Changeset 2401


Timestamp:
13/04/07 14:09:19 (12 years ago)
Author:
pjkersha
Message:

ndg.security.server/ndg/security/server/AttAuthority/server-config.tac: added the caCertFilePathList
keyword to SignatureHandler creation. This enables CA certs to be used to check the X.509 certs
used with the signatures of client requests in SignatureHandler.verify.

ndg.security.server/ndg/security/server/Log.py: experimenting with SysLogHandler? - currently won't
write to syslog but equivalent syslog package does work!

ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py: added
caCertFilePathList keyword to SignatureHandler? creation - enables CA certs to be used to check the
X.509 certs used with signatures.

ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg: added
cacertfilepathlist item to enable setting of CA certs for cert validation

ndg.security.test/ndg/security/test/Log/LogTest.py: experiment with settings to try rotating file
handler.

Tests/dewsBinaryDataGet/binaryDataGet.py: enable uri to be set from command line.

ndg.security.common/ndg/security/common/wsSecurity.py:

  • added new exception type WSSecurityError
  • added capability to verify X.509 certs used in signatures against CA certs. CA certs are held

in an M2Crypto X509_Stack object. They are added to this using the caCertDirPath and/or
caCertFilePathList SignatureHandler? properties. New verifyCert method does the validation at the
end of the SignatureHandler?.verify.

! Current version can't validate proxy certs because an extra cert is present in the chain of
trust:

proxy cert -> user cert -> CA cert

rather than just:

user cert -> CA cert.

Location:
TI12-security/trunk/python
Files:
6 edited

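--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/wsSecurity.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/wsSecurity.py
@@ -69,4 +69,8 @@
 
 
+class WSSecurityError(Exception):
+    """For WS-Security generic exceptions not covered by other exception
+    classes in this module"""
+    
 class VerifyError(Exception):
     """Raised from SignatureHandler.verify if an error occurs in the signature
@@ -80,5 +84,5 @@
         
 class SignatureHandler(object):
-    """class to handle signature and verification of signature with
+    """Class to handle signature and verification of signature with
     WS-Security
     
@@ -109,11 +113,13 @@
                  signingPriKeyFilePath=None,
                  signingPriKeyPwd=None,
+                 caCertDirPath=None,
+                 caCertFilePathList=[],
                  refC14nKw={'unsuppressedPrefixes': ['xmlns',
-                                                   'xsi',
-                                                   'xsd',
-                                                   'SOAP-ENV',
-                                                   'wsu',
-                                                   'wsse',
-                                                   'ns1']},
+                                                     'xsi',
+                                                     'xsd',
+                                                     'SOAP-ENV',
+                                                     'wsu',
+                                                     'wsse',
+                                                     'ns1']},
                 # Added 'ec' to list P J Kershaw 01/02/07
                 signedInfoC14nKw = {'unsuppressedPrefixes': ['xsi',
@@ -145,4 +151,12 @@
             
         self.__setSigningPriKeyFilePath(signingPriKeyFilePath)
+        
+        # CA certificate(s) for verification of X.509 certificate used with
+        # signature.
+        if caCertDirPath:
+            self.caCertDirPath = caCertDirPath
+            
+        elif caCertFilePathList:
+            self.caCertFilePathList = caCertFilePathList
         
 
@@ -382,5 +396,94 @@
                       doc="File path for private key used to sign message")
 
-
+    def __caCertIsSet(self):
+        '''Check for CA certificate set (X.509 Stack has been created)'''
+        return hasattr(self, '_caX509Stack')
+    
+    caCertIsSet = property(fget=__caCertIsSet,
+           doc='Check for CA certificate set (X.509 Stack has been created)')
+    
+    #_________________________________________________________________________
+    def __appendCAX509Stack(self, caCertList):
+        '''Store CA certificates in an X.509 Stack'''
+        
+        if not self.caCertIsSet:
+            self._caX509Stack = X509.X509_Stack()
+            
+        for cert in caCertList:
+            self._caX509Stack.push(cert)
+
+
+    #_________________________________________________________________________
+    def __setCAX509StackFromDir(self, caCertDir):
+        '''Read CA certificates from directory and add them to the X.509
+        stack'''
+        
+        # Mimic OpenSSL -CApath option which expects directory of CA files
+        # of form <Hash cert subject name>.0
+        reg = re.compile('\d+\.0')
+        try:
+            caCertList = [X509.load_cert(caFile) \
+                          for caFile in os.listdir(caCertDir) \
+                          if reg.match(caFile)]
+        except Exception, e:
+            raise WSSecurityError, \
+                'Loading CA certificate "%s" from CA directory: %s' % \
+                                                        (caFile, str(e))
+                    
+        # Add to stack
+        self.__appendCAX509Stack(caCertList)
+        
+    caCertDirPath = property(fset=__setCAX509StackFromDir,
+                      doc="Dir. containing CA cert.s used for verification")
+
+
+    #_________________________________________________________________________
+    def __setCAX509StackFromCertFileList(self, caCertFilePathList):
+        '''Read CA certificates from file and add them to the X.509
+        stack
+        
+        @type caCertFilePathList: string
+        @param caCertFilePathList: list of file paths for CA certificates to
+        be used to verify certificate used to sign message'''
+        
+        if not isinstance(caCertFilePathList, list) and \
+           not isinstance(caCertFilePathList, tuple):
+            raise WSSecurityError, \
+                        'Expecting a list or tuple for "caCertFilePathList"'
+
+        # Mimic OpenSSL -CApath option which expects directory of CA files
+        # of form <Hash cert subject name>.0
+        try:
+            caCertList = [X509.load_cert(caFile) \
+                          for caFile in caCertFilePathList]
+        except Exception, e:
+            raise WSSecurityError, \
+                    'Loading CA certificate "%s" from file list: %s' % \
+                                                        (caFile, str(e))
+                    
+        # Add to stack
+        self.__appendCAX509Stack(caCertList)
+        
+    caCertFilePathList = property(fset=__setCAX509StackFromCertFileList,
+                      doc="List of CA cert. files used for verification")
+
+        
+    #_________________________________________________________________________
+    def verifyCert(self, certIn=None):
+        """Check a certificate has been issued by one of the known CA's
+        specified in X.509 stack"""
+        if certIn:
+            cert2Verify = self.__setCert(certIn)
+        else:
+            cert2Verify = self.__verifyingCert
+            
+        for cert in self._caX509Stack:
+            try:
+                assert cert2Verify.m2CryptoX509.verify(cert.get_pubkey())
+                return True
+            except:
+                return False
+                
+        
     #_________________________________________________________________________
     def sign(self, soapWriter):
@@ -742,5 +845,5 @@
             pass
         
-        #import pdb;pdb.set_trace()
+        import pdb;pdb.set_trace()
         if binSecTokNode:
             try:
@@ -785,4 +888,8 @@
             raise InvalidSignature, "Invalid signature"
         
+        # Verify certificate was issued by a known CA
+        if self.caCertIsSet:
+            self.verifyCert()
+            
         #print "Signature OK"
 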
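Review bot: The result of the CA check added to verify() is discarded — `self.verifyCert()` on new line 892 returns True or False but nothing raises on False, so a message signed with a certificate from an unknown CA still passes; it should read `if self.caCertIsSet and not self.verifyCert(): raise VerifyError, "Signing certificate was not issued by a known CA"` (verify()'s body starts and ends outside the hunk). verifyCert itself (new lines 472-485) only ever consults the first CA on the stack, because the `except: return False` inside the loop ends the search instead of moving to the next CA, an empty stack falls off the end and returns None, and the comparison is an `assert`, which `python -O` strips so that `return True` becomes unconditional; the rewrite below tries every CA and returns False only after all have failed. Two smaller points in the same section: `__setCAX509StackFromDir` passes the bare `os.listdir` entry to `X509.load_cert` rather than `os.path.join(caCertDir, caFile)`, so a CA directory only loads when it happens to be the current directory, and the `import pdb;pdb.set_trace()` uncommented at new line 847 will stop every signature verification at a debugger prompt.
```python
    def verifyCert(self, certIn=None):
        """Check a certificate has been issued by one of the known CA's
        specified in X.509 stack.  Returns True if any CA on the stack
        verifies the certificate's signature, False otherwise (including
        when the stack is empty)."""
        if certIn:
            cert2Verify = self.__setCert(certIn)
        else:
            cert2Verify = self.__verifyingCert

        # A CA that does not match must not end the search: try each in turn
        for cert in self._caX509Stack:
            try:
                if cert2Verify.m2CryptoX509.verify(cert.get_pubkey()):
                    return True
            except Exception:
                continue

        return False
```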
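--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/AttAuthority/server-config.tac
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/AttAuthority/server-config.tac
@@ -62,6 +62,6 @@
         try:
                 attCert = self.aa.getAttCert(userId=request.UserId,
-                                              holderCert=holderCert,
-                                              userAttCert=request.UserAttCert)
+                                         holderCert=holderCert,
+                                         userAttCert=request.UserAttCert)
                 response.AttCert = attCert.toString()
                 
@@ -84,5 +84,5 @@
     def soap_getTrustedHostInfo(self, ps, **kw):
         request, response = \
-                    AttAuthorityService.soap_getTrustedHostInfo(self, ps)
+                        AttAuthorityService.soap_getTrustedHostInfo(self, ps)
         
         trustedHostInfo = srv.aa.getTrustedHostInfo(role=request.Role)
@@ -122,8 +122,9 @@
     # public and private keys
     WSSecurityHandler.signatureHandler = SignatureHandler(\
-                                    verifyingCertFilePath=srv.aa['clntCertFile'],
-                                    signingCertFilePath=srv.aa['certFile'],
-                                    signingPriKeyFilePath=srv.aa['keyFile'],
-                                    signingPriKeyPwd=srv.aa['keyPwd'])
+                                verifyingCertFilePath=srv.aa['clntCertFile'],
+                                signingCertFilePath=srv.aa['certFile'],
+                                signingPriKeyFilePath=srv.aa['keyFile'],
+                                signingPriKeyPwd=srv.aa['keyPwd'],
+                                caCertFilePathList=(srv.aa['caCertFile'],))
 
 # Add Service to Attribute Authority branch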
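--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/Log.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/Log.py
@@ -14,5 +14,7 @@
 
 import logging
-from logging.handlers import *
+from logging.handlers import RotatingFileHandler, SysLogHandler
+
+from logger import Logger, LogContainer
 
 # Inherit directly from Logger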
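--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py
@@ -46,10 +46,18 @@
                 sys.exit(0)
 
+        # List of CA certificates for use in validation of certs used in
+        # signature for server reponse
+        try:
+            caCertFilePathList=self.cfg['setUp']['cacertfilepathlist'].split()
+        except:
+            caCertFilePathList = []
+            
         # Instantiate WS proxy
         self.clnt = AttAuthorityClient(uri=self.cfg['setUp']['uri'],
-               signingCertFilePath=self.cfg['setUp'].get('usercertfilepath'),
-               signingPriKeyFilePath=self.cfg['setUp'].get('userprikeyfilepath'),
-               signingPriKeyPwd=self.userPriKeyPwd,
-               tracefile=sys.stderr)
+           signingCertFilePath=self.cfg['setUp'].get('usercertfilepath'),
+           signingPriKeyFilePath=self.cfg['setUp'].get('userprikeyfilepath'),
+           signingPriKeyPwd=self.userPriKeyPwd,
+           caCertFilePathList=caCertFilePathList,
+           tracefile=sys.stderr)
             
     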
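Review bot: The bare `except:` on new line 52 turns any failure to read `cacertfilepathlist` — a misspelt key, a missing `[setUp]` section, a non-string value — into an empty CA list, so the test silently runs with CA validation disabled instead of failing; narrow it to `except KeyError:` so that only a genuinely absent option falls back to `[]`. The enclosing setUp method starts before the hunk. A style point: `caCertFilePathList=self.cfg[...]` on line 51 wants spaces around `=` like the assignment on line 53.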
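--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg
@@ -23,6 +23,15 @@
 # from tty
 userprikeypwd = 
-usercertfilepath = ./proxy-cert.pem
-userprikeyfilepath = ./proxy-key.pem
+#usercertfilepath = ./proxy-cert.pem
+#userprikeyfilepath = ./proxy-key.pem
+# Test with CA cert validation - proxy certs currently work with this as
+# the user cert as well as proxy is needed to complete the chain of trust
+# with the CA
+usercertfilepath = ./aa-cert.pem
+userprikeyfilepath = ./aa-key.pem
+
+# Space separated list of CA certificate files used to verify certificate used
+# in message signature
+cacertfilepathlist = ./cacert.pem
 
 [test3GetTrustedHostInfo]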
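--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/Log/LogTest.py
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/Log/LogTest.py
@@ -19,7 +19,11 @@
     def setUp(self):
         import pdb;pdb.set_trace()
-        self.log = Log(logFilePath="./ndg.log",
+        self.log = Log(logName='LogUnitTest',
+                       logFilePath="./ndg.log",
                        console=True,
                        sysLog=True)
+        
+        # Force rotating file handler to produce multiple files
+        self.log.__class__.maxBytes = 10
 
     def test(self):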
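Review bot: `self.log.__class__.maxBytes = 10` on new line 27 mutates a class attribute of Log rather than this instance, so the 10-byte rotation limit persists for every Log created afterwards in the same process, including other test cases, and nothing restores it in a tearDown. If maxBytes is consulted when the rotating handler is constructed, the assignment also comes after Log() has already been built on lines 21-24 and would not affect this instance at all — worth confirming against Log's constructor, which is outside this hunk. Setting the value before constructing Log and restoring the original in tearDown, or passing it as a constructor argument if Log accepts one, keeps the test self-contained. setUp's enclosing class starts before the hunk.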