Ignore:
Timestamp:
27/08/08 11:48:57 (12 years ago)
Author:
cbyrom
Message:

Implement consistent use of keywords throughout the codebase - using
the wssecurity class as the guide - effectively changing the xml
property file key names to match those of the ini files. Also remove
useSignatureHandler keyword and replace with a check for the WS-Security
property + add better checking of properties in the tac and py files
+ add new config files and remove some unnecessary ones.

Location:
TI12-security/trunk/python/ndg.security.server/ndg/security/server
Files:
14 edited

Legend:

Unmodified
Added
Removed
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/AttAuthority/__init__.py

    r4135 r4138  
    115115                    } 
    116116     
     117    WS_SETTINGS_KEY = 'WS-Security' 
     118 
    117119    def __init__(self, propFilePath=None, bReadMapConfig=True): 
    118120        """Create new NDG Attribute Authority instance 
     
    149151        # Instantiate Certificate object 
    150152        log.debug("Reading and checking Attribute Authority X.509 cert. ...") 
    151         self.__cert = X509Cert(self.__prop['certFile']) 
     153        self.__cert = X509Cert(self.__prop['signingCertFilePath']) 
    152154        self.__cert.read() 
    153155 
     
    202204         
    203205        # add the WS-security properties to the main properties 
    204         self.__prop.update(self.__prop['WS-Security']) 
     206        if self.__prop.has_key(self.WS_SETTINGS_KEY): 
     207            self.__prop.update(self.__prop[self.WS_SETTINGS_KEY]) 
    205208 
    206209        # Ensure Certificate time parameters are converted to numeric type 
     
    457460 
    458461        # First cert in list corresponds to the private key 
    459         attCert.certFilePathList = [self.__prop['certFile']] + \ 
     462        attCert.certFilePathList = [self.__prop['signingCertFilePath']] + \ 
    460463                                    self.__prop['caCertFileList'] 
    461464         
    462         attCert.signingKeyFilePath = self.__prop['keyFile'] 
    463         attCert.signingKeyPwd = self.__prop['keyPwd'] 
     465        attCert.signingKeyFilePath = self.__prop['signingPriKeyFilePath'] 
     466        attCert.signingKeyPwd = self.__prop['signingPriKeyPwd'] 
    464467         
    465468         
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/SessionMgr/__init__.py

    r4129 r4138  
    5454from ndg.security.common.sessionCookie import SessionCookie 
    5555 
     56# generic parser to read INI/XML properties file 
     57from ndg.security.common.utils.ConfigFileParsers import readAndValidateProperties 
     58 
    5659# Use in SessionMgr __redirectAttCertReq to retrieve and store Public  
    5760# key 
     
    317320getMissingElem = lambda targ, ref: [e for e in targ if e not in ref] 
    318321 
    319 # Expand environment variables for ElementTree Element type.  Use in  
    320 # readProperties. 
     322# Expand environment variables for ElementTree Element type. 
    321323filtElemTxt = lambda elem: isinstance(elem.text, basestring) and \ 
    322324                os.path.expandvars(elem.text).strip() or elem.text 
     
    348350        'sslKeyFile':             None, 
    349351        'sslCACertDir':           None, 
    350         'useSignatureHandler':    None, 
    351         'caCertFileList':         [], 
    352         'certFile':               None, 
    353         'keyFile':                None, 
    354         'keyPwd':                 None, 
    355         'clntCertFile':           None, 
    356         'wssRefInclNS':           [], 
    357         'wssSignedInfoInclNS':    [], 
    358352        'sessMgrEncrKey':         None,  
    359353        'sessMgrURI':             None, 
     
    369363    __propFileName = "sessionMgrProperties.xml" 
    370364      
     365    WS_SETTINGS_KEY = 'WS-Security' 
    371366     
    372367    #_________________________________________________________________________ 
     
