Changeset 4129 for TI12-security/trunk/python/ndg.security.common/ndg

Timestamp:

20/08/08 14:03:20 (13 years ago)

Author:

cbyrom

Message:

General refactoring and updating of code, including:

Removal of refC14nKw and singnedInfoC14nKw keywords in wsssecurity session manager config
(the refC14nInclNS and signedInfoC14nInclNS keywords are sufficient);
Creation of new DOM signature handler class, dom.py, based on the wsSecurity
class;
Abstraction of common code between dom.py and etree.py into new parent
class, BaseSignatureHandler?.py.
Fixing and extending use of properties in the SignatureHandler? code.
Fixing a few bugs with the original SignatureHandler? code.
Updating of test cases to new code/code structure.

Location:

TI12-security/trunk/python/ndg.security.common/ndg/security/common

Files:

• AttAuthority/__init__.py (modified) (2 diffs)
• CredWallet.py (modified) (1 diff)
• SessionMgr/__init__.py (modified) (2 diffs)
• __init__.py (modified) (1 diff)
• ca/__init__.py (modified) (1 diff)
• wsSecurity.py (deleted)
• wssecurity/BaseSignatureHandler.py (added)
• wssecurity/__init__.py (modified) (3 diffs)
• wssecurity/dom.py (added)
• wssecurity/etree.py (modified) (20 diffs)

TI12-security/trunk/python/ndg.security.common/ndg/security/common/AttAuthority/__init__.py

@@ -33 +33 @@
 
 from AttAuthority_services import AttAuthorityServiceLocator
-from ndg.security.common.wsSecurity import SignatureHandler
+from ndg.security.common.wssecurity.dom import SignatureHandler
 from ndg.security.common.AttCert import AttCert, AttCertParse
 from ndg.security.common.m2CryptoSSLUtility import HTTPSConnection, \
@@ -267 +267 @@
             raise AttributeError, \
     "Signature Handler must be %s type or None for no message security" % \
-        "ndg.security.common.wsSecurity.SignatureHandler"
+        "ndg.security.common.wssecurity.dom.SignatureHandler"
                             
         self.__signatureHandler = signatureHandler

TI12-security/trunk/python/ndg.security.common/ndg/security/common/CredWallet.py

@@ -36 +36 @@
     
     # Reference 'X509PKIPathv1' BinarySecurityToken ValueType
-    from wsSecurity import SignatureHandler
+    from wssecurity.dom import SignatureHandler
 except ImportError:
     log.warning('Loading CredWallet without SOAP interface imports')

TI12-security/trunk/python/ndg.security.common/ndg/security/common/SessionMgr/__init__.py

@@ -23 +23 @@
 from ZSI.wstools.Utility import HTTPResponse
 
-from ndg.security.common.wsSecurity import SignatureHandler
+from ndg.security.common.wssecurity.dom import SignatureHandler
 from ndg.security.common.X509 import *
 from ndg.security.common.AttCert import AttCert, AttCertParse
@@ -323 +323 @@
             raise AttributeError, \
     "Signature Handler must be %s type or None for no message security" % \
-        "ndg.security.common.wsSecurity.SignatureHandler"
+        "ndg.security.common.wssecurity.dom.SignatureHandler"
                             
         self.__signatureHandler = signatureHandler

TI12-security/trunk/python/ndg.security.common/ndg/security/common/__init__.py

@@ -26 +26 @@
     'sessionCookie',
     'SessionMgr',
-    'wsSecurity',
+    'wssecurity',
     'X509',
     'XMLSec',

TI12-security/trunk/python/ndg.security.common/ndg/security/common/ca/__init__.py

@@ -25 +25 @@
 
 from CertificateAuthority_services import CertificateAuthorityServiceLocator
-from ndg.security.common.wsSecurity import SignatureHandler
+from ndg.security.common.wssecurity.dom import SignatureHandler
 from ndg.security.common.openssl import OpenSSLConfig
 

TI12-security/trunk/python/ndg.security.common/ndg/security/common/wssecurity/__init__.py

@@ -39 +39 @@
              addTimestamp=True,
              applySignatureConfirmation=False,
-             refC14nKw={'unsuppressedPrefixes': []},
              refC14nInclNS=[],
-             signedInfoC14nKw = {'unsuppressedPrefixes': []},
              signedInfoC14nInclNS=[])
     
@@ -85 +83 @@
             # Options may be omitted and set later
             if self._cfg.has_option(section, paramName):
-                # Switch based defParam type - TODO: refC14nKw and 
-                # signedInfoC14nKw - maybe these should be removed as they're
-                # clumsy
                 if isinstance(WSSecurityConfig.defParam[paramName], list):
                     try:
@@ -198 +193 @@
     def itervalues(self):
         return self._param.itervalues()
-
-# Temporary measure - until...
-# TODO: Move wsSecurity module into this package
-from ndg.security.common.wsSecurity import *
    

TI12-security/trunk/python/ndg.security.common/ndg/security/common/wssecurity/etree.py

