Changeset 2932


Timestamp:
08/10/07 09:17:08 (12 years ago)
Author:
pjkersha
Message:

ndg.security.common/ndg/security/common/AttAuthority/__init__.py:

  • fix to AttAuthorityClient.getAllHostInfo - RoleList attribute is returned from ZSI ZPI call even if the SOAP XML element is nulled - include in return as [] 'role' dict key regardless.

ndg.security.common/ndg/security/common/m2CryptoSSLUtility.py:

  • new exception InvalidCertDN - use to raise an exception if peer cert DN doesn't match list of acceptedDNs
  • new keyword to HostCheck.__init__ - acceptedDNs. This enables validation by a check of the peer cert DN against a limited list of certs.
Location:
TI12-security/trunk/python/ndg.security.common/ndg/security/common
Files:
2 edited

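--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py
@@ -388,10 +388,6 @@
                 'loginServerDN': host.LoginServerDN,
                 'loginRequestServerDN': host.LoginRequestServerDN,
+                'role': host.RoleList
             }
-
-            # The Attribute Authority called doesn't have a role list for its
-            # entry
-            if hasattr(host, 'RoleList'):
-               allHostInfo[hostname]['role']= host.RoleList
 
         return allHostInfo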
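Review bot: The new dict entry `'role': host.RoleList` drops the `hasattr(host, 'RoleList')` guard, so a host entry whose stub object lacks that attribute now raises AttributeError and aborts the whole getAllHostInfo result instead of yielding an empty role list for that host. The commit message says the key should be `[]` regardless, but the new line passes through whatever ZSI returns for a nulled element (presumably None), not `[]`, so callers that iterate the role list would still fail. Because this value is what consumers of the host info presumably use as the host's role set, I would normalise it explicitly: `'role': getattr(host, 'RoleList', None) or []`. getAllHostInfo begins outside the hunk.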
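--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/m2CryptoSSLUtility.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/m2CryptoSSLUtility.py
@@ -22,5 +22,8 @@
 class InvalidCertSignature(SSL.Checker.SSLVerificationError):
     """Raise if verification against CA cert public key fails"""
-
+
+class InvalidCertDN(SSL.Checker.SSLVerificationError):
+    """Raise if verification against a list acceptable DNs fails"""
+
 
 class HostCheck(SSL.Checker.Checker, object):
@@ -30,5 +33,6 @@
     def __init__(self,
                  peerCertDN=None,
-                 peerCertCN=None,
+                 peerCertCN=None,
+                 acceptedDNs=[],
                  caCertList=[],
                  caCertFilePathList=[],
@@ -40,7 +44,8 @@
         @param peerCertDN: Set the expected Distinguished Name of the
         server to avoid errors matching hostnames.  This is useful
-        where the hostname is not fully qualified.  Alternatively set a list
-        of acceptable DNs.  This enables validation where the expected DN is
-        could be one a number of different identities.
+        where the hostname is not fully qualified.
+
+        *param acceptedDNs: a list of acceptable DNs.  This enables validation where the expected DN is
+        where against a limited list of certs.
 
         @type peerCertCN: string
@@ -61,4 +66,6 @@
         self.peerCertDN = peerCertDN
         self.peerCertCN = peerCertCN
+        self.acceptedDNs = acceptedDNs
+
         if caCertList:
             self.caCertList = caCertList
@@ -73,20 +80,18 @@
         @param host: name of host to check
         """
-
+        peerCertDN = '/'+peerCert.get_subject().as_text().replace(', ', '/')
         try:
             SSL.Checker.Checker.__call__(self, peerCert, host=self.peerCertCN)
 
         except SSL.Checker.WrongHost, e:
-            # Try match against peerCertDN set
-            # file setting
-            peerCertDN='/'+peerCert.get_subject().as_text().replace(', ', '/')
-
-            if isinstance(self.peerCertDN, list):
-                # At least one match should be found in the list
-                if not len([dn for dn in self.peerCertDN if peerCertDN==dn]):
-                    raise e
-            else:
-                if peerCertDN != self.peerCertDN:
-                    raise e
+            # Try match against peerCertDN set
+            if peerCertDN != self.peerCertDN:
+                raise e
+
+        # At least one match should be found in the list
+        if self.acceptedDNs and \
+           not len([dn for dn in self.acceptedDNs if peerCertDN==dn]):
+            raise InvalidCertDN, \
+                "Peer cert DN %s doesn't match verification list" % peerCertDN
 
         if len(self.__caCertStack) > 0: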
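Review bot: `acceptedDNs=[]` in `__init__` is a mutable default that `self.acceptedDNs = acceptedDNs` then stores by reference, so every HostCheck built without the keyword shares one list object and any in-place edit to one instance's allow-list of peer DNs silently applies to all the others; copy it on assignment with `self.acceptedDNs = list(acceptedDNs)`. In `__call__` the new check is only reached after the hostname or peerCertDN test has passed, so acceptedDNs narrows that check rather than replacing it, and the new docstring text ("This enables validation where the expected DN is where against a limited list of certs") should say so plainly; the `*param acceptedDNs` line also needs the `@param` marker and a `@type acceptedDNs: list` entry like the neighbouring parameters have. The membership test `not len([dn for dn in self.acceptedDNs if peerCertDN==dn])` reads more directly as `peerCertDN not in self.acceptedDNs`. `__call__` continues past the end of the hunk.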