    403398            raise SessionMgrError("Creating MyProxy interface: %s" % e) 
    404399     
    405         # Dictionary to hold properties       
    406         self.__prop = {} 
    407          
    408400        # Set from input or use defaults based or environment variables 
    409         self.setPropFilePath(propFilePath) 
     401        self.propFilePath = propFilePath 
    410402         
    411403        # Set properties from file 
     
    568560        """Set properties file from input or based on environment variable 
    569561        settings""" 
     562        log.debug("Setting property file path") 
    570563        if not val: 
    571564            if 'NDGSEC_SM_PROPFILEPATH' in os.environ: 
     
    594587                                 "string.") 
    595588       
    596         self.__propFilePath = val 
     589        self._propFilePath = val 
     590        log.debug("Path set to: %s" %val) 
     591         
     592    def getPropFilePath(self): 
     593        log.debug("Getting property file path") 
     594        if hasattr(self, '_propFilePath'): 
     595            return self._propFilePath 
     596        else: 
     597            return "" 
    597598         
    598599    # Also set up as a property 
    599600    propFilePath = property(fset=setPropFilePath, 
     601                            fget=getPropFilePath, 
    600602                            doc="Set the path to the properties file")    
    601603             
    602604 
    603605    #_________________________________________________________________________ 
    604     def readProperties(self, propElem=None): 
    605         """Read Session Manager properties from an XML file or cElementTree 
    606         node 
    607          
    608         @type propElem: Element 
    609         @param propElem: pass in existing ElementTree treeroot 
    610         """ 
    611  
    612         log.debug("Reading properties file ...") 
    613          
    614         if not propElem: 
    615             try: 
    616                 tree = ElementTree.parse(self.__propFilePath) 
    617                 propElem = tree.getroot() 
    618  
    619             except IOError, e: 
    620                 raise SessionMgrError( 
    621                                 "Error parsing properties file \"%s\": %s" % \ 
    622                                 (e.filename, e.strerror))               
    623             except Exception, e: 
    624                 raise SessionMgrError( 
    625                     "Error parsing properties file: \"%s\": %s" % \ 
    626                     (self.__propFilePath, e)) 
    627  
    628         if propElem is None: 
    629             raise SessionMgrError( 
    630                             "Parsing properties: root element is not defined") 
    631   
     606    def readProperties(self): 
     607        ''' 
     608        Read the properties files and do some checking/converting of input values 
     609        ''' 
     610        # Configuration file properties are held together in a dictionary 
     611        self.__prop = readAndValidateProperties(self.propFilePath, validKeys=SessionMgr.__validElem) 
     612        #, \ 
     613                                     #sections = ['myProxyProp', 'credReposProp', 'simpleCACltProp']) 
     614         
     615        # add the WS-security properties to the main properties 
     616        if self.__prop.has_key(self.WS_SETTINGS_KEY): 
     617            self.__prop.update(self.__prop[self.WS_SETTINGS_KEY]) 
     618 
    632619        missingElem = [] 
    633         invalidElem = [] 
    634         try: 
    635             for elem in propElem: 
    636                 if elem.tag == 'myProxyProp': 
    637                     self.__myPx.readProperties(propElem=elem) 
    638      
    639                 elif elem.tag == 'credReposProp': 
    640                     self.__prop['credReposProp'] = \ 
    641                                 dict([(e.tag, filtElemTxt(e)) for e in elem]) 
     620        # Further process the input config detail - to ensure subelement details 
     621        # are properly set up 
     622        for key, val in self.__prop.items(): 
     623            if key == 'myProxyProp': 