@@ -10 +10 @@
 License, version 1.0 or later."""
 __contact__ = "P.J.Kershaw@rl.ac.uk"
-__revision__ = '$Id: wsSecurity.py 3790 2008-04-17 12:46:30Z pjkersha $'
-
+__revision__ = '$Id:  $'
+
+from BaseSignatureHandler import _WSU, OASIS, BaseSignatureHandler
 import re
 
@@ -41 +42 @@
 
 import ZSI
-from ZSI.wstools.Namespaces import DSIG, ENCRYPTION, WSU, WSA200403, \
+from ZSI.wstools.Namespaces import DSIG, WSA200403, \
                                    SOAP, SCHEMA # last included for xsi
-                                   
-from ZSI.wstools.Namespaces import WSU as _WSU
-from ZSI.wstools.Namespaces import OASIS as _OASIS
-                                  
+
 from ZSI.TC import ElementDeclaration,TypeDefinition
 from ZSI.generate.pyclass import pyclass_type
@@ -73 +71 @@
 log = logging.getLogger(__name__)
 
-
-class _ENCRYPTION(ENCRYPTION):
-    '''Derived from ENCRYPTION class to add in extra 'tripledes-cbc' - is this
-    any different to 'des-cbc'?  ENCRYPTION class implies that it is the same
-    because it's assigned to 'BLOCK_3DES' ??'''
-    BLOCK_TRIPLEDES = "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"
-
-class WSU(_WSU):
-    '''Try different utility namespace for use with WebSphere'''
-    #UTILITY = "http://schemas.xmlsoap.org/ws/2003/06/utility"
-    UTILITY = \
-"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
-
-class OASIS(_OASIS):
-    # wss4j 1.5.3
-    WSSE11 = \
-    "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
-    # wss4j 1.5.1
-    #WSSE11 = "http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-wssecurity-secext-1.1.xsd"
-       
-def getElements(node, nameList):
-    '''DOM Helper function for getting child elements from a given node'''
-    # Avoid sub-string matches
-    nameList = isinstance(nameList, basestring) and [nameList] or nameList
-    return [n for n in node.childNodes if str(n.localName) in nameList]
-
-
-def getChildNodes(node, nodeList=None):
-    if nodeList is None:
-        nodeList = [node] 
-    return _getChildNodes(node, nodeList)
-           
-def _getChildNodes(node, nodeList):
-
-    if node.attributes is not None:
-        nodeList += node.attributes.values() 
-    nodeList += node.childNodes
-    for childNode in node.childNodes:
-        _getChildNodes(childNode, nodeList)
-    return nodeList
-
-
-class WSSecurityError(Exception):
-    """For WS-Security generic exceptions not covered by other exception
-    classes in this module"""
-
-class InvalidCertChain(WSSecurityError):    
-    """Raised from SignatureHandler.verify if the certificate submitted to
-    verify a signature is not from a known CA"""
-    
-class VerifyError(WSSecurityError):
-    """Raised from SignatureHandler.verify if an error occurs in the signature
-    verification"""
-
-class NoSignatureFound(WSSecurityError): 
-    """Incoming message to be verified was not signed"""
-    
-class TimestampError(WSSecurityError):
-    """Raised from SignatureHandler._verifyTimestamp if there is a problem with
-    the created or expiry times in an input message Timestamp"""
-    
-class InvalidSignature(WSSecurityError):
-    """Raised from verify method for an invalid signature"""
-
-class SignatureError(WSSecurityError):
-    """Flag if an error occurs during signature generation"""
-        
-class SignatureHandler(object):
+class SignatureHandler(BaseSignatureHandler):
     """Class to handle signature and verification of signature with 
     WS-Security
-    
-    @cvar binSecTokValType: supported ValueTypes for BinarySecurityToken
-    element in WSSE header
-    @type binSecTokValType: dict
-    
-    @ivar addTimestamp: set to true to add a timestamp to outbound messages
-    @type addTimestamp: bool 
-
-    @ivar applySignatureConfirmation: for servers - set this flag to enable the 
-    signature value of a request to be recorded and included with a 
-    SignatureConfirmation element in the response.
-    @type applySignatureConfirmation: bool
-    
-    @param b64EncSignatureValue: base 64 encoded signature value for the last 
-    message verified
-    @type b64EncSignatureValue: string/None"""
-
-    
-    binSecTokValType = {
-        "X509PKIPathv1": OASIS.X509TOKEN.X509PKIPathv1,
-        "X509":          OASIS.X509TOKEN.X509,
-        "X509v3":        OASIS.X509TOKEN.X509+"v3"
-    }
-
-    binSecTokEncType = \
+    """
+
+    _binSecTokEncType = \
 "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
 
@@ -174 +83 @@
     {
         'ds':       DSIG.BASE, 
-        'wsu':      WSU.UTILITY, 
+        'wsu':      _WSU.UTILITY, 
         'wsse':     OASIS.WSSE, 
         'SOAP-ENV': SOAP.ENV 
-#        'soapenv':  SOAP.ENV
     }
 
