Changeset 2685

Timestamp:

03/07/07 09:35:48 (13 years ago)

Author:

pjkersha

Message:

Preparing new DEWS 0.8.0 release -

ndg.security.server/setup.py: remove commented out code

setup.py, ndg.security.client/setup.py, ndg.security.test/setup.py,
ndg.security.server/setup.py, ndg.security.common/setup.py:
update version to 0.8.0

ndg.security.test/ndg/security/test/AttAuthority/siteAAttAuthorityProperties.xml:
reset default transport to http

ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg:
default test settings for DEWS

ndg.security.test/ndg/security/test/SessionMgr/SessionMgrClientTest.py:

• updated for tests with SSL - sslCACertList keyword

ndg.security.test/ndg/security/test/SessionMgr/sessionMgrClientTest.cfg:

• test with SSL

ndg.security.common/ndg/security/common/SessionMgr/init.py:

• include new SSL settings sslCACertList and sslCACertFilePathList

keywords / properties

• removed transdict keyword
• changed tranport attribute to _transport and transdict to _transdict

ndg.security.common/ndg/security/common/AttAuthority/init.py:

• import httplib to enable catch for httplib.BadStatusLine? exception - this

is thrown when trying to connect with http to https service

• include sslCACertFilePathList property
• remove clntCertFilePath, clntPriKeyFilePath and clntPriKeyPwd properties -

no longer needed

ndg.security.common/ndg/security/common/m2CryptoSSLUtility.py:

• new property caCertFilePathList enables setting of CA certs from file list
• fix to HTTPSConnection class - set _postConnectionCheck attribute to

SSL.Checker.Checker default if not equivalent keyword was set

ndg.security.common/ndg/security/common/CredWallet.py:

• enable calls to Attribute Authorities to set CA list for peer cert

verification with SSL connections

ndg-security-install.py: added new -t option to enable install of unit tests
package

Location:

TI12-security/trunk/python

Files:

• ndg-security-install.py (modified) (3 diffs)
• ndg.security.client/setup.py (modified) (2 diffs)
• ndg.security.common/ndg/security/common/AttAuthority/__init__.py (modified) (13 diffs)
• ndg.security.common/ndg/security/common/CredWallet.py (modified) (3 diffs)
• ndg.security.common/ndg/security/common/SessionMgr/__init__.py (modified) (8 diffs)
• ndg.security.common/ndg/security/common/m2CryptoSSLUtility.py (modified) (6 diffs)
• ndg.security.common/setup.py (modified) (1 diff)
• ndg.security.server/setup.py (modified) (1 diff)
• ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg (modified) (3 diffs)
• ndg.security.test/ndg/security/test/AttAuthority/siteAAttAuthorityProperties.xml (modified) (1 diff)
• ndg.security.test/ndg/security/test/SessionMgr/SessionMgrClientTest.py (modified) (3 diffs)
• ndg.security.test/ndg/security/test/SessionMgr/sessionMgrClientTest.cfg (modified) (3 diffs)
• ndg.security.test/setup.py (modified) (1 diff)
• setup.py (modified) (1 diff)

TI12-security/trunk/python/ndg-security-install.py

@@ -67 +67 @@
                           help="Install server package only.")
         
+        parser.add_option("-u",
+                          "--install-unittests",
+                          dest="installUnitTests",
+                          action="store_true",
+                          default=False,
+                          help="Install unit test package only.")
+        
         parser.add_option("-o",
                           "--openssl-path",
@@ -103 +110 @@
         # Sanity check
         nInstallArgs = sum((self.opt.installClient, 
-                            self.opt.installServer, 
+                            self.opt.installServer,
+                            self.opt.installUnitTests, 
                             self.opt.installAll))
         if not nInstallArgs:
@@ -122 +130 @@
             self.installTwisted()
             
+        elif self.opt.installUnitTests:
+            main(['-f', self.opt.dependencyLinks, "ndg_security_test"])
+            self.installTwisted()
+           
         elif self.opt.installAll:
             main(['-f', self.opt.dependencyLinks, "ndg_security"])