     624                self.__myPx.readProperties(propElem = val) 
     625                 
     626            elif key == 'credReposProp': 
     627                self.__prop['credReposProp'] = \ 
     628                    dict([(e.tag, filtElemTxt(e)) for e in val]) 
    642629                             
    643                     # Check for missing elements 
    644                     missingElem.extend(getMissingElem(\ 
     630                # Check for missing elements 
     631                missingElem.extend(getMissingElem(\ 
    645632                                           self.__validElem['credReposProp'], 
    646633                                           self.__prop['credReposProp'])) 
    647634                     
    648                 elif elem.tag == 'simpleCACltProp': 
    649                     self.__prop['simpleCACltProp'] = \ 
    650                                 dict([(e.tag, filtElemTxt(e)) for e in elem]) 
     635            elif key == 'simpleCACltProp': 
     636                self.__prop['simpleCACltProp'] = \ 
     637                    dict([(e.tag, filtElemTxt(e)) for e in val]) 
    651638                             
    652                     # Check for missing elements 
    653                     missingElem.extend(getMissingElem(\ 
     639                # Check for missing elements 
     640                missingElem.extend(getMissingElem(\ 
    654641                                       self.__validElem['simpleCACltProp'], 
    655642                                       self.__prop['simpleCACltProp'])) 
    656643                     
    657                 elif elem.tag in self.__validElem: 
    658                     # Strip white space but not in the case of password  
    659                     # field as password might contain leading or  
    660                     # trailing white space 
    661                     if isinstance(self.__validElem[elem.tag], list): 
    662                         if len(elem) == 0 and elem.text is not None: 
    663                             # Treat as a list of space separated elements 
    664                             self.__prop[elem.tag] = elem.text.split() 
    665                         else: 
    666                             # Parse from a list of sub-elements 
    667                             self.__prop[elem.tag] = [filtElemTxt(subElem) \ 
    668                                                      for subElem in elem] 
    669                          
    670                     elif elem.text is not None and elem.tag != 'keyPwd':                         
    671                         if elem.text.isdigit(): 
    672                             self.__prop[elem.tag] = int(elem.text) 
    673                         else:                             
    674                             # Check for environment variables in file paths 
    675                             self.__prop[elem.tag] = filtElemTxt(elem)         
    676                     else: 
    677                         self.__prop[elem.tag] = elem.text 
    678                 else: 
    679                     invalidElem.append(elem.tag) 
    680                  
    681         except Exception, e: 
    682             raise SessionMgrError( 
    683                 'Error parsing tag "%s" in properties file: %s' % (elem.tag,e)) 
    684644 
    685645        missingElem.extend(getMissingElem(self.__prop, self.__validElem)) 
    686646        errMsg = '' 
    687647         
    688         if invalidElem != []: 
    689             errMsg = 'Invalid elements: "%s"\n' % '", "'.join(invalidElem) 
    690  
    691         if missingElem != []: 
    692             errMsg += 'Missing elements: "%s"\n' % '", "'.join(missingElem) 
    693  
    694         if errMsg: 
    695             raise SessionMgrError(errMsg +  " for properties file") 
    696  
    697         log.info('Loaded properties from "%s"' % self.__propFilePath) 
     648        if missingElem: 
     649            raise SessionMgrError('Missing elements: "%s"\n' %  
     650                                  '", "'.join(missingElem) + \ 
     651                                  " for properties file") 
     652 
     653        log.info('Loaded properties from "%s"' % self._propFilePath) 
    698654        
    699655 
     
