Timestamp: 24/05/07 14:13:53 (13 years ago)
Author: pjkersha
Message:

ndg.security.server/ndg/security/server/AttAuthority/server-config.tac:
fix to caCertFilePathList input to SignatureHandler. Correctly initialise
if not set.

ndg.security.server/ndg/security/server/AttAuthority/init.py:
Corrected error message text for where a user is not registered or no
mapping is available: ref. userId rather than AC holder DN to allow for the
case in DEWS where a userId distinct from a Proxy cert. DN is used.

ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py:
added test8GetMappedAttCertStressTest test for WebSphere integration tests.
It makes multiple calls with different ACs input to check for errors in
signature or verification.

ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg:
added additional config params for the above.

ndg.security.test/ndg/security/test/MyProxy/myProxyProperties.xml and
ndg.security.test/ndg/security/test/MyProxy/myProxyClientTest.cfg:
switched cert ID of test machine.

ndg.security.common/ndg/security/common/X509.py:

  • new X509Cert methods asDER and asPEM to convert to these formats.
    toString now calls to asPEM
  • new class X509Stack to wrap M2Crypto.X509.X509_Stack. This includes an
    extra method, verifyCertChain, to verify a chain of trust in the certs
    contained in the stack.
  • standalone function, X509StackParseFromDER, wraps
    M2Crypto.X509.new_stack_from_der
  • fix to X500DN class to enable correct parsing of proxy certificate DNs.
    These have multiple CN entries. These are represented by changing the CN
    dict entry to a tuple when initialised.

ndg.security.common/ndg/security/common/wsSecurity.py: changes to enable
handling of certificate chains in WSSE BinarySecurityToken elements. This
will enable use of proxy certificates with signatures as their chain of
trust is proxy cert -> user cert -> CA cert rather than just cert -> CA cert.

types.

BinarySecurityToken ValueType to use

  • SignatureHandler.init includes new signingCertChain keyword.
  • signingCertChain attribute of class enables setting of an X509Stack object
    to assign to BinarySecurityToken.

then Base 64 encode rather than converting into PEM and then having to
strip BEGIN CERT / END CERT delimiters.

to enable check of Canonicalization - REMOVE in future check in.

BinarySecurityToken ValueTypes - 'X509PKIPathv1', 'X509' and 'X509v3'
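The X500DN fix described in the message (a proxy certificate DN carries several CN entries, represented as a tuple in the parsed dict) and the proxy cert -> user cert -> CA cert chain it mentions, shown as an added example in pure Python. This is not the project's X500DN class nor its M2Crypto-backed X509Stack; the names parseDNComponents, parseDN and isProxyOf are assumptions, and the naming rule checked by isProxyOf (a proxy's subject is its issuer's subject with exactly one CN appended) comes from RFC 3820, which the commit message does not cite.

```python
# Added example (not the project's ndg.security.common.X509 code): parse an
# OpenSSL one-line DN, representing repeated attribute types (the multiple CN
# entries of a proxy certificate) as a tuple, and check the RFC 3820 rule that
# a proxy's subject is its issuer's subject with exactly one CN appended.


def parseDNComponents(dn):
    """Split '/type=value/type=value' into an ordered list of (type, value).

    Assumption: values contain no escaped '/' (the default OpenSSL one-line
    form); attribute types are normalised to upper case.
    """
    if not dn.startswith('/'):
        raise ValueError("expected DN to start with '/': %r" % (dn,))
    components = []
    for rdn in dn[1:].split('/'):
        if not rdn:
            continue  # tolerate a trailing slash
        if '=' not in rdn:
            raise ValueError("malformed RDN %r in %r" % (rdn, dn))
        attrType, value = rdn.split('=', 1)
        components.append((attrType.strip().upper(), value.strip()))
    return components


def parseDN(dn):
    """Build a dict from the DN.

    A type that occurs once maps to a plain string; a repeated type (the CN
    of '/O=NDG/CN=jbloggs/CN=proxy') maps to a tuple of its values in order,
    so ordinary end-entity DNs keep their simple form.
    """
    fields = {}
    for attrType, value in parseDNComponents(dn):
        if attrType in fields:
            current = fields[attrType]
            if not isinstance(current, tuple):
                current = (current,)
            fields[attrType] = current + (value,)
        else:
            fields[attrType] = value
    return fields


def isProxyOf(subjectDN, issuerDN):
    """True if subjectDN equals issuerDN plus exactly one trailing CN
    component (the RFC 3820 proxy naming rule); all other components must
    match in order, so '/OU=Other' or an extra non-CN component fails."""
    subject = parseDNComponents(subjectDN)
    issuer = parseDNComponents(issuerDN)
    if len(subject) != len(issuer) + 1:
        return False
    if subject[:-1] != issuer:
        return False
    return subject[-1][0] == 'CN'


if __name__ == '__main__':
    # Constructed sample DNs: a user certificate and a proxy issued from it.
    userDN = '/O=NDG/OU=BADC/CN=jbloggs'
    proxyDN = userDN + '/CN=proxy'
    print(parseDN(userDN))
    print(parseDN(proxyDN))
    print(isProxyOf(proxyDN, userDN))
```

Walking each link of a proxy chain through isProxyOf (proxy subject against user subject, then user subject against the CA's issuance) is the naming half of a chain check; the signature half still needs the X509Stack-style verification the message describes.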

Location: TI12-security/trunk/python
Files: 5 edited
  • TI12-security/trunk/python

    • Property svn:ignore
      •  

        old new  
        22dist 
        33ndg_security.egg-info 
         4.metadata 
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py

    r2420 r2510  
    205205                    self.cfg['test7GetMappedAttCert']['mappedattcertfilepath'] 
    206206        attCert.write() 
    207   
    208   
     207         
     208         
     209    def test8GetMappedAttCertStressTest(self):         
     210        """test8GetMappedAttCertStressTest: Request mapped attribute certificate from  
     211        NDG Attribute Authority Web Service.""" 
     212     
     213        # Read user Certificate into a string ready for passing via WS 
     214        try: 
     215            userCertFilePath = \ 
     216    self.cfg['test8GetMappedAttCertStressTest'].get('issuingusercertfilepath') 
     217            userCertTxt = open(userCertFilePath, 'r').read() 
     218         
     219        except TypeError: 
     220            # No issuing cert set 
     221            userCertTxt = None 
     222                 
     223        except IOError, ioErr: 
     224            raise "Error reading certificate file \"%s\": %s" % \ 
     225                                    (ioErr.filename, ioErr.strerror) 
     226 
     227        try: 
     228            if self.cfg['test8GetMappedAttCertStressTest'].get('userprikeypwd') is None: 
     229                userPriKeyPwd = getpass.getpass(\ 
     230                            prompt="\nsetUp - client private key password: ") 
     231            else: 
     232                userPriKeyPwd = \ 
     233            self.cfg['test8GetMappedAttCertStressTest'].get('userprikeypwd') 
     234        except KeyboardInterrupt: 
     235            sys.exit(0) 
     236 
     237        # List of CA certificates for use in validation of certs used in 
     238        # signature for server reponse 
     239        try: 
     240            caCertFilePathList=self.cfg['setUp']['cacertfilepathlist'].split() 
     241        except: 
     242            caCertFilePathList = [] 
     243        
     244        # Make client to site B Attribute Authority 
     245        clnt = AttAuthorityClient(\ 
     246uri=self.cfg['test8GetMappedAttCertStressTest']['uri'],  
     247signingCertFilePath=self.cfg['test8GetMappedAttCertStressTest'].get('usercertfilepath'), 
     248signingPriKeyFilePath=self.cfg['test8GetMappedAttCertStressTest'].get('userprikeyfilepath'), 
     249signingPriKeyPwd=userPriKeyPwd, 
     250caCertFilePathList=caCertFilePathList, 
     251tracefile=sys.stderr) 
     252 
     253        acFilePathList = \ 
     254self.cfg['test8GetMappedAttCertStressTest']['userattcertfilepathlist'].split() 
     255 
     256        for acFilePath in acFilePathList: 
     257            try: 
     258                userAttCert = AttCertRead(acFilePath) 
     259                 
     260            except IOError, ioErr: 
     261                raise "Error reading attribute certificate file \"%s\": %s" %\ 
     262                                        (ioErr.filename, ioErr.strerror) 
     263         
     264            # Make attribute certificate request 
     265            try: 
     266                attCert = clnt.getAttCert(userCert=userCertTxt, 
     267                                          userAttCert=userAttCert) 
     268            except Exception, e: 
     269                msgFile = open(outFilePfx+".msg", 'w') 
     270                msgFile.write('Failed for "%s": %s\n' % (acFilePath, e)) 
     271              
    209272#_____________________________________________________________________________        
    210273class AttAuthorityClientTestSuite(unittest.TestSuite): 
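Review bot: `outFilePfx` in the `except Exception, e:` branch of `test8GetMappedAttCertStressTest` is never defined, so the first failed `getAttCert` call raises a NameError from inside the handler and hides the real exception; define the prefix (for instance from the test's cfg section) or report via `sys.stderr`/`self.fail`. The handler also never closes `msgFile` and, more importantly, never fails the test: the cfg points this test at `badSignature*.xml` attribute certificates, so a verification error is the expected result and wrapping `clnt.getAttCert` in `assertRaises` would turn the loop into a real check. While here, the bare `except:` around `cacertfilepathlist` swallows every error including typos in the cfg key, and `raise "Error reading ..."` string exceptions are deprecated as of Python 2.5; raising an exception class with the formatted message keeps the same text.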
     
    219282                    "test6GetAttCertWithUserIdSet", 
    220283                    "test7GetMappedAttCert", 
     284                    "test8GetMappedAttCertStressTest", 
    221285                  )) 
    222286        unittest.TestSuite.__init__(self, map) 
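Review bot: once `test8GetMappedAttCertStressTest` is in the ordered suite, an unattended run of the whole suite depends on the `userprikeypwd` key existing in the `[test8GetMappedAttCertStressTest]` cfg section; if the key is absent the test drops into `getpass.getpass` and blocks waiting for a password, which is a problem for the WebSphere integration runs this test is meant for. Either document the requirement next to the cfg key or fail fast with a clear message when it is missing.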
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg

    r2420 r2510  
    1010# ! SiteBMapConfig.xml trusted site A aaURI setting must agree with this  
    1111# setting for test6GetMappedAttCert 
    12 uri = http://localhost:5000/AttributeAuthority 
     12#uri = http://localhost:5000/AttributeAuthority 
    1313#uri = https://localhost:5000/AttributeAuthority 
    1414#uri = http://glue.badc.rl.ac.uk/DEWS/MarineDataServer/AttributeAuthority 
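Review bot: no active `uri =` value remains in this section after line 12 is commented out, only three commented alternatives, so any test reading `uri` from here gets a KeyError (or None) unless it is set elsewhere; keep one value uncommented or state which is the default. The comment on line 11 still refers to `test6GetMappedAttCert`, but the suite registers the mapped-AC test as `test7GetMappedAttCert` (test6 is `test6GetAttCertWithUserIdSet`).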
     
    5353 
    5454[test6GetAttCertWithUserIdSet] 
    55 userId = dewsPortalUser 
     55userId = system 
    5656issuingusercertfilepath = ./aa-cert.pem 
    5757 
     
    7676mappedAttCertFilePath = ./mapped-ac.xml 
    7777 
     78[test8GetMappedAttCertStressTest] 
     79# Comment out to set for no signature handling 
     80userprikeypwd =  
     81usercertfilepath = ./aa-cert.pem 
     82userprikeyfilepath = ./aa-key.pem 
    7883 
     84# Space separated list of CA certificate files used to verify certificate used 
     85# in message signature 
     86cacertfilepathlist = ./cacert.pem 
     87 
     88uri = http://localhost:5000/AttributeAuthority 
     89userAttCertFilePathList = ../AttCert/badSignature2.xml ../AttCert/badSignature.xml ../AttCert/badSignature3.xml 
     90 
     91 
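Review bot: `cacertfilepathlist` in this new section is never read: the stress test takes it from `self.cfg['setUp']['cacertfilepathlist']`, so the key here is dead and, if `[setUp]` lacks it, the CA list silently falls back to `[]` and the server's signature goes unverified; move the key to `[setUp]` or make the test read its own section. The `# Comment out to set for no signature handling` comment is misleading as written: removing `userprikeypwd` sends the test into `getpass.getpass`, while it is `usercertfilepath`/`userprikeyfilepath` that the test passes to `AttAuthorityClient` as the signing cert and key. The three `badSignature*.xml` ACs also make a failed call the expected outcome, which the test body currently logs rather than asserts.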
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/MyProxy/myProxyClientTest.cfg

    r2420 r2510  
    1111 
    1212[test1Store] 
    13 #username: sstljakTestUser 
    14 username: gabriel 
     13username: raphaelTest 
     14#username: gabriel 
    1515passphrase: 
    16 certFile: ./userCert.pem 
    17 keyFile: ./userKey.pem 
    18 ownerCertFile: ./userCert.pem 
    19 ownerKeyFile: ./userKey.pem 
     16certFile: ./user-cert.pem 
     17keyFile: ./user-key.pem 
     18ownerCertFile: ./user-cert.pem 
     19ownerKeyFile: ./user-key.pem 
    2020ownerPassphrase: 
    2121 
    2222[test2GetDelegation] 
    23 #username: sstljakTestUser 
    24 username: gabriel 
     23username: raphaelTest 
     24#username: gabriel 
    2525passphrase: 
    2626 
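Review bot: the `[test1Store]` fixtures are renamed from `userCert.pem`/`userKey.pem` to `user-cert.pem`/`user-key.pem`, but no files are added in this changeset (Files: 5 edited), so confirm the renamed files exist next to the cfg; otherwise the stress of a missing fixture shows up as an IOError at test time. The empty `passphrase:` and `ownerPassphrase:` values mean both sections expect unencrypted private keys, which is fine for throwaway test material but worth a comment so a real key is never dropped in here.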
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/MyProxy/myProxyProperties.xml

    r2420 r2510  
    1515        CN is usually set to "host/<fqdn>".  Delete this element and set from  
    1616        MYPROXY_SERVER_DN environment variable if prefered 
    17         <serverDN>/O=NDG/OU=sstljak/CN=host/sstljak</serverDN> 
     17        <serverDN>/O=NDG/OU=Raphael/CN=raphael</serverDN> 
    1818        --> 
    1919        <!-- 
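Review bot: the edited `<serverDN>` sits inside the XML comment closed by the `-->` on line 18, so the new value `/O=NDG/OU=Raphael/CN=raphael` is inert and the server DN still comes from the `MYPROXY_SERVER_DN` environment variable; if the intent is to point the tests at the new test machine, the element has to move outside the comment. The new CN also does not follow the `host/<fqdn>` form the comment on line 15 describes as usual, which matters wherever the client compares the DN presented by the server against this value.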