TI12-security/trunk/python/ndg.security.client/setup.py

@@ -30 +30 @@
 setup(
     name =                      'ndg_security_client',
-    version =                   '0.7.4',
+    version =                   '0.8.0',
     description =               'NERC DataGrid Security Utilities',
     long_description =          'Software for securing NDG resources',
@@ -51 +51 @@
     #'exclude_package_data =    {}
     entry_points =           _entryPoints,
-    #'tSest_suite =                'ndg.utils.test.suite',
+    #'test_suite =                 'ndg.utils.test.suite',
     zip_safe =               False
 )

TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py

@@ -26 +26 @@
 
 # Determine https http transport
-import urlparse
+import urlparse, httplib
 from ZSI.wstools.Utility import HTTPResponse
 
@@ -54 +54 @@
                  tracefile=None,
                  sslCACertList=[],
+                 sslCACertFilePathList=[],
                  sslPeerCertCN=None, 
                  setSignatureHandler=True,
@@ -65 +66 @@
         extra WS debug information
         
-        @type transdict: dict
-        @keyword transdict: keywords to connection transport used by 
-        ZSI.client.Binding.  If transport type is HTTPS, 
-        m2CryptoSSLUtility.HTTPSConnection is used.  This is a customisation
-        of the M2Crypto version to enable setting of specific peer cert DN or
-        CN to check against.  By default, the peer's hostname is expected to
-        equal the peer CN.
+        @type sslCACertList: list
+        @keyword sslCACertList: This keyword is for use with SSL connections 
+        only.  Set a list of one ore more CA certificates.  The peer cert.
+        must verify against at least one of these otherwise the connection
+        is dropped.
+        
+        @type sslCACertFilePathList: list
+        @keyword sslCACertFilePathList: the same as the above except CA certs
+        can be passed as a list of file paths to read from
         
         @type sslPeerCertCN: string
-        @keyword sslPeerCertCN: short cut to the above for setting an
-        alternate CommonName to match with peer cert.  Setting this
-        keyword avoids messing around with transdict keyword explicitly.  
-        This keyword is for use with SSL connections only.
+        @keyword sslPeerCertCN: set an alternate CommonName to match with peer
+        cert.  This keyword is for use with SSL connections only.
                      
         @type setSignatureHandler: bool
@@ -98 +99 @@
         if sslCACertList:
             self.__setSSLCACertList(sslCACertList)
-        
+        elif sslCACertFilePathList:
+            self.__setSSLCACertFilePathList(sslCACertFilePathList)
         
         # WS-Security Signature handler - set only if any of the keywords were
@@ -116 +118 @@
     #_________________________________________________________________________
     def __setURI(self, uri):
-        
+        """Set URI for service
+        @type uri: string
+        @param uri: URI for service to connect to"""
         if not isinstance(uri, basestring):
             raise AttAuthorityClientError, \
@@ -142 +146 @@
         needed if the peer cert CN = peer hostname"""
         if self._transport != HTTPSConnection:
-            raise AttAuthorityClientError, \
-                "Setting peer cert CN - transport type must be HTTPS"
+            return
         
         if self._transdict.get('postConnectionCheck'):
@@ -159 +162 @@
         which the peer cert must verify its signature against"""
         if self._transport != HTTPSConnection:
-            raise AttAuthorityClientError, \
-            "Setting SSL check CA cert list - transport type must be HTTPS"
-        
-        if self._transdict['postConnectionCheck']:
+            return
+        
+        if self._transdict.get('postConnectionCheck'):
             self._transdict['postConnectionCheck'].caCertList = caCertList
         else:
@@ -170 +172 @@
     sslCACertList = property(fset=__setSSLCACertList, 
 doc="for https connections, set list of CA certs from which to verify peer cert")
+
+
+    #_________________________________________________________________________
+    def __setSSLCACertFilePathList(self, caCertFilePathList):
+        """For use with HTTPS connections only.  Specify CA certs to one of 
+        which the peer cert must verify its signature against"""
+        if self._transport != HTTPSConnection:
+            return
+        
+        if self._transdict.get('postConnectionCheck'):
+            self._transdict['postConnectionCheck'].caCertFilePathList = \
+                                            caCertFilePathList
+        else:
+            self._transdict['postConnectionCheck'] = \
+                            HostCheck(caCertFilePathList=caCertFilePathList)
+
+    sslCACertFilePathList = property(fset=__setSSLCACertFilePathList, 
+doc="for https connections, set list of CA cert files from which to verify peer cert")
 
