http://ndg.nerc.ac.uk/dist", 
     53#        "http://www.zope.org/Products/ZopeInterface/3.0.1final/ZopeInterface-3.0.1.tgz" 
    5454        ], 
    5555 
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py

    r2178 r2251  
    4040               signingPriKeyFilePath=self.cfg['setUp']['userprikeyfilepath'], 
    4141               tracefile=sys.stderr) 
    42                     
    43     
     42             
    4443     
    4544    def test1GetX509Cert(self): 
    4645        '''test1GetX509Cert: retrieve Attribute Authority's X.509 cert.''' 
    47         #import pdb;pdb.set_trace() 
    4846        resp = self.clnt.getX509Cert() 
    4947        print "Attribute Authority X.509 cert.:\n" + resp 
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg

    r2214 r2251  
    1010# ! SiteBMapConfig.xml trusted site A aaURI setting must agree with this  
    1111# setting for test6GetMappedAttCert 
    12 uri = http://localhost:5000/AttributeAuthority 
    13 uri = http://glue.badc.rl.ac.uk:41000/AttributeAuthority 
     12#uri = http://localhost:5000/AttributeAuthority 
     13uri = https://localhost:5000/AttributeAuthority 
    1414 
    1515# X.509 certificate for Attribute Authority - to verify the signature of 
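Review bot: the old file had two `uri =` lines (12-13), of which ConfigParser keeps only the last, so the test was actually hitting glue.badc.rl.ac.uk:41000 rather than localhost; the single https://localhost:5000 setting on line 13 fixes that. The comment on lines 10-11 says SiteBMapConfig.xml's aaURI must agree, and that file is not in this changeset, so test6GetMappedAttCert will still use the old http URI unless it was updated separately.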
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/siteAAttAuthorityProperties.xml

    r2181 r2251  
    33    <name>Site A</name> 
    44    <portNum>5000</portNum> 
    5     <useSSL></useSSL> <!-- leave blank to use http --> 
    6     <sslCertFile></sslCertFile> 
    7     <sslKeyFile></sslKeyFile> 
     5    <useSSL>True</useSSL> <!-- leave blank to use http --> 
     6    <sslCertFile>$NDGSEC_AA_UNITTEST_DIR/aa-cert.pem</sslCertFile> 
     7    <sslKeyFile>$NDGSEC_AA_UNITTEST_DIR/aa-key.pem</sslKeyFile> 
     8    <sslKeyPwd>Junk</sslKeyPwd> 
     9    <certFile>$NDGSEC_AA_UNITTEST_DIR/aa-cert.pem</certFile> 
    810    <keyFile>$NDGSEC_AA_UNITTEST_DIR/aa-key.pem</keyFile> 
    911    <keyPwd>Junk</keyPwd> 
    10     <certFile>$NDGSEC_AA_UNITTEST_DIR/aa-cert.pem</certFile> 
    1112    <caCertFile>$NDGSEC_AA_UNITTEST_DIR/cacert.pem</caCertFile> 
    1213    <!--  
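Review bot: the same aa-cert.pem/aa-key.pem pair is now used for both the TLS listener (lines 6-7) and SOAP message signing (lines 9-10); acceptable for a unit-test fixture, but say so in a comment, because copying this template into a deployment would let one key compromise both transport and message-level protection. The 'Junk' passphrase on line 8 is checked in in clear text, which is only acceptable because the key is a test key.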
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/siteBAttAuthorityProperties.xml

    r2181 r2251  
    66    <sslCertFile></sslCertFile> 
    77    <sslKeyFile></sslKeyFile> 
     8    <sslKeyPwd>Junk</sslKeyPwd> 
     9    <certFile>$NDGSEC_AA_UNITTEST_DIR/aa-cert.pem</certFile> 
     10    <caCertFile>$NDGSEC_AA_UNITTEST_DIR/cacert.pem</caCertFile> 
    811    <keyFile>$NDGSEC_AA_UNITTEST_DIR/aa-key.pem</keyFile> 
    912    <keyPwd>Junk</keyPwd> 
    10     <certFile>$NDGSEC_AA_UNITTEST_DIR/aa-cert.pem</certFile> 
    11     <caCertFile>$NDGSEC_AA_UNITTEST_DIR/cacert.pem</caCertFile> 
    1213    <!--  
    1314    Set the certificate used to verify the signature of messages from the  
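Review bot: sslKeyPwd is set to 'Junk' on line 8 while sslCertFile and sslKeyFile on lines 6-7 stay empty; if useSSL is enabled for site B, ctx.load_cert will fail on an empty path, and if it is not, the passphrase is dead configuration. Either fill in the paths as for site A or drop the element.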
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/MyProxy/myProxyProperties.xml

    r2017 r2251  
    2020        Set "host/" prefix to host cert CN as is default with globus 
    2121        --> 
    22         <serverCNprefix>host/</serverCNprefix>   
     22        <serverCNprefix></serverCNprefix>        
    2323        <!-- 
    2424        Nb. GRID_SECURITY_DIR environment variable if set, overrides this setting 
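Review bot: the comment on line 20 still says to set the "host/" prefix as is the Globus default, but line 22 now clears it, so the comment contradicts the value. Since serverCNprefix forms part of the CN the client expects from the MyProxy server, this changes which host certificate the test will accept; update the comment to say which server setup the empty prefix is meant to match.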