    940896            # 
    941897            wssSignatureHandlerKw = { 
    942             'refC14nInclNS': self.__prop.get('wssRefInclNS', []), 
    943             'signedInfoC14nInclNS': self.__prop.get('wssSignedInfoInclNS', [])} 
     898            'refC14nInclNS': self.__prop.get('refC14nInclNS', []), 
     899            'signedInfoC14nInclNS': self.__prop.get('signedInfoC14nInclNS', [])} 
    944900 
    945901            try:    
     
    12301186        try: 
    12311187            sessMgrClnt = SessionMgrClient(uri=userSessMgrURI, 
    1232                                  signingCertFilePath=self.__prop['certFile'], 
    1233                                  signingPriKeyFilePath=self.__prop['keyFile'], 
    1234                                  signingPriKeyPwd=self.__prop['keyPwd'])            
     1188                                 signingCertFilePath=self.__prop['signingCertFilePath'], 
     1189                                 signingPriKeyFilePath=self.__prop['signingPriKeyFilePath'], 
     1190                                 signingPriKeyPwd=self.__prop['signingPriKeyPwd'])            
    12351191        except Exception, e: 
    12361192            raise SessionMgrError( 
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/ca/__init__.py

    r2954 r4138  
    7878                    'sslCertFile', 
    7979                    'sslKeyFile', 
    80                     'caCertFile', 
    81                     'certFile', 
    82                     'keyFile', 
    83                     'keyPwd', 
    84                     'clntCertFile', 
    8580                    'openSSLConfigFilePath', 
    8681                    'certLifetimeDays', 
     
    326321                return int(txt) 
    327322             
    328             elif tag != 'keyPwd':  
     323            elif tag != 'signingPriKeyPwd':  
    329324                # Password may contain leading/trailing spaces 
    330325                return os.path.expandvars(txt.strip()) 
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/conf/attAuthority.cfg

    r4131 r4138  
    3838caCertFileList: $NDGSEC_DIR/conf/certs/ca/cacert.pem   
    3939 
    40 # Leave blank for NO SOAP signature 
    41 useSignatureHandler: Yes  
    42  
    43 # Set the certificate used to verify the signature of messages from the  
    44 # client.  This can usually be left blank since the client is expected to  
    45 # include the cert with the signature in the inbound SOAP message 
    46 clntCertFile: 
    4740# Lifetime is measured in seconds 
    4841attCertLifetime: 86400  
     
    9184signingPriKeyPwd= 
    9285 
     86# Pass a list of certificates ',' separated PEM encoded certs constituting a  
     87# chain of trust from the certificate used to verifying the signature backward  
     88# to the CA cert.  The CA cert need not be included.  To use this option,  
     89# reqBinSecTokValType must be set to the X509PKIPathv1 
     90signingCertChain= 
     91 
    9392# Set the ValueType for the BinarySecurityToken added to the WSSE header for a 
    9493# signed message.  See __setReqBinSecTokValType method and binSecTokValType  
     
    127126# message will be assigned to the verifyingCert attribute. 
    128127 
     128verifyingCert: 
    129129# ... or provide file path PEM encode cert here 
    130130verifyingCertFilePath:  
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/conf/attAuthority.tac

    r4129 r4138  
    8484 
    8585        # Derive designated holder cert differently according to whether 
    86         # a signed message is expected from the client 
    87         if srv.aa['useSignatureHandler']: 
     86        # a signed message is expected from the client - NB, this is dependent 
     87        # on WS-Security properties having been set 
     88        if srv.aa.has_key('WS-Security'): 
    8889            # Get certificate corresponding to private key that signed the 
    8990            # message - i.e. the user's proxy 
     
    234235        request, response = AttAuthorityService.soap_getX509Cert(self, ps) 
    235236         
    236         x509Cert = X509CertRead(srv.aa['certFile']) 
     237        x509Cert = X509CertRead(srv.aa['signingCertFilePath']) 
    237238        response.X509Cert = base64.encodestring(x509Cert.asDER()) 
    238239        return request, response 
     
