Timestamp:
25/05/07 16:38:23 (13 years ago)
Author:
pjkersha
Message:
  • Working version of WS-Security interface with proxy certificates - the chain
of trust containing the proxy cert and user cert is passed as base64-encoded
DER in an 'X509PKIPathv1' type BinarySecurityToken.

ndg.security.server/ndg/security/server/AttAuthority/server-config.tac:

  • fix to soap_getX509Cert() - return base 64 encoded DER instead of PEM

format

ndg.security.server/ndg/security/server/AttAuthority/init.py,
ndg.security.server/ndg/security/server/ca/init.py,
ndg.security.server/ndg/security/server/SessionMgr/init.py,
ndg.security.client/ndg/security/client/SimpleCAClient.py:

  • added repr and get methods to better emulate dict behaviour

ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py,
ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg:

  • modified to enable correct passing of proxy certificates with WS-Security
  • all unit tests work with these changes

ndg.security.common/ndg/security/common/X509.py:

  • fix to X509Cert.toString method - added 'return'
  • fix to X500DN comparison operators - use eq and ne deleted cmp
  • various fixes to X509Stack particular iter and verifyCertChain.
  • get method now behaves like dict parent class

ndg.security.common/ndg/security/common/AttCert.py:

  • fixed bug in holderDN attribute - now correctly set to call getHolderDN

NOT getHolder!

ndg.security.common/ndg/security/common/AttAuthority/init.py:

  • added setSignatureHandler flag to init

ndg.security.common/ndg/security/common/wsSecurity.py:

  • working version to handle proxy certificates correctly - uses

'X509PKIPathv1' type BinarySecurityToken?.

Location:
TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority
Files:
2 edited

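--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py
@@ -15,14 +15,34 @@
 
 import unittest
-import os, sys, getpass
+import os, sys, getpass, re
 from ConfigParser import SafeConfigParser
 
 from ndg.security.common.AttAuthority import AttAuthorityClient
 from ndg.security.common.AttCert import AttCertRead
+from ndg.security.common.X509 import X509CertParse
 
 
 class AttAuthorityClientTestCase(unittest.TestCase):
-    userPriKeyPwd = None
-     
+    clntPriKeyPwd = None
+    pemPat = "-----BEGIN CERTIFICATE-----[^\-]*-----END CERTIFICATE-----"
+
+    def _getCertChainFromProxyCertFile(self, proxyCertFilePath):
+        '''Read proxy cert and user cert from a single PEM file and put in
+        a list ready for input into SignatureHandler'''
+        proxyCertFileTxt = open(proxyCertFilePath).read()
+        
+        pemPatRE = re.compile(self.__class__.pemPat, re.S)
+        x509CertList = pemPatRE.findall(proxyCertFileTxt)
+        
+        signingCertChain = [X509CertParse(x509Cert) for x509Cert in \
+                            x509CertList]
+    
+        # Expecting proxy cert first - move this to the end.  This will
+        # be the cert used to verify the message signature
+        signingCertChain.reverse()
+        
+        return signingCertChain
+
+
     def setUp(self):
 
@@ -36,11 +56,11 @@
         tracefile = sys.stderr
 
-        if self.userPriKeyPwd is None:
+        if self.clntPriKeyPwd is None:
             try:
-                if self.cfg['setUp'].get('userprikeypwd') is None:
-                    self.userPriKeyPwd = getpass.getpass(\
+                if self.cfg['setUp'].get('clntprikeypwd') is None:
+                    self.clntPriKeyPwd = getpass.getpass(\
                             prompt="\nsetUp - client private key password: ")
                 else:
-                    self.userPriKeyPwd=self.cfg['setUp'].get('clntprikeypwd')
+                    self.clntPriKeyPwd=self.cfg['setUp'].get('clntprikeypwd')
             except KeyboardInterrupt:
                 sys.exit(0)
@@ -52,12 +72,26 @@
         except:
             caCertFilePathList = []
-             
+          
+          
+        reqBinSecTokValType = self.cfg['setUp'].get('reqbinsectokvaltype')
+
+        # Check certificate types proxy or standard
+        proxyCertFilePath = self.cfg['setUp'].get('proxycertfilepath')
+        if proxyCertFilePath:
+            signingCertChain = \
+                        self._getCertChainFromProxyCertFile(proxyCertFilePath)
+            
+        setSignatureHandler = eval(self.cfg['setUp']['setsignaturehandler'])
+
         # Instantiate WS proxy
         self.clnt = AttAuthorityClient(uri=self.cfg['setUp']['uri'],
-            signingCertFilePath=self.cfg['setUp'].get('usercertfilepath'),
-            signingPriKeyFilePath=self.cfg['setUp'].get('userprikeyfilepath'),
-            signingPriKeyPwd=self.userPriKeyPwd,
-            caCertFilePathList=caCertFilePathList,
-            tracefile=sys.stderr)
+            setSignatureHandler=setSignatureHandler,
+            reqBinSecTokValType=reqBinSecTokValType,
+            signingCertFilePath=self.cfg['setUp'].get('clntcertfilepath'),
+            signingCertChain=signingCertChain,
+            signingPriKeyFilePath=self.cfg['setUp'].get('clntprikeyfilepath'),
+            signingPriKeyPwd=self.clntPriKeyPwd,
+            caCertFilePathList=caCertFilePathList,
+            tracefile=sys.stderr)
             
     
@@ -95,5 +129,5 @@
         try:
             userCertFilePath = \
-                self.cfg['test5GetAttCert'].get('issuingusercertfilepath')
+                self.cfg['test5GetAttCert'].get('issuingclntcertfilepath')
             userCertTxt = open(userCertFilePath, 'r').read()
         
@@ -122,5 +156,5 @@
         try:
             userCertFilePath = \
-    self.cfg['test6GetAttCertWithUserIdSet'].get('issuingusercertfilepath')
+    self.cfg['test6GetAttCertWithUserIdSet'].get('issuingclntcertfilepath')
             userCertTxt = open(userCertFilePath, 'r').read()
         
@@ -150,5 +184,5 @@
         try:
             userCertFilePath = \
-            self.cfg['test7GetMappedAttCert'].get('issuingusercertfilepath')
+            self.cfg['test7GetMappedAttCert'].get('issuingclntcertfilepath')
             userCertTxt = open(userCertFilePath, 'r').read()
         
@@ -172,10 +206,10 @@
 
         try:
-            if self.cfg['test7GetMappedAttCert'].get('userprikeypwd') is None:
-                userPriKeyPwd = getpass.getpass(\
+            if self.cfg['test7GetMappedAttCert'].get('clntprikeypwd') is None:
+                clntPriKeyPwd = getpass.getpass(\
                             prompt="\nsetUp - client private key password: ")
             else:
-                userPriKeyPwd = \
-                        self.cfg['test7GetMappedAttCert'].get('userprikeypwd')
+                clntPriKeyPwd = \
+                        self.cfg['test7GetMappedAttCert'].get('clntprikeypwd')
         except KeyboardInterrupt:
             sys.exit(0)
@@ -184,14 +218,31 @@
         # signature for server reponse
         try:
-            caCertFilePathList=self.cfg['setUp']['cacertfilepathlist'].split()
+            caCertFilePathList=\
+            self.cfg['test7GetMappedAttCert']['cacertfilepathlist'].split()
         except:
             caCertFilePathList = []
-        
+            
+        reqBinSecTokValType = \
+                self.cfg['test7GetMappedAttCert'].get('reqbinsectokvaltype')
+        
+        # Check certificate types proxy or standard
+        proxyCertFilePath = \
+                    self.cfg['test7GetMappedAttCert'].get('proxycertfilepath')
+        if proxyCertFilePath:
+            signingCertChain = \
+                        self._getCertChainFromProxyCertFile(proxyCertFilePath)
+
+        setSignatureHandler = \
+                eval(self.cfg['test7GetMappedAttCert']['setsignaturehandler'])
+        
         # Make client to site B Attribute Authority
         clnt = AttAuthorityClient(\
 uri=self.cfg['test7GetMappedAttCert']['uri'],
-signingCertFilePath=self.cfg['test7GetMappedAttCert'].get('usercertfilepath'),
-signingPriKeyFilePath=self.cfg['test7GetMappedAttCert'].get('userprikeyfilepath'),
-signingPriKeyPwd=userPriKeyPwd,
+setSignatureHandler=setSignatureHandler,
+reqBinSecTokValType=reqBinSecTokValType,
+signingCertFilePath=self.cfg['test7GetMappedAttCert'].get('clntcertfilepath'),
+signingCertChain=signingCertChain,
+signingPriKeyFilePath=self.cfg['test7GetMappedAttCert'].get('clntprikeyfilepath'),
+signingPriKeyPwd=clntPriKeyPwd,
 caCertFilePathList=caCertFilePathList,
 tracefile=sys.stderr)
@@ -214,5 +265,5 @@
         try:
             userCertFilePath = \
-    self.cfg['test8GetMappedAttCertStressTest'].get('issuingusercertfilepath')
+    self.cfg['test8GetMappedAttCertStressTest'].get('issuingclntcertfilepath')
             userCertTxt = open(userCertFilePath, 'r').read()
         
@@ -226,10 +277,10 @@
 
         try:
-            if self.cfg['test8GetMappedAttCertStressTest'].get('userprikeypwd') is None:
-                userPriKeyPwd = getpass.getpass(\
+            if self.cfg['test8GetMappedAttCertStressTest'].get('clntprikeypwd') is None:
+                clntPriKeyPwd = getpass.getpass(\
                             prompt="\nsetUp - client private key password: ")
             else:
-                userPriKeyPwd = \
-            self.cfg['test8GetMappedAttCertStressTest'].get('userprikeypwd')
+                clntPriKeyPwd = \
+            self.cfg['test8GetMappedAttCertStressTest'].get('clntprikeypwd')
         except KeyboardInterrupt:
             sys.exit(0)
@@ -238,14 +289,31 @@
         # signature for server reponse
         try:
-            caCertFilePathList=self.cfg['setUp']['cacertfilepathlist'].split()
+            caCertFilePathList=\
+    self.cfg['test8GetMappedAttCertStressTest']['cacertfilepathlist'].split()
         except:
             caCertFilePathList = []
+            
+        reqBinSecTokValType = \
+        self.cfg['test8GetMappedAttCertStressTest'].get('reqbinsectokvaltype')
+        
+        # Check certificate types proxy or standard
+        proxyCertFilePath = \
+        self.cfg['test8GetMappedAttCertStressTest'].get('proxycertfilepath')
+        if proxyCertFilePath:
+            signingCertChain = \
+                        self._getCertChainFromProxyCertFile(proxyCertFilePath)
+
+        setSignatureHandler = \
+    eval(self.cfg['test8GetMappedAttCertStressTest']['setsignaturehandler'])
        
         # Make client to site B Attribute Authority
         clnt = AttAuthorityClient(\
 uri=self.cfg['test8GetMappedAttCertStressTest']['uri'],
-signingCertFilePath=self.cfg['test8GetMappedAttCertStressTest'].get('usercertfilepath'),
-signingPriKeyFilePath=self.cfg['test8GetMappedAttCertStressTest'].get('userprikeyfilepath'),
-signingPriKeyPwd=userPriKeyPwd,
+setSignatureHandler=setSignatureHandler,
+reqBinSecTokValType=reqBinSecTokValType,
+signingCertChain=signingCertChain,
+signingCertFilePath=self.cfg['test8GetMappedAttCertStressTest'].get('clntcertfilepath'),
+signingPriKeyFilePath=self.cfg['test8GetMappedAttCertStressTest'].get('clntprikeyfilepath'),
+signingPriKeyPwd=clntPriKeyPwd,
 caCertFilePathList=caCertFilePathList,
 tracefile=sys.stderr)
@@ -267,4 +335,6 @@
                                           userAttCert=userAttCert)
             except Exception, e:
+                outFilePfx = 'test8GetMappedAttCertStressTest-%s' % \
+                        os.path.basename(acFilePath)
                 msgFile = open(outFilePfx+".msg", 'w')
                 msgFile.write('Failed for "%s": %s\n' % (acFilePath, e))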
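Review bot: `signingCertChain` is only bound inside the `if proxyCertFilePath:` branch (new lines 80-82 in setUp, and again at 231-233 in test7GetMappedAttCert and 302-304 in test8GetMappedAttCertStressTest), yet it is passed unconditionally to AttAuthorityClient a few lines later, so running with `proxycertfilepath` commented out — which the cfg explicitly invites — raises NameError instead of exercising the standard-cert path. Initialise it before the branch, `signingCertChain = None`, assuming the client treats None as "no chain" (its constructor is outside this diff). The same three places parse the config flag with `eval(...)` at new lines 84, 235-236 and 307; a config string does not need the interpreter, and `self.cfg['setUp']['setsignaturehandler'].strip().lower() == 'true'` yields the same boolean without evaluating whatever the file happens to contain. setUp and both test methods begin and end outside the hunks shown.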
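--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg
@@ -10,8 +10,8 @@
 # ! SiteBMapConfig.xml trusted site A aaURI setting must agree with this
 # setting for test6GetMappedAttCert
-#uri = http://localhost:5000/AttributeAuthority
+uri = http://localhost:5000/AttributeAuthority
 #uri = https://localhost:5000/AttributeAuthority
 #uri = http://glue.badc.rl.ac.uk/DEWS/MarineDataServer/AttributeAuthority
-uri = http://glue.badc.rl.ac.uk/DEWS/Portal/AttributeAuthority
+#uri = http://glue.badc.rl.ac.uk/DEWS/Portal/AttributeAuthority
 #uri = http://glue.badc.rl.ac.uk:41000/AttributeAuthority
 
@@ -22,18 +22,30 @@
 # Password protecting client private key - if omitted it will be prompted for
 # from tty
-userprikeypwd =
+clntprikeypwd =
 
-# All commented out to test service without WS-Security
-#usercertfilepath = ./proxy-cert.pem
-#userprikeyfilepath = ./proxy-key.pem
-# Test with CA cert validation - proxy certs currently work with this as
-# the user cert as well as proxy is needed to complete the chain of trust
-# with the CA
-#usercertfilepath = ./aa-cert.pem
-#userprikeyfilepath = ./aa-key.pem
+# Set to False to test service without WS-Security signature
+setsignaturehandler = True
+
+# ValueType for BinarySecurityToken element of WSSE header.  Specify
+# 'X509PKIPathv1' for use with proxy certificates
+#reqbinsectokvaltype = X509v3
+#reqbinsectokvaltype = X509
+reqbinsectokvaltype = X509PKIPathv1
+
+# Test with proxy certificates or with standard certs.  Comment out as
+# appropriate
+proxycertfilepath = ./proxy-cert.pem
+
+# Test without proxy certificates - uses AA server side cert/private key for
+# client side too (!)
+#clntcertfilepath = ./aa-cert.pem
+
+#clntprikeyfilepath = ./aa-key.pem
+clntprikeyfilepath = ./proxy-key.pem
+
 
 # Space separated list of CA certificate files used to verify certificate used
 # in message signature
-#cacertfilepathlist = ./cacert.pem
+cacertfilepathlist = ./cacert.pem
 
 [test3GetTrustedHostInfo]
@@ -43,10 +55,10 @@
 
 [test5GetAttCert]
-# If usercertfilepath is a proxy set this cert as the one that issued the
-# proxy.  Comment out if usercertfilepath is a standard X.509 cert.
-#issuingusercertfilepath = ./user-cert.pem
+# If clntcertfilepath is a proxy set this cert as the one that issued the
+# proxy.  Comment out if clntcertfilepath is a standard X.509 cert.
+#issuingclntcertfilepath = ./user-cert.pem
 
 # Test with no digital signature applied
-#issuingusercertfilepath = ./proxy-cert.pem
+#issuingclntcertfilepath = ./proxy-cert.pem
 # Setup for use by testGetMappedAttCert test
 attCertFilePath = ./ac.xml
@@ -54,13 +66,24 @@
 [test6GetAttCertWithUserIdSet]
 userId = system
-issuingusercertfilepath = ./aa-cert.pem
+issuingclntcertfilepath = ./aa-cert.pem
 
 [test7GetMappedAttCert]
-# Comment out to set for no signature handling
-userprikeypwd =
-#usercertfilepath = ./proxy-cert.pem
-#userprikeyfilepath = ./proxy-key.pem
-usercertfilepath = ./aa-cert.pem
-userprikeyfilepath = ./aa-key.pem
+# Set to False to test service without WS-Security signature
+setsignaturehandler = True
+
+# ValueType for BinarySecurityToken element of WSSE header.  Specify
+# 'X509PKIPathv1' for use with proxy certificates
+#reqbinsectokvaltype = X509v3
+#reqbinsectokvaltype = X509
+reqbinsectokvaltype = X509PKIPathv1
+
+# Test with proxy certificates or with standard certs.  Comment out as
+# appropriate
+proxycertfilepath = ./proxy-cert.pem
+#clntcertfilepath = ./aa-cert.pem
+
+clntprikeypwd =
+clntprikeyfilepath = ./proxy-key.pem
+#clntprikeyfilepath = ./aa-key.pem
 
 # Space separated list of CA certificate files used to verify certificate used
@@ -68,17 +91,29 @@
 cacertfilepathlist = ./cacert.pem
 
-#uri = http://localhost:5100/AttributeAuthority
+uri = http://localhost:5100/AttributeAuthority
 # Heath Data Server
 #uri = https://glue.badc.rl.ac.uk:42000/AttributeAuthority
 # Marine Data Server
-uri = http://glue.badc.rl.ac.uk/DEWS/MarineDataServer/AttributeAuthority
+#uri = http://glue.badc.rl.ac.uk/DEWS/MarineDataServer/AttributeAuthority
 userAttCertFilePath = ./ac.xml
 mappedAttCertFilePath = ./mapped-ac.xml
 
 [test8GetMappedAttCertStressTest]
-# Comment out to set for no signature handling
-userprikeypwd =
-usercertfilepath = ./aa-cert.pem
-userprikeyfilepath = ./aa-key.pem
+# Set to False for no signature handling
+setSignatureHandler = True
+
+# ValueType for BinarySecurityToken element of WSSE header.  Specify
+# 'X509PKIPathv1' for use with proxy certificates
+#reqbinsectokvaltype = X509v3
+#reqbinsectokvaltype = X509
+reqbinsectokvaltype = X509PKIPathv1
+
+# Test with proxy certificates or with standard certs.  Comment out as
+# appropriate
+proxycertfilepath = ./proxy-cert.pem
+#clntcertfilepath = ./aa-cert.pem
+
+clntprikeypwd =
+clntprikeyfilepath = ./aa-key.pem
 
 # Space separated list of CA certificate files used to verify certificate used
@@ -87,5 +122,5 @@
 
 uri = http://localhost:5000/AttributeAuthority
-userAttCertFilePathList = ../AttCert/badSignature2.xml ../AttCert/badSignature.xml ../AttCert/badSignature3.xml
+userAttCertFilePathList = ./ac.xml
 
 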
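Review bot: The new `[test8GetMappedAttCertStressTest]` block spells the flag `setSignatureHandler = True` (new line 103) while `[setUp]`, `[test7GetMappedAttCert]` and the test code itself use the all-lowercase key `setsignaturehandler`; if the loader is the SafeConfigParser imported by the test it folds option names to lower case and this happens to work, but a case-sensitive loader would fail that one test with KeyError, so the key should read `setsignaturehandler = True` for consistency either way. In the same section `clntprikeyfilepath = ./aa-key.pem` (new line 117) is paired with `proxycertfilepath = ./proxy-cert.pem`, unlike `[setUp]` and `[test7GetMappedAttCert]` which pair the proxy cert with `./proxy-key.pem`; unless that mismatch is deliberate it will sign with a key that does not match the presented certificate chain. The `[setUp]` comment at new lines 39-40 also records that the commented-out fallback reuses the AA server's own certificate and private key as the client identity; a dedicated client test key pair would keep the client-side tests independent of the service's signing key.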