Changeset 2515


Timestamp:
25/05/07 16:38:23 (12 years ago)
Author:
pjkersha
Message:
  • Working version of WS-Security interface with proxy certificates - chain

of trust containing proxy cert and user cert is passed in a base 64 encoded
DER in a 'X509PKIPathv1' type BinarySecurityToken.

ndg.security.server/ndg/security/server/AttAuthority/server-config.tac:

  • fix to soap_getX509Cert() - return base 64 encoded DER instead of PEM

format

ndg.security.server/ndg/security/server/AttAuthority/init.py,
ndg.security.server/ndg/security/server/ca/init.py,
ndg.security.server/ndg/security/server/SessionMgr/init.py,
ndg.security.client/ndg/security/client/SimpleCAClient.py:

  • added repr and get methods to better emulate dict behaviour

ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py,
ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg:

  • modified to enable correct passing of proxy certificates with WS-Security
  • all unit tests work with these changes

ndg.security.common/ndg/security/common/X509.py:

  • fix to X509Cert.toString method - added 'return'
  • fix to X500DN comparison operators - use eq and ne deleted cmp
  • various fixes to X509Stack particular iter and verifyCertChain.
  • get method now behaves like dict parent class

ndg.security.common/ndg/security/common/AttCert.py:

  • fixed bug in holderDN attribute - now correctly set to call getHolderDN

NOT getHolder!

ndg.security.common/ndg/security/common/AttAuthority/init.py:

  • added setSignatureHandler flag to init

ndg.security.common/ndg/security/common/wsSecurity.py:

  • working version to handle proxy certificates correctly - uses

'X509PKIPathv1' type BinarySecurityToken?.

Location:
TI12-security/trunk/python
Files:
11 edited

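--- a/TI12-security/trunk/python/ndg.security.client/ndg/security/client/SimpleCAClient.py
+++ b/TI12-security/trunk/python/ndg.security.client/ndg/security/client/SimpleCAClient.py
@@ -85,5 +85,5 @@
     def __repr__(self):
         """Return file properties dictionary as representation"""
-        return str(self.__prop)
+        return repr(self.__prop)
 
 
@@ -116,4 +116,7 @@
     def __contains__(self, key):
         return key in self.__prop
+
+    def get(self, kw):
+        return self.__prop.get(kw)
 
     def has_key(self, key):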
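Review bot: The new `get(self, kw)` does not take the `default` argument that `dict.get` accepts, so code written against the dict interface (`obj.get(key, fallback)`) raises TypeError, and the method has no docstring to say which keys it serves; the same shape is added in this changeset to the server-side AttAuthority, SessionMgr and ca `__init__.py` files. Suggest `def get(self, key, default=None):` / `"""Return the property for *key*, or *default* if it is not set"""` / `return self.__prop.get(key, default)` in all four places. The enclosing class starts outside the hunk.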
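--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py
@@ -46,5 +46,9 @@
 
     #_________________________________________________________________________
-    def __init__(self, uri=None, tracefile=None, **signatureHandlerKw):
+    def __init__(self,
+                 uri=None,
+                 tracefile=None,
+                 setSignatureHandler=True,
+                 **signatureHandlerKw):
         """
         @type uri: string
@@ -65,5 +69,5 @@
         # WS-Security Signature handler - set only if any of the keywords were
         # set
-        if max(signatureHandlerKw.values()):
+        if setSignatureHandler:
             self.__signatureHandler = SignatureHandler(**signatureHandlerKw)
         else: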
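Review bot: The comment above the changed condition in the second hunk still says the handler is set "only if any of the keywords were set", but the new code keys off the `setSignatureHandler` flag and ignores whether any keyword was given; update it to `# WS-Security Signature handler - created unless setSignatureHandler is False`. Because the flag defaults to True, a caller that passes no signature keywords now gets a `SignatureHandler(**{})` where previously none was created — presumably intended, but the new keyword should get an `@keyword setSignatureHandler:` entry in the docstring that starts at new line 53 (the rest of that docstring is outside the hunk). The `else:` branch that the flag falls into is also outside the hunk.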
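--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttCert.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttCert.py
@@ -372,5 +372,5 @@
         return self.__holderDN
 
-    holderDN = property(fget=__getHolder,
+    holderDN = property(fget=__getHolderDN,
                        doc="Attribute Certificate holder DN as X500DN type")
 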
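--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/X509.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/X509.py
@@ -70,6 +70,4 @@
 
 
-
-
     def parse(self, certTxt):
         """Read a certificate input as a string"""
@@ -149,5 +147,5 @@
         """Return certificate file content as a PEM format
         string"""
-        self.asPEM(**kw)
+        return self.asPEM(**kw)
 
     def asPEM(self, filePath=None):
@@ -323,5 +321,5 @@
         @rtype: bool
         """
-        return bool(self.__m2Crypto.verify(pubKey, **kw))
+        return bool(self.__m2CryptoX509.verify(pubKey, **kw))
 
 #_____________________________________________________________________________
@@ -361,5 +359,5 @@
         @type m2X509Stack: M2Crypto.X509.X509_Stack"""
 
-        self.__m2X509Stack = m2X509Stack
+        self.__m2X509Stack = m2X509Stack or M2Crypto.X509.X509_Stack()
 
     def __len__(self):
@@ -375,10 +373,10 @@
         @rtype: ndg.security.common.X509.X509Cert"""
 
-        return X509Cert(m2Crypto=self.__m2X509Stack.__getitem__(idx))
+        return X509Cert(m2CryptoX509=self.__m2X509Stack.__getitem__(idx))
 
     def __iter__(self):
-        """@return: next element in stack
-        @rtype: ndg.security.common.X509.X509Cert"""
-        return X509Cert(m2Crypto=self.__m2X509Stack.__iter__())
+        """@return: stack iterator
+        @rtype: listiterator"""
+        return iter([X509Cert(m2CryptoX509=i) for i in self.__m2X509Stack])
 
     def push(self, x509Cert):
@@ -415,13 +413,15 @@
 
 
-    def verifyCertChain(self, x509Cert2Verify=None):
+    def verifyCertChain(self, x509Cert2Verify=None, caX509Stack=None):
         """Treat stack as a list of certificates in a chain of
         trust.  Validate the signatures through to a single root issuer.
 
-        @param x509Cert2Verify: X.509 certificate to be verified default is
+        @keyword x509Cert2Verify: X.509 certificate to be verified default is
         last in the stack
         @type x509Cert2Verify: X509Cert
-        @return: stack in the order of issuer with root as the first element
-        @rtype: X509Stack"""
+
+        @keyword caX509Stack: X.509 stack containing CA certificates that are
+        trusted.
+        @type X509Stack"""
 
         if x509Cert2Verify is None:
@@ -431,5 +431,5 @@
         # signed cert.
         nValidated = 0
-        while nValidated < len(self.__m2X509Stack):
+        while nValidated < len(self):
             issuerDN = x509Cert2Verify.issuer
             issuerX509Cert = None
@@ -445,15 +445,33 @@
                     X509CertError, 'Signature is invalid for cert. "%s"' % \
                                     x509Cert2Verify.dn
-            else:
-                raise X509StackError, 'No issuer cert. found for cert."%s"' %\
-                                    x509Cert2Verify.dn
-
-            # Check for self signed certificate
-            if x509Cert2Verify.dn == issuerX509Cert.dn:
-                return
-            else:
+
+                # Initialise for next iteration
                 x509Cert2Verify = issuerX509Cert
                 nValidated += 1
-
+            else:
+                # All certs in the stack have been searched
+                break
+
+        # Check CA certificate stack
+        issuerX509Cert = None
+        for caCert in caX509Stack:
+            issuerDN = x509Cert2Verify.issuer
+            if caCert.dn == issuerDN:
+                issuerX509Cert = caCert
+                break
+
+        if issuerX509Cert:
+            if not x509Cert2Verify.verify(issuerX509Cert.pubKey):
+                X509CertError, 'Signature is invalid for cert. "%s"'%\
+                                x509Cert2Verify.dn
+
+            # Chain is validated through to CA cert
+            return
+        else:
+            raise X509StackError, 'No issuer cert. found for cert. "%s"' % \
+                                x509Cert2Verify.dn
+
+        # If this point is reached then an issuing cert is missing from the
+        # chain
         raise X509CertError, 'Can\'t find issuer cert "%s" for cert "%s"' % \
                           (x509Cert2Verify.issuer, x509Cert2Verify.dn)
@@ -468,5 +486,5 @@
     @return: new stack object
     @rtype: X509Stack"""
-    return X509Stack(m2X509Stack=new_stack_from_der(derString))
+    return X509Stack(m2X509Stack=M2Crypto.X509.new_stack_from_der(derString))
 
 
@@ -542,26 +560,8 @@
 
         if m2CryptoX509Name is not None:
-
             # the argument is an x509 dn in m2crypto format
-#            self.__dat['CN'] = m2CryptoX509Name.CN
-#
-#            # M2Crypto seems to default Email and L variables to None - in
-#            # this case avoid making an assignment because it upsets calls to
-#            # __cmp__() - None could be compared to '' conceptually the same
-#            # but not equal progammatically
-#            #
-#            # P J Kershaw 13/06/05
-#            if m2CryptoX509Name.L is not None:
-#                self.__dat['L'] = m2CryptoX509Name.L
-#
-#            self.__dat['O'] = m2CryptoX509Name.O
-#            self.__dat['OU'] = m2CryptoX509Name.OU
-#
-#            if m2CryptoX509Name.Email is not None:
-#                self.__dat['EMAILADDRESS'] = m2CryptoX509Name.Email
             self.deserialise(m2CryptoX509Name.as_text())
 
         elif dn is not None:
-
             # Separator can be parsed from the input DN string - only attempt
             # if no explict separator was input
@@ -585,5 +585,4 @@
 
     def __eq__(self, x500dn):
-
         """Return true if the all the fields of the two DNs are equal"""
 
@@ -594,6 +593,5 @@
 
 
-    def __cmp__(self, x500dn):
-
+    def __ne__(self, x500dn):
         """Return true if the all the fields of the two DNs are equal"""
 
@@ -601,9 +599,8 @@
             return False
 
-        return cmp(self.__dat, x500dn.get())
+        return self.__dat.items() != x500dn.items()
 
 
     def __delitem__(self, key):
-
         """Prevent keys from being deleted."""
         raise X500DNError('Keys cannot be deleted from the X500DN')
@@ -680,11 +677,9 @@
 
 
-    def get(self):
-        """Get Distinguished name as a data dictionary."""
-        return self.__dat
+    def get(self, kw):
+        return self.__dat.get(kw)
 
 
     def serialise(self, separator=None):
-
         """Combine fields in Distinguished Name into a single string."""
 
@@ -722,5 +717,4 @@
 
     def deserialise(self, dn, separator=None):
-
         """Break up a DN string into it's constituent fields and use to
         update the object's dictionary"""
@@ -754,6 +748,4 @@
             # Strip leading and trailing space chars and convert into a
             # dictionary
-#            parsedDN = dict([(keyVal[0].strip(), keyVal[1].strip()) \
-#                                                      for keyVal in items])
             parsedDN = {}
             for (key, val) in items:
@@ -783,5 +775,4 @@
 
     def parseSeparator(self, dn):
-
         """Attempt to parse the separator character from a given input
         DN string.  If not found, return None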
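Review bot: In the new CA-stack check of `X509Stack.verifyCertChain` (new line 465) the statement `X509CertError, 'Signature is invalid for cert. "%s"'% x509Cert2Verify.dn` is a bare tuple expression rather than a raise, so a certificate whose signature does not verify against the matching CA certificate falls through to the `return` two lines below and the chain is reported as valid; it must read `raise X509CertError, 'Signature is invalid for cert. "%s"' % x509Cert2Verify.dn`. The same hunk defaults `caX509Stack=None`, and `for caCert in caX509Stack:` then fails with TypeError instead of a stack error, so either make the argument required or add `if caX509Stack is None: raise X509StackError, 'No CA certificate stack set'` before the loop; the final `raise X509CertError, 'Can\'t find issuer cert ...'` after the if/else is now unreachable and can go. Separately, the new `__ne__` (new lines 595-601) keeps the `__eq__` docstring ("Return true if ... equal") and compares `self.__dat.items() != x500dn.items()`, which on Python 2 is an order-dependent list comparison; `return not self.__eq__(x500dn)` with the docstring `"""Return true if any field of the two DNs differs"""` avoids both problems. Finally `X500DN.get` changes from returning the whole dictionary to a single-key lookup, so any remaining caller of the zero-argument form — for example an `__eq__` body written like the removed `__cmp__`, which is outside the hunk — now raises TypeError and should be checked.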
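--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/wsSecurity.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/wsSecurity.py
@@ -48,5 +48,6 @@
 
 
-from ndg.security.common.X509 import X509Cert, X509CertParse, X509CertRead
+from ndg.security.common.X509 import X509Cert, X509CertParse, X509CertRead, \
+X509Stack, X509StackParseFromDER
 
 
@@ -118,4 +119,5 @@
     #_________________________________________________________________________
     def __init__(self,
+                 reqBinSecTokValType="X509v3",
                  verifyingCert=None,
                  verifyingCertFilePath=None,
@@ -211,4 +213,7 @@
         @type signedInfoC14nKw: dict
         '''
+
+        self.__setReqBinSecTokValType(reqBinSecTokValType)
+
         # Set keywords for canonicalization of SignedInfo and reference
         # elements
@@ -225,5 +230,7 @@
         if signingCertChain:
             self.__setSigningCertChain(signingCertChain)
-
+        else:
+            self.__signingCertChain = None
+
         # MUST be set before __setSigningPriKeyFilePath / __setSigningPriKey
         # are called
@@ -251,12 +258,12 @@
         @type value: string
         @param value: name space for BinarySecurityToken ValueType check
-        'binSecValueType' class variable for supported types.  Input can be
-        shortened to binSecValueType keyword if desired.
+        'binSecTokValType' class variable for supported types.  Input can be
+        shortened to binSecTokValType keyword if desired.
         """
 
-        if value in self.__class__.binSecValueType:
-            self.__reqBinSecTokValType = self.__class__.binSecValueType[value]
+        if value in self.__class__.binSecTokValType:
+            self.__reqBinSecTokValType = self.__class__.binSecTokValType[value]
 
-        elif value in self.__class__.binSecValueType.values():
+        elif value in self.__class__.binSecTokValType.values():
             self.__reqBinSecTokValType = value
         else:
@@ -449,7 +456,9 @@
         chain of trust to certificate used to verify a signature
 
-        @type signingCertChain: list or tuple
-        @param signingCertChain: list of file paths for CA certificates to
-        be used to verify certificate used to sign message'''
+        @type signingCertChain: list or tuple of M2Crypto.X509.X509Cert or
+        ndg.security.common.X509.X509Cert types.
+        @param signingCertChain: list of certificate objects making up the
+        chain of trust.  The last certificate is the one associated with the
+        private key used to sign the message.'''
 
         if not isinstance(signingCertChain, list) and \
@@ -458,8 +467,8 @@
                         'Expecting a list or tuple for "signingCertChain"'
 
-        self.__signingCertChain = X509.X509_Stack()
+        self.__signingCertChain = X509Stack()
 
         for cert in signingCertChain:
-            self.__signingCertChain.push(self.__setCert(cert).m2CryptoX509)
+            self.__signingCertChain.push(cert)
 
     signingCertChain = property(fset=__setSigningCertChain,
@@ -534,5 +543,5 @@
     def __caCertIsSet(self):
         '''Check for CA certificate set (X.509 Stack has been created)'''
-        return hasattr(self, '_caX509Stack')
+        return hasattr(self, '_SignatureHandler__caX509Stack')
 
     caCertIsSet = property(fget=__caCertIsSet,
@@ -547,8 +556,8 @@
 
         if not self.caCertIsSet:
-            self._caX509Stack = X509.X509_Stack()
+            self.__caX509Stack = X509Stack()
 
         for cert in caCertList:
-            self._caX509Stack.push(cert)
+            self.__caX509Stack.push(cert)
 
 
@@ -565,5 +574,5 @@
         reg = re.compile('\d+\.0')
         try:
-            caCertList = [X509.load_cert(caFile) \
+            caCertList = [X509CertRead(caFile) \
                           for caFile in os.listdir(caCertDir) \
                           if reg.match(caFile)]
@@ -597,5 +606,5 @@
         # of form <Hash cert subject name>.0
         try:
-            caCertList = [X509.load_cert(caFile) \
+            caCertList = [X509CertRead(caFile) \
                           for caFile in caCertFilePathList]
         except Exception, e:
@@ -609,40 +618,4 @@
     caCertFilePathList = property(fset=__setCAX509StackFromCertFileList,
                       doc="List of CA cert. files used for verification")
-
-
-    #_________________________________________________________________________
-    def verifyCertChain(self, certIn=None, raiseExcep=True):
-        """Check a certificate has been issued by one of the known CA's
-        specified in X.509 stack
-
-        @type: ndg.security.common.X509.X509Cert / M2Crypto.X509.X509 /
-        string or None
-        @keyword certIn: X.509 certificate.
-
-        @type raiseExcep: bool
-        @keyword raiseExcep: set to True (default) to raise an exception if
-        the input certificate is invalid
-
-        @rtype bool
-        @return True if certificate was issued by a known CA"""
-
-        if certIn:
-            cert2Verify = self.__setCert(certIn)
-        else:
-            cert2Verify = self.__verifyingCert
-
-        for cert in self._caX509Stack:
-            try:
-                assert cert2Verify.m2CryptoX509.verify(cert.get_pubkey())
-                return True
-            except:
-                pass
-
-        # No CA certs in the stack matched
-        if raiseExcep:
-            raise InvalidCertChain, \
-        'Input certificate "%s" was not issued by a known CA' % cert2Verify.dn
-        else:
-            return False
 
 
@@ -666,5 +639,5 @@
         # Add X.509 cert as binary security token
         if self.__reqBinSecTokValType==self.binSecTokValType['X509PKIPathv1']:
-            binSecTokVal=base64.encodestring(self.__signingCertChain.as_der())
+            binSecTokVal=base64.encodestring(self.__signingCertChain.asDER())
         else:
             # Assume X.509 / X.509 vers 3
@@ -1013,5 +986,5 @@
             pass
 
-        import pdb;pdb.set_trace()
+        #import pdb;pdb.set_trace()
         if binSecTokNode:
             try:
@@ -1040,15 +1013,15 @@
                     self.__setVerifyingCert(b64EncX509Cert)
 
+                    x509Stack = X509Stack()
+
                 elif valueType == \
                     self.__class__.binSecTokValType['X509PKIPathv1']:
 
                     derString = base64.decodestring(x509CertTxt)
-                    x509Stack=X509.new_stack_from_der(derString)
+                    x509Stack = X509StackParseFromDER(derString)
 
-                    # TODO: Check ordering - is the first off the stack the
+                    # TODO: Check ordering - is the last off the stack the
                     # one to use to verify the message?
-                    m2CryptoX509Cert = x509Stack.pop()
-                    self.__verifyCert = \
-                        X509Cert(m2CryptoX509=m2CryptoX509Cert)
+                    self.__verifyingCert = x509Stack[-1]
                 else:
                     raise WSSecurityError, "BinarySecurityToken ValueType " +\
@@ -1064,5 +1037,5 @@
 
         # Extract RSA public key from the cert
-        rsaPubKey = self.__verifyingCert.m2CryptoX509.get_pubkey().get_rsa()
+        rsaPubKey = self.__verifyingCert.pubKey.get_rsa()
 
         # Apply the signature verification
@@ -1075,7 +1048,7 @@
             raise InvalidSignature, "Invalid signature"
 
-        # Verify certificate was issued by a known CA
-        if self.caCertIsSet:
-            self.verifyCertChain()
+        # Verify chain of trust
+        x509Stack.verifyCertChain(x509Cert2Verify=self.__verifyingCert,
+                                  caX509Stack=self.__caX509Stack)
 
         #print "Signature OK"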
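Review bot: `x509Stack` is used unconditionally at new line 1051 but is only bound inside the `if binSecTokNode:` branches (new lines 1015 and 1021), so a message that carries no BinarySecurityToken would reach chain verification with a NameError rather than a WSSecurityError unless some code outside the hunk binds it; binding `x509Stack = X509Stack()` before the `if`, or raising WSSecurityError when the node is absent, makes the failure explicit. The old `if self.caCertIsSet:` guard was dropped with the call, so `self.__caX509Stack` is now read even when no CA certificate has been configured — failing closed is the right outcome, but it surfaces as AttributeError, so `if not self.caCertIsSet: raise WSSecurityError, "No CA certificates set for verification"` before the call would say why, and the chain taken from the message is trusted only as far as that CA stack, which is worth a sentence in the comment. The TODO at new line 1023 can probably be resolved rather than reworded: for the X509PKIPathv1 value type the PkiPath ordering should place the end-entity certificate last, which is exactly what `x509Stack[-1]` selects. This method starts and ends outside the hunk.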
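--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/AttAuthority/__init__.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/AttAuthority/__init__.py
@@ -233,4 +233,8 @@
     #_________________________________________________________________________
     # Methods for Attribute Authority dictionary like behaviour
+    def __repr__(self):
+        """Return file properties dictionary as representation"""
+        return repr(self.__prop)
+
     def __delitem__(self, key):
         self.__class__.__name__ + " keys cannot be removed"
@@ -247,5 +251,7 @@
         return self.__prop[key]
 
-
+    def get(self, kw):
+        return self.__prop.get(kw)
+
     def clear(self):
         raise KeyError, "Data cannot be cleared from "+self.__class__.__name__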
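Review bot: The `__delitem__` directly under the new `__repr__` consists of a bare string expression, so `del aa[key]` silently does nothing instead of refusing as the text says; since this commit is rounding out the dict emulation here, it should raise like `clear()` in the second hunk does: `raise KeyError, self.__class__.__name__ + " keys cannot be removed"`. The new `get(self, kw)` has the same missing-`default` issue noted on SimpleCAClient.py. The enclosing class starts and ends outside the hunks.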
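--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/AttAuthority/server-config.tac
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/AttAuthority/server-config.tac
@@ -14,5 +14,5 @@
 License, version 1.0 or later.
 """
-import os
+import os, base64
 
 from ZSI.twisted.WSresource import WSResource
@@ -48,5 +48,5 @@
     def soap_getAttCert(self, ps, **kw):
         request, response = AttAuthorityService.soap_getAttCert(self, ps)
-
+
         # Derive designated holder cert differently according to whether
         # a signed message is expected from the client
@@ -106,8 +106,9 @@
 
     def soap_getX509Cert(self, ps, **kw):
+        '''Retrieve Attribute Authority's X.509 certificate'''
         request, response = AttAuthorityService.soap_getX509Cert(self, ps)
 
         x509Cert = X509CertRead(srv.aa['certFile'])
-        response.X509Cert = x509Cert.toString()
+        response.X509Cert = base64.encodestring(x509Cert.asDER())
         return request, response
 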
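Review bot: The new docstring on `soap_getX509Cert` should state the encoding the response carries, because the same hunk changes it from PEM text to a base64 DER string and a client built against the previous revision will no longer be able to parse it with a PEM reader: `'''Retrieve Attribute Authority's X.509 certificate as a base64 encoded DER string'''`. `base64.encodestring` also inserts a newline every 76 characters; `decodestring` on the client tolerates that, but it matters if the value is ever compared textually.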
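--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/__init__.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/__init__.py
@@ -470,4 +470,8 @@
 
     #_________________________________________________________________________
+    def __repr__(self):
+        """Return file properties dictionary as representation"""
+        return repr(self.__prop)
+
     def __delitem__(self, key):
         "Session Manager keys cannot be removed"
@@ -489,5 +493,7 @@
         Manager properties"""
         self.setProperties(**{key: item})
-
+
+    def get(self, kw):
+        return self.__prop.get(kw)
 
     def clear(self):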
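--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/ca/__init__.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/ca/__init__.py
@@ -184,5 +184,8 @@
     #_________________________________________________________________________
     # dict derived methods ...
-    #
+    def __repr__(self):
+        """Return file properties dictionary as representation"""
+        return repr(self.__prop)
+
     # Nb. read only - no __setitem__() method
     def __delitem__(self, key):
@@ -200,4 +203,7 @@
         else:
             raise KeyError, "Property with key '%s' not found" % key
+
+    def get(self):
+        return self.__prop.get(kw)
 
     def clear(self):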
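Review bot: The new `get(self)` at new line 206 declares no key parameter but its body reads `kw`, so every call fails with NameError (or TypeError if a key is passed) and the method can never return a property. It should match the dict interface the commit is emulating: `def get(self, key, default=None):` / `return self.__prop.get(key, default)`. The enclosing class starts and ends outside the hunks.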
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py

    r2510 r2515  
    1515 
    1616import unittest 
    17 import os, sys, getpass 
     17import os, sys, getpass, re 
    1818from ConfigParser import SafeConfigParser 
    1919 
    2020from ndg.security.common.AttAuthority import AttAuthorityClient 
    2121from ndg.security.common.AttCert import AttCertRead 
     22from ndg.security.common.X509 import X509CertParse 
    2223 
    2324 
    2425class AttAuthorityClientTestCase(unittest.TestCase): 
    25     userPriKeyPwd = None 
    26      
     26    clntPriKeyPwd = None 
     27    pemPat = "-----BEGIN CERTIFICATE-----[^\-]*-----END CERTIFICATE-----" 
     28 
     29    def _getCertChainFromProxyCertFile(self, proxyCertFilePath): 
     30        '''Read proxy cert and user cert from a single PEM file and put in 
     31        a list ready for input into SignatureHandler'''                
     32        proxyCertFileTxt = open(proxyCertFilePath).read() 
     33         
     34        pemPatRE = re.compile(self.__class__.pemPat, re.S) 
     35        x509CertList = pemPatRE.findall(proxyCertFileTxt) 
     36         
     37        signingCertChain = [X509CertParse(x509Cert) for x509Cert in \ 
     38                            x509CertList] 
     39     
     40        # Expecting proxy cert first - move this to the end.  This will 
     41        # be the cert used to verify the message signature 
     42        signingCertChain.reverse() 
     43         
     44        return signingCertChain 
     45 
     46 
    2747    def setUp(self): 
    2848 
     
    3656        tracefile = sys.stderr 
    3757 
    38         if self.userPriKeyPwd is None: 
     58        if self.clntPriKeyPwd is None: 
    3959            try: 
    40                 if self.cfg['setUp'].get('userprikeypwd') is None: 
    41                     self.userPriKeyPwd = getpass.getpass(\ 
     60                if self.cfg['setUp'].get('clntprikeypwd') is None: 
     61                    self.clntPriKeyPwd = getpass.getpass(\ 
    4262                            prompt="\nsetUp - client private key password: ") 
    4363                else: 
    44                     self.userPriKeyPwd=self.cfg['setUp'].get('clntprikeypwd') 
     64                    self.clntPriKeyPwd=self.cfg['setUp'].get('clntprikeypwd') 
    4565            except KeyboardInterrupt: 
    4666                sys.exit(0) 
     
    5272        except: 
    5373            caCertFilePathList = [] 
    54              
     74           
     75           
     76        reqBinSecTokValType = self.cfg['setUp'].get('reqbinsectokvaltype') 
     77 
     78        # Check certificate types proxy or standard 
     79        proxyCertFilePath = self.cfg['setUp'].get('proxycertfilepath') 
     80        if proxyCertFilePath: 
     81            signingCertChain = \ 
     82                        self._getCertChainFromProxyCertFile(proxyCertFilePath) 
     83             
     84        setSignatureHandler = eval(self.cfg['setUp']['setsignaturehandler']) 
     85 
    5586        # Instantiate WS proxy 
    5687        self.clnt = AttAuthorityClient(uri=self.cfg['setUp']['uri'], 
    57            signingCertFilePath=self.cfg['setUp'].get('usercertfilepath'), 
    58            signingPriKeyFilePath=self.cfg['setUp'].get('userprikeyfilepath'), 
    59            signingPriKeyPwd=self.userPriKeyPwd, 
    60            caCertFilePathList=caCertFilePathList, 
    61            tracefile=sys.stderr) 
     88            setSignatureHandler=setSignatureHandler, 
     89            reqBinSecTokValType=reqBinSecTokValType, 
     90            signingCertFilePath=self.cfg['setUp'].get('clntcertfilepath'), 
     91            signingCertChain=signingCertChain, 
     92            signingPriKeyFilePath=self.cfg['setUp'].get('clntprikeyfilepath'), 
     93            signingPriKeyPwd=self.clntPriKeyPwd, 
     94            caCertFilePathList=caCertFilePathList, 
     95            tracefile=sys.stderr) 
    6296             
    6397     
     
    95129        try: 
    96130            userCertFilePath = \ 
    97                 self.cfg['test5GetAttCert'].get('issuingusercertfilepath') 
     131                self.cfg['test5GetAttCert'].get('issuingclntcertfilepath') 
    98132            userCertTxt = open(userCertFilePath, 'r').read() 
    99133         
     
    122156        try: 
    123157            userCertFilePath = \ 
    124     self.cfg['test6GetAttCertWithUserIdSet'].get('issuingusercertfilepath') 
     158    self.cfg['test6GetAttCertWithUserIdSet'].get('issuingclntcertfilepath') 
    125159            userCertTxt = open(userCertFilePath, 'r').read() 
    126160         
     
    150184        try: 
    151185            userCertFilePath = \ 
    152             self.cfg['test7GetMappedAttCert'].get('issuingusercertfilepath') 
     186            self.cfg['test7GetMappedAttCert'].get('issuingclntcertfilepath') 
    153187            userCertTxt = open(userCertFilePath, 'r').read() 
    154188         
     
    172206 
    173207        try: 
    174             if self.cfg['test7GetMappedAttCert'].get('userprikeypwd') is None: 
    175                 userPriKeyPwd = getpass.getpass(\ 
     208            if self.cfg['test7GetMappedAttCert'].get('clntprikeypwd') is None: 
     209                clntPriKeyPwd = getpass.getpass(\ 
    176210                            prompt="\nsetUp - client private key password: ") 
    177211            else: 
    178                 userPriKeyPwd = \ 
    179                         self.cfg['test7GetMappedAttCert'].get('userprikeypwd') 
     212                clntPriKeyPwd = \ 
     213                        self.cfg['test7GetMappedAttCert'].get('clntprikeypwd') 
    180214        except KeyboardInterrupt: 
    181215            sys.exit(0) 
     
    184218        # signature for server reponse 
    185219        try: 
    186             caCertFilePathList=self.cfg['setUp']['cacertfilepathlist'].split() 
     220            caCertFilePathList=\ 
     221            self.cfg['test7GetMappedAttCert']['cacertfilepathlist'].split() 
    187222        except: 
    188223            caCertFilePathList = [] 
    189         
     224             
     225        reqBinSecTokValType = \ 
     226                self.cfg['test7GetMappedAttCert'].get('reqbinsectokvaltype') 
     227         
     228        # Check certificate types proxy or standard 
     229        proxyCertFilePath = \ 
     230                    self.cfg['test7GetMappedAttCert'].get('proxycertfilepath') 
     231        if proxyCertFilePath: 
     232            signingCertChain = \ 
     233                        self._getCertChainFromProxyCertFile(proxyCertFilePath)        
     234 
     235        setSignatureHandler = \ 
     236                eval(self.cfg['test7GetMappedAttCert']['setsignaturehandler']) 
     237         
    190238        # Make client to site B Attribute Authority 
    191239        clnt = AttAuthorityClient(\ 
    192240uri=self.cfg['test7GetMappedAttCert']['uri'],  
    193 signingCertFilePath=self.cfg['test7GetMappedAttCert'].get('usercertfilepath'), 
    194 signingPriKeyFilePath=self.cfg['test7GetMappedAttCert'].get('userprikeyfilepath'), 
    195 signingPriKeyPwd=userPriKeyPwd, 
     241setSignatureHandler=setSignatureHandler, 
     242reqBinSecTokValType=reqBinSecTokValType, 
     243signingCertFilePath=self.cfg['test7GetMappedAttCert'].get('clntcertfilepath'), 
     244signingCertChain=signingCertChain, 
     245signingPriKeyFilePath=self.cfg['test7GetMappedAttCert'].get('clntprikeyfilepath'), 
     246signingPriKeyPwd=clntPriKeyPwd, 
    196247caCertFilePathList=caCertFilePathList, 
    197248tracefile=sys.stderr) 
     
    214265        try: 
    215266            userCertFilePath = \ 
    216     self.cfg['test8GetMappedAttCertStressTest'].get('issuingusercertfilepath') 
     267    self.cfg['test8GetMappedAttCertStressTest'].get('issuingclntcertfilepath') 
    217268            userCertTxt = open(userCertFilePath, 'r').read() 
    218269         
     
    226277 
    227278        try: 
    228             if self.cfg['test8GetMappedAttCertStressTest'].get('userprikeypwd') is None: 
    229                 userPriKeyPwd = getpass.getpass(\ 
     279            if self.cfg['test8GetMappedAttCertStressTest'].get('clntprikeypwd') is None: 
     280                clntPriKeyPwd = getpass.getpass(\ 
    230281                            prompt="\nsetUp - client private key password: ") 
    231282            else: 
    232                 userPriKeyPwd = \ 
    233             self.cfg['test8GetMappedAttCertStressTest'].get('userprikeypwd') 
     283                clntPriKeyPwd = \ 
     284            self.cfg['test8GetMappedAttCertStressTest'].get('clntprikeypwd') 
    234285        except KeyboardInterrupt: 
    235286            sys.exit(0) 
     
    238289        # signature for server reponse 
    239290        try: 
    240             caCertFilePathList=self.cfg['setUp']['cacertfilepathlist'].split() 
     291            caCertFilePathList=\ 
     292    self.cfg['test8GetMappedAttCertStressTest']['cacertfilepathlist'].split() 
    241293        except: 
    242294            caCertFilePathList = [] 
     295             
     296        reqBinSecTokValType = \ 
     297        self.cfg['test8GetMappedAttCertStressTest'].get('reqbinsectokvaltype') 
     298         
     299        # Check certificate types proxy or standard 
     300        proxyCertFilePath = \ 
     301        self.cfg['test8GetMappedAttCertStressTest'].get('proxycertfilepath') 
     302        if proxyCertFilePath: 
     303            signingCertChain = \ 
     304                        self._getCertChainFromProxyCertFile(proxyCertFilePath)        
     305 
     306        setSignatureHandler = \ 
     307    eval(self.cfg['test8GetMappedAttCertStressTest']['setsignaturehandler']) 
    243308        
    244309        # Make client to site B Attribute Authority 
    245310        clnt = AttAuthorityClient(\ 
    246311uri=self.cfg['test8GetMappedAttCertStressTest']['uri'],  
    247 signingCertFilePath=self.cfg['test8GetMappedAttCertStressTest'].get('usercertfilepath'), 
    248 signingPriKeyFilePath=self.cfg['test8GetMappedAttCertStressTest'].get('userprikeyfilepath'), 
    249 signingPriKeyPwd=userPriKeyPwd, 
     312setSignatureHandler=setSignatureHandler, 
     313reqBinSecTokValType=reqBinSecTokValType, 
     314signingCertChain=signingCertChain, 
     315signingCertFilePath=self.cfg['test8GetMappedAttCertStressTest'].get('clntcertfilepath'), 
     316signingPriKeyFilePath=self.cfg['test8GetMappedAttCertStressTest'].get('clntprikeyfilepath'), 
     317signingPriKeyPwd=clntPriKeyPwd, 
    250318caCertFilePathList=caCertFilePathList, 
    251319tracefile=sys.stderr) 
     
    267335                                          userAttCert=userAttCert) 
    268336            except Exception, e: 
     337                outFilePfx = 'test8GetMappedAttCertStressTest-%s' % \ 
     338                        os.path.basename(acFilePath)     
    269339                msgFile = open(outFilePfx+".msg", 'w') 
    270340                msgFile.write('Failed for "%s": %s\n' % (acFilePath, e)) 
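--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg
@@ -10,8 +10,8 @@
 # ! SiteBMapConfig.xml trusted site A aaURI setting must agree with this
 # setting for test6GetMappedAttCert
-#uri = http://localhost:5000/AttributeAuthority
+uri = http://localhost:5000/AttributeAuthority
 #uri = https://localhost:5000/AttributeAuthority
 #uri = http://glue.badc.rl.ac.uk/DEWS/MarineDataServer/AttributeAuthority
-uri = http://glue.badc.rl.ac.uk/DEWS/Portal/AttributeAuthority
+#uri = http://glue.badc.rl.ac.uk/DEWS/Portal/AttributeAuthority
 #uri = http://glue.badc.rl.ac.uk:41000/AttributeAuthority
 
@@ -22,18 +22,30 @@
 # Password protecting client private key - if omitted it will be prompted for
 # from tty
-userprikeypwd = 
+clntprikeypwd = 
 
-# All commented out to test service without WS-Security
-#usercertfilepath = ./proxy-cert.pem
-#userprikeyfilepath = ./proxy-key.pem
-# Test with CA cert validation - proxy certs currently work with this as
-# the user cert as well as proxy is needed to complete the chain of trust
-# with the CA
-#usercertfilepath = ./aa-cert.pem
-#userprikeyfilepath = ./aa-key.pem
+# Set to False to test service without WS-Security signature
+setsignaturehandler = True
+
+# ValueType for BinarySecurityToken element of WSSE header.  Specify
+# 'X509PKIPathv1' for use with proxy certificates
+#reqbinsectokvaltype = X509v3
+#reqbinsectokvaltype = X509
+reqbinsectokvaltype = X509PKIPathv1
+
+# Test with proxy certificates or with standard certs.  Comment out as
+# appropriate
+proxycertfilepath = ./proxy-cert.pem
+
+# Test without proxy certificates - uses AA server side cert/private key for
+# client side too (!)
+#clntcertfilepath = ./aa-cert.pem
+
+#clntprikeyfilepath = ./aa-key.pem
+clntprikeyfilepath = ./proxy-key.pem
+
 
 # Space separated list of CA certificate files used to verify certificate used
 # in message signature
-#cacertfilepathlist = ./cacert.pem
+cacertfilepathlist = ./cacert.pem
 
 [test3GetTrustedHostInfo]
@@ -43,10 +55,10 @@
 
 [test5GetAttCert]
-# If usercertfilepath is a proxy set this cert as the one that issued the
-# proxy.  Comment out if usercertfilepath is a standard X.509 cert.
-#issuingusercertfilepath = ./user-cert.pem
+# If clntcertfilepath is a proxy set this cert as the one that issued the
+# proxy.  Comment out if clntcertfilepath is a standard X.509 cert.
+#issuingclntcertfilepath = ./user-cert.pem
 
 # Test with no digital signature applied
-#issuingusercertfilepath = ./proxy-cert.pem
+#issuingclntcertfilepath = ./proxy-cert.pem
 # Setup for use by testGetMappedAttCert test
 attCertFilePath = ./ac.xml
@@ -54,13 +66,24 @@
 [test6GetAttCertWithUserIdSet]
 userId = system
-issuingusercertfilepath = ./aa-cert.pem
+issuingclntcertfilepath = ./aa-cert.pem
 
 [test7GetMappedAttCert]
-# Comment out to set for no signature handling
-userprikeypwd = 
-#usercertfilepath = ./proxy-cert.pem
-#userprikeyfilepath = ./proxy-key.pem
-usercertfilepath = ./aa-cert.pem
-userprikeyfilepath = ./aa-key.pem
+# Set to False to test service without WS-Security signature
+setsignaturehandler = True
+
+# ValueType for BinarySecurityToken element of WSSE header.  Specify
+# 'X509PKIPathv1' for use with proxy certificates
+#reqbinsectokvaltype = X509v3
+#reqbinsectokvaltype = X509
+reqbinsectokvaltype = X509PKIPathv1
+
+# Test with proxy certificates or with standard certs.  Comment out as
+# appropriate
+proxycertfilepath = ./proxy-cert.pem
+#clntcertfilepath = ./aa-cert.pem
+
+clntprikeypwd = 
+clntprikeyfilepath = ./proxy-key.pem
+#clntprikeyfilepath = ./aa-key.pem
 
 # Space separated list of CA certificate files used to verify certificate used
@@ -68,17 +91,29 @@
 cacertfilepathlist = ./cacert.pem
 
-#uri = http://localhost:5100/AttributeAuthority
+uri = http://localhost:5100/AttributeAuthority
 # Heath Data Server
 #uri = https://glue.badc.rl.ac.uk:42000/AttributeAuthority
 # Marine Data Server
-uri = http://glue.badc.rl.ac.uk/DEWS/MarineDataServer/AttributeAuthority
+#uri = http://glue.badc.rl.ac.uk/DEWS/MarineDataServer/AttributeAuthority
 userAttCertFilePath = ./ac.xml
 mappedAttCertFilePath = ./mapped-ac.xml
 
 [test8GetMappedAttCertStressTest]
-# Comment out to set for no signature handling
-userprikeypwd = 
-usercertfilepath = ./aa-cert.pem
-userprikeyfilepath = ./aa-key.pem
+# Set to False for no signature handling
+setSignatureHandler = True
+
+# ValueType for BinarySecurityToken element of WSSE header.  Specify
+# 'X509PKIPathv1' for use with proxy certificates
+#reqbinsectokvaltype = X509v3
+#reqbinsectokvaltype = X509
+reqbinsectokvaltype = X509PKIPathv1
+
+# Test with proxy certificates or with standard certs.  Comment out as
+# appropriate
+proxycertfilepath = ./proxy-cert.pem
+#clntcertfilepath = ./aa-cert.pem
+
+clntprikeypwd = 
+clntprikeyfilepath = ./aa-key.pem
 
 # Space separated list of CA certificate files used to verify certificate used
@@ -87,5 +122,5 @@
 
 uri = http://localhost:5000/AttributeAuthority
-userAttCertFilePathList = ../AttCert/badSignature2.xml ../AttCert/badSignature.xml ../AttCert/badSignature3.xml
+userAttCertFilePathList = ./ac.xml
 
 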
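Review bot: In [test8GetMappedAttCertStressTest] the proxy certificate at `proxycertfilepath = ./proxy-cert.pem` is paired with `clntprikeyfilepath = ./aa-key.pem`, whereas the top section and [test7GetMappedAttCert] pair it with `./proxy-key.pem`; unless aa-key.pem is in fact the proxy's private key, the WS-Security signature will be produced with a key that does not correspond to the leaf of the X509PKIPathv1 chain and the server's signature verification should reject it. Suggest `clntprikeyfilepath = ./proxy-key.pem` here as well, or a comment stating why the AA key is intended. The same section spells the flag `setSignatureHandler = True` while the other sections and the test's lookup use `setsignaturehandler`; ConfigParser lower-cases option names by default so it most likely still resolves, but the spelling should be aligned so the intent is unambiguous. Separately, the test code shown above consumes this flag through `eval()` on the raw config string; reading it with the parser's `getboolean` would avoid executing arbitrary text taken from a config file.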