Changeset 2515
- Timestamp:
- 25/05/07 16:38:23 (14 years ago)
- Location:
- TI12-security/trunk/python
- Files:
-
- 11 edited
TI12-security/trunk/python/ndg.security.client/ndg/security/client/SimpleCAClient.py
r2270 r2515 85 85 def __repr__(self): 86 86 """Return file properties dictionary as representation""" 87 return str(self.__prop)87 return repr(self.__prop) 88 88 89 89 … … 116 116 def __contains__(self, key): 117 117 return key in self.__prop 118 119 def get(self, kw): 120 return self.__prop.get(kw) 118 121 119 122 def has_key(self, key): -
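Review bot: The new `get(self, kw)` takes no default argument, so it is not a drop-in for the `dict.get` contract the other dictionary-like methods of this class emulate; the same signature is added in server/AttAuthority/__init__.py and server/SessionMgr/__init__.py in this changeset. Suggest `def get(self, kw, default=None): return self.__prop.get(kw, default)` in all three places. The switch to `repr(self.__prop)` in `__repr__` prints every property value; if that dictionary holds credential material such as key passwords, it will now surface in tracebacks and trace output, so consider masking such keys — I cannot see the property set from this hunk.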
TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py
r2420 r2515 46 46 47 47 #_________________________________________________________________________ 48 def __init__(self, uri=None, tracefile=None, **signatureHandlerKw): 48 def __init__(self, 49 uri=None, 50 tracefile=None, 51 setSignatureHandler=True, 52 **signatureHandlerKw): 49 53 """ 50 54 @type uri: string … … 65 69 # WS-Security Signature handler - set only if any of the keywords were 66 70 # set 67 if max(signatureHandlerKw.values()):71 if setSignatureHandler: 68 72 self.__signatureHandler = SignatureHandler(**signatureHandlerKw) 69 73 else: -
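Review bot: The new `setSignatureHandler` keyword is not described in the docstring lines visible in this hunk, which show only the `uri` entry; the remainder of the docstring is elided, so it may be covered there. If not, add `@type setSignatureHandler: bool` and `@keyword setSignatureHandler: set False to create the client without a WS-Security signature handler` alongside the `uri` entry. With the new default a `SignatureHandler` is built even when `signatureHandlerKw` is empty, whereas the replaced `max(signatureHandlerKw.values())` test tied it to the keywords supplied, so the docstring should state that signing is now opt-out.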
TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttCert.py
r2270 r2515 372 372 return self.__holderDN 373 373 374 holderDN = property(fget=__getHolder ,374 holderDN = property(fget=__getHolderDN, 375 375 doc="Attribute Certificate holder DN as X500DN type") 376 376 -
TI12-security/trunk/python/ndg.security.common/ndg/security/common/X509.py
r2510 r2515 70 70 71 71 72 73 74 72 def parse(self, certTxt): 75 73 """Read a certificate input as a string""" … … 149 147 """Return certificate file content as a PEM format 150 148 string""" 151 self.asPEM(**kw)149 return self.asPEM(**kw) 152 150 153 151 def asPEM(self, filePath=None): … … 323 321 @rtype: bool 324 322 """ 325 return bool(self.__m2Crypto .verify(pubKey, **kw))323 return bool(self.__m2CryptoX509.verify(pubKey, **kw)) 326 324 327 325 #_____________________________________________________________________________ … … 361 359 @type m2X509Stack: M2Crypto.X509.X509_Stack""" 362 360 363 self.__m2X509Stack = m2X509Stack 361 self.__m2X509Stack = m2X509Stack or M2Crypto.X509.X509_Stack() 364 362 365 363 def __len__(self): … … 375 373 @rtype: ndg.security.common.X509.X509Cert""" 376 374 377 return X509Cert(m2Crypto =self.__m2X509Stack.__getitem__(idx))375 return X509Cert(m2CryptoX509=self.__m2X509Stack.__getitem__(idx)) 378 376 379 377 def __iter__(self): 380 """@return: next element in stack381 @rtype: ndg.security.common.X509.X509Cert"""382 return X509Cert(m2Crypto=self.__m2X509Stack.__iter__())378 """@return: stack iterator 379 @rtype: listiterator""" 380 return iter([X509Cert(m2CryptoX509=i) for i in self.__m2X509Stack]) 383 381 384 382 def push(self, x509Cert): … … 415 413 416 414 417 def verifyCertChain(self, x509Cert2Verify=None ):415 def verifyCertChain(self, x509Cert2Verify=None, caX509Stack=None): 418 416 """Treat stack as a list of certificates in a chain of 419 417 trust. Validate the signatures through to a single root issuer. 420 418 421 @ paramx509Cert2Verify: X.509 certificate to be verified default is419 @keyword x509Cert2Verify: X.509 certificate to be verified default is 422 420 last in the stack 423 421 @type x509Cert2Verify: X509Cert 424 @return: stack in the order of issuer with root as the first element 425 @rtype: X509Stack""" 422 423 @keyword caX509Stack: X.509 stack containing CA certificates that are 424 trusted. 
425 @type X509Stack""" 426 426 427 427 if x509Cert2Verify is None: … … 431 431 # signed cert. 432 432 nValidated = 0 433 while nValidated < len(self .__m2X509Stack):433 while nValidated < len(self): 434 434 issuerDN = x509Cert2Verify.issuer 435 435 issuerX509Cert = None … … 445 445 X509CertError, 'Signature is invalid for cert. "%s"' % \ 446 446 x509Cert2Verify.dn 447 else: 448 raise X509StackError, 'No issuer cert. found for cert."%s"' %\ 449 x509Cert2Verify.dn 450 451 # Check for self signed certificate 452 if x509Cert2Verify.dn == issuerX509Cert.dn: 453 return 454 else: 447 448 # Initialise for next iteration 455 449 x509Cert2Verify = issuerX509Cert 456 450 nValidated += 1 457 451 else: 452 # All certs in the stack have been searched 453 break 454 455 # Check CA certificate stack 456 issuerX509Cert = None 457 for caCert in caX509Stack: 458 issuerDN = x509Cert2Verify.issuer 459 if caCert.dn == issuerDN: 460 issuerX509Cert = caCert 461 break 462 463 if issuerX509Cert: 464 if not x509Cert2Verify.verify(issuerX509Cert.pubKey): 465 X509CertError, 'Signature is invalid for cert. "%s"'%\ 466 x509Cert2Verify.dn 467 468 # Chain is validated through to CA cert 469 return 470 else: 471 raise X509StackError, 'No issuer cert. found for cert. 
"%s"' % \ 472 x509Cert2Verify.dn 473 474 # If this point is reached then an issuing cert is missing from the 475 # chain 458 476 raise X509CertError, 'Can\'t find issuer cert "%s" for cert "%s"' % \ 459 477 (x509Cert2Verify.issuer, x509Cert2Verify.dn) … … 468 486 @return: new stack object 469 487 @rtype: X509Stack""" 470 return X509Stack(m2X509Stack= new_stack_from_der(derString))488 return X509Stack(m2X509Stack=M2Crypto.X509.new_stack_from_der(derString)) 471 489 472 490 … … 542 560 543 561 if m2CryptoX509Name is not None: 544 545 562 # the argument is an x509 dn in m2crypto format 546 # self.__dat['CN'] = m2CryptoX509Name.CN547 #548 # # M2Crypto seems to default Email and L variables to None - in549 # # this case avoid making an assignment because it upsets calls to550 # # __cmp__() - None could be compared to '' conceptually the same551 # # but not equal progammatically552 # #553 # # P J Kershaw 13/06/05554 # if m2CryptoX509Name.L is not None:555 # self.__dat['L'] = m2CryptoX509Name.L556 #557 # self.__dat['O'] = m2CryptoX509Name.O558 # self.__dat['OU'] = m2CryptoX509Name.OU559 #560 # if m2CryptoX509Name.Email is not None:561 # self.__dat['EMAILADDRESS'] = m2CryptoX509Name.Email562 563 self.deserialise(m2CryptoX509Name.as_text()) 563 564 564 565 elif dn is not None: 565 566 566 # Separator can be parsed from the input DN string - only attempt 567 567 # if no explict separator was input … … 585 585 586 586 def __eq__(self, x500dn): 587 588 587 """Return true if the all the fields of the two DNs are equal""" 589 588 … … 594 593 595 594 596 def __cmp__(self, x500dn): 597 595 def __ne__(self, x500dn): 598 596 """Return true if the all the fields of the two DNs are equal""" 599 597 … … 601 599 return False 602 600 603 return cmp(self.__dat, x500dn.get())601 return self.__dat.items() != x500dn.items() 604 602 605 603 606 604 def __delitem__(self, key): 607 608 605 """Prevent keys from being deleted.""" 609 606 raise X500DNError('Keys cannot be deleted from the X500DN') 
… … 680 677 681 678 682 def get(self): 683 """Get Distinguished name as a data dictionary.""" 684 return self.__dat 679 def get(self, kw): 680 return self.__dat.get(kw) 685 681 686 682 687 683 def serialise(self, separator=None): 688 689 684 """Combine fields in Distinguished Name into a single string.""" 690 685 … … 722 717 723 718 def deserialise(self, dn, separator=None): 724 725 719 """Break up a DN string into it's constituent fields and use to 726 720 update the object's dictionary""" … … 754 748 # Strip leading and trailing space chars and convert into a 755 749 # dictionary 756 # parsedDN = dict([(keyVal[0].strip(), keyVal[1].strip()) \757 # for keyVal in items])758 750 parsedDN = {} 759 751 for (key, val) in items: … … 783 775 784 776 def parseSeparator(self, dn): 785 786 777 """Attempt to parse the separator character from a given input 787 778 DN string. If not found, return None -
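Review bot: In `verifyCertChain` the signature check against the matching CA certificate at lines 464-466 has no `raise`: `X509CertError, 'Signature is invalid for cert. "%s"' % x509Cert2Verify.dn` is evaluated as a tuple and discarded, so a certificate whose signature does not verify with the CA key falls through to the `# Chain is validated through to CA cert` return and is accepted. It should read `raise X509CertError, 'Signature is invalid for cert. "%s"' % x509Cert2Verify.dn`, matching the in-stack check at lines 445-446, whose preceding line is not in the hunk and should be confirmed as well. Separately, `caX509Stack` defaults to `None` and is iterated unconditionally at line 457, which produces a bare `TypeError` rather than a meaningful error; a guard such as `if caX509Stack is None: raise X509StackError, 'No CA certificate stack set for chain verification'` before the loop keeps the failure explicit. The method body spans the hunk boundary (lines 427-431 are elided).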
TI12-security/trunk/python/ndg.security.common/ndg/security/common/wsSecurity.py
r2510 r2515 48 48 49 49 50 from ndg.security.common.X509 import X509Cert, X509CertParse, X509CertRead 50 from ndg.security.common.X509 import X509Cert, X509CertParse, X509CertRead, \ 51 X509Stack, X509StackParseFromDER 51 52 52 53 … … 118 119 #_________________________________________________________________________ 119 120 def __init__(self, 121 reqBinSecTokValType="X509v3", 120 122 verifyingCert=None, 121 123 verifyingCertFilePath=None, … … 211 213 @type signedInfoC14nKw: dict 212 214 ''' 215 216 self.__setReqBinSecTokValType(reqBinSecTokValType) 217 213 218 # Set keywords for canonicalization of SignedInfo and reference 214 219 # elements … … 225 230 if signingCertChain: 226 231 self.__setSigningCertChain(signingCertChain) 227 232 else: 233 self.__signingCertChain = None 234 228 235 # MUST be set before __setSigningPriKeyFilePath / __setSigningPriKey 229 236 # are called … … 251 258 @type value: string 252 259 @param value: name space for BinarySecurityToken ValueType check 253 'binSec ValueType' class variable for supported types. Input can be254 shortened to binSec ValueType keyword if desired.260 'binSecTokValType' class variable for supported types. Input can be 261 shortened to binSecTokValType keyword if desired. 
255 262 """ 256 263 257 if value in self.__class__.binSec ValueType:258 self.__reqBinSecTokValType = self.__class__.binSec ValueType[value]264 if value in self.__class__.binSecTokValType: 265 self.__reqBinSecTokValType = self.__class__.binSecTokValType[value] 259 266 260 elif value in self.__class__.binSec ValueType.values():267 elif value in self.__class__.binSecTokValType.values(): 261 268 self.__reqBinSecTokValType = value 262 269 else: … … 449 456 chain of trust to certificate used to verify a signature 450 457 451 @type signingCertChain: list or tuple 452 @param signingCertChain: list of file paths for CA certificates to 453 be used to verify certificate used to sign message''' 458 @type signingCertChain: list or tuple of M2Crypto.X509.X509Cert or 459 ndg.security.common.X509.X509Cert types. 460 @param signingCertChain: list of certificate objects making up the 461 chain of trust. The last certificate is the one associated with the 462 private key used to sign the message.''' 454 463 455 464 if not isinstance(signingCertChain, list) and \ … … 458 467 'Expecting a list or tuple for "signingCertChain"' 459 468 460 self.__signingCertChain = X509 .X509_Stack()469 self.__signingCertChain = X509Stack() 461 470 462 471 for cert in signingCertChain: 463 self.__signingCertChain.push( self.__setCert(cert).m2CryptoX509)472 self.__signingCertChain.push(cert) 464 473 465 474 signingCertChain = property(fset=__setSigningCertChain, … … 534 543 def __caCertIsSet(self): 535 544 '''Check for CA certificate set (X.509 Stack has been created)''' 536 return hasattr(self, '_ caX509Stack')545 return hasattr(self, '_SignatureHandler__caX509Stack') 537 546 538 547 caCertIsSet = property(fget=__caCertIsSet, … … 547 556 548 557 if not self.caCertIsSet: 549 self._ caX509Stack = X509.X509_Stack()558 self.__caX509Stack = X509Stack() 550 559 551 560 for cert in caCertList: 552 self._ caX509Stack.push(cert)561 self.__caX509Stack.push(cert) 553 562 554 563 … … 565 574 reg = 
re.compile('\d+\.0') 566 575 try: 567 caCertList = [X509 .load_cert(caFile) \576 caCertList = [X509CertRead(caFile) \ 568 577 for caFile in os.listdir(caCertDir) \ 569 578 if reg.match(caFile)] … … 597 606 # of form <Hash cert subject name>.0 598 607 try: 599 caCertList = [X509 .load_cert(caFile) \608 caCertList = [X509CertRead(caFile) \ 600 609 for caFile in caCertFilePathList] 601 610 except Exception, e: … … 609 618 caCertFilePathList = property(fset=__setCAX509StackFromCertFileList, 610 619 doc="List of CA cert. files used for verification") 611 612 613 #_________________________________________________________________________614 def verifyCertChain(self, certIn=None, raiseExcep=True):615 """Check a certificate has been issued by one of the known CA's616 specified in X.509 stack617 618 @type: ndg.security.common.X509.X509Cert / M2Crypto.X509.X509 /619 string or None620 @keyword certIn: X.509 certificate.621 622 @type raiseExcep: bool623 @keyword raiseExcep: set to True (default) to raise an exception if624 the input certificate is invalid625 626 @rtype bool627 @return True if certificate was issued by a known CA"""628 629 if certIn:630 cert2Verify = self.__setCert(certIn)631 else:632 cert2Verify = self.__verifyingCert633 634 for cert in self._caX509Stack:635 try:636 assert cert2Verify.m2CryptoX509.verify(cert.get_pubkey())637 return True638 except:639 pass640 641 # No CA certs in the stack matched642 if raiseExcep:643 raise InvalidCertChain, \644 'Input certificate "%s" was not issued by a known CA' % cert2Verify.dn645 else:646 return False647 620 648 621 … … 666 639 # Add X.509 cert as binary security token 667 640 if self.__reqBinSecTokValType==self.binSecTokValType['X509PKIPathv1']: 668 binSecTokVal=base64.encodestring(self.__signingCertChain.as _der())641 binSecTokVal=base64.encodestring(self.__signingCertChain.asDER()) 669 642 else: 670 643 # Assume X.509 / X.509 vers 3 … … 1013 986 pass 1014 987 1015 import pdb;pdb.set_trace()988 #import 
pdb;pdb.set_trace() 1016 989 if binSecTokNode: 1017 990 try: … … 1040 1013 self.__setVerifyingCert(b64EncX509Cert) 1041 1014 1015 x509Stack = X509Stack() 1016 1042 1017 elif valueType == \ 1043 1018 self.__class__.binSecTokValType['X509PKIPathv1']: 1044 1019 1045 1020 derString = base64.decodestring(x509CertTxt) 1046 x509Stack =X509.new_stack_from_der(derString)1021 x509Stack = X509StackParseFromDER(derString) 1047 1022 1048 # TODO: Check ordering - is the first off the stack the1023 # TODO: Check ordering - is the last off the stack the 1049 1024 # one to use to verify the message? 1050 m2CryptoX509Cert = x509Stack.pop() 1051 self.__verifyCert = \ 1052 X509Cert(m2CryptoX509=m2CryptoX509Cert) 1025 self.__verifyingCert = x509Stack[-1] 1053 1026 else: 1054 1027 raise WSSecurityError, "BinarySecurityToken ValueType " +\ … … 1064 1037 1065 1038 # Extract RSA public key from the cert 1066 rsaPubKey = self.__verifyingCert. m2CryptoX509.get_pubkey().get_rsa()1039 rsaPubKey = self.__verifyingCert.pubKey.get_rsa() 1067 1040 1068 1041 # Apply the signature verification … … 1075 1048 raise InvalidSignature, "Invalid signature" 1076 1049 1077 # Verify c ertificate was issued by a known CA1078 if self.caCertIsSet:1079 self.verifyCertChain()1050 # Verify chain of trust 1051 x509Stack.verifyCertChain(x509Cert2Verify=self.__verifyingCert, 1052 caX509Stack=self.__caX509Stack) 1080 1053 1081 1054 #print "Signature OK" -
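Review bot: The chain check at lines 1051-1052 reads `self.__caX509Stack` unconditionally, whereas the removed code ran only `if self.caCertIsSet`; when no CA certificates have been loaded this now fails with an `AttributeError` on the name-mangled attribute instead of a descriptive error. Failing closed is the right behaviour for signature verification, but make it explicit: `if not self.caCertIsSet: raise WSSecurityError, "No CA certificates set for verifying the signing certificate chain"` before the `verifyCertChain` call. The leftover `#import pdb;pdb.set_trace()` at line 988 should be deleted rather than commented out. The method containing these lines starts outside the hunk.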
TI12-security/trunk/python/ndg.security.server/ndg/security/server/AttAuthority/__init__.py
r2510 r2515 233 233 #_________________________________________________________________________ 234 234 # Methods for Attribute Authority dictionary like behaviour 235 def __repr__(self): 236 """Return file properties dictionary as representation""" 237 return repr(self.__prop) 238 235 239 def __delitem__(self, key): 236 240 self.__class__.__name__ + " keys cannot be removed" … … 247 251 return self.__prop[key] 248 252 249 253 def get(self, kw): 254 return self.__prop.get(kw) 255 250 256 def clear(self): 251 257 raise KeyError, "Data cannot be cleared from "+self.__class__.__name__ -
TI12-security/trunk/python/ndg.security.server/ndg/security/server/AttAuthority/server-config.tac
r2510 r2515 14 14 License, version 1.0 or later. 15 15 """ 16 import os 16 import os, base64 17 17 18 18 from ZSI.twisted.WSresource import WSResource … … 48 48 def soap_getAttCert(self, ps, **kw): 49 49 request, response = AttAuthorityService.soap_getAttCert(self, ps) 50 50 51 51 # Derive designated holder cert differently according to whether 52 52 # a signed message is expected from the client … … 106 106 107 107 def soap_getX509Cert(self, ps, **kw): 108 '''Retrieve Attribute Authority's X.509 certificate''' 108 109 request, response = AttAuthorityService.soap_getX509Cert(self, ps) 109 110 110 111 x509Cert = X509CertRead(srv.aa['certFile']) 111 response.X509Cert = x509Cert.toString()112 response.X509Cert = base64.encodestring(x509Cert.asDER()) 112 113 return request, response 113 114 -
TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/__init__.py
r2437 r2515 470 470 471 471 #_________________________________________________________________________ 472 def __repr__(self): 473 """Return file properties dictionary as representation""" 474 return repr(self.__prop) 475 472 476 def __delitem__(self, key): 473 477 "Session Manager keys cannot be removed" … … 489 493 Manager properties""" 490 494 self.setProperties(**{key: item}) 491 495 496 def get(self, kw): 497 return self.__prop.get(kw) 492 498 493 499 def clear(self): -
TI12-security/trunk/python/ndg.security.server/ndg/security/server/ca/__init__.py
r2270 r2515 184 184 #_________________________________________________________________________ 185 185 # dict derived methods ... 186 # 186 def __repr__(self): 187 """Return file properties dictionary as representation""" 188 return repr(self.__prop) 189 187 190 # Nb. read only - no __setitem__() method 188 191 def __delitem__(self, key): … … 200 203 else: 201 204 raise KeyError, "Property with key '%s' not found" % key 205 206 def get(self): 207 return self.__prop.get(kw) 202 208 203 209 def clear(self): -
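Review bot: `def get(self):` at line 206 returns `self.__prop.get(kw)` but declares no `kw` parameter, so any call raises `NameError`; the sibling additions in SimpleCAClient.py, server/AttAuthority/__init__.py and server/SessionMgr/__init__.py all take `kw`. Change it to `def get(self, kw, default=None): return self.__prop.get(kw, default)` so it also matches the `dict.get` contract the surrounding methods emulate.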
TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py
r2510 r2515 15 15 16 16 import unittest 17 import os, sys, getpass 17 import os, sys, getpass, re 18 18 from ConfigParser import SafeConfigParser 19 19 20 20 from ndg.security.common.AttAuthority import AttAuthorityClient 21 21 from ndg.security.common.AttCert import AttCertRead 22 from ndg.security.common.X509 import X509CertParse 22 23 23 24 24 25 class AttAuthorityClientTestCase(unittest.TestCase): 25 userPriKeyPwd = None 26 26 clntPriKeyPwd = None 27 pemPat = "-----BEGIN CERTIFICATE-----[^\-]*-----END CERTIFICATE-----" 28 29 def _getCertChainFromProxyCertFile(self, proxyCertFilePath): 30 '''Read proxy cert and user cert from a single PEM file and put in 31 a list ready for input into SignatureHandler''' 32 proxyCertFileTxt = open(proxyCertFilePath).read() 33 34 pemPatRE = re.compile(self.__class__.pemPat, re.S) 35 x509CertList = pemPatRE.findall(proxyCertFileTxt) 36 37 signingCertChain = [X509CertParse(x509Cert) for x509Cert in \ 38 x509CertList] 39 40 # Expecting proxy cert first - move this to the end. This will 41 # be the cert used to verify the message signature 42 signingCertChain.reverse() 43 44 return signingCertChain 45 46 27 47 def setUp(self): 28 48 … … 36 56 tracefile = sys.stderr 37 57 38 if self. userPriKeyPwd is None:58 if self.clntPriKeyPwd is None: 39 59 try: 40 if self.cfg['setUp'].get(' userprikeypwd') is None:41 self. userPriKeyPwd = getpass.getpass(\60 if self.cfg['setUp'].get('clntprikeypwd') is None: 61 self.clntPriKeyPwd = getpass.getpass(\ 42 62 prompt="\nsetUp - client private key password: ") 43 63 else: 44 self. 
userPriKeyPwd=self.cfg['setUp'].get('clntprikeypwd')64 self.clntPriKeyPwd=self.cfg['setUp'].get('clntprikeypwd') 45 65 except KeyboardInterrupt: 46 66 sys.exit(0) … … 52 72 except: 53 73 caCertFilePathList = [] 54 74 75 76 reqBinSecTokValType = self.cfg['setUp'].get('reqbinsectokvaltype') 77 78 # Check certificate types proxy or standard 79 proxyCertFilePath = self.cfg['setUp'].get('proxycertfilepath') 80 if proxyCertFilePath: 81 signingCertChain = \ 82 self._getCertChainFromProxyCertFile(proxyCertFilePath) 83 84 setSignatureHandler = eval(self.cfg['setUp']['setsignaturehandler']) 85 55 86 # Instantiate WS proxy 56 87 self.clnt = AttAuthorityClient(uri=self.cfg['setUp']['uri'], 57 signingCertFilePath=self.cfg['setUp'].get('usercertfilepath'), 58 signingPriKeyFilePath=self.cfg['setUp'].get('userprikeyfilepath'), 59 signingPriKeyPwd=self.userPriKeyPwd, 60 caCertFilePathList=caCertFilePathList, 61 tracefile=sys.stderr) 88 setSignatureHandler=setSignatureHandler, 89 reqBinSecTokValType=reqBinSecTokValType, 90 signingCertFilePath=self.cfg['setUp'].get('clntcertfilepath'), 91 signingCertChain=signingCertChain, 92 signingPriKeyFilePath=self.cfg['setUp'].get('clntprikeyfilepath'), 93 signingPriKeyPwd=self.clntPriKeyPwd, 94 caCertFilePathList=caCertFilePathList, 95 tracefile=sys.stderr) 62 96 63 97 … … 95 129 try: 96 130 userCertFilePath = \ 97 self.cfg['test5GetAttCert'].get('issuing usercertfilepath')131 self.cfg['test5GetAttCert'].get('issuingclntcertfilepath') 98 132 userCertTxt = open(userCertFilePath, 'r').read() 99 133 … … 122 156 try: 123 157 userCertFilePath = \ 124 self.cfg['test6GetAttCertWithUserIdSet'].get('issuing usercertfilepath')158 self.cfg['test6GetAttCertWithUserIdSet'].get('issuingclntcertfilepath') 125 159 userCertTxt = open(userCertFilePath, 'r').read() 126 160 … … 150 184 try: 151 185 userCertFilePath = \ 152 self.cfg['test7GetMappedAttCert'].get('issuing usercertfilepath')186 self.cfg['test7GetMappedAttCert'].get('issuingclntcertfilepath') 153 187 
userCertTxt = open(userCertFilePath, 'r').read() 154 188 … … 172 206 173 207 try: 174 if self.cfg['test7GetMappedAttCert'].get(' userprikeypwd') is None:175 userPriKeyPwd = getpass.getpass(\208 if self.cfg['test7GetMappedAttCert'].get('clntprikeypwd') is None: 209 clntPriKeyPwd = getpass.getpass(\ 176 210 prompt="\nsetUp - client private key password: ") 177 211 else: 178 userPriKeyPwd = \179 self.cfg['test7GetMappedAttCert'].get(' userprikeypwd')212 clntPriKeyPwd = \ 213 self.cfg['test7GetMappedAttCert'].get('clntprikeypwd') 180 214 except KeyboardInterrupt: 181 215 sys.exit(0) … … 184 218 # signature for server reponse 185 219 try: 186 caCertFilePathList=self.cfg['setUp']['cacertfilepathlist'].split() 220 caCertFilePathList=\ 221 self.cfg['test7GetMappedAttCert']['cacertfilepathlist'].split() 187 222 except: 188 223 caCertFilePathList = [] 189 224 225 reqBinSecTokValType = \ 226 self.cfg['test7GetMappedAttCert'].get('reqbinsectokvaltype') 227 228 # Check certificate types proxy or standard 229 proxyCertFilePath = \ 230 self.cfg['test7GetMappedAttCert'].get('proxycertfilepath') 231 if proxyCertFilePath: 232 signingCertChain = \ 233 self._getCertChainFromProxyCertFile(proxyCertFilePath) 234 235 setSignatureHandler = \ 236 eval(self.cfg['test7GetMappedAttCert']['setsignaturehandler']) 237 190 238 # Make client to site B Attribute Authority 191 239 clnt = AttAuthorityClient(\ 192 240 uri=self.cfg['test7GetMappedAttCert']['uri'], 193 signingCertFilePath=self.cfg['test7GetMappedAttCert'].get('usercertfilepath'), 194 signingPriKeyFilePath=self.cfg['test7GetMappedAttCert'].get('userprikeyfilepath'), 195 signingPriKeyPwd=userPriKeyPwd, 241 setSignatureHandler=setSignatureHandler, 242 reqBinSecTokValType=reqBinSecTokValType, 243 signingCertFilePath=self.cfg['test7GetMappedAttCert'].get('clntcertfilepath'), 244 signingCertChain=signingCertChain, 245 signingPriKeyFilePath=self.cfg['test7GetMappedAttCert'].get('clntprikeyfilepath'), 246 signingPriKeyPwd=clntPriKeyPwd, 196 247 
caCertFilePathList=caCertFilePathList, 197 248 tracefile=sys.stderr) … … 214 265 try: 215 266 userCertFilePath = \ 216 self.cfg['test8GetMappedAttCertStressTest'].get('issuing usercertfilepath')267 self.cfg['test8GetMappedAttCertStressTest'].get('issuingclntcertfilepath') 217 268 userCertTxt = open(userCertFilePath, 'r').read() 218 269 … … 226 277 227 278 try: 228 if self.cfg['test8GetMappedAttCertStressTest'].get(' userprikeypwd') is None:229 userPriKeyPwd = getpass.getpass(\279 if self.cfg['test8GetMappedAttCertStressTest'].get('clntprikeypwd') is None: 280 clntPriKeyPwd = getpass.getpass(\ 230 281 prompt="\nsetUp - client private key password: ") 231 282 else: 232 userPriKeyPwd = \233 self.cfg['test8GetMappedAttCertStressTest'].get(' userprikeypwd')283 clntPriKeyPwd = \ 284 self.cfg['test8GetMappedAttCertStressTest'].get('clntprikeypwd') 234 285 except KeyboardInterrupt: 235 286 sys.exit(0) … … 238 289 # signature for server reponse 239 290 try: 240 caCertFilePathList=self.cfg['setUp']['cacertfilepathlist'].split() 291 caCertFilePathList=\ 292 self.cfg['test8GetMappedAttCertStressTest']['cacertfilepathlist'].split() 241 293 except: 242 294 caCertFilePathList = [] 295 296 reqBinSecTokValType = \ 297 self.cfg['test8GetMappedAttCertStressTest'].get('reqbinsectokvaltype') 298 299 # Check certificate types proxy or standard 300 proxyCertFilePath = \ 301 self.cfg['test8GetMappedAttCertStressTest'].get('proxycertfilepath') 302 if proxyCertFilePath: 303 signingCertChain = \ 304 self._getCertChainFromProxyCertFile(proxyCertFilePath) 305 306 setSignatureHandler = \ 307 eval(self.cfg['test8GetMappedAttCertStressTest']['setsignaturehandler']) 243 308 244 309 # Make client to site B Attribute Authority 245 310 clnt = AttAuthorityClient(\ 246 311 uri=self.cfg['test8GetMappedAttCertStressTest']['uri'], 247 signingCertFilePath=self.cfg['test8GetMappedAttCertStressTest'].get('usercertfilepath'), 248 
signingPriKeyFilePath=self.cfg['test8GetMappedAttCertStressTest'].get('userprikeyfilepath'), 249 signingPriKeyPwd=userPriKeyPwd, 312 setSignatureHandler=setSignatureHandler, 313 reqBinSecTokValType=reqBinSecTokValType, 314 signingCertChain=signingCertChain, 315 signingCertFilePath=self.cfg['test8GetMappedAttCertStressTest'].get('clntcertfilepath'), 316 signingPriKeyFilePath=self.cfg['test8GetMappedAttCertStressTest'].get('clntprikeyfilepath'), 317 signingPriKeyPwd=clntPriKeyPwd, 250 318 caCertFilePathList=caCertFilePathList, 251 319 tracefile=sys.stderr) … … 267 335 userAttCert=userAttCert) 268 336 except Exception, e: 337 outFilePfx = 'test8GetMappedAttCertStressTest-%s' % \ 338 os.path.basename(acFilePath) 269 339 msgFile = open(outFilePfx+".msg", 'w') 270 340 msgFile.write('Failed for "%s": %s\n' % (acFilePath, e)) -
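Review bot: `signingCertChain` is assigned only inside `if proxyCertFilePath:` (lines 79-82) but passed unconditionally at line 91, so a configuration without `proxycertfilepath` fails in `setUp` with `UnboundLocalError`; the same pattern appears in test7 (lines 229-233, 244) and test8 (lines 300-304, 314). Initialise it first with `signingCertChain = None` before each `if proxyCertFilePath:`. The `eval(self.cfg[...]['setsignaturehandler'])` calls at lines 84, 236 and 307 execute whatever text the config file holds to obtain a boolean; `setSignatureHandler = self.cfg['setUp']['setsignaturehandler'].strip().lower() == 'true'` gives the same result without evaluating configuration as code. In `_getCertChainFromProxyCertFile` the handle from `open(proxyCertFilePath).read()` is never closed explicitly.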
TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg
r2510 r2515 10 10 # ! SiteBMapConfig.xml trusted site A aaURI setting must agree with this 11 11 # setting for test6GetMappedAttCert 12 #uri = http://localhost:5000/AttributeAuthority12 uri = http://localhost:5000/AttributeAuthority 13 13 #uri = https://localhost:5000/AttributeAuthority 14 14 #uri = http://glue.badc.rl.ac.uk/DEWS/MarineDataServer/AttributeAuthority 15 uri = http://glue.badc.rl.ac.uk/DEWS/Portal/AttributeAuthority15 #uri = http://glue.badc.rl.ac.uk/DEWS/Portal/AttributeAuthority 16 16 #uri = http://glue.badc.rl.ac.uk:41000/AttributeAuthority 17 17 … … 22 22 # Password protecting client private key - if omitted it will be prompted for 23 23 # from tty 24 userprikeypwd =24 clntprikeypwd = 25 25 26 # All commented out to test service without WS-Security 27 #usercertfilepath = ./proxy-cert.pem 28 #userprikeyfilepath = ./proxy-key.pem 29 # Test with CA cert validation - proxy certs currently work with this as 30 # the user cert as well as proxy is needed to complete the chain of trust 31 # with the CA 32 #usercertfilepath = ./aa-cert.pem 33 #userprikeyfilepath = ./aa-key.pem 26 # Set to False to test service without WS-Security signature 27 setsignaturehandler = True 28 29 # ValueType for BinarySecurityToken element of WSSE header. Specify 30 # 'X509PKIPathv1' for use with proxy certificates 31 #reqbinsectokvaltype = X509v3 32 #reqbinsectokvaltype = X509 33 reqbinsectokvaltype = X509PKIPathv1 34 35 # Test with proxy certificates or with standard certs. Comment out as 36 # appropriate 37 proxycertfilepath = ./proxy-cert.pem 38 39 # Test without proxy certificates - uses AA server side cert/private key for 40 # client side too (!) 
41 #clntcertfilepath = ./aa-cert.pem 42 43 #clntprikeyfilepath = ./aa-key.pem 44 clntprikeyfilepath = ./proxy-key.pem 45 34 46 35 47 # Space separated list of CA certificate files used to verify certificate used 36 48 # in message signature 37 #cacertfilepathlist = ./cacert.pem49 cacertfilepathlist = ./cacert.pem 38 50 39 51 [test3GetTrustedHostInfo] … … 43 55 44 56 [test5GetAttCert] 45 # If usercertfilepath is a proxy set this cert as the one that issued the46 # proxy. Comment out if usercertfilepath is a standard X.509 cert.47 #issuing usercertfilepath = ./user-cert.pem57 # If clntcertfilepath is a proxy set this cert as the one that issued the 58 # proxy. Comment out if clntcertfilepath is a standard X.509 cert. 59 #issuingclntcertfilepath = ./user-cert.pem 48 60 49 61 # Test with no digital signature applied 50 #issuing usercertfilepath = ./proxy-cert.pem62 #issuingclntcertfilepath = ./proxy-cert.pem 51 63 # Setup for use by testGetMappedAttCert test 52 64 attCertFilePath = ./ac.xml … … 54 66 [test6GetAttCertWithUserIdSet] 55 67 userId = system 56 issuing usercertfilepath = ./aa-cert.pem68 issuingclntcertfilepath = ./aa-cert.pem 57 69 58 70 [test7GetMappedAttCert] 59 # Comment out to set for no signature handling 60 userprikeypwd = 61 #usercertfilepath = ./proxy-cert.pem 62 #userprikeyfilepath = ./proxy-key.pem 63 usercertfilepath = ./aa-cert.pem 64 userprikeyfilepath = ./aa-key.pem 71 # Set to False to test service without WS-Security signature 72 setsignaturehandler = True 73 74 # ValueType for BinarySecurityToken element of WSSE header. Specify 75 # 'X509PKIPathv1' for use with proxy certificates 76 #reqbinsectokvaltype = X509v3 77 #reqbinsectokvaltype = X509 78 reqbinsectokvaltype = X509PKIPathv1 79 80 # Test with proxy certificates or with standard certs. 
Comment out as 81 # appropriate 82 proxycertfilepath = ./proxy-cert.pem 83 #clntcertfilepath = ./aa-cert.pem 84 85 clntprikeypwd = 86 clntprikeyfilepath = ./proxy-key.pem 87 #clntprikeyfilepath = ./aa-key.pem 65 88 66 89 # Space separated list of CA certificate files used to verify certificate used … … 68 91 cacertfilepathlist = ./cacert.pem 69 92 70 #uri = http://localhost:5100/AttributeAuthority93 uri = http://localhost:5100/AttributeAuthority 71 94 # Heath Data Server 72 95 #uri = https://glue.badc.rl.ac.uk:42000/AttributeAuthority 73 96 # Marine Data Server 74 uri = http://glue.badc.rl.ac.uk/DEWS/MarineDataServer/AttributeAuthority97 #uri = http://glue.badc.rl.ac.uk/DEWS/MarineDataServer/AttributeAuthority 75 98 userAttCertFilePath = ./ac.xml 76 99 mappedAttCertFilePath = ./mapped-ac.xml 77 100 78 101 [test8GetMappedAttCertStressTest] 79 # Comment out to set for no signature handling 80 userprikeypwd = 81 usercertfilepath = ./aa-cert.pem 82 userprikeyfilepath = ./aa-key.pem 102 # Set to False for no signature handling 103 setSignatureHandler = True 104 105 # ValueType for BinarySecurityToken element of WSSE header. Specify 106 # 'X509PKIPathv1' for use with proxy certificates 107 #reqbinsectokvaltype = X509v3 108 #reqbinsectokvaltype = X509 109 reqbinsectokvaltype = X509PKIPathv1 110 111 # Test with proxy certificates or with standard certs. Comment out as 112 # appropriate 113 proxycertfilepath = ./proxy-cert.pem 114 #clntcertfilepath = ./aa-cert.pem 115 116 clntprikeypwd = 117 clntprikeyfilepath = ./aa-key.pem 83 118 84 119 # Space separated list of CA certificate files used to verify certificate used … … 87 122 88 123 uri = http://localhost:5000/AttributeAuthority 89 userAttCertFilePathList = . ./AttCert/badSignature2.xml ../AttCert/badSignature.xml ../AttCert/badSignature3.xml124 userAttCertFilePathList = ./ac.xml 90 125 91 126
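Review bot: In `[test8GetMappedAttCertStressTest]` the new settings pair `proxycertfilepath = ./proxy-cert.pem` (line 113) with `clntprikeyfilepath = ./aa-key.pem` (line 117), whereas `[setUp]` and `[test7GetMappedAttCert]` pair the proxy cert with `./proxy-key.pem`; unless the proxy certificate was issued for the AA key, signatures produced in that test will not verify against the presented chain. The same section spells the flag `setSignatureHandler` (line 103) while the other sections and the test code use `setsignaturehandler`; if the file is read through ConfigParser the default `optionxform` lower-cases option names, but keeping the spelling consistent avoids depending on that.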