    243244# Create Service 
    244245srv = AttAuthorityServiceSub() 
    245 if srv.aa['useSignatureHandler']: 
     246if srv.aa.has_key('WS-Security'): 
    246247    # Initialise WS-Security signature handler passing Attribute Authority 
    247248    # public and private keys 
    248249     
    249250    # Inclusive namespaces for Exclusive C14N 
    250     refC14nInclNS = srv.aa['wssRefInclNS'] 
    251     signedInfoC14nInclNS = srv.aa['wssSignedInfoInclNS'] 
     251    refC14nInclNS = srv.aa['refC14nInclNS'] 
     252    signedInfoC14nInclNS = srv.aa['signedInfoC14nInclNS'] 
    252253     
    253254    WSSecurityHandler.signatureHandler = SignatureHandler(\ 
    254                                         verifyingCertFilePath=srv.aa['clntCertFile'], 
    255                                         signingCertFilePath=srv.aa['certFile'], 
    256                                         signingPriKeyFilePath=srv.aa['keyFile'], 
    257                                         signingPriKeyPwd=srv.aa['keyPwd'], 
     255                                        verifyingCertFilePath=srv.aa['verifyingCertFilePath'], 
     256                                        signingCertFilePath=srv.aa['signingCertFilePath'], 
     257                                        signingPriKeyFilePath=srv.aa['signingPriKeyFilePath'], 
     258                                        signingPriKeyPwd=srv.aa['signingPriKeyPwd'], 
    258259                                        caCertFilePathList=srv.aa.get('caCertFileList'), 
    259260                                        refC14nInclNS=refC14nInclNS, 
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/conf/attAuthorityProperties.xml

    r4035 r4138  
    1818     - ignored if useSSL is blank --> 
    1919    <sslCACertDir>$NDGSEC_DIR/conf/certs/ca</sslCACertDir> 
     20    <!--  NB, if no signature handling is required, do not include this element --> 
     21    <WS-Security> 
    2022    <!-- 
    2123    WS-Security settings for signature of outbound SOAP messages 
    2224    --> 
    23     <useSignatureHandler>Yes</useSignatureHandler> <!-- leave blank for no signature --> 
    24     <certFile>$NDGSEC_DIR/conf/certs/aa-cert.pem</certFile> 
    25     <keyFile>$NDGSEC_DIR/conf/certs/aa-key.pem</keyFile> 
    26     <keyPwd></keyPwd> 
    27         <!--  
    28         Inclusive namespace prefixes for reference and SignedInfo sections of 
    29         WS-Security digital signature 
    30         --> 
    31         <wssRefInclNS></wssRefInclNS> 
    32         <wssSignedInfoInclNS></wssSignedInfoInclNS> 
    33     <!--  
    34     CA Certificates used to verify X.509 certs used in peer SOAP messages, 
    35     and Attribute Certificates. 
    36      
    37     The CA certificates of other NDG trusted sites should go here. 
    38     --> 
    39     <caCertFileList> 
    40         <caCertFile>$NDGSEC_DIR/conf/certs/ca/cacert.pem</caCertFile> 
    41     </caCertFileList> 
    42     <!--  
    43     Set the certificate used to verify the signature of messages from the  
    44     client.  This can usually be left blank since the client is expected to  
    45     include the cert with the signature in the inbound SOAP message 
    46     --> 
    47     <clntCertFile></clntCertFile>     
     25            <signingCertFilePath>$NDGSEC_DIR/conf/certs/aa-cert.pem</signingCertFilePath> 
     26            <signingPriKeyFilePath>$NDGSEC_DIR/conf/certs/aa-key.pem</signingPriKeyFilePath> 
     27            <signingPriKeyPwd></signingPriKeyPwd> 
     28                <!--  
     29                Inclusive namespace prefixes for reference and SignedInfo sections of 
     30                WS-Security digital signature 
     31                --> 
     32                <refC14nInclNS></refC14nInclNS> 
     33                <signedInfoC14nInclNS></signedInfoC14nInclNS> 
     34            <!--  
     35        CA Certificates used to verify X.509 certs used in peer SOAP messages, 
     36            and Attribute Certificates. 
     37         
     38            The CA certificates of other NDG trusted sites should go here. 
     39        --> 
     40            <caCertFileList> 
     41            <caCertFile>$NDGSEC_DIR/conf/certs/ca/cacert.pem</caCertFile> 
     42            </caCertFileList> 
     43            <!-- Set the value type of the server cert --> 
     44        <reqBinSecTokValType>X509v3</reqBinSecTokValType> 
     45            <!-- Set the response message header to include a SignatureConfirmation element --> 
     46            <applySignatureConfirmation>True</applySignatureConfirmation> 
     47        <!--  
     48            Set the certificate used to verify the signature of messages from the  
     49            client.  This can usually be left blank since the client is expected to  
     50            include the cert with the signature in the inbound SOAP message 
     51        --> 
     52            <verifyingCertPath></verifyingCertPath>    
     53        </WS-Security> 
    4854    <attCertLifetime>86400</attCertLifetime> <!-- Measured in seconds --> 
    4955        <!--  
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/conf/ca.tac