-
-    #_________________________________________________________________________
-    def __init__(self, cfgFilePath=None, cfgFileSection='DEFAULT',
-                 cfgClass=WSSecurityConfig, **kw):
-        '''
-        @reqBinSecTokValType: set the ValueType for the BinarySecurityToken
-        added to the WSSE header for a signed message.  See 
-        __setReqBinSecTokValType method and binSecTokValType class variable
-        for options.  binSecTokValType determines whether signingCert or
-        signingCertChain attributes will be used.        
-        @type binSecTokValType: string
-        
-        @param verifyingCert: X.509 certificate used by verify method to
-        verify a message.  This argument can be omitted if the message to
-        be verified contains the X.509 certificate in the 
-        BinarySecurityToken element.  In this case, the cert read from the
-        message will be assigned to the verifyingCert attribute.
-        @type verifyingCert: M2Crypto.X509.X509 / 
-        ndg.security.common.X509.X509Cert
-        
-        @param verifyingCertFilePath: alternative input to the above, pass 
-        the file path to the certificate stored in a file
-        @type verifyingCertFilePath: string
-        
-        @param signingCert: certificate associated with private key used to
-        sign a message.  The sign method will add this to the 
-        BinarySecurityToken element of the WSSE header.  binSecTokValType
-        attribute must be set to 'X509' or 'X509v3' ValueTyep.  As an 
-        alternative, use signingCertChain - see below...
-        @type signingCert: M2Crypto.X509.X509 / 
-        ndg.security.common.X509.X509Cert
-        
-        @param signingCertFilePath: alternative input to the above, pass 
-        the file path to the certificate stored in a file
-        @type signingCertFilePath: string
-        
-        @param signingCertChain: pass a list of certificates constituting a 
-        chain of trust from the certificate used to verifying the signature 
-        backward to the CA cert.  The CA cert need not be included.  To use 
-        this option, reqBinSecTokValType must be set to the 'X509PKIPathv1'
-        ValueType
-        @type signingCertChain: list or tuple 
-        
-        @param signingPriKey: private key used to be sign method to sign
-        message
-        @type signingPriKey: M2Crypto.RSA.
-        
-        @param signingPriKeyFilePath: equivalent to the above but pass 
-        private key from PEM file
-        @type signingPriKeyFilePath: string
-        
-        @param signingPriKeyPwd: password protecting private key.  Set /
-        default to None if there is no password.
-        @type signingPriKeyPwd: string or None
-        
-        @param caCertDirPath: establish trust for signature verification. 
-        This is a directory containing CA certificates.  These are used to
-        verify the certificate used to verify the message signature.
-        @type caCertDirPath: string
-        
-        @param caCertFilePathList: same as above except pass in a list of
-        file paths instead of a single directory name.
-        @type caCertFilePathList: list or tuple
-        
-        @param addTimestamp: set to true to add a timestamp to outbound 
-        messages
-        @type addTimestamp: bool 
-        
-        @param : for servers - set this flag to enable the signature value of a
-        request to be recorded and included with a SignatureConfirmation 
-        element in the response.
-        @type : bool 
-        
-        @param refC14nKw: dictionary of keywords to reference 
-        Canonicalization.  Use 'inclusive_namespaces' keyword to set 
-        inclusive_namespaces.
-        @type refC14nKw: dict
-        
-        @param signedInfoC14nKw: keywords to Signed Info Canonicalization.
-        It uses the same format as refC14nKw above.
-        @type signedInfoC14nKw: dict
-        '''
-        log.debug("SignatureHandler.__init__ ...")
-        
-        # WSSecurityConfig is the default class for reading config params but
-        # alternative derivative class may be passed in instead.
-        if not issubclass(cfgClass, WSSecurityConfig):
-            raise TypeError("%s is not a sub-class of WSSecurityConfig" % \
-                            cfgClass)
-        self.cfg = cfgClass()
-        
-        # Read parameters from config file if set
-        if cfgFilePath:
-            log.debug("SignatureHandler.__init__: Processing config file...")
-            self.cfg.read(cfgFilePath)
-            self.cfg.parse(section=cfgFileSection)
-        
-        # Also update config from keywords set 
-        log.debug("SignatureHandler.__init__: setting config from keywords...")
-        self.cfg.update(kw)
-        
-        
-        self.__setReqBinSecTokValType(self.cfg['reqBinSecTokValType'])
-        
-        # Set keywords for canonicalization of SignedInfo and reference 
-        # elements
-        # TODO: get rid of refC14nKw and signedInfoC14nKw options
-        if len(self.cfg.get('refC14nInclNS', [])):
-            self.__setRefC14nKw({'inclusive_namespaces':
-                                 self.cfg['refC14nInclNS']})
-        else:
-            self.__setRefC14nKw(self.cfg['refC14nKw'])
-
-   
-        if len(self.cfg.get('signedInfoC14nNS', [])):
-            self.__setSignedInfoC14nKw({'inclusive_namespaces':
-                                        self.cfg['signedInfoC14nNS']})
-        else:
-            self.__setSignedInfoC14nKw(self.cfg['signedInfoC14nKw'])
-            
-
-        self.__setVerifyingCert(self.cfg['verifyingCert'])
-        self.__setVerifyingCertFilePath(self.cfg['verifyingCertFilePath'])
-        
-        self.__setSigningCert(self.cfg['signingCert'])
-        self.__setSigningCertFilePath(self.cfg['signingCertFilePath'])
-
-        if self.cfg.get('signingCertChain'):
