Timestamp:
24/05/07 14:13:53 (13 years ago)
Author:
pjkersha
Message:

ndg.security.server/ndg/security/server/AttAuthority/server-config.tac:
fix to caCertFilePathList input to SignatureHandler. Correctly initialise
if not set.

ndg.security.server/ndg/security/server/AttAuthority/init.py:
Corrected error message text for where a user is not registered or no
mapping is available: ref. userId rather than AC holder DN to allow for the
case in DEWS where a userId distinct from a Proxy cert. DN is used.

ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py:
added test8GetMappedAttCertStressTest test for WebSphere integration tests.
It makes multiple calls with different ACs input to check for errors in
signature or verification.

ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg:
added additional config params for the above.

ndg.security.test/ndg/security/test/MyProxy/myProxyProperties.xml and
ndg.security.test/ndg/security/test/MyProxy/myProxyClientTest.cfg:
switched cert ID of test machine.

ndg.security.common/ndg/security/common/X509.py:

  • new X509Cert methods asDER and asPEM to convert to these formats.
    toString now calls to asPEM
  • new class X509Stack to wrap M2Crypto.X509.X509_Stack. This includes an
    extra method, verifyCertChain, to verify a chain of trust in the certs
    contained in the stack.
  • standalone function, X509StackParseFromDER, wraps
    M2Crypto.X509.new_stack_from_der
  • fix to X500DN class to enable correct parsing of proxy certificate DNs.
    These have multiple CN entries. These are represented by changing the CN
    dict entry to a tuple when initialised.

ndg.security.common/ndg/security/common/wsSecurity.py: changes to enable
handling of certificate chains in WSSE BinarySecurityToken elements. This
will enable use of proxy certificates with signatures as their chain of
trust is proxy cert -> user cert -> CA cert rather than just cert -> CA cert.

types.

BinarySecurityToken ValueType to use

  • SignatureHandler.init includes new signingCertChain keyword.
  • signingCertChain attribute of class enables setting of an X509Stack object
    to assign to BinarySecurityToken.

then Base 64 encode rather than converting into PEM and then having to
strip BEGIN CERT / END CERT delimiters.

to enable check of Canonicalization - REMOVE in future check in.

BinarySecurityToken ValueTypes - 'X509PKIPathv1', 'X509' and 'X509v3'
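The X500DN fix above concerns DNs with repeated CN components, which a plain dict parse silently collapses to the last CN. The following is an added example written for this page, not code from the TI12-security / ndg.security project: it parses an OpenSSL-style (or RFC 2253 comma-delimited) DN string, keeps repeated RDN types as a tuple in the order given, shows the pre-fix dict behaviour beside it, and adds the check a verifier of proxy certificates wants, namely that a proxy subject is the issuer subject plus exactly one trailing CN (the RFC 3820 naming rule). All function names and the sample DNs are this example's own constructed assumptions.

```python
"""Parse X.500 DN strings, preserving repeated CN entries as found in
proxy-certificate subjects (example code, not the project's X500DN class)."""
import re

# Constructed sample DNs for illustration (not taken from the test data).
SAMPLE_USER_DN = "/O=NDG/OU=BADC/CN=Alice Example"
SAMPLE_PROXY_DN = "/O=NDG/OU=BADC/CN=Alice Example/CN=proxy"


def split_rdns(dn):
    """Return the DN as an ordered list of (TYPE, value) pairs, root first.

    Accepts OpenSSL's slash form ("/O=NDG/CN=alice"), which is already root
    first, and the RFC 2253 comma form ("CN=alice, O=NDG"), which is most
    specific first and is reversed here so both forms compare alike.
    A delimiter escaped with a backslash is kept as part of the value.
    """
    sep = "/" if dn.startswith("/") else ","
    parts = re.split(r"(?<!\\)" + re.escape(sep), dn)
    pairs = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed RDN %r in %r" % (part, dn))
        rdn_type, value = part.split("=", 1)
        pairs.append((rdn_type.strip().upper(),
                      value.strip().replace("\\" + sep, sep)))
    if sep == ",":
        pairs.reverse()
    return pairs


def naive_parse(dn):
    """Pre-fix behaviour: a plain dict keeps only the LAST value of a
    repeated type, so a proxy DN loses the user's CN."""
    return dict(split_rdns(dn))


def parse_dn(dn):
    """Fixed behaviour: a repeated type becomes a tuple of its values in
    order; a type that occurs once stays a plain string."""
    fields = {}
    for rdn_type, value in split_rdns(dn):
        if rdn_type in fields:
            previous = fields[rdn_type]
            if not isinstance(previous, tuple):
                previous = (previous,)
            fields[rdn_type] = previous + (value,)
        else:
            fields[rdn_type] = value
    return fields


def is_proxy_of(proxy_dn, issuer_dn):
    """True when proxy_dn is issuer_dn with exactly one extra CN appended,
    which is what a proxy certificate's subject must look like relative to
    its issuer's subject. Comparison is on the ordered RDN list, so a
    reordered or differently typed extra component is rejected."""
    proxy = split_rdns(proxy_dn)
    issuer = split_rdns(issuer_dn)
    return (len(proxy) == len(issuer) + 1
            and proxy[:-1] == issuer
            and proxy[-1][0] == "CN")


if __name__ == "__main__":
    print("naive CN:", naive_parse(SAMPLE_PROXY_DN)["CN"])
    print("fixed CN:", parse_dn(SAMPLE_PROXY_DN)["CN"])
    print("proxy of user:", is_proxy_of(SAMPLE_PROXY_DN, SAMPLE_USER_DN))
```

Because `split_rdns` normalises both delimiter styles to root-first order, the same `is_proxy_of` check works whether the DNs arrive from OpenSSL output or from an RFC 2253 string; a second-level proxy (two trailing CNs) is accepted only against the first-level proxy's DN, not against the user's.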

Location:
TI12-security/trunk/python
Files:
2 edited

  • TI12-security/trunk/python

    • Property svn:ignore
      •  

        old new  
        22dist 
        33ndg_security.egg-info 
         4.metadata 
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg

    r2420 r2510  
    1010# ! SiteBMapConfig.xml trusted site A aaURI setting must agree with this  
    1111# setting for test6GetMappedAttCert 
    12 uri = http://localhost:5000/AttributeAuthority 
     12#uri = http://localhost:5000/AttributeAuthority 
    1313#uri = https://localhost:5000/AttributeAuthority 
    1414#uri = http://glue.badc.rl.ac.uk/DEWS/MarineDataServer/AttributeAuthority 
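Review bot: after this hunk every uri line in the section is commented out, so the configuration no longer sets a uri for test6GetMappedAttCert even though the comment just above says the SiteBMapConfig.xml aaURI setting must agree with it. If the test is meant to fall back to a value set elsewhere, say so in the comment; otherwise keep one uri line active, e.g. `uri = http://localhost:5000/AttributeAuthority`, rather than leaving three commented alternatives.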
     
    5353 
    5454[test6GetAttCertWithUserIdSet] 
    55 userId = dewsPortalUser 
     55userId = system 
    5656issuingusercertfilepath = ./aa-cert.pem 
    5757 
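Review bot: `userId = system` replaces `dewsPortalUser` in [test6GetAttCertWithUserIdSet] with no comment saying which registration in the Attribute Authority's user map the test now depends on. Since the commit message notes that a userId distinct from the proxy cert DN matters for the DEWS case, keep the old value as a commented line (as the uri hunk above does) or add a one-line comment so the switch is visible to whoever runs this against a DEWS deployment.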
     
    7676mappedAttCertFilePath = ./mapped-ac.xml 
    7777 
     78[test8GetMappedAttCertStressTest] 
     79# Comment out to set for no signature handling 
     80userprikeypwd =  
     81usercertfilepath = ./aa-cert.pem 
     82userprikeyfilepath = ./aa-key.pem 
    7883 
     84# Space separated list of CA certificate files used to verify certificate used 
     85# in message signature 
     86cacertfilepathlist = ./cacert.pem 
     87 
     88uri = http://localhost:5000/AttributeAuthority 
     89userAttCertFilePathList = ../AttCert/badSignature2.xml ../AttCert/badSignature.xml ../AttCert/badSignature3.xml 
     90 
     91 
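Review bot: the new [test8GetMappedAttCertStressTest] section points usercertfilepath and userprikeyfilepath at ./aa-cert.pem and ./aa-key.pem, so the client signs with the Attribute Authority's own credentials; a stress test meant to surface signature and verification errors across different ACs should use a separate user or proxy certificate so that client and server keys differ and chain verification is actually exercised. Two smaller points: the comment "Comment out to set for no signature handling" sits above an empty `userprikeypwd =` line and does not say which of the following keys must be commented out together; and `uri = http://localhost:5000/AttributeAuthority` is hard-coded here while the same value was just commented out higher in the file, so the two sections will drift.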