Changeset 2679


Timestamp:
02/07/07 09:53:03 (12 years ago)
Author:
pjkersha
Message:

Replaced socket.ssl with M2Crypto https for web service clients

ndg.security.test/ndg/security/test/AttAuthority/siteAAttAuthorityProperties.xml:
swap to https

ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py:

  • added X509CertRead import for sslCACertList keyword processing
  • added sslPeerCertCN keyword input to AA client

ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg:

  • new keywords for SSL connections: sslpeercertcn and sslcacertfilepathlist

ndg.security.test/ndg/security/test/MyProxy/Makefile: PYTHONPATH macro to
enable custom python path setting

ndg.security.test/ndg/security/test/SessionMgr/SessionMgrClientTest.py:

  • added sslPeerCertCN and sslCACertList keyword input SM client - M2Crypto SSL integration not complete!!

ndg.security.common/ndg/security/common/ca/__init__.py:

  • fix to include HTTPResponse from ZSI.wstools.Utility

ndg.security.common/ndg/security/common/SessionMgr/__init__.py:

  • urlparse import - use to determine http/https transport
  • new ndg.security.common.m2CryptoSSLUtility module used for M2Crypto SSL
  • added sslPeerCertCN property
  • removed getSrvX509Cert() - no longer needed
  • modified call to Binding in initService to use custom M2Crypto SSL client
  • Removed exception handling for soap call wrappers - these can suppress useful info from being reported back higher in the stack

ndg.security.common/ndg/security/common/X509.py:

  • bug fix to X509Cert.__init__ - init caX509Stack to []
  • altered X509Stack.verifyCertChain to enable verification by self stack rather than need for caX509Stack

ndg.security.common/ndg/security/common/AttAuthority/__init__.py:

  • urlparse import - use to determine http/https transport
  • new ndg.security.common.m2CryptoSSLUtility module used for M2Crypto SSL
  • added sslPeerCertCN and sslCACertList properties for SSL host checks
  • removed setSrvCertFilePath() and getSrvCert() - no longer needed
  • modified call to Binding in initService to use custom M2Crypto SSL client
  • Removed exception handling for soap call wrappers - these can suppress useful info from being reported back higher in the stack

ndg.security.common/ndg/security/common/wsSecurity.py:

  • bug fix to binSecTokValType class var - 'X509' wrongly keyed into 'X509v3' namespace

ndg.security.common/ndg/security/common/m2CryptoSSLUtility.py: new module
containing class to extend M2Crypto.httpslib.HTTPSConnection and
M2Crypto.SSL.Checker.Checker

Location:
TI12-security/trunk/python
Files:
1 added
11 edited

  • TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py

    r2530 r2679  
    2525    ] 
    2626 
    27 # Handling for public key retrieval 
    28 import tempfile 
     27# Determine https http transport 
     28import urlparse 
     29from ZSI.wstools.Utility import HTTPResponse 
    2930 
    3031from AttAuthority_services import AttAuthorityServiceLocator 
    3132from ndg.security.common.wsSecurity import SignatureHandler 
    3233from ndg.security.common.AttCert import AttCert, AttCertParse 
     34from ndg.security.common.m2CryptoSSLUtility import HTTPSConnection, \ 
     35    HostCheck 
     36 
    3337 
    3438#_____________________________________________________________________________ 
     
    4852    def __init__(self,  
    4953                 uri=None,  
    50                  tracefile=None,  
     54                 tracefile=None, 
     55                 sslCACertList=[], 
     56                 sslPeerCertCN=None,  
    5157                 setSignatureHandler=True, 
    5258                 **signatureHandlerKw): 
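Review bot: `sslCACertList=[]` at line 55 is a mutable default argument; the list object is later handed to `HostCheck(caCertList=caCertList)` and kept there, so a default of `None` is safer. The guard `if sslCACertList:` in the body already treats `None` and an empty list alike, so only the signature needs to change.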
     
    5864        @keyword tracefile: set to file object such as sys.stderr to give  
    5965        extra WS debug information 
     66         
     67        @type transdict: dict 
     68        @keyword transdict: keywords to connection transport used by  
     69        ZSI.client.Binding.  If transport type is HTTPS,  
     70        m2CryptoSSLUtility.HTTPSConnection is used.  This is a customisation 
     71        of the M2Crypto version to enable setting of specific peer cert DN or 
     72        CN to check against.  By default, the peer's hostname is expected to 
     73        equal the peer CN. 
     74         
     75        @type sslPeerCertCN: string 
     76        @keyword sslPeerCertCN: short cut to the above for setting an 
     77        alternate CommonName to match with peer cert.  Setting this 
     78        keyword avoids messing around with transdict keyword explicitly.   
     79        This keyword is for use with SSL connections only. 
    6080                      
    6181        @type setSignatureHandler: bool 
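Review bot: The new docstring describes a `transdict` keyword (lines 67-73), but the `__init__` signature of this class (lines 52-58) has no such parameter; it is the Session Manager client that accepts `transdict`. Either add `transdict` to the signature here or drop that paragraph, and add the missing `@keyword sslCACertList` entry, since that keyword is accepted at line 55 but not documented.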
     
    6888        self.__srv = None 
    6989        self.__uri = None 
    70         self.__srvCertTempFile = None 
    71          
     90        self._transdict = {}         
    7291         
    7392        if uri: 
    7493            self.__setURI(uri) 
    7594 
     95        if sslPeerCertCN: 
     96            self.__setSSLPeerCertCN(sslPeerCertCN) 
     97         
     98        if sslCACertList: 
     99            self.__setSSLCACertList(sslCACertList) 
     100         
     101         
    76102        # WS-Security Signature handler - set only if any of the keywords were 
    77103        # set 
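Review bot: If `sslPeerCertCN` or `sslCACertList` is passed without `uri`, the setters called at lines 96 and 99 read `self._transport`, which is only assigned inside `__setURI`, so the caller gets an AttributeError instead of the intended client error. Initialise `self._transport = None` alongside `self._transdict = {}` at line 90, or move the two SSL setter calls inside the `if uri:` branch.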
     
    82108            
    83109        self.__tracefile = tracefile 
    84  
    85           
     110         
    86111        # Instantiate Attribute Authority WS proxy 
    87112        if self.__uri: 
     
    97122         
    98123        self.__uri = uri 
    99          
    100     uri = property(fset=__setURI, doc="Set Attribute Authority WSDL URI") 
    101  
    102  
     124        try: 
     125            scheme = urlparse.urlparse(self.__uri)[0] 
     126        except TypeError: 
     127            raise AttributeAuthorityClientError, \ 
     128                "Error parsing transport type from URI" 
     129                 
     130        if scheme == "https": 
     131            self._transport = HTTPSConnection 
     132        else: 
     133            self._transport = None 
     134                 
     135    uri = property(fset=__setURI, doc="Set Attribute Authority URI") 
     136 
     137 
     138    #_________________________________________________________________________ 
     139    def __setSSLPeerCertCN(self, cn): 
     140        """For use with HTTPS connections only.  Specify the Common 
     141        Name to match with Common Name of the peer certificate.  This is not 
     142        needed if the peer cert CN = peer hostname""" 
     143        if self._transport != HTTPSConnection: 
     144            raise AttAuthorityClientError, \ 
     145                "Setting peer cert CN - transport type must be HTTPS" 
     146         
     147        if self._transdict.get('postConnectionCheck'): 
     148            self._transdict['postConnectionCheck'].peerCertCN = cn 
     149        else: 
     150            self._transdict['postConnectionCheck'] = HostCheck(peerCertCN=cn) 
     151 
     152    sslPeerCertCN = property(fset=__setSSLPeerCertCN,  
     153doc="for https connections, set CN of peer cert if other than peer hostname") 
     154 
     155 
     156    #_________________________________________________________________________ 
     157    def __setSSLCACertList(self, caCertList): 
     158        """For use with HTTPS connections only.  Specify CA certs to one of  
     159        which the peer cert must verify its signature against""" 
     160        if self._transport != HTTPSConnection: 
     161            raise AttAuthorityClientError, \ 
     162            "Setting SSL check CA cert list - transport type must be HTTPS" 
     163         
     164        if self._transdict['postConnectionCheck']: 
     165            self._transdict['postConnectionCheck'].caCertList = caCertList 
     166        else: 
     167            self._transdict['postConnectionCheck'] = \ 
     168                                            HostCheck(caCertList=caCertList) 
     169 
     170    sslCACertList = property(fset=__setSSLCACertList,  
     171doc="for https connections, set list of CA certs from which to verify peer cert") 
     172 
     173     
    103174    #_________________________________________________________________________ 
    104175    def __setSignatureHandler(self, signatureHandler): 
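Review bot: `__setURI` raises `AttributeAuthorityClientError` at line 127, while every other raise in this module uses `AttAuthorityClientError` (lines 144 and 161); unless the former is defined somewhere not shown, a URI that is not a string ends in a NameError rather than the intended error. Two smaller points in the same hunk: `__setSSLCACertList` subscripts `self._transdict['postConnectionCheck']` at line 164 and so raises KeyError on a fresh transdict, whereas `__setSSLPeerCertCN` correctly uses `.get()` at line 147; and when the scheme is not `https` the transport is reset to `None` (line 133) but a `postConnectionCheck` left in `_transdict` from an earlier https URI is not cleared, which the Session Manager client handles with `self.__setSSLPeerCertCN(None)`.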
     
    123194                                doc="SignatureHandler object") 
    124195 
    125  
    126     #_________________________________________________________________________ 
    127     def __setSrvCertFilePath(self, srvCertFilePath): 
    128          
    129         if not isinstance(srvCertFilePath, basestring): 
    130             raise AttAuthorityClientError, \ 
    131                 "Attribute Authority public key URI must be a valid string" 
    132          
    133         self.__srvCertFilePath = srvCertFilePath 
    134          
    135     srvCertFilePath = property(fset=__setSrvCertFilePath, 
    136                               doc="Set Attribute Authority public key URI") 
    137  
    138196  
    139197    #_________________________________________________________________________ 
     
    187245    clntPriKeyPwd = property(fset=__setClntPriKeyPwd, 
    188246                         doc="Password protecting client private key file") 
    189  
    190  
    191     #_________________________________________________________________________ 
    192     def __getSrvCert(self): 
    193         """Retrieve the public key from the URI""" 
    194          
    195         # Don't proceed unless URI was set - user may have set public key via 
    196         # srvCertFilePath instead 
    197         if self.__srvCertFilePath is not None: 
    198             return 
    199                  
    200         try: 
    201             self.__srvCertTempFile = tempfile.NamedTemporaryFile() 
    202              
    203             cert = self.getX509Cert() 
    204             open(self.__srvCertTempFile.name, "w").write(cert) 
    205              
    206             self.__srvCertFilePath = self.__srvCertTempFile.name 
    207              
    208         except IOError, (errNo, errMsg): 
    209             raise AttAuthorityClientError, \ 
    210                                 "Writing public key to temp \"%s\": %s" % \ 
    211                                 (self.__srvCertTempFile.name, errMsg)                                                                       
    212         except Exception, e: 
    213             raise AttAuthorityClientError, "Retrieving Attribute Authority "+\ 
    214                                           "public key: %s" % str(e) 
    215247     
    216248         
     
    220252         
    221253        @type uri: string 
    222         @param uri: URI for service to invoke""" 
     254        @keyword uri: URI for service to invoke""" 
    223255         
    224256        if uri: 
     
    230262            self.__srv = locator.getAttAuthority(self.__uri,  
    231263                                         sig_handler=self.__signatureHandler, 
    232                                          tracefile=self.__tracefile) 
     264                                         tracefile=self.__tracefile, 
     265                                         transport=self._transport, 
     266                                         transdict=self._transdict) 
    233267        except HTTPResponse, e: 
    234268            raise AttAuthorityClientError, \ 
    235                 "Error initialising WSDL Service for \"%s\": %s %s" % \ 
     269                "Error initialising service for \"%s\": %s %s" % \ 
    236270                (self.__uri, e.status, e.reason) 
    237              
    238         except Exception, e: 
    239             raise AttAuthorityClientError, \ 
    240                 "Initialising WSDL Service for \"%s\": %s" % \ 
    241                  (self.__uri, str(e)) 
    242271 
    243272                                     
     
    252281        """ 
    253282 
    254         try:    
    255             hostname, aaURI, loginURI = self.__srv.getHostInfo() 
    256  
    257         except Exception, e: 
    258             raise AttAuthorityClientError, \ 
    259                                     "Retrieving host information: " + str(e) 
     283        hostname, aaURI, loginURI = self.__srv.getHostInfo() 
    260284         
    261285        hostInfo = {} 
    262          
    263         hostInfo[hostname] = {}         
    264         hostInfo[hostname]['aaURI'] = aaURI 
    265         hostInfo[hostname]['loginURI'] = loginURI 
     286        hostInfo[hostname] = {'aaURI': aaURI, 'loginURI': loginURI} 
    266287 
    267288        return hostInfo 
     
    280301        from the map configuration""" 
    281302             
    282         try:    
    283             trustedHosts = self.__srv.getTrustedHostInfo(role) 
    284  
    285         except Exception, e: 
    286             raise AttAuthorityClientError, \ 
    287                                 "Getting trusted host information: " + str(e) 
     303        trustedHosts = self.__srv.getTrustedHostInfo(role) 
    288304 
    289305        # Convert into dictionary form as used by AttAuthority class 
     
    292308            hostname = trustedHost.get_element_hostname() 
    293309             
    294             trustedHostInfo[hostname] = {} 
    295              
    296             trustedHostInfo[hostname]['aaURI'] = \ 
    297                                             trustedHost.get_element_aaURI() 
    298             trustedHostInfo[hostname]['loginURI'] = \ 
    299                                             trustedHost.get_element_loginURI() 
    300             trustedHostInfo[hostname]['role'] = \ 
    301                                             trustedHost.get_element_roleList() 
     310            trustedHostInfo[hostname] = \ 
     311            { 
     312                'aaURI':    trustedHost.get_element_aaURI(), 
     313                'loginURI': trustedHost.get_element_loginURI(), 
     314                'role':     trustedHost.get_element_roleList() 
     315            } 
    302316             
    303317        return trustedHostInfo 
     
    341355            userAttCert = userAttCert.toString() 
    342356             
    343         try:  
    344             sAttCert, msg = self.__srv.getAttCert(userId,userCert,userAttCert)   
    345              
    346         except Exception, e: 
    347             raise AttAuthorityClientError, \ 
    348                                 "Requesting attribute certificate: " + str(e) 
    349  
     357        sAttCert, msg = self.__srv.getAttCert(userId, userCert, userAttCert)   
    350358        if sAttCert: 
    351359            return AttCertParse(sAttCert) 
     
    361369        @return X.509 certificate for Attribute Authority""" 
    362370         
    363         try:    
    364             return self.__srv.getX509Cert()                 
    365          
    366         except Exception, e: 
    367             raise AttAuthorityClientError, \ 
    368                                     "Error retrieving public key: " + str(e)   
     371        return self.__srv.getX509Cert()                 
  • TI12-security/trunk/python/ndg.security.common/ndg/security/common/SessionMgr/__init__.py

    r2620 r2679  
    1818import os 
    1919 
    20 # Handle retrieval of public key cert for Session Manager/Attribute Authority 
    21 # at remote location 
    22 import tempfile 
    23 import urllib 
     20# Determine https http transport 
     21import urlparse 
     22 
     23from ZSI.wstools.Utility import HTTPResponse 
    2424 
    2525from ndg.security.common.SessionCookie import SessionCookie 
     
    2727from ndg.security.common.X509 import * 
    2828from ndg.security.common.AttCert import AttCertParse 
     29from ndg.security.common.m2CryptoSSLUtility import HTTPSConnection, \ 
     30    HostCheck 
    2931from SessionMgr_services import SessionMgrServiceLocator 
    3032 
     
    4648                 uri=None,  
    4749                 tracefile=None, 
     50                 transdict={}, 
     51                 sslPeerCertCN=None,  
    4852                 setSignatureHandler=True, 
    4953                 **signatureHandlerKw): 
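Review bot: `transdict={}` at line 50 is a mutable default that is stored as-is (`self.transdict = transdict`, line 86) and then mutated in place by `__setSSLPeerCertCN`, so every client constructed without an explicit transdict shares one dictionary and a `postConnectionCheck` set on one instance leaks into all the others. Use `transdict=None` in the signature and `self.transdict = dict(transdict or {})` in the body.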
     
    5761        WS debug information 
    5862         
     63        @type transdict: dict 
     64        @keyword transdict: keywords to connection transport used by  
     65        ZSI.client.Binding.  If transport type is HTTPS,  
     66        m2CryptoSSLUtility.HTTPSConnection is used.  This is a customisation 
     67        of the M2Crypto version to enable setting of specific peer cert DN or 
     68        CN to check against.  By default, the peer's hostname is expected to 
     69        equal the peer CN. 
     70         
     71        @type sslPeerCertCN: string 
     72        @keyword sslPeerCertCN: short cut to the above for setting an 
     73        alternate CommonName to match with peer cert.  Setting this 
     74        keyword avoids messing around with transdict keyword explicitly.   
     75        This keyword is for use with SSL connections only. 
     76         
    5977        @type setSignatureHandler: bool 
    6078        @param setSignatureHandler: flag to determine whether to apply 
     
    6684        self.__srv = None 
    6785        self.__uri = None 
    68          
    69         self.__srvCertTempFile = None 
    70          
     86        self.transdict = transdict         
    7187         
    7288        if uri: 
    7389            self.__setURI(uri) 
     90 
     91        if sslPeerCertCN: 
     92            self.__setSSLPeerCertCN(sslPeerCertCN) 
    7493 
    7594        # WS-Security Signature handler - set only if any of the keywords were 
     
    97116         
    98117        self.__uri = uri 
     118        try: 
     119            scheme = urlparse.urlparse(self.__uri)[0] 
     120        except TypeError: 
     121            raise AttributeAuthorityClientError, \ 
     122                "Error parsing transport type from URI" 
     123                 
     124        if scheme == "https": 
     125            self.__transport = HTTPSConnection 
     126        else: 
     127            self.__transport = None 
     128             
     129            # Ensure SSL settings are cancelled 
     130            self.__setSSLPeerCertCN(None) 
    99131         
    100132    uri = property(fset=__setURI, doc="Set Session Manager URI") 
     133 
     134 
     135    #_________________________________________________________________________ 
     136    def __setSSLPeerCertCN(self, cn): 
     137        """For use with HTTPS connections only.  Specify the Common 
     138        Name to match with Common Name of the peer certificate.  This is not 
     139        needed if the peer cert CN = peer hostname""" 
     140        if cn is None: 
     141            # Remove any HostCheck object created previously 
     142            try: 
     143                del self.transdict['postConnectionCheck'] 
     144            except KeyError: 
     145                pass 
     146        elif self.transdict['postConnectionCheck']: 
     147            self.transdict['postConnectionCheck'].peerCertCN = cn 
     148        else: 
     149            self.transdict['postConnectionCheck'] = HostCheck(peerCertCN=cn) 
     150 
     151    sslPeerCertCN = property(fset=__setSSLPeerCertCN,  
     152doc="for https connections, set CN of peer cert if other than peer hostname") 
     153 
     154 
     155    #_________________________________________________________________________ 
     156    def __setSignatureHandler(self, signatureHandler): 
     157        """Set SignatureHandler object property method - set to None to for no 
     158        digital signature and verification""" 
     159        if signatureHandler is not None and \ 
     160           not isinstance(signatureHandler, signatureHandler): 
     161            raise AttributeError, \ 
     162    "Signature Handler must be %s type or None for no message security" % \ 
     163        "ndg.security.common.wsSecurity.SignatureHandler" 
     164                             
     165        self.__signatureHandler = signatureHandler 
    101166 
    102167 
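Review bot: `isinstance(signatureHandler, signatureHandler)` at line 160 passes the handler instance as the second argument, so the check raises TypeError for every non-None handler instead of validating it; the second argument should be the `SignatureHandler` class from `ndg.security.common.wsSecurity` that the error message names. Also in this hunk: line 121 raises `AttributeAuthorityClientError` inside the Session Manager module, where the other raises use `SessionMgrClientError` (line 193); and `elif self.transdict['postConnectionCheck']` at line 146 raises KeyError when the key has never been set, so use `self.transdict.get('postConnectionCheck')` as the Attribute Authority client does.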
     
    107172     
    108173    signatureHandler = property(fget=__getSignatureHandler, 
     174                                fset=__setSignatureHandler, 
    109175                                doc="SignatureHandler object") 
    110      
    111      
    112     #_________________________________________________________________________ 
    113     def __getSrvX509Cert(self): 
    114         """Retrieve the X.509 certificate from file or if not available, from 
    115         the Session Manager service""" 
    116          
    117         # Don't proceed unless URI was set - user may have set public key via 
    118         # srvCertFilePath instead 
    119         if self.__srvCertFilePath is not None: 
    120             return 
    121                  
    122         try: 
    123             self.__srvCertTempFile = tempfile.NamedTemporaryFile() 
    124              
    125             cert = self.getX509Cert() 
    126             open(self.__srvCertTempFile.name, "w").write(cert) 
    127              
    128             self.__srvCertFilePath = self.__srvCertTempFile.name 
    129              
    130         except IOError, (errNo, errMsg): 
    131             raise SessionMgrClientError, \ 
    132                             "Writing X.509 certificate to temp \"%s\": %s" % \ 
    133                             (self.__srvCertTempFile.name, errMsg)                                                                     
    134         except Exception, e: 
    135             raise SessionMgrClientError, "Retrieving Session Manager " + \ 
    136                                          "X.509 certificate: %s" % str(e) 
    137176     
    138177         
     
    148187            self.__srv = locator.getSessionMgr(self.__uri, 
    149188                                       sig_handler=self.__signatureHandler, 
    150                                        tracefile=self.__tracefile) 
     189                                       tracefile=self.__tracefile, 
     190                                         transport=self.__transport, 
     191                                         transdict=self.transdict) 
    151192        except HTTPResponse, e: 
    152193            raise SessionMgrClientError, \ 
    153194                "Initialising Service for \"%s\": %s %s" % \ 
    154195                (self.__uri, e.status, e.reason) 
    155              
    156         except Exception, e: 
    157             raise SessionMgrClientError, \ 
    158                 "Initialising Service for \"%s\": %s" % (self.__uri, str(e)) 
    159196 
    160197                                     
     
    231268 
    232269        # Make connection 
    233         try:  
    234             res = self.__srv.connect(username, passphrase, createServerSess) 
    235  
    236             # Convert from unicode because unicode causes problems with 
    237             # M2Crypto private key load 
    238             return tuple([isinstance(i,unicode) and str(i) or i for i in res]) 
    239                 
    240         except Exception, e: 
    241             raise SessionMgrClientError, \ 
    242                                     "Connecting to Session Manager: " + str(e) 
     270        res = self.__srv.connect(username, passphrase, createServerSess) 
     271 
     272        # Convert from unicode because unicode causes problems with 
     273        # M2Crypto private key load 
     274        return tuple([isinstance(i,unicode) and str(i) or i for i in res]) 
    243275     
    244276         
     
    260292 
    261293        # Make connection 
    262         try:  
    263             self.__srv.disconnect(userCert, sessID) 
    264                 
    265         except Exception, e: 
    266             raise SessionMgrClientError, \ 
    267                         "Disconnecting from Session Manager: " + str(e) 
     294        self.__srv.disconnect(userCert, sessID) 
    268295    
    269296     
     
    315342         
    316343        # Make request 
    317         try: 
    318             attCert, msg, extAttCertList = self.__srv.getAttCert(proxyCert, 
     344        attCert, msg, extAttCertList = self.__srv.getAttCert(proxyCert, 
    319345                                                       sessID,  
    320346                                                       attAuthorityURI, 
     
    325351                                                       extAttCertList, 
    326352                                                       extTrustedHostList) 
    327         except Exception, e: 
    328             raise SessionMgrClientError, \ 
    329                                 "Attribute Certificate request: " + str(e) 
    330353        if not attCert: 
    331354            raise AttributeRequestDenied, msg 
     
    337360    def getX509Cert(self): 
    338361        """Retrieve the public key of the Session Manager""" 
    339          
    340         try:    
    341             resp = self.__srv.getX509Cert() 
    342             return resp 
    343          
    344         except Exception, e: 
    345             raise SessionMgrClientError, "Retrieving X.509 certificate: " + \ 
    346                                          str(e) 
     362        return self.__srv.getX509Cert() 
    347363                             
  • TI12-security/trunk/python/ndg.security.common/ndg/security/common/X509.py

    r2620 r2679  
    418418 
    419419 
    420     def verifyCertChain(self, x509Cert2Verify=None, caX509Stack=None): 
     420    def verifyCertChain(self, x509Cert2Verify=None, caX509Stack=[]): 
    421421        """Treat stack as a list of certificates in a chain of 
    422422        trust.  Validate the signatures through to a single root issuer.   
     
    459459 
    460460        # Check CA certificate stack 
    461         issuerX509Cert = None 
     461        if not caX509Stack: 
     462            caX509Stack = [issuerX509Cert] 
     463             
    462464        for caCert in caX509Stack: 
    463465            issuerDN = x509Cert2Verify.issuer 
     
    468470        if issuerX509Cert:    
    469471            if not x509Cert2Verify.verify(issuerX509Cert.pubKey): 
    470                 X509CertError, 'Signature is invalid for cert. "%s"'%\ 
     472                X509CertError, 'Signature is invalid for cert. "%s"' % \ 
    471473                                x509Cert2Verify.dn 
    472474             
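Review bot: Line 472 is a bare tuple expression, not a `raise`: `X509CertError, 'Signature is invalid for cert. "%s"' % x509Cert2Verify.dn` evaluates and discards the result, so a certificate whose signature fails `verify()` is silently accepted. The line was only re-spaced here, but since it was touched it should become `raise X509CertError, ...`. Separately, removing `issuerX509Cert = None` at old line 461 means `caX509Stack = [issuerX509Cert]` at line 462 depends on that name having been bound earlier in the method (in lines not in this hunk); if it has not, the fallback raises NameError instead of verifying against the stack itself.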
  • TI12-security/trunk/python/ndg.security.common/ndg/security/common/ca/__init__.py

    r2270 r2679  
    2121# Handling for public key retrieval 
    2222import tempfile 
     23from ZSI.wstools.Utility import HTTPResponse 
    2324from M2Crypto import X509, RSA, EVP, m2 
    2425 
  • TI12-security/trunk/python/ndg.security.common/ndg/security/common/wsSecurity.py

    r2620 r2679  
    119119    binSecTokValType = { 
    120120        "X509PKIPathv1": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1", 
    121         "X509":          "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3", 
     121        "X509":          "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509", 
    122122        "X509v3":        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" 
    123123    } 
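Review bot: The corrected `X509` entry at line 121 now maps to the unversioned `#X509` fragment, while the two neighbouring entries use the versioned `#X509v3` and `#X509PKIPathv1` ValueTypes of the same token profile; confirm that the peers this client talks to accept the unversioned value before relying on it, and add a one-line comment naming the profile section each value comes from.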
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py

    r2530 r2679  
    2020from ndg.security.common.AttAuthority import AttAuthorityClient 
    2121from ndg.security.common.AttCert import AttCertRead 
    22 from ndg.security.common.X509 import X509CertParse 
     22from ndg.security.common.X509 import X509CertParse, X509CertRead 
    2323 
    2424 
     
    7070        try: 
    7171            caCertFilePathList=self.cfg['setUp']['cacertfilepathlist'].split() 
    72         except: 
     72        except KeyError: 
    7373            caCertFilePathList = [] 
    7474           
     75        try: 
     76            sslCACertList = [X509CertRead(file) for file in \ 
     77                         self.cfg['setUp']['sslcacertfilepathlist'].split()] 
     78        except KeyError: 
     79            sslCACertList = [] 
     80             
    7581           
    7682        reqBinSecTokValType = self.cfg['setUp'].get('reqbinsectokvaltype') 
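Review bot: The comprehension at line 76 uses `file` as its loop variable, shadowing the Python 2 builtin; rename it (for example `certPath`). Note also that this block reads the certificates with `X509CertRead` while `caCertFilePathList` two lines above stays a list of paths, which matches what `AttAuthorityClient` expects for `sslCACertList` but differs from what the Session Manager test passes.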
     
    8187            signingCertChain = \ 
    8288                        self._getCertChainFromProxyCertFile(proxyCertFilePath) 
    83              
     89        else: 
     90            signingCertChain = None 
     91                 
    8492        setSignatureHandler = eval(self.cfg['setUp']['setsignaturehandler']) 
    8593 
    8694        # Instantiate WS proxy 
    8795        self.clnt = AttAuthorityClient(uri=self.cfg['setUp']['uri'], 
     96            sslPeerCertCN=self.cfg['setUp'].get('sslpeercertcn'), 
     97            sslCACertList=sslCACertList, 
    8898            setSignatureHandler=setSignatureHandler, 
    8999            reqBinSecTokValType=reqBinSecTokValType, 
     
    232242            signingCertChain = \ 
    233243                        self._getCertChainFromProxyCertFile(proxyCertFilePath)        
     244        else: 
     245            signingCertChain = None 
    234246 
    235247        setSignatureHandler = \ 
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg

    r2530 r2679  
    1010# ! SiteBMapConfig.xml trusted site A aaURI setting must agree with this  
    1111# setting for test6GetMappedAttCert 
    12 uri = http://localhost:5000/AttributeAuthority 
    13 #uri = https://localhost:5000/AttributeAuthority 
     12#uri = http://localhost:5000/AttributeAuthority 
     13uri = https://localhost:5000/AttributeAuthority 
    1414#uri = http://glue.badc.rl.ac.uk/DEWS/MarineDataServer/AttributeAuthority 
     15#uri = http://glue.badc.rl.ac.uk/DEWS/HealthDataServer/AttributeAuthority 
    1516#uri = http://glue.badc.rl.ac.uk/DEWS/Portal/AttributeAuthority 
    1617#uri = http://glue.badc.rl.ac.uk:41000/AttributeAuthority 
     18 
     19# For https connections only.  !Omit ssl* settings if using http! 
     20# sslpeercertcn is the expected CommonName of peer cert.  Omit if it's the  
     21# same as peer hostname.  
     22sslpeercertcn = Junk 
     23sslcacertfilepathlist = cacert.pem 
    1724 
    1825# X.509 certificate for Attribute Authority - to verify the signature of 
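Review bot: `sslpeercertcn = Junk` at line 22 is committed as the live value while the test URI is switched to https at line 13; the comment at lines 19-21 says to omit the setting when the CN equals the peer hostname, so with `Junk` in place the host check will fail unless the test server's certificate really carries that CN. Either comment the line out like the alternate URIs or set it to the CN the test certificate actually has. Minor: `sslcacertfilepathlist = cacert.pem` (line 23) and `cacertfilepathlist = ./cacert.pem` (line 55) should use the same path form.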
     
    4552 
    4653# Space separated list of CA certificate files used to verify certificate used 
    47 # in message signature 
     54# in message signature / peer cert in SSL connection 
    4855cacertfilepathlist = ./cacert.pem 
    4956 
     
    6572[test6GetAttCertWithUserIdSet] 
    6673userId = system 
    67 issuingclntcertfilepath = ./aa-cert.pem 
     74# Comment out if SignatureHandler is being used 
     75#issuingclntcertfilepath = ./aa-cert.pem 
    6876 
    6977[test7GetMappedAttCert] 
     
    92100uri = http://localhost:5100/AttributeAuthority 
    93101# Heath Data Server 
    94 #uri = https://glue.badc.rl.ac.uk:42000/AttributeAuthority 
     102#uri = http://glue.badc.rl.ac.uk/DEWS/HealthDataServer/AttributeAuthority 
    95103# Marine Data Server 
    96104#uri = http://glue.badc.rl.ac.uk/DEWS/MarineDataServer/AttributeAuthority 
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/siteAAttAuthorityProperties.xml

    r2420 r2679  
    33    <name>Site A</name> 
    44    <portNum>5000</portNum> 
    5     <useSSL></useSSL> <!-- leave blank to use http --> 
     5    <useSSL>Yes</useSSL> <!-- leave blank to use http --> 
    66    <sslCertFile>$NDGSEC_AA_UNITTEST_DIR/aa-cert.pem</sslCertFile> 
    77    <sslKeyFile>$NDGSEC_AA_UNITTEST_DIR/aa-key.pem</sslKeyFile> 
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/MyProxy/Makefile

    r2178 r2679  
    1313# $Id:$ 
    1414PROXYFILES=proxy-cert.pem proxy-key.pem 
     15PYTHONPATH=/usr/bin/python 
    1516 
    1617initAttAuthorityClientUnittest: ${PROXYFILES} 
    1718        @echo Set-up AttAuthority unit test by copying proxy file output from this test... 
    18         ./MyProxyClientTest.py MyProxyClientTestCase.test2GetDelegation 
     19        ${PYTHONPATH} ./MyProxyClientTest.py MyProxyClientTestCase.test2GetDelegation 
    1920        cp ${PROXYFILES} ../AttAuthority 
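Review bot: `PYTHONPATH` at line 15 is a misleading name for the interpreter path: it is the environment variable the interpreter reads for its module search path, and if the caller's shell has it set, GNU make will export the overridden value `/usr/bin/python` into the recipe's environment, breaking the imports in `MyProxyClientTest.py`. Rename the macro to `PYTHON` (and use `${PYTHON}` at line 19).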
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/SessionMgr/SessionMgrClientTest.py

    r2620 r2679  
    9999        # Omit traceFile keyword to leave out SOAP debug info 
    100100        self.clnt = SessionMgrClient(uri=self.cfg['setUp']['smuri'], 
     101                sslCACertList=caCertFilePathList, 
     102                sslPeerCertCN=self.cfg['setUp'].get('sslpeercertcn'), 
    101103                setSignatureHandler=setSignatureHandler, 
    102104                reqBinSecTokValType=reqBinSecTokValType, 
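Review bot: `sslCACertList=caCertFilePathList` at line 101 is passed to `SessionMgrClient`, but the `__init__` added to `SessionMgr/__init__.py` in this changeset accepts only `transdict` and `sslPeerCertCN` for SSL, so this keyword falls through into `**signatureHandlerKw`; it also passes file paths where the Attribute Authority test passes `X509CertRead` objects. Since the commit message marks Session Manager SSL integration as incomplete, drop the keyword here until the setter exists, or add it to the client in the same commit.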
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/SessionMgr/sessionMgrClientTest.cfg

    r2620 r2679  
    1111[setUp] 
    1212smuri = https://localhost:5700/SessionManager 
     13 
     14# For https connections only.  The expected CommonName of peer cert.  Omit 
     15# if it's the same as peer hostname 
     16sslpeercertcn = webSphereTest 
    1317 
    1418# Set to False to test service without WS-Security signature 