-            self.__setSigningCertChain(self.cfg['signingCertChain'])
-        else:
-            self.__signingCertChain = None   
-             
-        # MUST be set before __setSigningPriKeyFilePath / __setSigningPriKey
-        # are called
-        self.__setSigningPriKeyPwd(self.cfg['signingPriKeyPwd'])
-        
-        if self.cfg.get('signingPriKey'):
-            # Don't allow None for private key setting
-            self.__setSigningPriKey(self.cfg['signingPriKey'])
-            
-        self.__setSigningPriKeyFilePath(self.cfg['signingPriKeyFilePath'])
-        
-        # CA certificate(s) for verification of X.509 certificate used with
-        # signature.
-        if self.cfg.get('caCertDirPath'):
-            self.caCertDirPath = self.cfg['caCertDirPath']
-            
-        elif self.cfg.get('caCertFilePathList'):
-            self.caCertFilePathList = self.cfg['caCertFilePathList']
-            
-        self.addTimestamp = self.cfg['addTimestamp']
-        self.applySignatureConfirmation=self.cfg['applySignatureConfirmation']
-        self.b64EncSignatureValue = None
-        
-        log.debug("WSSE Config = %s" % self.cfg)
-
-                
-    #_________________________________________________________________________
-    def __setReqBinSecTokValType(self, value):
-        """Set ValueType attribute for BinarySecurityToken used in a request
-         
-        @type value: string
-        @param value: name space for BinarySecurityToken ValueType check
-        'binSecTokValType' class variable for supported types.  Input can be 
-        shortened to binSecTokValType keyword if desired.
-        """
-        
-        if value in self.__class__.binSecTokValType:
-            self.__reqBinSecTokValType = self.__class__.binSecTokValType[value]
- 
-        elif value in self.__class__.binSecTokValType.values():
-            self.__reqBinSecTokValType = value
-        else:
-            raise WSSecurityError, \
-                'Request BinarySecurityToken ValueType "%s" not recognised' %\
-                value
-            
-        
-    reqBinSecTokValType = property(fset=__setReqBinSecTokValType,
-         doc="ValueType attribute for BinarySecurityToken used in request")
-        
-
-    #_________________________________________________________________________
-    def __checkC14nKw(self, kw):
-        """Check keywords for canonicalization in signing process - generic
-        method for setting keywords for reference element and SignedInfo
-        element c14n
-        
-        @type kw: dict
-        @param kw: keyword used with ZSI.wstools.Utility.Canonicalization"""
-        
-        # Check for dict/None - Set to None in order to use inclusive 
-        # canonicalization
-        if kw is not None and not isinstance(kw, dict):
-            # Otherwise keywords must be a dictionary
-            raise AttributeError, \
-                "Expecting dictionary type for reference c14n keywords"
-                
-        elif kw.get('inclusive_namespaces') and \
-             not isinstance(kw['inclusive_namespaces'], list) and \
-             not isinstance(kw['inclusive_namespaces'], tuple):
-            raise AttributeError, \
-                'Expecting list or tuple of prefix names for "%s" keyword' % \
-                'inclusive_namespaces'
-        
-                
-    #_________________________________________________________________________
-    def __setRefC14nKw(self, kw):
-        """Set keywords for canonicalization of reference elements in the 
-        signing process"""
-        self.__checkC14nKw(kw)                    
-        self.__refC14nKw = kw
-        
-    refC14nKw = property(fset=__setRefC14nKw,
-                         doc="Keywords for c14n of reference elements")
-        
-                
-    #_________________________________________________________________________
-    def __setSignedInfoC14nKw(self, kw):
-        """Set keywords for canonicalization of SignedInfo element in the 
-        signing process"""
-        self.__checkC14nKw(kw)                    
-        self.__signedInfoC14nKw = kw
-        
-    signedInfoC14nKw = property(fset=__setSignedInfoC14nKw,
-                                doc="Keywords for c14n of SignedInfo element")
-
-
-    #_________________________________________________________________________
-    def __refC14nIsExcl(self):
-        return isinstance(self.__refC14nKw, dict) and \
-               isinstance(self.__refC14nKw.get('inclusive_namespaces'), list)
-               
-    refC14nIsExcl = property(fget=__refC14nIsExcl,
-    doc="Return True/False c14n for reference elements set to exclusive type")
-     
-
-    #_________________________________________________________________________
-    def __signedInfoC14nIsExcl(self):
-        return isinstance(self.__signedInfoC14nKw, dict) and \
-        isinstance(self.__signedInfoC14nKw.get('inclusive_namespaces'), list)
-               
-    signedInfoC14nIsExcl = property(fget=__signedInfoC14nIsExcl,
-    doc="Return True/False c14n for SignedInfo element set to exclusive type")
-    
-    
-    #_________________________________________________________________________
-    def __setCert(self, cert):
-        """filter and convert input cert to signing verifying cert set 
-        property methods.  For signingCert, set to None if it is not to be
-        included in the SOAP header.  For verifyingCert, set to None if this
-        cert can be expected to be retrieved from the SOAP header of the 
-        message to be verified
-        
-        @type: ndg.security.common.X509.X509Cert / M2Crypto.X509.X509 /
-        string or None
-        @param cert: X.509 certificate.  
-        
-        @rtype ndg.security.common.X509.X509Cert
-        @return X.509 certificate object"""
-        
-        if cert is None or isinstance(cert, X509Cert):