    r4129 r4138  
    9696# public and private keys 
    9797WSSecurityHandler.signatureHandler = SignatureHandler(\ 
    98                                                         verifyingCertFilePath=srv.ca.get('clntCertFile'), 
    99                             signingCertFilePath=srv.ca['certFile'], 
    100                             signingPriKeyFilePath=srv.ca['keyFile'], 
    101                             signingPriKeyPwd=srv.ca['keyPwd']) 
     98                                                        verifyingCertFilePath=srv.ca.get('verifyingCertPath'), 
     99                            signingCertFilePath=srv.ca['signingCertFilePath'], 
     100                            signingPriKeyFilePath=srv.ca['signingPriKeyFilePath'], 
     101                            signingPriKeyPwd=srv.ca['signingPriKeyPwd']) 
    102102 
    103103# Add Service to Session Manager branch 
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/conf/sessionMgr.cfg

    r4115 r4138  
    1010# version 1.0 or later. 
    1111# 
    12  
     12[DEFAULT] 
    1313# the port number the service is to run on  
    1414portNum:   
     
    2828 
    2929# CA Certificates used to verify X.509 certs used in Attribute Certificates. 
    30 # The CA certificates of other NDG trusted sites should go here. 
     30# The CA certificates of other NDG trusted sites should go here.  NB, multiple 
     31# values should be delimited by a space 
    3132caCertFileList: $NDGSEC_DIR/conf/certs/ca/cacert.pem   
    3233  
     
    3637cookieDomain:  
    3738 
    38 # Leave blank for NO SOAP signature 
    39 useSignatureHandler: Yes  
    40  
    4139# 
    4240# SOAP Signature Handler settings 
     41# Leave blank for NO SOAP signature 
    4342[WS-Security] 
    4443# 
     
    6059# Password protecting private key.  Leave blank if there is no password. 
    6160signingPriKeyPwd= 
     61 
     62# Pass a list of certificates ',' separated PEM encoded certs constituting a  
     63# chain of trust from the certificate used to verifying the signature backward  
     64# to the CA cert.  The CA cert need not be included.  To use this option,  
     65# reqBinSecTokValType must be set to the X509PKIPathv1 
     66signingCertChain= 
    6267 
    6368# Provide a space separated list of file paths 
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/conf/sessionMgr.tac

    r4129 r4138  
    116116        sessID = request.SessID or None 
    117117                 
    118         if srv.sm['useSignatureHandler']: 
     118        if srv.sm.has_key('WS-Security'): 
    119119            # Get certificate corresponding to private key that signed the 
    120120            # message - i.e. the user's proxy 
     
    164164        # Get certificate corresponding to private key that signed the 
    165165        # message - i.e. the user's              
    166         if srv.sm['useSignatureHandler']: 
     166        if srv.sm.has_key('WS-Security'): 
    167167            # Get certificate corresponding to private key that signed the 
    168168            # message - i.e. the user's proxy 
     
    205205        request, response = _SessionMgrService.soap_getX509Cert(self, ps) 
    206206 
    207         x509Cert = X509CertRead(srv.sm['certFile']) 
     207        x509Cert = X509CertRead(srv.sm['signingCertFilePath']) 
    208208        response.X509Cert = base64.encodestring(x509Cert.asDER()) 
    209209        return request, response 
     
