Timestamp:
02/07/07 09:53:03 (13 years ago)
Author:
pjkersha
Message:

Replaced socket.ssl with M2Crypto https for web service clients

ndg.security.test/ndg/security/test/AttAuthority/siteAAttAuthorityProperties.xml:
swap to https

ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py:

  • added X509CertRead import for sslCACertList keyword processing
  • added sslPeerCertCN keyword input to AA client

ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg:

  • new keywords for SSL connections: sslpeercertcn and sslcacertfilepathlist

ndg.security.test/ndg/security/test/MyProxy/Makefile: PYTHONPATH macro to
enable custom python path setting

ndg.security.test/ndg/security/test/SessionMgr/SessionMgrClientTest.py:

  • added sslPeerCertCN and sslCACertList keyword input SM client - M2Crypto SSL integration not complete!!

ndg.security.common/ndg/security/common/ca/__init__.py:

  • fix to include HTTPResponse from ZSI.wstools.Utility

ndg.security.common/ndg/security/common/SessionMgr/__init__.py:

  • urlparse import - use to determine http/https transport
  • new ndg.security.common.m2CryptoSSLUtility module used for M2Crypto SSL
  • added sslPeerCertCN property
  • removed getSrvX509Cert() - no longer needed
  • modified call to Binding in initService to use custom M2Crypto SSL client
  • Removed exception handling for soap call wrappers - these can suppress useful info from being reported back higher in the stack

ndg.security.common/ndg/security/common/X509.py:

  • bug fix to X509Cert.__init__ - init caX509Stack to []
  • altered X509Stack.verifyCertChain to enable verification by self stack rather than need for caX509Stack

ndg.security.common/ndg/security/common/AttAuthority/__init__.py:

  • urlparse import - use to determine http/https transport
  • new ndg.security.common.m2CryptoSSLUtility module used for M2Crypto SSL
  • added sslPeerCertCN and sslCACertList properties for SSL host checks
  • removed setSrvCertFilePath() and getSrvCert() - no longer needed
  • modified call to Binding in initService to use custom M2Crypto SSL client
  • Removed exception handling for soap call wrappers - these can suppress useful info from being reported back higher in the stack

ndg.security.common/ndg/security/common/wsSecurity.py:

  • bug fix to binSecTokValType class var - 'X509' wrongly keyed into 'X509v3' namespace

ndg.security.common/ndg/security/common/m2CryptoSSLUtility.py: new module
containing class to extend M2Crypto.httpslib.HTTPSConnection and
M2Crypto.SSL.Checker.Checker

Location:
TI12-security/trunk/python/ndg.security.test/ndg/security/test
Files:
6 edited

  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py

    r2530 r2679  
    2020from ndg.security.common.AttAuthority import AttAuthorityClient 
    2121from ndg.security.common.AttCert import AttCertRead 
    22 from ndg.security.common.X509 import X509CertParse 
     22from ndg.security.common.X509 import X509CertParse, X509CertRead 
    2323 
    2424 
     
    7070        try: 
    7171            caCertFilePathList=self.cfg['setUp']['cacertfilepathlist'].split() 
    72         except: 
     72        except KeyError: 
    7373            caCertFilePathList = [] 
    7474           
     75        try: 
     76            sslCACertList = [X509CertRead(file) for file in \ 
     77                         self.cfg['setUp']['sslcacertfilepathlist'].split()] 
     78        except KeyError: 
     79            sslCACertList = [] 
     80             
    7581           
    7682        reqBinSecTokValType = self.cfg['setUp'].get('reqbinsectokvaltype') 
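Review bot: `sslCACertList` silently defaults to `[]` when `sslcacertfilepathlist` is absent from the config (lines 75-79), so for an https `uri` the client would be constructed with no CA certificates to verify the peer against; consider failing test setup with a clear message when the URI scheme is https and the list is empty, rather than leaving it to the SSL layer to decide what an empty CA list means. Minor: `file` in the list comprehension shadows the Python built-in; `filePath` would read better.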
     
    8187            signingCertChain = \ 
    8288                        self._getCertChainFromProxyCertFile(proxyCertFilePath) 
    83              
     89        else: 
     90            signingCertChain = None 
     91                 
    8492        setSignatureHandler = eval(self.cfg['setUp']['setsignaturehandler']) 
    8593 
    8694        # Instantiate WS proxy 
    8795        self.clnt = AttAuthorityClient(uri=self.cfg['setUp']['uri'], 
     96            sslPeerCertCN=self.cfg['setUp'].get('sslpeercertcn'), 
     97            sslCACertList=sslCACertList, 
    8898            setSignatureHandler=setSignatureHandler, 
    8999            reqBinSecTokValType=reqBinSecTokValType, 
     
    232242            signingCertChain = \ 
    233243                        self._getCertChainFromProxyCertFile(proxyCertFilePath)        
     244        else: 
     245            signingCertChain = None 
    234246 
    235247        setSignatureHandler = \ 
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg

    r2530 r2679  
    1010# ! SiteBMapConfig.xml trusted site A aaURI setting must agree with this  
    1111# setting for test6GetMappedAttCert 
    12 uri = http://localhost:5000/AttributeAuthority 
    13 #uri = https://localhost:5000/AttributeAuthority 
     12#uri = http://localhost:5000/AttributeAuthority 
     13uri = https://localhost:5000/AttributeAuthority 
    1414#uri = http://glue.badc.rl.ac.uk/DEWS/MarineDataServer/AttributeAuthority 
     15#uri = http://glue.badc.rl.ac.uk/DEWS/HealthDataServer/AttributeAuthority 
    1516#uri = http://glue.badc.rl.ac.uk/DEWS/Portal/AttributeAuthority 
    1617#uri = http://glue.badc.rl.ac.uk:41000/AttributeAuthority 
     18 
     19# For https connections only.  !Omit ssl* settings if using http! 
     20# sslpeercertcn is the expected CommonName of peer cert.  Omit if it's the  
     21# same as peer hostname.  
     22sslpeercertcn = Junk 
     23sslcacertfilepathlist = cacert.pem 
    1724 
    1825# X.509 certificate for Attribute Authority - to verify the signature of 
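Review bot: `sslpeercertcn = Junk` (line 22) contradicts the comment directly above it: with `uri` now pointing at `https://localhost:5000`, the peer certificate's CommonName will be checked against the literal string `Junk`, so the connection can only succeed if the test server's certificate really carries that CN. Either set it to the CN of the certificate the server uses or omit the setting so the check falls back to the hostname, as the comment describes. Also `sslcacertfilepathlist = cacert.pem` is written without the `./` prefix used for `cacertfilepathlist` later in this file; using the same form for both avoids surprises if the two keys are resolved differently.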
     
    4552 
    4653# Space separated list of CA certificate files used to verify certificate used 
    47 # in message signature 
     54# in message signature / peer cert in SSL connection 
    4855cacertfilepathlist = ./cacert.pem 
    4956 
     
    6572[test6GetAttCertWithUserIdSet] 
    6673userId = system 
    67 issuingclntcertfilepath = ./aa-cert.pem 
     74# Comment out if SignatureHandler is being used 
     75#issuingclntcertfilepath = ./aa-cert.pem 
    6876 
    6977[test7GetMappedAttCert] 
     
    92100uri = http://localhost:5100/AttributeAuthority 
    93101# Heath Data Server 
    94 #uri = https://glue.badc.rl.ac.uk:42000/AttributeAuthority 
     102#uri = http://glue.badc.rl.ac.uk/DEWS/HealthDataServer/AttributeAuthority 
    95103# Marine Data Server 
    96104#uri = http://glue.badc.rl.ac.uk/DEWS/MarineDataServer/AttributeAuthority 
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/siteAAttAuthorityProperties.xml

    r2420 r2679  
    33    <name>Site A</name> 
    44    <portNum>5000</portNum> 
    5     <useSSL></useSSL> <!-- leave blank to use http --> 
     5    <useSSL>Yes</useSSL> <!-- leave blank to use http --> 
    66    <sslCertFile>$NDGSEC_AA_UNITTEST_DIR/aa-cert.pem</sslCertFile> 
    77    <sslKeyFile>$NDGSEC_AA_UNITTEST_DIR/aa-key.pem</sslKeyFile> 
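Review bot: `<useSSL>Yes</useSSL>` relies on the rule in the trailing comment that any non-blank value enables SSL; it is worth confirming that the property parser really treats the element as a flag (non-empty means on) rather than comparing it against a specific token, otherwise this line either enables SSL by accident or not at all. Listing the accepted values in the comment would make the setting self-documenting.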
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/MyProxy/Makefile

    r2178 r2679  
    1313# $Id:$ 
    1414PROXYFILES=proxy-cert.pem proxy-key.pem 
     15PYTHONPATH=/usr/bin/python 
    1516 
    1617initAttAuthorityClientUnittest: ${PROXYFILES} 
    1718        @echo Set-up AttAuthority unit test by copying proxy file output from this test... 
    18         ./MyProxyClientTest.py MyProxyClientTestCase.test2GetDelegation 
     19        ${PYTHONPATH} ./MyProxyClientTest.py MyProxyClientTestCase.test2GetDelegation 
    1920        cp ${PROXYFILES} ../AttAuthority 
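Review bot: `PYTHONPATH` is the wrong name for a macro holding the interpreter path (line 15). `PYTHONPATH` is the environment variable Python uses for its module search path; if it is already set in the caller's environment, make will export the reassigned value `/usr/bin/python` to the recipe's sub-processes and break module imports in the very test being run. Rename it to something like `PYTHON=/usr/bin/python` and use `${PYTHON} ./MyProxyClientTest.py ...` on line 19.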
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/SessionMgr/SessionMgrClientTest.py

    r2620 r2679  
    9999        # Omit traceFile keyword to leave out SOAP debug info 
    100100        self.clnt = SessionMgrClient(uri=self.cfg['setUp']['smuri'], 
     101                sslCACertList=caCertFilePathList, 
     102                sslPeerCertCN=self.cfg['setUp'].get('sslpeercertcn'), 
    101103                setSignatureHandler=setSignatureHandler, 
    102104                reqBinSecTokValType=reqBinSecTokValType, 
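Review bot: `sslCACertList=caCertFilePathList` (line 101) passes a list of file paths, whereas the AttAuthority test in this same changeset builds `sslCACertList` from `X509CertRead(...)` objects read from a separate `sslcacertfilepathlist` setting; unless `SessionMgrClient` accepts both forms, one of the two call sites is wrong. Reusing `caCertFilePathList` here also ties the SSL trust store to the message-signature CA list, which the AttAuthority config keeps as two distinct keys. Since the commit message flags the SessionMgr SSL integration as incomplete, a TODO at this line would make that visible in the code.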
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/SessionMgr/sessionMgrClientTest.cfg

    r2620 r2679  
    1111[setUp] 
    1212smuri = https://localhost:5700/SessionManager 
     13 
     14# For https connections only.  The expected CommonName of peer cert.  Omit 
     15# if it's the same as peer hostname 
     16sslpeercertcn = webSphereTest 
    1317 
    1418# Set to False to test service without WS-Security signature 