-            # ndg.security.common.X509.X509Cert type / None
-            return cert
-            
-        elif isinstance(cert, X509.X509):
-            # M2Crypto.X509.X509 type
-            return X509Cert(m2CryptoX509=cert)
-            
-        elif isinstance(cert, basestring):
-            return X509CertParse(cert)
-        
-        else:
-            raise AttributeError, "X.509 Cert. must be type: " + \
-                "ndg.security.common.X509.X509Cert, M2Crypto.X509.X509 or " +\
-                "a base64 encoded string"
-
-    
-    #_________________________________________________________________________
-    def __getVerifyingCert(self):
-        '''Return X.509 cert object corresponding to cert used to verify the 
-        signature in the last call to verify
-        
-         * Cert will correspond to one used in the LATEST call to verify, on
-         the next call it will be replaced
-         * if verify hasn't been called, the cert will be None
-        
-        @rtype: M2Crypto.X509.X509
-        @return: certificate object
-        '''
-        return self.__verifyingCert
-
-
-    #_________________________________________________________________________
-    def __setVerifyingCert(self, verifyingCert):
-        "Set property method for X.509 cert. used to verify a signature"
-        self.__verifyingCert = self.__setCert(verifyingCert)
-    
-        # Reset file path as it may no longer apply
-        self.__verifyingCertFilePath = None
-        
-    verifyingCert = property(fset=__setVerifyingCert,
-                             fget=__getVerifyingCert,
-                             doc="Set X.509 Cert. for verifying signature")
-
-
-    #_________________________________________________________________________
-    def __setVerifyingCertFilePath(self, verifyingCertFilePath):
-        "Set method for Service X.509 cert. file path property"
-        
-        if isinstance(verifyingCertFilePath, basestring):
-            self.__verifyingCert = X509CertRead(verifyingCertFilePath)
-            
-        elif verifyingCertFilePath is not None:
-            raise AttributeError, \
-            "Verifying X.509 Cert. file path must be None or a valid string"
-        
-        self.__verifyingCertFilePath = verifyingCertFilePath
-        
-    verifyingCertFilePath = property(fset=__setVerifyingCertFilePath,
-                    doc="file path of X.509 Cert. for verifying signature")
-
-    
-    #_________________________________________________________________________
-    def __getSigningCert(self):
-        '''Return X.509 cert object corresponding to cert used with
-        signature
-        
-        @rtype: M2Crypto.X509.X509
-        @return: certificate object
-        '''
-        return self.__signingCert
-
-
-    #_________________________________________________________________________
-    def __setSigningCert(self, signingCert):
-        "Set property method for X.509 cert. to be included with signature"
-        self.__signingCert = self.__setCert(signingCert)
-    
-        # Reset file path as it may no longer apply
-        self.__signingCertFilePath = None
-        
-    signingCert = property(fget=__getSigningCert,
-                           fset=__setSigningCert,
-                           doc="X.509 Cert. to include signature")
-
- 
-    #_________________________________________________________________________
-    def __setSigningCertFilePath(self, signingCertFilePath):
-        "Set signature X.509 cert property method"
-        
-        if isinstance(signingCertFilePath, basestring):
-            self.__signingCert = X509CertRead(signingCertFilePath)
-            
-        elif signingCertFilePath is not None:
-            raise AttributeError, \
-                "Signature X.509 cert. file path must be a valid string"
-        
-        self.__signingCertFilePath = signingCertFilePath
-        
-        
-    signingCertFilePath = property(fset=__setSigningCertFilePath,
-                   doc="File path X.509 cert. to include with signed message")
-
-    
-    #_________________________________________________________________________
-    def __setSigningCertChain(self, signingCertChain):
-        '''Signature set-up with "X509PKIPathv1" BinarySecurityToken 
-        ValueType.  Use an X.509 Stack to store certificates that make up a 
-        chain of trust to certificate used to verify a signature
-        
-        @type signingCertChain: list or tuple of M2Crypto.X509.X509Cert or
-        ndg.security.common.X509.X509Cert types.
-        @param signingCertChain: list of certificate objects making up the
-        chain of trust.  The last certificate is the one associated with the
-        private key used to sign the message.'''
-        
-        if not isinstance(signingCertChain, list) and \
-           not isinstance(signingCertChain, tuple):
-            raise WSSecurityError, \
-                        'Expecting a list or tuple for "signingCertChain"'
-        
-        self.__signingCertChain = X509Stack()
-            
-        for cert in signingCertChain:
-            self.__signingCertChain.push(cert)
-            
-    signingCertChain = property(fset=__setSigningCertChain,
-               doc="Cert.s in chain of trust to cert. used to verify msg.")
-
- 
-    #_________________________________________________________________________
-    def __setSigningPriKeyPwd(self, signingPriKeyPwd):
-        "Set method for private key file password used to sign message"
-        if signingPriKeyPwd is not None and \
-           not isinstance(signingPriKeyPwd, basestring):
-            raise AttributeError, \
-                "Signing private key password must be None or a valid string"
-        
-        self.__signingPriKeyPwd = signingPriKeyPwd
-        
-    signingPriKeyPwd = property(fset=__setSigningPriKeyPwd,
