Changeset 3135 for TI12-security


Timestamp:
12/12/07 14:40:04 (12 years ago)
Author:
pjkersha
Message:

Working Attribute Authority unit tests with WS-Security multiple CAs support. This will be needed for deployment of MyProxy with Simple CA at partner sites.

Added CA cert and certs and keys for a *TEST* CA for use with unit tests. This CA is NOT for production use.

python/ndg.security.server/setup.py: include .crt certs in conf/ package data

python/ndg.security.server/ndg/security/server/AttAuthority/__init__.py: added sslCACertDir param. It enables M2Crypto SSL server side to pick up multiple CA certs for a dir.

python/ndg.security.server/ndg/security/server/conf/certs/ca/__init__.py: make new ca/ dir a package so that it's exported with egg package data.

python/ndg.security.server/ndg/security/server/conf/sessionMgr.tac,
python/ndg.security.server/ndg/security/server/conf/attAuthority.tac:

  • alter WS-Security SOAP handler init to accept multiple CA certs.
  • load multiple CA certs from sslCACertDir key of SessionMgr/AttAuthority instance

python/ndg.security.server/ndg/security/server/conf/attAuthorityProperties.xml,
python/ndg.security.test/ndg/security/test/AttAuthority/siteBAttAuthorityProperties.xml,
python/ndg.security.test/ndg/security/test/sessionMgrClient/sessionMgrProperties.xml

  • added new sslCACertDir elem
  • fixed caCertFile - only single elem required

python/ndg.security.test/setup.py: include TEST CA and certs and keys issued from it for use in unit tests. These are for test only.

python/ndg.security.test/ndg/security/test/AttAuthority/ca/ndg-test-ca.crt,
python/ndg.security.test/ndg/security/test/AttAuthority/siteA-aa.key,
python/ndg.security.test/ndg/security/test/AttAuthority/siteA-aa.crt: test CA certs and key.

python/ndg.security.test/ndg/security/test/AttAuthority/__init__.py: fix description

python/ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py: ditto + added NDGSEC_INT_DEBUG env var option

python/ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg: fixed for new location of CA cert in ca/ sub-dir

python/ndg.security.test/ndg/security/test/sessionMgrClient/ca/__init__.py,
python/ndg.security.test/ndg/security/test/sessionMgr/ca/__init__.py,
python/ndg.security.test/ndg/security/test/AttAuthority/ca/__init__.py: ensure ca/ dir gets included in egg package data

Location:
TI12-security/trunk/python
Files:
13 added
13 edited

  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/AttAuthority/__init__.py

    r3133 r3135  
    100100                    'sslKeyFile':          '', 
    101101                    'sslKeyPwd':           '', 
     102                    'sslCACertDir':        '', 
    102103                    'useSignatureHandler': True, 
    103104                    'certFile':            '', 
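Review bot: the new 'sslCACertDir' default of '' on line 102 is passed straight to ctx.load_verify_locations(capath=...) in attAuthority.tac whenever useSSL is set, and OpenSSL rejects an empty directory argument, so a blank value surfaces as an opaque SSL error at startup rather than a configuration message. Validate that sslCACertDir is non-empty and names an existing directory when useSSL is enabled, and document that the directory must hold CA certificates under their OpenSSL subject-hash file names (as produced by c_rehash) for capath lookup to find them.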
     
    428429        attCert = AttCert() 
    429430 
     431        # First cert in list corresponds to the private key 
    430432        attCert.certFilePathList = [self.__prop['certFile']] + \ 
    431433                                    self.__prop['caCertFileList'] 
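Review bot: the concatenation on lines 432-433 assumes self.__prop['caCertFileList'] is always a list; if the property loader leaves it unset or None when the element is absent from the XML, the addition raises TypeError. Guard it with `self.__prop.get('caCertFileList') or []` so a missing CA list fails in a predictable place.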
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/conf/attAuthority.tac

    r3085 r3135  
    247247    # Initialise WS-Security signature handler passing Attribute Authority 
    248248    # public and private keys 
    249     caCertFile = srv.aa.get('caCertFile') 
    250     if caCertFile: 
    251         caCertFilePathList = (caCertFile,)  
    252     else: 
    253                 caCertFilePathList = None 
    254      
    255249    WSSecurityHandler.signatureHandler = SignatureHandler(\ 
    256250                                verifyingCertFilePath=srv.aa['clntCertFile'], 
     
    258252                                signingPriKeyFilePath=srv.aa['keyFile'], 
    259253                                signingPriKeyPwd=srv.aa['keyPwd'], 
    260                                 caCertFilePathList=caCertFilePathList) 
     254                                caCertFilePathList=srv.aa.get('caCertFileList')) 
    261255 
    262256# Add Service to Attribute Authority branch 
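Review bot: the replacement on line 254 drops the explicit None fallback that lines 249-253 had, so SignatureHandler now receives whatever srv.aa.get('caCertFileList') returns when the element is missing; confirm the handler treats an absent list the same way it treated None (refusing to verify rather than skipping verification). Every CA in caCertFileList becomes a trust anchor for inbound WS-Security signatures, so the test CA introduced in this changeset must never be listed in a deployed attAuthorityProperties.xml.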
     
    294288        ctx.set_verify(SSL.verify_client_once, 1) 
    295289         
    296         ctx.load_verify_locations(cafile=os.path.basename(srv.aa['caCertFile']),  
    297                                                   capath=os.path.dirname(srv.aa['caCertFile'])) 
     290        ctx.load_verify_locations(capath=srv.aa['sslCACertDir']) 
    298291         
    299292        class ContextFactory: 
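Review bot: line 290 switches from cafile to capath, and OpenSSL capath lookup only finds certificates stored under their subject-hash file names (hash.0, as produced by c_rehash); a file named ndg-test-ca.crt copied into sslCACertDir is silently ignored and client certificate verification fails. Either rehash the directory at install time or keep a cafile option alongside capath. The removed lines 296-297 also passed os.path.basename() of the CA file as cafile, which resolved relative to the working directory rather than the configured path, so the change does fix a real defect.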
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/conf/attAuthorityProperties.xml

    r3133 r3135  
    1111    --> 
    1212    <useSSL></useSSL> <!-- leave blank to use http --> 
    13     <<sslCertFileList> 
    14         <sslCertFile>$NDGSEC_DIR/conf/certs/ssl-cert.pem</sslCertFile> 
    15     </sslCertFileList> 
     13    <sslCertFile>$NDGSEC_DIR/conf/certs/ssl-cert.pem</sslCertFile> 
    1614    <sslKeyFile>$NDGSEC_DIR/conf/certs/ssl-key.pem</sslKeyFile> 
    1715    <sslKeyPwd></sslKeyPwd> 
     16    <!--  
     17    Directory containing CA cert.s to verify SSL peer cert against  
     18     - ignored if useSSL is blank --> 
     19    <sslCACertDir>$NDGSEC_DIR/conf/certs/ca</sslCACertDir> 
    1820    <!-- 
    1921    PKI settings for signature of outbound SOAP messages 
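Review bot: the removed line 13 read `<<sslCertFileList>`, so this file was not well-formed XML before the change and the cleanup is needed; the new comment on lines 16-18 should additionally say that sslCACertDir is loaded with capath semantics and therefore needs subject-hash links (c_rehash) for its .crt files, otherwise a reader will assume dropping plain-named certificates into the directory is enough.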
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/conf/sessionMgr.tac

    r3133 r3135  
    214214 
    215215if srv.sm['useSignatureHandler']: 
    216         # Initialise WS-Security signature handler passing Attribute Authority 
    217         # public and private keys 
    218         caCertFile = srv.sm.get('caCertFile') 
    219         if caCertFile: 
    220                 caCertFilePathList = (caCertFile,)  
    221         else: 
    222                 caCertFilePathList = None 
    223          
    224216        # Initialise WS-Security signature handler passing Session Manager 
    225217        # public and private keys 
    226218        WSSecurityHandler.signatureHandler = SignatureHandler(\ 
    227                                                                 verifyingCertFilePath=srv.sm['clntCertFile'], 
    228                                     signingCertFilePath=srv.sm['certFile'], 
    229                                     signingPriKeyFilePath=srv.sm['keyFile'], 
    230                                     signingPriKeyPwd=srv.sm['keyPwd'], 
    231                                     caCertFilePathList=caCertFilePathList) 
     219                                                        verifyingCertFilePath=srv.sm['clntCertFile'], 
     220                            signingCertFilePath=srv.sm['certFile'], 
     221                            signingPriKeyFilePath=srv.sm['keyFile'], 
     222                            signingPriKeyPwd=srv.sm['keyPwd'], 
     223                            caCertFilePathList=srv.aa.get('caCertFileList')) 
    232224 
    233225# Add Service to Session Manager branch 
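Review bot: line 223 reads `srv.aa.get('caCertFileList')` inside sessionMgr.tac, while every other setting on lines 219-222 comes from srv.sm; this looks like a copy-and-paste from attAuthority.tac and will either raise AttributeError at startup (no aa on the Session Manager's srv) or verify signatures against another service's CA list. Change it to `srv.sm.get('caCertFileList')`. The indentation of line 219 is also out of step with lines 220-223.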
     
    267259        ctx.set_verify(SSL.verify_client_once, 1) 
    268260 
    269         ctx.load_verify_locations(capath=srv.sm['sslCACertDir'])) 
     261        ctx.load_verify_locations(capath=srv.sm['sslCACertDir']) 
    270262 
    271263        class ContextFactory: 
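Review bot: the removed line 269 had an unbalanced closing parenthesis, so the SSL branch of sessionMgr.tac could not have been parsed before this change; the fix on line 261 is correct. The same capath caveat applies here: the directory named by srv.sm['sslCACertDir'] must contain subject-hash-named certificates (c_rehash) or OpenSSL will find nothing in it.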
  • TI12-security/trunk/python/ndg.security.server/setup.py

    r3047 r3135  
    7272                                                          '*.tac', 
    7373                                                          '*.cfg', 
    74                                                           '*.conf'],                                                
     74                                                          '*.conf'], 
     75                             'ndg.security.server.conf.ca': ['*.crt'],                                                
    7576                             'ndg.security.server.conf.certs': ['*'], 
    7677                             'ndg.security.server.conf.attCertLog': ['*'], 
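Review bot: the new package_data key on line 75 is 'ndg.security.server.conf.ca', but the commit message adds the package as conf/certs/ca/__init__.py and attAuthorityProperties.xml points sslCACertDir at $NDGSEC_DIR/conf/certs/ca; if the package is really ndg.security.server.conf.certs.ca this entry matches nothing and the CA .crt files are left out of the egg. Verify the dotted name, and strip the trailing whitespace on line 75.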
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/AttAuthorityClientTest.py

    r3040 r3135  
    11#!/usr/bin/env python 
    2 """NDG Attribute Authority client unit tests 
     2"""NDG Attribute Authority SOAP client unit tests 
    33 
    44NERC Data Grid Project 
     
    103103            caCertFilePathList=caCertFilePathList, 
    104104            tracefile=sys.stderr) 
     105         
     106        if 'NDGSEC_INT_DEBUG' in os.environ: 
     107            import pdb 
     108            pdb.set_trace() 
    105109             
    106110     
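Review bot: the NDGSEC_INT_DEBUG hook on lines 106-108 drops the test into pdb whenever the variable is set, but the module docstring changed on line 2 does not mention it; document the variable there, and check that `os` is imported at the top of the module, which this hunk does not show.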
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/__init__.py

    r2954 r3135  
    1 """Attribute Authority unit test package 
     1"""Attribute Authority SOAP client unit test package 
    22 
    33NERC Data Grid Project 
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/attAuthorityClientTest.cfg

    r3001 r3135  
    1212uri = http://localhost:5000/AttributeAuthority 
    1313#uri = https://localhost:5000/AttributeAuthority 
    14 #uri = http://glue.badc.rl.ac.uk/DEWS/MarineDataServer/AttributeAuthority 
    15 #uri = http://glue.badc.rl.ac.uk/DEWS/HealthDataServer/AttributeAuthority 
    16 #uri = http://glue.badc.rl.ac.uk/DEWS/Portal/AttributeAuthority 
    17 #uri = http://glue.badc.rl.ac.uk:41000/AttributeAuthority 
    1814 
    1915# For https connections only.  !Omit ssl* settings if using http! 
     
    2117# same as peer hostname.  
    2218sslpeercertcn = Junk 
    23 sslcacertfilepathlist = cacert.pem 
     19sslcacertfilepathlist = ./ca/cacert.pem 
    2420 
    2521# X.509 certificate for Attribute Authority - to verify the signature of 
     
    5349# Space separated list of CA certificate files used to verify certificate used 
    5450# in message signature / peer cert in SSL connection 
    55 cacertfilepathlist = ./cacert.pem 
     51cacertfilepathlist = ./ca/cacert.pem ./ca/ndg-test-ca.crt 
    5652 
    5753[test3GetTrustedHostInfo] 
     
    9692# Space separated list of CA certificate files used to verify certificate used 
    9793# in message signature 
    98 cacertfilepathlist = ./cacert.pem 
     94cacertfilepathlist = ./ca/cacert.pem 
    9995 
    10096uri = http://localhost:5100/AttributeAuthority 
     
    127123# Space separated list of CA certificate files used to verify certificate used 
    128124# in message signature 
    129 cacertfilepathlist = ./cacert.pem 
     125cacertfilepathlist = ./ca/cacert.pem 
    130126 
    131127uri = http://localhost:5000/AttributeAuthority 
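Review bot: the section ending at line 131 targets http://localhost:5000/AttributeAuthority, which is siteA's port, yet its cacertfilepathlist on line 125 lists only ./ca/cacert.pem; this changeset switches siteA's signing certificate to siteA-aa.crt, issued by the test CA in ca/ndg-test-ca.crt, so signed responses from siteA will no longer verify against this list. Add ./ca/ndg-test-ca.crt here as line 51 already does for its section.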
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/siteAAttAuthorityProperties.xml

    r3133 r3135  
    44    <portNum>5000</portNum> 
    55    <useSSL></useSSL> <!-- leave blank to use http --> 
    6     <sslCertFileList> 
    7         <sslCertFile>$NDGSEC_AA_UNITTEST_DIR/aa-cert.pem</sslCertFile> 
    8     </sslCertFileList> 
     6    <sslCertFile>$NDGSEC_AA_UNITTEST_DIR/aa-cert.pem</sslCertFile> 
    97    <sslKeyFile>$NDGSEC_AA_UNITTEST_DIR/aa-key.pem</sslKeyFile> 
    108    <sslKeyPwd></sslKeyPwd> 
     9    <!--  
     10    Directory containing CA cert.s to verify SSL peer cert against  
     11     - ignored if useSSL is blank 
     12    --> 
     13    <sslCACertDir>$NDGSEC_AA_UNITTEST_DIR/ca</sslCACertDir> 
    1114    <useSignatureHandler>Yes</useSignatureHandler> <!-- leave blank for no signature --> 
    12     <certFile>$NDGSEC_AA_UNITTEST_DIR/aa-cert.pem</certFile> 
    13     <keyFile>$NDGSEC_AA_UNITTEST_DIR/aa-key.pem</keyFile> 
     15    <certFile>$NDGSEC_AA_UNITTEST_DIR/siteA-aa.crt</certFile> 
     16    <keyFile>$NDGSEC_AA_UNITTEST_DIR/siteA-aa.key</keyFile> 
    1417    <keyPwd></keyPwd> 
    1518    <caCertFileList> 
    16         <caCertFile>$NDGSEC_AA_UNITTEST_DIR/cacert.pem</caCertFile> 
     19        <caCertFile>$NDGSEC_AA_UNITTEST_DIR/ca/ndg-test-ca.crt</caCertFile> 
     20        <caCertFile>$NDGSEC_AA_UNITTEST_DIR/ca/cacert.pem</caCertFile> 
    1721    </caCertFileList> 
    1822    <!--  
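Review bot: lines 15-16 move the signing identity to siteA-aa.crt/siteA-aa.key while lines 6-7 leave the SSL identity on aa-cert.pem/aa-key.pem, so the service now presents different certificates on the two channels; acceptable for a test fixture, but worth a comment, since a client that pins one will not match the other. Lines 19-20 also make the test CA a trust anchor for signature verification; as the commit message says this CA is test-only, the ca/ directory must stay out of any $NDGSEC_DIR used for a deployment.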
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/AttAuthority/siteBAttAuthorityProperties.xml

    r3133 r3135  
    55    <useSSL></useSSL> <!-- leave blank to use http --> 
    66    <sslCertFile></sslCertFile> 
    7     <sslCertFileList> 
    8         <sslKeyFile></sslKeyFile> 
    9     <sslCertFileList> 
    107    <sslKeyPwd></sslKeyPwd> 
     8    <!--  
     9    Directory containing CA cert.s to verify SSL peer cert against  
     10     - ignored if useSSL is blank  
     11    --> 
     12    <sslCACertDir>$NDGSEC_AA_UNITTEST_DIR/ca</sslCACertDir> 
    1113    <useSignatureHandler>Yes</useSignatureHandler> <!-- leave blank for no signature --> 
    1214    <certFile>$NDGSEC_AA_UNITTEST_DIR/aa-cert.pem</certFile> 
    1315    <caCertFileList> 
    14         <caCertFile>$NDGSEC_AA_UNITTEST_DIR/cacert.pem</caCertFile> 
     16        <caCertFile>$NDGSEC_AA_UNITTEST_DIR/ca/cacert.pem</caCertFile> 
     17        <caCertFile>$NDGSEC_AA_UNITTEST_DIR/ca/ndg-test-ca.crt</caCertFile> 
    1518    </caCertFileList> 
    1619    <keyFile>$NDGSEC_AA_UNITTEST_DIR/aa-key.pem</keyFile> 
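Review bot: removing lines 7-9 fixes the malformed `<sslCertFileList>` wrapper, but it also deletes the `<sslKeyFile></sslKeyFile>` element that sat inside it and nothing re-adds it, so siteB's properties now lack sslKeyFile entirely while siteA and the defaults in AttAuthority/__init__.py have it; restore `<sslKeyFile></sslKeyFile>` between sslCertFile and sslKeyPwd so the file remains a complete template even though useSSL is blank here.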
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/sessionMgrClient/__init__.py

    r3028 r3135  
    1 """NDG Security Session Manager unit test package 
     1"""NDG Security Session Manager SOAP Client unit test package 
    22 
    33NERC Data Grid Project 
  • TI12-security/trunk/python/ndg.security.test/ndg/security/test/sessionMgrClient/sessionMgrProperties.xml

    r3133 r3135  
    66    <sslCertFile>$NDGSEC_SM_UNITTEST_DIR/sm-cert.pem</sslCertFile> 
    77    <sslKeyFile>$NDGSEC_SM_UNITTEST_DIR/sm-key.pem</sslKeyFile> 
     8    <!--  
     9    Directory containing CA cert.s to verify SSL peer cert against  
     10     - ignored if useSSL is blank  
     11    --> 
     12    <sslCACertDir>$NDGSEC_SM_UNITTEST_DIR/ca</sslCACertDir> 
     13    <!-- 
     14    PKI settings for WS-Security signature of outbound SOAP messages 
     15    --> 
    816    <!-- 
    917    PKI settings for signature of outbound SOAP messages 
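Review bot: the comment added on lines 13-15 ("PKI settings for WS-Security signature of outbound SOAP messages") is immediately followed by the existing comment on lines 16-17 saying the same thing; keep the new wording and delete the old block.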
  • TI12-security/trunk/python/ndg.security.test/setup.py

    r3047 r3135  
    2424 
    2525_pkgData = { 
    26     'ndg.security.test.AttAuthority': ['*.xml', '*.cfg', '*.sh'], 
     26    'ndg.security.test.AttAuthority': ['*.xml',  
     27                                       '*.cfg',  
     28                                       '*.sh',  
     29                                       'siteA-aa.crt', 
     30                                       'siteA-aa.key', 
     31                                       'siteB-aa.cert' 
     32                                       'siteB-aa.key'], 
     33    'ndg.security.test.AttAuthority.ca': ['*.crt'], 
    2734    'ndg.security.test.AttCert': ['*.cfg'], 
    2835    'ndg.security.test.ca': ['*.xml', '*.cfg'], 
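Review bot: line 31 `'siteB-aa.cert'` has no trailing comma, so Python concatenates it with line 32 into the single literal 'siteB-aa.certsiteB-aa.key' and neither siteB file is packaged; add the comma. The extension is also inconsistent with the siteA entries (.crt), and siteBAttAuthorityProperties.xml still references aa-cert.pem rather than any siteB-aa file, so confirm which file names are intended before shipping them as package data.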