     
@@ -193 +213 @@
                                 fset=__setSignatureHandler,
                                 doc="SignatureHandler object")
-
- 
-    #_________________________________________________________________________
-    def __setClntCertFilePath(self, clntCertFilePath):
-        
-        if not isinstance(clntCertFilePath, basestring):
-            raise AttAuthorityClientError, \
-                "Client public key file path must be a valid string"
-        
-        self.__clntCertFilePath = clntCertFilePath
-        
-        try:
-            self.__clntCert = open(self.__clntCertFilePath).read()
-            
-        except IOError, (errNo, errMsg):
-            raise AttAuthorityClientError, \
-                    "Reading certificate file \"%s\": %s" % \
-                    (self.__clntCertFilePath, errMsg)
-                               
-        except Exception, e:
-            raise AttAuthorityClientError, \
-                                    "Reading certificate file \"%s\": %s" % \
-                                    (self.__clntCertFilePath, str(e))
-        
-    clntCertFilePath = property(fset=__setClntCertFilePath,
-                                doc="File path for client public key")
-
- 
-    #_________________________________________________________________________
-    def __setClntPriKeyFilePath(self, clntPriKeyFilePath):
-        
-        if not isinstance(clntPriKeyFilePath, basestring):
-            raise AttAuthorityClientError(\
-                "Client public key file path must be a valid string")
-        
-        self.__clntPriKeyFilePath = clntPriKeyFilePath
-        
-    clntPriKeyFilePath = property(fset=__setClntPriKeyFilePath,
-                                  doc="File path for client private key")
-
- 
-    #_________________________________________________________________________
-    def __setClntPriKeyPwd(self, clntPriKeyPwd):
-        
-        if not isinstance(clntPriKeyPwd, basestring):
-            raise SessionMgrClientError, \
-                        "Client private key password must be a valid string"
-        
-        self.__clntPriKeyPwd = clntPriKeyPwd
-        
-    clntPriKeyPwd = property(fset=__setClntPriKeyPwd,
-                         doc="Password protecting client private key file")
     
         
@@ -281 +249 @@
         """
 
-        hostname, aaURI, loginURI = self.__srv.getHostInfo()
-        
+        try:
+            hostname, aaURI, loginURI = self.__srv.getHostInfo()
+        except httplib.BadStatusLine, e:
+            raise AttAuthorityClientError, "HTTP bad status line: %s" % e
+
         hostInfo = {}
         hostInfo[hostname] = {'aaURI': aaURI, 'loginURI': loginURI}
@@ -301 +272 @@
         from the map configuration"""
             
-        trustedHosts = self.__srv.getTrustedHostInfo(role)
+        try:
+            trustedHosts = self.__srv.getTrustedHostInfo(role)
+        except httplib.BadStatusLine, e:
+            raise AttAuthorityClientError, "HTTP bad status line: %s" % e
 
         # Convert into dictionary form as used by AttAuthority class
@@ -355 +329 @@
             userAttCert = userAttCert.toString()
             
-        sAttCert, msg = self.__srv.getAttCert(userId, userCert, userAttCert)  
+        try:
+            sAttCert, msg = self.__srv.getAttCert(userId, userCert, userAttCert)  
+        except httplib.BadStatusLine, e:
+            raise AttAuthorityClientError, "HTTP bad status line: %s" % e
+        
         if sAttCert:
             return AttCertParse(sAttCert)
@@ -369 +347 @@
         @return X.509 certificate for Attribute Authority"""
         
-        return self.__srv.getX509Cert()                
+        try:
+            return self.__srv.getX509Cert()                
+        except httplib.BadStatusLine, e:
+            raise AttAuthorityClientError, "HTTP bad status line: %s" % e

