Changeset 2437


Timestamp:
30/04/07 10:01:04 (12 years ago)
Author:
pjkersha
Message:

ndg.security.server/ndg/security/server/SessionMgr/server-config.tac:

  • soap_disconnect: added call to SessionMgr.disconnect, added logic for retrieving ID from cert.

used with WS-Security signature.

  • add code to check for useSignatureHandler config param. If this flag is set, get user ID from

cert in WS-Security header

ndg.security.test/ndg/security/test/SessionMgr/sessionMgrProperties.xml,
ndg.security.server/ndg/security/server/SessionMgr/init.py: added "useSignatureHandler" parameter
to properties file elements.

www/html/sessionMgr.wsdl,
ndg.security.server/ndg/security/server/SessionMgr/SessionMgr_services_server.py,
ndg.security.common/ndg/security/common/SessionMgr/SessionMgr_services.py,
ndg.security.common/ndg/security/common/SessionMgr/SessionMgr_services_types.py: removed userCert
argument. - This is not needed as cert chain can be passed in by setting #X509PKIPathv1 for
BinarySecurityToken?.

ndg.security.client/ndg/security/client/ndgSessionClient.py: started on updates from alpha version -
--req-autho flag is now --req-attr

ndg.security.test/ndg/security/test/AttCert/attCertTest.cfg,
ndg.security.test/ndg/security/test/AttCert/attCertTest.cfg: added more tests for signature
verification tests.

ndg.security.test/ndg/security/test/SessionMgr/SessionMgrClientTest.py: removed userCert arg from
disconnect call. It's passed in the signature in the WS-Security header.

ndg.security.common/ndg/security/common/XMLSec.py: fixed bug in applyEnvelopedSignature - removed
incorrect strip call from digest calc:

calcSignedInfoDigestValue = sha(signedInfoC14n).digest()#.strip()


ndg.security.common/ndg/security/common/SessionMgr/init.py: Session Manager client code -
remove refs to "userCert" for disconnect and connect calls. It's passed in the WS-Security header
instead.

ndg.security.common/ndg/security/common/wsSecurity.py: comment - query whitespace strip in
extraction of calculated signature value from message "b64EncSignatureValue".

Location:
TI12-security/trunk/python
Files:
15 edited

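--- a/TI12-security/trunk/python/Tests/attCertTest.py
+++ b/TI12-security/trunk/python/Tests/attCertTest.py
@@ -19,30 +19,25 @@
 
     def testAttCert2Sign(self):
+        certFilePathList = [ "./Junk-cert.pem",
+                             "/usr/local/NDG/conf/certs/cacert.pem"]
+
+        signingPriKeyFilePath = "./Junk-key.pem"
+        priKeyPwd = open("./tmp2").read().strip()
 
-        try:
-            certFilePathList = [ "./Junk-cert.pem",
-                                 "/usr/local/NDG/conf/certs/cacert.pem"]
-
-            signingPriKeyFilePath = "./Junk-key.pem"
-            priKeyPwd = open("./tmp2").read().strip()
-
-            import pdb
-            pdb.set_trace()
-
-            # Digitally sign certificate using Attribute Authority's
-            # certificate and private key
-            self.attCert.sign(certFilePathList=certFilePathList,
-                              signingKeyFilePath=signingPriKeyFilePath,
-                              signingKeyPwd=priKeyPwd)
-
-            # Check the certificate is valid
-            self.attCert.isValid(raiseExcep=True)
-            print "Signature is valid\n"
-
-            print "AttCert.asString()...\n"
-            print self.attCert.asString()
+        import pdb
+        pdb.set_trace()
+
+        # Digitally sign certificate using Attribute Authority's
+        # certificate and private key
+        self.attCert.sign(certFilePathList=certFilePathList,
+                          signingKeyFilePath=signingPriKeyFilePath,
+                          signingKeyPwd=priKeyPwd)
 
-        except Exception, e:
-            raise self.fail(str(e))
+        # Check the certificate is valid
+        self.attCert.isValid(raiseExcep=True)
+        print "Signature is valid\n"
+
+        print "AttCert.asString()...\n"
+        print self.attCert.asString()
 
 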
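Review bot: The `import pdb` / `pdb.set_trace()` pair kept on the new side of testAttCert2Sign (new lines 27–28) drops every run into the debugger, so the test cannot run unattended; delete both lines before merging. The same breakpoint is added in AttCertTest.py (test14IsValidSignature) and SessionMgrClientTest.py in this changeset. Separately, `priKeyPwd = open("./tmp2").read().strip()` reads the signing-key password from an unnamed scratch file and never closes the handle; closing it and naming the file in the test config would make the dependency explicit. Dropping the surrounding try/except also means failures now surface as raw exceptions instead of `self.fail`, which is fine but worth stating in the commit message.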
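--- a/TI12-security/trunk/python/ndg.security.client/ndg/security/client/ndgSessionClient.py
+++ b/TI12-security/trunk/python/ndg.security.client/ndg/security/client/ndgSessionClient.py
@@ -102,6 +102,6 @@
 
     usage = os.path.basename(sys.argv[0]) + " [--add-user=<username> ...]|"+\
-            "[--connect=<username> ...]|[--req-autho ...]|" + \
-            "[--connect=<username> ... --req-autho ...]"
+            "[--connect=<username> ...]|[--req-attr ...]|" + \
+            "[--connect=<username> ... --req-attr ...]"
 
     parser = optparse.OptionParser(usage=usage)
@@ -117,5 +117,5 @@
 
     parser.add_option("-r",
-                      "--req-autho",
+                      "--req-attr",
                       dest="attAuthorityURI",
                       help=\
@@ -195,5 +195,5 @@
                       dest="sessCookie",
                       help=\
-"""Session cookie for --req-autho/-r call.  This is returned from a previous
+"""Session cookie for --req-attr/-r call.  This is returned from a previous
 connect call (-c USERNAME/--connect=USERNAME).  Note that connect and request
 authoirsation calls can be combined.  In this case, this arg is not needed as
@@ -215,5 +215,5 @@
                       default=False,
                       help=\
-"""For use with --req-autho/-r flag.  Set to allow the Session Manager to
+"""For use with --req-attr/-r flag.  Set to allow the Session Manager to
 automatically use Attribute Certificates from the user's wallet or, if no
 suitable ones are found, to contact other trusted hosts in order to get
@@ -224,5 +224,5 @@
                       dest="reqRole",
                       help="""\
-For use with --req-autho/-r flag.  Making certifcate mapping more efficient
+For use with --req-attr/-r flag.  Making certifcate mapping more efficient
 by specifying to the Session Manager what role is needed for attribute
 certificates from trusted hosts in order to get a mapped Attribute Certificate
@@ -235,5 +235,5 @@
                       default=False,
                       help=\
-"""For use with --req-autho/-r flag.  Determines behaviour in the case where
+"""For use with --req-attr/-r flag.  Determines behaviour in the case where
 authorisation is denied by an Attribute Authority.  If set, a list of
 candidate Attribute Certificates from trusted hosts will be returned.  Any one
@@ -246,5 +246,5 @@
                       dest="extAttCertListFile",
                       help=\
-"""For use with --req-autho/-r flag.  A file of concatenated Attribute
+"""For use with --req-attr/-r flag.  A file of concatenated Attribute
 Certificates.  These are certificates from other import hosts trusted by the
 Attribute Authority.  The Session Manager tries each in turn until the
@@ -256,5 +256,5 @@
                       dest="extTrustedHostsFile",
                       help=\
-"""For use with --req-autho/-r flag.  Pass a file containing a comma
+"""For use with --req-attr/-r flag.  Pass a file containing a comma
 separarated list of hosts that are trusted by the Attribute Authority.  The
 Session Manager will contact these hosts in turn, stopping when one of them
@@ -327,9 +327,9 @@
     # Initialise session client
     try:
-        sessClnt = SessionClient(smWSDL=options.sessMgrURI,
+        sessClnt = SessionMgrClient(smWSDL=options.sessMgrURI,
                              smCertFilePath=options.smCertFilePath,
                              clntCertFilePath=options.clntCertFilePath,
                              clntPriKeyFilePath=options.clntPriKeyFilePath,
-                             traceFile=options.soapDebug)
+                             tracefile=options.soapDebug)
     except Exception, e:
         sys.stderr.write("Initialising client: %s\n" % str(e))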
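Review bot: The rename to `SessionMgrClient(` at line 329 and the keyword change to `tracefile=` depend on the import at the top of the file and on the client class's constructor signature, both outside this section; if the import still binds `SessionClient`, construction fails with a NameError that the `except Exception` below reports only as "Initialising client: ...". Confirm the import was updated in the same commit. While the `--req-autho` → `--req-attr` help text is being rewritten, the context lines still carry "authoirsation" and "certifcate", which could be corrected in the same pass.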
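--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/SessionMgr/SessionMgr_services.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/SessionMgr/SessionMgr_services.py
@@ -29,5 +29,5 @@
         # no ws-addressing
 
-    # op: <ZSI.wstools.WSDLTools.Message instance at 0xb6d0134c>
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0x406c062c>
     def addUser(self, username,passphrase):
 
@@ -43,5 +43,5 @@
         return 
 
-    # op: <ZSI.wstools.WSDLTools.Message instance at 0xb6d0164c>
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0x406c092c>
     def connect(self, username,passphrase,createServerSess,getCookie):
 
@@ -63,9 +63,8 @@
         return proxyCert,proxyPriKey,userCert,cookie
 
-    # op: <ZSI.wstools.WSDLTools.Message instance at 0xb6d0836c>
-    def disconnect(self, userCert,sessID,encrSessionMgrURI):
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0x406c762c>
+    def disconnect(self, sessID,encrSessionMgrURI):
 
         request = disconnectInputMsg()
-        request._userCert = userCert
         request._sessID = sessID
         request._encrSessionMgrURI = encrSessionMgrURI
@@ -78,5 +77,5 @@
         return 
 
-    # op: <ZSI.wstools.WSDLTools.Message instance at 0xb6d0850c>
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0x406c77cc>
     def getAttCert(self, userCert,sessID,encrSessionMgrURI,attAuthorityURI,attAuthorityCert,reqRole,mapFromTrustedHosts,rtnExtAttCertList,extAttCert,extTrustedHost):
 
@@ -103,5 +102,5 @@
         return attCert,msg,extAttCertOut
 
-    # op: <ZSI.wstools.WSDLTools.Message instance at 0xb6d0868c>
+    # op: <ZSI.wstools.WSDLTools.Message instance at 0x406c794c>
     def getX509Cert(self):
 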
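--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/SessionMgr/SessionMgr_services_types.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/SessionMgr/SessionMgr_services_types.py
@@ -109,5 +109,5 @@
         def __init__(self, **kw):
             ns = ns0.disconnect_Dec.schema
-            TClist = [ZSI.TC.String(pname="userCert", aname="_userCert", minOccurs=0, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.String(pname="sessID", aname="_sessID", minOccurs=0, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.String(pname="encrSessionMgrURI", aname="_encrSessionMgrURI", minOccurs=0, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded"))]
+            TClist = [ZSI.TC.String(pname="sessID", aname="_sessID", minOccurs=0, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded")), ZSI.TC.String(pname="encrSessionMgrURI", aname="_encrSessionMgrURI", minOccurs=0, maxOccurs=1, nillable=False, typed=False, encoded=kw.get("encoded"))]
             kw["pname"] = ("urn:ndg:security:sessionMgr","disconnect")
             kw["aname"] = "_disconnect"
@@ -119,5 +119,4 @@
                 def __init__(self):
                     # pyclass
-                    self._userCert = None
                     self._sessID = None
                     self._encrSessionMgrURI = None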
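--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/SessionMgr/__init__.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/SessionMgr/__init__.py
@@ -238,5 +238,4 @@
     #_________________________________________________________________________
     def disconnect(self,
-                   userCert=None,
                    sessCookie=None,
                    sessID=None,
@@ -244,10 +243,5 @@
         """Delete an existing user session from the Session Manager
 
-        disconnect([sessCookie=s]|[sessID=i, encrSessionMgrURI=e]|
-                   [userCert=u][key=arg, ...])
-
-        @type userCert:
-        @keyword userCert: proxy certificate - use as ID instead of a cookie
-        in the case of a command line client.
+        disconnect([sessCookie=s]|[sessID=i, encrSessionMgrURI=e])
 
         @type sessCookie: ndg.security.common.SessionCookie or string
@@ -275,12 +269,8 @@
             sessID = sessCookie.sessionID
             encrSessionMgrURI = sessCookie.encrSessionMgrURI
-
-        elif not sessID and not encrSessionMgrURI and not userCert:
-            raise SessionMgrClientError, '"sessCookie or "sessID" and ' + \
-                    '"encrSessionMgrURI or "userCert" keywords must be set'
 
         # Make connection
         try:
-            self.__srv.disconnect(userCert, sessID, encrSessionMgrURI)
+            self.__srv.disconnect(sessID, encrSessionMgrURI)
 
         except Exception, e: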
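Review bot: Removing the `elif not sessID and not encrSessionMgrURI and not userCert` guard means `disconnect()` with no arguments now goes straight to `self.__srv.disconnect(None, None)`, which only identifies a session when the WS-Security signature handler is configured on both client and server; the new docstring at line 245 lists just the cookie and sessID forms and should state the third form, e.g. `disconnect()  # no identifiers: the proxy cert in the WS-Security signature identifies the session`. Consider keeping a client-side check that raises `SessionMgrClientError` when neither identifier is set and no signing certificate is configured on the client, so a misconfigured client fails locally instead of sending an unidentified request. The rest of disconnect's body lies outside this section.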
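--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/XMLSec.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/XMLSec.py
@@ -501,5 +501,5 @@
 
         # Calculate digest of SignedInfo
-        calcSignedInfoDigestValue = sha(signedInfoC14n).digest().strip()
+        calcSignedInfoDigestValue = sha(signedInfoC14n).digest()
 
         # Read Private key to sign with
@@ -769,5 +769,5 @@
             verify = rsaPubKey.verify(calcSignedInfoDigestValue,
                                       signatureValue)
-        except RSA.RSAError:
+        except RSA.RSAError, e:
             raise VerifyError, "Error in Signature: " + str(e)
 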
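Review bot: Dropping `.strip()` from the signing-side digest at line 503 is correct — `sha(...).digest()` is raw bytes, and `strip()` would discard any leading or trailing byte that happens to be ASCII whitespace, so a fraction of signatures would be computed over a truncated digest. The verifier at line 769 consumes a `calcSignedInfoDigestValue` computed outside this section; it should be checked for the same `.strip()` so that signatures from the fixed signer verify and old ones are rejected for the right reason. The `except RSA.RSAError, e:` change fixes a NameError on `e` in the raise below; if that VerifyError text is relayed to the SOAP peer, consider keeping the message generic and logging `str(e)` server-side instead.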
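--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/wsSecurity.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/wsSecurity.py
@@ -850,4 +850,6 @@
 
         # Remove base 64 encoding
+        # This line necessary? - only decode call needed??  pyGridWare vers
+        # seems to preserve whitespace
         b64EncSignatureValue = \
                     str(signatureValueNode.childNodes[0].nodeValue).strip()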
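Review bot: The open question in the new comment at lines 852–853 can be settled by the call that consumes `b64EncSignatureValue`, which is outside this section: if it is decoded with `base64.decodestring` (binascii.a2b_base64), surrounding whitespace and line breaks are skipped by the decoder and the `.strip()` is redundant but harmless; if the string is compared, hashed or re-serialised anywhere, the strip changes the value and should stay. Replace the question with the decision once checked, e.g. `# strip() is redundant for base64 decoding; kept so the value is canonical if it is logged or compared`.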
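--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/SessionMgr_services_server.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/SessionMgr_services_server.py
@@ -54,5 +54,4 @@
         <xsd:complexType>
                   <xsd:sequence>
-                    <xsd:element maxOccurs=\"1\" minOccurs=\"0\" name=\"userCert\" type=\"xsd:string\"/>
                     <xsd:element maxOccurs=\"1\" minOccurs=\"0\" name=\"sessID\" type=\"xsd:string\"/>
                     <xsd:element maxOccurs=\"1\" minOccurs=\"0\" name=\"encrSessionMgrURI\" type=\"xsd:string\"/>
@@ -287,9 +286,9 @@
     def soap_disconnect(self, ps):
         self.request = ps.Parse(disconnectInputMsg.typecode)
-        parameters = (self.request._userCert, self.request._sessID, self.request._encrSessionMgrURI)
-
-        # If we have an implementation object use it
-        if hasattr(self,'impl'):
-            parameters = self.impl.disconnect(parameters[0],parameters[1],parameters[2])
+        parameters = (self.request._sessID, self.request._encrSessionMgrURI)
+
+        # If we have an implementation object use it
+        if hasattr(self,'impl'):
+            parameters = self.impl.disconnect(parameters[0],parameters[1])
 
         result = disconnectOutputMsg()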
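--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/__init__.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/__init__.py
@@ -308,20 +308,22 @@
     __validElem = \
     {
-        'portNum':        None,
-        'useSSL':         None,
-        'sslCertFile':    None,
-        'sslKeyFile':     None,
-        'caCertFile':     None,
-        'certFile':       None,
-        'keyFile':        None,
-        'keyPwd':         None,
-        'clntCertFile':   None,
-        'sessMgrEncrKey': None,
-        'sessMgrURI':     None,
-        'cookieDomain':   None,
-        'myProxyProp':    None,
-        'credReposProp':  ('modFilePath', 'modName', 'className', 'propFile'),
-        'simpleCACltProp':('uri', 'xmlSigKeyFile', 'xmlSigCertFile',
-                           'xmlSigCertPwd')
+        'portNum':                None,
+        'useSSL':                 None,
+        'sslCertFile':            None,
+        'sslKeyFile':             None,
+        'useSignatureHandler':    None,
+        'caCertFile':             None,
+        'certFile':               None,
+        'keyFile':                None,
+        'keyPwd':                 None,
+        'clntCertFile':           None,
+        'sessMgrEncrKey':         None,
+        'sessMgrURI':             None,
+        'cookieDomain':           None,
+        'myProxyProp':            None,
+        'credReposProp':          ('modFilePath', 'modName', 'className',
+                                   'propFile'),
+        'simpleCACltProp':        ('uri', 'xmlSigKeyFile', 'xmlSigCertFile',
+                                   'xmlSigCertPwd')
     }
 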
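Review bot: `'useSignatureHandler': None` at line 314 declares the element but nothing visible here coerces its value, and server-config.tac tests it with `if srv.sm['useSignatureHandler']:`, so any non-empty string — including "No" or "False" — enables signature verification and only the empty element suggested by the comment in sessionMgrProperties.xml disables it. Because this flag decides whether a disconnect request is authenticated by its WS-Security signature, a misspelt value silently selecting a mode is a real risk. Document the accepted values beside the entry, e.g. `'useSignatureHandler':    None,  # non-empty string enables WS-Security signature verification; empty/absent disables`, or normalise the value to a bool where the properties file is read (outside this section) and reject anything else.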
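--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/server-config.tac
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/server-config.tac
@@ -83,6 +83,22 @@
         @rtype: tuple
         @return: request and response objects'''
-
+        
         request, response = SessionMgrService.soap_disconnect(self, ps)
+
+        # Derive designated user ID differently according to whether
+        # a session ID was passed and the message was signed
+        if request.SessID:
+                sessID = request.SessID
+        else:
+                sessID = None
+
+        if srv.sm['useSignatureHandler']:
+            # Get certificate corresponding to private key that signed the
+            # message - i.e. the user's proxy
+            userCert = WSSecurityHandler.signatureHandler.verifyingCert
+        else:
+            userCert = None
+
+        self.sm.disconnect(sessID=sessID, proxyCert=userCert)
         return request, response
 
@@ -100,6 +116,11 @@
 
         # Get certificate corresponding to private key that signed the
-        # message - i.e. the user's
-        userCert = WSSecurityHandler.signatureHandler.verifyingCert
+        # message - i.e. the user's
+        if srv.sm['useSignatureHandler']:
+            # Get certificate corresponding to private key that signed the
+            # message - i.e. the user's proxy
+            userCert = WSSecurityHandler.signatureHandler.verifyingCert
+        else:
+            userCert = None
 
                 # Cert used in signature is prefered over userCert input element -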
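Review bot: `request.SessID` at new lines 90–91 does not match the attribute the generated stub reads (`self.request._sessID` in SessionMgr_services_server.py); unless the parsed pyclass defines a `SessID` property, this raises AttributeError on every disconnect, so the name should be checked before merging. When `useSignatureHandler` is off and no session ID was sent, both `sessID` and `userCert` are None and `self.sm.disconnect(sessID=None, proxyCert=None)` is still called; reject that case explicitly rather than passing an unidentified request down, e.g. `if sessID is None and userCert is None: raise Exception("disconnect: no session ID and no signing certificate to identify the session")` using the module's own error class. The override also mixes `srv.sm[...]` with `self.sm` two lines later; use one reference so the configuration read and the disconnect act on the same Session Manager instance. Both enclosing methods continue outside this section.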
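--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttCert/AttCertTest.py
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttCert/AttCertTest.py
@@ -202,5 +202,5 @@
 
     def test12IsValid(self):
-        '''test5Verify: check signature of XML document'''
+        '''test12IsValid: check signature of XML document'''
         self.test11Read()
         self.attCert.certFilePathList=self.cfg['test12IsValid']['certfile']
@@ -208,4 +208,60 @@
 
 
+    def test13IsValidStressTest(self):
+        '''test13IsValidStressTest: check signature of XML document'''
+        self.test2SetProvenance()
+        self.test5SetDefaultValidityTime()
+        self.test6aSet()
+
+        self.attCert.certFilePathList = \
+                            self.cfg['test13IsValidStressTest']['certfile']
+        self.attCert.signingKeyFilePath = \
+                            self.cfg['test13IsValidStressTest']['keyfile']
+
+        try:
+            self.attCert.signingKeyPwd = \
+                        self.cfg['test13IsValidStressTest'].get('keypwd') or \
+                        getpass.getpass(\
+                    prompt="\ntest13IsValidStressTest private key password: ")
+        except KeyboardInterrupt:
+            self.fail("test13IsValidStressTest: Aborting test")
+            return
+
+        import base64
+        for i in range(0, int(self.cfg['test13IsValidStressTest']['nruns'])):
+            # Generate a range of random role names to try to trip up the
+            # signature validation
+            roles = [base64.encodestring(os.urandom(i)).strip() \
+                     for role in range(0, i)]
+            self.attCert.addRoles(roles)
+
+            # Write AC file names by index
+            self.attCert.filePath = "%03d.xml" % i
+
+            self.attCert.applyEnvelopedSignature()
+            self.attCert.write()
+
+            self.attCert.certFilePathList = \
+                            self.cfg['test13IsValidStressTest']['certfile']
+
+            try:
+                self.attCert.isValid(raiseExcep=True)
+            except Exception, e:
+                msg = "Verification failed for %s: %s" % \
+                    (self.attCert.filePath, str(e))
+                print msg
+                open('%03d.msg' % i, 'w').write(msg)
+
+    def test14IsValidSignature(self):
+        '''test14IsValidSignature: check signature of XML document'''
+        self.attCert.filePath = self.cfg['test14IsValidSignature']['filepath']
+        self.attCert.read()
+
+        self.attCert.certFilePathList=self.cfg['test14IsValidSignature']['certfile']
+        import pdb;pdb.set_trace()
+        self.attCert.verifyEnvelopedSignature()
+
+        print 'test14IsValidSignature: \n\n%s' % self.attCert
+
 class AttCertTestSuite(unittest.TestSuite):
     def __init__(self):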
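Review bot: test13IsValidStressTest never fails: a verification error at new line 248 is caught, printed and written to a `.msg` file, so a signature that does not verify still yields a passing test. Collect the failures and report them after the loop, e.g. `failures.append(msg)` in the except branch and `self.assertFalse(failures, "\n".join(failures))` at the end, so the stress test actually guards the signature code. `import pdb;pdb.set_trace()` in test14IsValidSignature blocks unattended runs and should be removed, and since its fixture is named badSignature.xml the test should assert that `verifyEnvelopedSignature()` raises rather than merely calling it. The `open('%03d.msg' % i, 'w').write(msg)` handle is never closed, and `getpass` and `os` must be imported above this section.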
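--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttCert/attCertTest.cfg
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttCert/attCertTest.cfg
@@ -18,5 +18,5 @@
 filePath: ./ac.xml
 
-[test11Read]
+[test11Read]]]]
 filePath: ./ac.xml
 
@@ -24,4 +24,13 @@
 certFile: ./cert.pem
 
+[test13IsValidStressTest]
+certFile: ./cert.pem
+keyFile: ./key.pem
+#keyPwd:
+nruns: 100
+
+[test14IsValidSignature]
+certFile: ./cert.pem
+filePath: ./badSignature.xml
 
 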
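Review bot: `[test11Read]]]]` at line 20 introduces three stray closing brackets into the section header; ConfigParser's header pattern stops at the first `]`, so the section probably still loads as `test11Read`, but the edit looks accidental and should be reverted to `[test11Read]`. In the new sections, `#keyPwd:` being commented out means test13IsValidStressTest prompts through getpass on every run, which is worth stating in a comment beside it if that is intended.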
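--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/SessionMgr/SessionMgrClientTest.py
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/SessionMgr/SessionMgrClientTest.py
@@ -126,7 +126,6 @@
         self.clnt.signatureHandler.signingCert = self.proxyCert
         self.clnt.signatureHandler.signingCertPriKey = self.proxyPriKey
-
-        self.clnt.disconnect(userCert=self.userCert,
-                             sessCookie=str(self.sessCookie))
+        import pdb;pdb.set_trace()
+        self.clnt.disconnect(sessCookie=str(self.sessCookie))
 
         print "User disconnected from Session Manager:\n%s" % self.sessCookie
@@ -145,5 +144,7 @@
         self.clnt.signingPriKeyPwd = None
 
-        self.clnt.disconnect(userCert=self.proxyCert)
+        # Proxy cert in signature determines ID of session to
+        # delete
+        self.clnt.disconnect()
         print "User disconnected from Session Manager:\n%s" % self.proxyCert
 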
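Review bot: `import pdb;pdb.set_trace()` at new line 128 breaks into the debugger on every run of this test and should be removed before commit. The second call, `self.clnt.disconnect()` at line 148, now relies entirely on the proxy certificate carried in the WS-Security signature to select the session to delete; the test would be stronger if it then asserted the session is gone — for example that a further request using `self.sessCookie` is refused — rather than only printing. Both test methods continue outside this section.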
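--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/SessionMgr/sessionMgrProperties.xml
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/SessionMgr/sessionMgrProperties.xml
@@ -5,4 +5,5 @@
     <sslCertFile>$NDGSEC_SM_UNITTEST_DIR/sm-cert.pem</sslCertFile>
     <sslKeyFile>$NDGSEC_SM_UNITTEST_DIR/sm-key.pem</sslKeyFile>
+    <useSignatureHandler>Yes</useSignatureHandler> <!-- leave blank for no signature -->
     <caCertFile>$NDGSEC_SM_UNITTEST_DIR/cacert.pem</caCertFile>
     <certFile>$NDGSEC_SM_UNITTEST_DIR/sm-cert.pem</certFile>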
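--- a/TI12-security/trunk/python/www/html/sessionMgr.wsdl
+++ b/TI12-security/trunk/python/www/html/sessionMgr.wsdl
@@ -50,5 +50,4 @@
         <xsd:complexType>
                   <xsd:sequence>
-                    <xsd:element name="userCert" type="xsd:string" minOccurs="0" maxOccurs="1"/>
                     <xsd:element name="sessID" type="xsd:string" minOccurs="0" maxOccurs="1"/>
                     <xsd:element name="encrSessionMgrURI" type="xsd:string" minOccurs="0" maxOccurs="1"/>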