-             doc="Password protecting private key file used to sign message")
-
- 
-    #_________________________________________________________________________
-    def __setSigningPriKey(self, signingPriKey):
-        """Set method for client private key
-        
-        Nb. if input is a string, signingPriKeyPwd will need to be set if
-        the key is password protected.
-        
-        @type signingPriKey: M2Crypto.RSA.RSA / string
-        @param signingPriKey: private key used to sign message"""
-        
-        if isinstance(signingPriKey, basestring):
-            pwdCallback = lambda *ar, **kw: self.__signingPriKeyPwd
-            self.__signingPriKey = RSA.load_key_string(signingPriKey,
-                                                       callback=pwdCallback)
-
-        elif isinstance(signingPriKey, RSA.RSA):
-            self.__signingPriKey = signingPriKey 
-                   
-        else:
-            raise AttributeError, "Signing private key must be a valid " + \
-                                  "M2Crypto.RSA.RSA type or a string"
-                
-    signingPriKey = property(fset=__setSigningPriKey,
-                             doc="Private key used to sign outbound message")
-
- 
-    #_________________________________________________________________________
-    def __setSigningPriKeyFilePath(self, signingPriKeyFilePath):
-        """Set method for client private key file path
-        
-        signingPriKeyPwd MUST be set prior to a call to this method"""
-        if isinstance(signingPriKeyFilePath, basestring):                           
-            try:
-                # Read Private key to sign with    
-                priKeyFile = BIO.File(open(signingPriKeyFilePath)) 
-                pwdCallback = lambda *ar, **kw: self.__signingPriKeyPwd                                           
-                self.__signingPriKey = RSA.load_key_bio(priKeyFile, 
-                                                        callback=pwdCallback)           
-            except Exception, e:
-                raise AttributeError, \
-                                "Setting private key for signature: %s" % e
-        
-        elif signingPriKeyFilePath is not None:
-            raise AttributeError, \
-                        "Private key file path must be a valid string or None"
-        
-        self.__signingPriKeyFilePath = signingPriKeyFilePath
-        
-    signingPriKeyFilePath = property(fset=__setSigningPriKeyFilePath,
-                      doc="File path for private key used to sign message")
-
-    def __caCertIsSet(self):
-        '''Check for CA certificate set (X.509 Stack has been created)'''
-        return hasattr(self, '_SignatureHandler__caX509Stack')
-    
-    caCertIsSet = property(fget=__caCertIsSet,
-           doc='Check for CA certificate set (X.509 Stack has been created)')
-    
-    #_________________________________________________________________________
-    def __appendCAX509Stack(self, caCertList):
-        '''Store CA certificates in an X.509 Stack
-        
-        @param caCertList: list or tuple
-        @type caCertList: M2Crypto.X509.X509 certificate objects'''
-        
-        if not self.caCertIsSet:
-            self.__caX509Stack = X509Stack()
-            
-        for cert in caCertList:
-            self.__caX509Stack.push(cert)
-
-
-    #_________________________________________________________________________
-    def __setCAX509StackFromDir(self, caCertDir):
-        '''Read CA certificates from directory and add them to the X.509
-        stack
-        
-        @param caCertDir: string
-        @type caCertDir: directory from which to read CA certificate files'''
-        
-        # Mimic OpenSSL -CApath option which expects directory of CA files
-        # of form <Hash cert subject name>.0
-        reg = re.compile('\d+\.0')
-        try:
-            caCertList = [X509CertRead(caFile) \
-                          for caFile in os.listdir(caCertDir) \
-                          if reg.match(caFile)]
-        except Exception, e:
-            raise WSSecurityError, \
-                'Loading CA certificate "%s" from CA directory: %s' % \
-                                                        (caFile, str(e))
-                    
-        # Add to stack
-        self.__appendCAX509Stack(caCertList)
-        
-    caCertDirPath = property(fset=__setCAX509StackFromDir,
-                      doc="Dir. containing CA cert.s used for verification")
-
-
-    #_________________________________________________________________________
-    def __setCAX509StackFromCertFileList(self, caCertFilePathList):
-        '''Read CA certificates from file and add them to the X.509
-        stack
-        
-        @type caCertFilePathList: list or tuple
-        @param caCertFilePathList: list of file paths for CA certificates to
-        be used to verify certificate used to sign message'''
-        
-        if not isinstance(caCertFilePathList, list) and \
-           not isinstance(caCertFilePathList, tuple):
-            raise WSSecurityError, \
-                        'Expecting a list or tuple for "caCertFilePathList"'
-
-        # Mimic OpenSSL -CApath option which expects directory of CA files
-        # of form <Hash cert subject name>.0
-        try:
-            caCertList = [X509CertRead(caFile) \
-                          for caFile in caCertFilePathList]
-        except Exception, e:
-            raise WSSecurityError, \
-                    'Loading CA certificate "%s" from file list: %s' % \
-                                                        (caFile, str(e))
-                    
-        # Add to stack
-        self.__appendCAX509Stack(caCertList)
-        
-    caCertFilePathList = property(fset=__setCAX509StackFromCertFileList,
-                      doc="List of CA cert. files used for verification")
                 