TI12-security/trunk/python/ndg.security.common/ndg/security/common/CredWallet.py

@@ -439 +439 @@
         # BinarySecurityToken containing proxy cert and user cert that issued
         # the proxy
+
         reqBinSecTokValType=SignatureHandler.binSecTokValType["X509PKIPathv1"]
         certChain = (self.__userCert, self.__proxyCert)
@@ -447 +448 @@
                                     signingCertChain=certChain,
                                     signingPriKey=self.__proxyPriKey,
-                                    caCertFilePathList=caCertFilePathList)
+                                    caCertFilePathList=caCertFilePathList,
+                                    sslCACertFilePathList=caCertFilePathList)
         return aaClnt
 
@@ -935 +937 @@
             
         # Repeat authorisation attempts until succeed or means are exhausted
+        import pdb;pdb.set_trace()
         while True:
             

TI12-security/trunk/python/ndg.security.common/ndg/security/common/SessionMgr/__init__.py

@@ -48 +48 @@
                  uri=None, 
                  tracefile=None,
-                 transdict={},
+                 sslCACertList=[],
+                 sslCACertFilePathList=[],
                  sslPeerCertCN=None, 
                  setSignatureHandler=True,
@@ -61 +62 @@
         WS debug information
         
-        @type transdict: dict
-        @keyword transdict: keywords to connection transport used by 
-        ZSI.client.Binding.  If transport type is HTTPS, 
-        m2CryptoSSLUtility.HTTPSConnection is used.  This is a customisation
-        of the M2Crypto version to enable setting of specific peer cert DN or
-        CN to check against.  By default, the peer's hostname is expected to
-        equal the peer CN.
+        @type sslCACertList: list
+        @keyword sslCACertList: This keyword is for use with SSL connections 
+        only.  Set a list of one ore more CA certificates.  The peer cert.
+        must verify against at least one of these otherwise the connection
+        is dropped.
+        
+        @type sslCACertFilePathList: list
+        @keyword sslCACertFilePathList: the same as the above except CA certs
+        can be passed as a list of file paths to read from
         
         @type sslPeerCertCN: string
-        @keyword sslPeerCertCN: short cut to the above for setting an
-        alternate CommonName to match with peer cert.  Setting this
-        keyword avoids messing around with transdict keyword explicitly.  
-        This keyword is for use with SSL connections only.
+        @keyword sslPeerCertCN: set an alternate CommonName to match with peer
+        cert.  This keyword is for use with SSL connections only.
         
         @type setSignatureHandler: bool
@@ -84 +85 @@
         self.__srv = None
         self.__uri = None
-        self.transdict = transdict        
+        self._transdict = {}        
         
         if uri:
@@ -91 +92 @@
         if sslPeerCertCN:
             self.__setSSLPeerCertCN(sslPeerCertCN)
+        
+        if sslCACertList:
+            self.__setSSLCACertList(sslCACertList)
+        elif sslCACertFilePathList:
+            self.__setCACertFilePathList(sslCACertFilePathList)
 
         # WS-Security Signature handler - set only if any of the keywords were
@@ -109 +115 @@
     #_________________________________________________________________________
     def __setURI(self, uri):
-        "Set URI property method"
+        """Set URI for service
+        @type uri: string
+        @param uri: URI for service to connect to"""
         
         if not isinstance(uri, basestring):
@@ -123 +131 @@
                 
         if scheme == "https":
-            self.__transport = HTTPSConnection
+            self._transport = HTTPSConnection
         else:
-            self.__transport = None
+            self._transport = None
             
             # Ensure SSL settings are cancelled
@@ -138 +146 @@
         Name to match with Common Name of the peer certificate.  This is not
         needed if the peer cert CN = peer hostname"""
-        if cn is None:
-            # Remove any HostCheck object created previously
-            try:
-                del self.transdict['postConnectionCheck']
-            except KeyError:
-                pass
-        elif self.transdict['postConnectionCheck']:
-            self.transdict['postConnectionCheck'].peerCertCN = cn
+        if self._transport != HTTPSConnection:
+            return
+        
+        if self._transdict.get('postConnectionCheck'):
+            self._transdict['postConnectionCheck'].peerCertCN = cn
         else:
-            self.transdict['postConnectionCheck'] = HostCheck(peerCertCN=cn)
+            self._transdict['postConnectionCheck'] = HostCheck(peerCertCN=cn)
 
     sslPeerCertCN = property(fset=__setSSLPeerCertCN, 
 doc="for https connections, set CN of peer cert if other than peer hostname")
+
+
+    #_________________________________________________________________________
+    def __setSSLCACertList(self, caCertList):
+        """For use with HTTPS connections only.  Specify CA certs to one of 
+        which the peer cert must verify its signature against"""
+        if self._transport != HTTPSConnection:
+            return
+        
+        if self._transdict.get('postConnectionCheck'):
+            self._transdict['postConnectionCheck'].caCertList = caCertList
+        else:
+            self._transdict['postConnectionCheck'] = \
+                                            HostCheck(caCertList=caCertList)
+
+    sslCACertList = property(fset=__setSSLCACertList, 
+doc="for https connections, set list of CA certs from which to verify peer cert")
+
+
+    #_________________________________________________________________________
+    def __setSSLCACertFilePathList(self, caCertFilePathList):
+        """For use with HTTPS connections only.  Specify CA certs to one of 
+        which the peer cert must verify its signature against"""
+        if self._transport != HTTPSConnection:
+            raise AttAuthorityClientError, \
+            "Setting SSL check CA cert list - transport type must be HTTPS"
+        
+        if self._transdict.get('postConnectionCheck'):
+            self._transdict['postConnectionCheck'].caCertFilePathList = \
+                                            caCertFilePathList
+        else:
+            self._transdict['postConnectionCheck'] = \
+                                            HostCheck(caCertList=caCertList)
+
+    sslCACertFilePathList = property(fset=__setSSLCACertFilePathList, 
+doc="for https connections, set list of CA cert files from which to verify peer cert")
 
 
@@ -188 +229 @@
                                        sig_handler=self.__signatureHandler,
                                        tracefile=self.__tracefile,
-                                         transport=self.__transport,
-                                         transdict=self.transdict)
+                                         transport=self._transport,
+                                         transdict=self._transdict)
         except HTTPResponse, e:
             raise SessionMgrClientError, \

TI12-security/trunk/python/ndg.security.common/ndg/security/common/m2CryptoSSLUtility.py

@@ -2 +2 @@
 import socket
 
-from M2Crypto import SSL
+from M2Crypto import SSL, X509
 from M2Crypto.httpslib import HTTPSConnection as _HTTPSConnection
 
@@ -15 +15 @@
     setting match for peer cert"""
 
-    def __init__(self, peerCertDN=None, peerCertCN=None, caCertList=[], **kw):
+    def __init__(self, 
+                 peerCertDN=None, 
+                 peerCertCN=None, 
+                 caCertList=[],
+                 caCertFilePathList=[], 
+                 **kw):
         """Override parent class __init__ to enable setting of myProxyServerDN
         setting
@@ -29 +34 @@
         
         @type caCertList: list type of M2Crypto.X509.X509 types
-        @keyword caCert: CA X.509 certificates - if set the peer cert's 
+        @keyword caCertList: CA X.509 certificates - if set the peer cert's 
         CA signature is verified against one of these.  At least one must
-        verify"""
+        verify
+        
+        @type caCertFilePathList: list string types
+        @keyword caCertFilePathList: same as caCertList except input as list
+        of CA cert file paths"""
         
         SSL.Checker.Checker.__init__(self, **kw)
@@ -37 +46 @@
         self.peerCertDN = peerCertDN
         self.peerCertCN = peerCertCN
-        self.caCertList = caCertList
-        
+        if caCertList:
+            self.caCertList = caCertList
+        elif caCertFilePathList:
+            self.caCertFilePathList = caCertFilePathList
+            
         
     def __call__(self, peerCert, host=None):
@@ -81 +93 @@
 
 
+    #_________________________________________________________________________
+    def __setCACertsFromFileList(self, caCertFilePathList):
+        '''Read CA certificates from file and add them to the X.509
+        stack
+        
+        @type caCertFilePathList: list or tuple
+        @param caCertFilePathList: list of file paths for CA certificates to
+        be used to verify certificate used to sign message'''
+        
+        if not isinstance(caCertFilePathList, list) and \
+           not isinstance(caCertFilePathList, tuple):
+            raise AttributeError, \
+                        'Expecting a list or tuple for "caCertFilePathList"'
+
+        self.__caCertStack = X509Stack()
+
+        for caCertFilePath in caCertFilePathList:
+            self.__caCertStack.push(X509.load_cert(caCertFilePath))
+        
+    caCertFilePathList = property(fset=__setCACertsFromFileList,
+    doc="list of CA cert file paths - peer cert must validate against one")
+
+
 class HTTPSConnection(_HTTPSConnection):
 