 
@@ -733 +108 @@
         
         # Add ID so that the element can be included in the signature
-        sigConfirmElem.set('{%s}Id' % WSU.UTILITY, "signatureConfirmation")
+        sigConfirmElem.set('{%s}Id' % _WSU.UTILITY, "signatureConfirmation")
 
         # Add ID so that the element can be included in the signature
@@ -758 +133 @@
         '''
         # Nb. wsu ns declaration is in the SOAP header elem
-        timestampElem = ElementTree.Element("{%s}%s"%(WSU.UTILITY,'Timestamp'))
+        timestampElem = ElementTree.Element("{%s}%s"%(_WSU.UTILITY,'Timestamp'))
         wsseElem.append(timestampElem)
         
         # Add ID so that the timestamp element can be included in the signature
-        timestampElem.set('{%s}Id' % WSU.UTILITY, "timestamp")
+        timestampElem.set('{%s}Id' % _WSU.UTILITY, "timestamp")
         
         # Value type can be any be any one of those supported via 
         # binSecTokValType
-        createdElem = ElementTree.Element("{%s}%s" % (WSU.UTILITY,'Created'))
+        createdElem = ElementTree.Element("{%s}%s" % (_WSU.UTILITY,'Created'))
         timestampElem.append(createdElem)
         
@@ -773 +148 @@
         
         dtExpiryTime = dtCreatedTime + timedelta(seconds=elapsedSec)
-        expiresElem = ElementTree.Element("{%s}%s" % (WSU.UTILITY, 'Expires'))
+        expiresElem = ElementTree.Element("{%s}%s" % (_WSU.UTILITY, 'Expires'))
         timestampElem.append(expiresElem)
         
@@ -872 +247 @@
         # Add X.509 cert as binary security token
         # TODO: sub encodestring with b64encode?
-        if self.__reqBinSecTokValType==self.binSecTokValType['X509PKIPathv1']:
-            binSecTokVal = base64.encodestring(self.__signingCertChain.asDER())
+        if self.reqBinSecTokValType==self.binSecTokValType['X509PKIPathv1']:
+            binSecTokVal = base64.encodestring(self.signingCertChain.asDER())
         else:
             # Assume X.509 / X.509 vers 3
-            binSecTokVal = base64.encodestring(self.__signingCert.asDER())
+            binSecTokVal = base64.encodestring(self.signingCert.asDER())
 
         self._soapEnvElem = soapWriter.dom._elem
@@ -887 +262 @@
         soapHdrElem.set("xmlns:%s" % 'wsse', OASIS.WSSE)
         soapHdrElem.set("xmlns:%s" % 'wsse11', OASIS.WSSE11)
-#        soapHdrElem.set("xmlns:%s" % 'wsu', WSU.UTILITY)
-        self._soapEnvElem.set("xmlns:%s" % 'wsu', WSU.UTILITY)
+#        soapHdrElem.set("xmlns:%s" % 'wsu', _WSU.UTILITY)
+        self._soapEnvElem.set("xmlns:%s" % 'wsu', _WSU.UTILITY)
         soapHdrElem.set("xmlns:%s" % 'ds', DSIG.BASE)
         
-        try:
-            refC14nPfxSet = len(self.__refC14nKw['inclusive_namespaces']) > 0
-        except KeyError:
-            refC14nPfxSet = False
-
-        try:
-            signedInfoC14nPfxSet = \
-                len(self.__signedInfoC14nKw['inclusive_namespaces']) > 0
-        except KeyError:
-            signedInfoC14nPfxSet = False
-                
-        if refC14nPfxSet:
+        refC14nPfxSet = False
+        if isinstance(self.refC14nKw.get('inclusive_namespaces'), list) and \
+            len(self.refC14nKw['inclusive_namespaces']) > 0:
+            refC14nPfxSet = True 
+
+        signedInfoC14nPfxSet = False
+        if isinstance(self.signedInfoC14nKw.get('inclusive_namespaces'), list) and \
+            len(self.signedInfoC14nKw['inclusive_namespaces']) > 0:
+            signedInfoC14nPfxSet = True
+                
+        if refC14nPfxSet or signedInfoC14nPfxSet:
             soapHdrElem.set("xmlns:%s" % 'ec', DSIG.C14N_EXCL)
             