@@ -89 +124 @@
             self._postConnectionCheck = kw['postConnectionCheck']
             del kw['postConnectionCheck']
-
+        else:
+            self._postConnectionCheck = SSL.Checker.Checker
+            
         _HTTPSConnection.__init__(self, *args, **kw)
         

TI12-security/trunk/python/ndg.security.common/setup.py

@@ -68 +68 @@
 setup(
     name =                      'ndg_security_common',
-    version =                   '0.7.4',
-    description =               
+    version =                   '0.8.0',
+    description = \
 '''NERC DataGrid Security virtual package containing common utilities used
 noth by server and client packages''',

TI12-security/trunk/python/ndg.security.server/setup.py

@@ -32 +32 @@
 ]
 
-# Installation location for configuration and share files
-#ndgDir = os.environ.get('NDG_DIR') or os.environ.get('NDG_HOME') or \
-#        os.path.join('/', 'etc', 'ndg')
-#
-#dataSubDirs = ('conf', 'share')
-#dataDirs = {}.fromkeys(dataSubDirs)
-#for dir in dataSubDirs:
-#    dataDirs[dir] = os.path.join(ndgDir, dir)
-#    
-#    # Ensure path is set up OK
-#    try:
-#        os.makedirs(dataDirs[dir], 0755)
-#    except OSError, e:
-#        if e.errno != 17:
-#            raise SystemExit, "Error creating data directory: " + str(e)
-#        else:
-#            pass
     
 setup(
     name =                      'ndg_security_server',
-    version =                   '0.7.4',
+    version =                   '0.8.0',
     description =               'NERC DataGrid Security Services',
     long_description =          'Server side component for securing NDG resources',

TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg

@@ -10 +10 @@
 # ! SiteBMapConfig.xml trusted site A aaURI setting must agree with this 
 # setting for test6GetMappedAttCert
-#uri = http://localhost:5000/AttributeAuthority
-uri = https://localhost:5000/AttributeAuthority
+uri = http://localhost:5000/AttributeAuthority
+#uri = https://localhost:5000/AttributeAuthority
 #uri = http://glue.badc.rl.ac.uk/DEWS/MarineDataServer/AttributeAuthority
 #uri = http://glue.badc.rl.ac.uk/DEWS/HealthDataServer/AttributeAuthority
@@ -36 +36 @@
 # ValueType for BinarySecurityToken element of WSSE header.  Specify
 # 'X509PKIPathv1' for use with proxy certificates
-#reqbinsectokvaltype = X509v3
+reqbinsectokvaltype = X509v3
 #reqbinsectokvaltype = X509
-reqbinsectokvaltype = X509PKIPathv1
+#reqbinsectokvaltype = X509PKIPathv1
 
 # Test with proxy certificates or with standard certs.  Comment out as 
 # appropriate
-proxycertfilepath = ./proxy-cert.pem
+#proxycertfilepath = ./proxy-cert.pem
 
 # Test without proxy certificates - uses AA server side cert/private key for
 # client side too (!)
-#clntcertfilepath = ./aa-cert.pem
+clntcertfilepath = ./aa-cert.pem
 
-#clntprikeyfilepath = ./aa-key.pem
-clntprikeyfilepath = ./proxy-key.pem
+clntprikeyfilepath = ./aa-key.pem
+#clntprikeyfilepath = ./proxy-key.pem
 
 # Space separated list of CA certificate files used to verify certificate used
@@ -81 +81 @@
 # ValueType for BinarySecurityToken element of WSSE header.  Specify
 # 'X509PKIPathv1' for use with proxy certificates
-#reqbinsectokvaltype = X509v3
+reqbinsectokvaltype = X509v3
 #reqbinsectokvaltype = X509
-reqbinsectokvaltype = X509PKIPathv1
+#reqbinsectokvaltype = X509PKIPathv1
 
 # Test with proxy certificates or with standard certs.  Comment out as 
 # appropriate
-proxycertfilepath = ./proxy-cert.pem
-#clntcertfilepath = ./aa-cert.pem
+#proxycertfilepath = ./proxy-cert.pem
+clntcertfilepath = ./aa-cert.pem
 
 clntprikeypwd = 
 clntprikeyfilepath = ./proxy-key.pem
-#clntprikeyfilepath = ./aa-key.pem
+clntprikeyfilepath = ./aa-key.pem
 
 # Space separated list of CA certificate files used to verify certificate used

TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/siteAAttAuthorityProperties.xml

@@ -3 +3 @@
     <name>Site A</name>
     <portNum>5000</portNum>
-    <useSSL>Yes</useSSL> <!-- leave blank to use http -->
+    <useSSL></useSSL> <!-- leave blank to use http -->
     <sslCertFile>$NDGSEC_AA_UNITTEST_DIR/aa-cert.pem</sslCertFile>
     <sslKeyFile>$NDGSEC_AA_UNITTEST_DIR/aa-key.pem</sslKeyFile>

TI12-security/trunk/python/ndg.security.test/ndg/security/test/SessionMgr/SessionMgrClientTest.py

@@ -29 +29 @@
     
 from ndg.security.common.SessionCookie import SessionCookie
-from ndg.security.common.X509 import X509CertParse
+from ndg.security.common.X509 import X509CertParse, X509CertRead
 
 
@@ -82 +82 @@
         except:
             caCertFilePathList = []
+          
+        try:
+            sslCACertList = [X509CertRead(file) for file in \
+                         self.cfg['setUp']['sslcacertfilepathlist'].split()]
+        except KeyError:
+            sslCACertList = []
           
           
@@ -99 +105 @@
         # Omit traceFile keyword to leave out SOAP debug info
         self.clnt = SessionMgrClient(uri=self.cfg['setUp']['smuri'],
-                sslCACertList=caCertFilePathList,
+                sslCACertList=sslCACertList,
                 sslPeerCertCN=self.cfg['setUp'].get('sslpeercertcn'),
                 setSignatureHandler=setSignatureHandler,

TI12-security/trunk/python/ndg.security.test/ndg/security/test/SessionMgr/sessionMgrClientTest.cfg

@@ -12 +12 @@
 smuri = https://localhost:5700/SessionManager
 
-# For https connections only.  The expected CommonName of peer cert.  Omit
-# if it's the same as peer hostname
+# For https connections only.  !Omit ssl* settings if using http!
+# sslpeercertcn is the expected CommonName of peer cert.  Omit if it's the 
+# same as peer hostname. 
 sslpeercertcn = webSphereTest
+sslcacertfilepathlist = cacert.pem
 
 # Set to False to test service without WS-Security signature
@@ -60 +62 @@
 
 [test6GetAttCertUsingSessID]
-aaURI = http://localhost:5000/AttributeAuthority
+aaURI = https://localhost:5000/AttributeAuthority
 
 [test6aGetAttCertRefusedUsingSessID]
@@ -72 +74 @@
 
 [test7GetAttCertUsingProxyCert]
-aaURI = http://localhost:5000/AttributeAuthority
+aaURI = https://localhost:5000/AttributeAuthority
 
 

TI12-security/trunk/python/ndg.security.test/setup.py

@@ -33 +33 @@
 setup(
     name =                      'ndg_security_test',
-    version =                   '0.7.4',
+    version =                   '0.8.0',
     description =               'NERC DataGrid Security Unit tests',
     long_description =          'Unit tests client - server side',

TI12-security/trunk/python/setup.py

@@ -25 +25 @@
 setup(
     name =                      'ndg_security',
-    version =                   '0.7.4',
+    version =                   '0.8.0',
     description =               'NERC DataGrid Security Utilities',
     long_description =          'Software for securing NDG resources',