@@ -929 +303 @@
         # Value type can be any be any one of those supported via 
         # binSecTokValType
-        binSecTokElem.set('ValueType', self.__reqBinSecTokValType)
-        binSecTokElem.set('EncodingType', SignatureHandler.binSecTokEncType)
+        binSecTokElem.set('ValueType', self.reqBinSecTokValType)
+        binSecTokElem.set('EncodingType', self._binSecTokEncType)
         
         # Add ID so that the binary token can be included in the signature
-        binSecTokElem.set('{%s}Id' % WSU.UTILITY, "binaryToken")
+        binSecTokElem.set('{%s}Id' % _WSU.UTILITY, "binaryToken")
         
         binSecTokElem.text = binSecTokVal
@@ -971 +345 @@
             c14nMethodElem.append(c14nInclNamespacesElem)
             
-            pfxList = ' '.join(self.__signedInfoC14nKw['inclusive_namespaces'])
+            pfxList = ' '.join(self.signedInfoC14nKw['inclusive_namespaces'])
             c14nInclNamespacesElem.set('PrefixList', pfxList)
 
@@ -1001 +375 @@
         
         # Add Reference to body so that it can be included in the signature
-        #soapBodyElem.set('xmlns:wsu', WSU.UTILITY) - results in duplicate xmlns declarations
-        soapBodyElem.set('{%s}Id' % WSU.UTILITY, 'body')
+        #soapBodyElem.set('xmlns:wsu', _WSU.UTILITY) - results in duplicate xmlns declarations
+        soapBodyElem.set('{%s}Id' % _WSU.UTILITY, 'body')
 
 
@@ -1019 +393 @@
             
             # Set URI attribute to point to reference to be signed
-            uri = '#' + refElem.get('{%s}%s' % (WSU.UTILITY, 'Id'))
+            uri = '#' + refElem.get('{%s}%s' % (_WSU.UTILITY, 'Id'))
             
             # Canonicalize reference
-#            refC14n = self.canonicalize(subset=refElem,
-#                                        exclusive=self.refC14nIsExcl,
-#                                        **self.__refC14nKw)
             refC14n = soapWriter.dom.canonicalize(subset=refElem,
                                                   exclusive=self.refC14nIsExcl,
-                                                  **self.__refC14nKw)
+                                                  **self.refC14nKw)
             log.debug('Canonicalisation for URI "%s": %s', uri, refC14n)
             
@@ -1057 +428 @@
                                                        refC14nAlg,
                                                        'InclusiveNamespaces')
-                refPfxList = ' '.join(self.__refC14nKw['inclusive_namespaces'])
+                refPfxList = ' '.join(self.refC14nKw['inclusive_namespaces'])
                 inclNamespacesElem.set('PrefixList', refPfxList)
             
@@ -1078 +449 @@
         c14nSignedInfo = soapWriter.dom.canonicalize(subset=signedInfoElem,
                                            exclusive=self.signedInfoC14nIsExcl,
-                                           **self.__signedInfoC14nKw)
+                                           **self.signedInfoC14nKw)
         log.debug('Canonicalisation for <ds:signedInfo>: %s', c14nSignedInfo)
         
@@ -1085 +456 @@
         
         # Sign using the private key and base 64 encode the result
-        signatureValue = self.__signingPriKey.sign(signedInfoDigestValue)
+        signatureValue = self.signingPriKey.sign(signedInfoDigestValue)
         
         # encodestring puts newline markers at 76 char intervals otherwise no 
@@ -1275 +646 @@
             
             valueType = binSecTokElem.get("ValueType")
-            if valueType in (SignatureHandler.binSecTokValType['X509v3'],
-                             SignatureHandler.binSecTokValType['X509']):
+            if valueType in (self.binSecTokValType['X509v3'],
+                             self.binSecTokValType['X509']):
                 # Remove base 64 encoding
                 derString = base64.decodestring(x509CertTxt)
@@ -1288 +659 @@
 
             elif valueType == \
-                SignatureHandler.binSecTokValType['X509PKIPathv1']:
+                self.binSecTokValType['X509PKIPathv1']:
                 
                 derString = base64.decodestring(x509CertTxt)
@@ -1295 +666 @@
                 # TODO: Check ordering - is the last off the stack the
                 # one to use to verify the message?
-                self.__verifyingCert = x509Stack[-1]
+                self.verifyingCert = x509Stack[-1]
             else:
                 raise WSSecurityError('BinarySecurityToken ValueType ' \
                     'attribute is not recognised: "%s"' % valueType)
 
-        if self.__verifyingCert is None:
+        if self.verifyingCert is None:
             raise VerifyError("No certificate set for verification of the " \
                               "signature")
         
         # Extract RSA public key from the cert
-        rsaPubKey = self.__verifyingCert.pubKey.get_rsa()
+        rsaPubKey = self.verifyingCert.pubKey.get_rsa()
 
         # Apply the signature verification
@@ -1319 +690 @@
         
         # Verify chain of trust 
-        x509Stack.verifyCertChain(x509Cert2Verify=self.__verifyingCert,
+        x509Stack.verifyCertChain(x509Cert2Verify=self.verifyingCert,
                                   caX509Stack=self.__caX509Stack)