    213213srv = SessionMgrService() 
    214214 
    215 if srv.sm['useSignatureHandler']: 
     215if srv.sm.has_key('WS-Security'): 
    216216        # Initialise WS-Security signature handler passing Session Manager 
    217217        # public and private keys 
    218218     
    219219    # Inclusive namespaces for Exclusive C14N 
    220         refC14nInclNS = srv.sm['wssRefInclNS'] 
    221         signedInfoC14nInclNS = srv.sm['wssSignedInfoInclNS'] 
     220        refC14nInclNS = srv.sm['refC14nInclNS'] 
     221        signedInfoC14nInclNS = srv.sm['signedInfoC14nInclNS'] 
    222222 
    223223        WSSecurityHandler.signatureHandler = SignatureHandler(\ 
    224                                                         verifyingCertFilePath=srv.sm['clntCertFile'], 
    225                             signingCertFilePath=srv.sm['certFile'], 
    226                             signingPriKeyFilePath=srv.sm['keyFile'], 
    227                             signingPriKeyPwd=srv.sm['keyPwd'], 
     224                                                        verifyingCertFilePath=srv.sm['verifyingCertPath'], 
     225                            signingCertFilePath=srv.sm['signingCertFilePath'], 
     226                            signingPriKeyFilePath=srv.sm['signingPriKeyFilePath'], 
     227                            signingPriKeyPwd=srv.sm['signingPriKeyPwd'], 
    228228                            caCertFilePathList=srv.sm.get('caCertFileList'), 
    229229                                        refC14nInclNS=refC14nInclNS, 
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/conf/sessionMgrProperties.xml

    r4035 r4138  
    1919    PKI settings for WS-Security signature of outbound SOAP messages 
    2020    --> 
    21     <useSignatureHandler>Yes</useSignatureHandler> <!-- leave blank for no signature --> 
    22     <!-- X.509 certificate included in SOAP header --> 
    23     <certFile>$NDGSEC_DIR/conf/certs/sm-cert.pem</certFile> 
    24     <!-- corresponding private key used to sign the SOAP message --> 
    25     <keyFile>$NDGSEC_DIR/conf/certs/sm-key.pem</keyFile> 
    26     <!-- Password protecting private key file - leave blank if none set --> 
    27     <keyPwd></keyPwd> 
    28     <!--  
    29         Inclusive namespace prefixes for reference and SignedInfo sections of 
    30         WS-Security digital signature 
    31     --> 
    32     <wssRefInclNS></wssRefInclNS> 
    33         <wssSignedInfoInclNS></wssSignedInfoInclNS> 
    34     <!--  
    35     CA Certificates used to verify X.509 certs used in peer SOAP messages, 
    36     and Attribute Certificates. 
     21    <!--  NB, if no signature handling is required, do not include this element --> 
     22    <WS-Security> 
     23            <!-- X.509 certificate included in SOAP header --> 
     24            <signingCertFilePath>$NDGSEC_DIR/conf/certs/sm-cert.pem</signingCertFilePath> 
     25            <!-- corresponding private key used to sign the SOAP message --> 
     26            <signingPriKeyFilePath>$NDGSEC_DIR/conf/certs/sm-key.pem</signingPriKeyFilePath> 
     27            <!-- Password protecting private key file - leave blank if none set --> 
     28            <signingPriKeyPwd></signingPriKeyPwd> 
     29            <!--  
     30            Inclusive namespace prefixes for reference and SignedInfo sections of 
     31                WS-Security digital signature 
     32            --> 
     33        <refC14nInclNS></refC14nInclNS> 
     34                <signedInfoC14nInclNS></signedInfoC14nInclNS> 
     35        <!--  
     36        CA Certificates used to verify X.509 certs used in peer SOAP messages, 
     37            and Attribute Certificates. 
    3738     
    38     The CA certificates of other NDG trusted sites should go here. 
    39     --> 
    40     <caCertFileList> 
    41         <caCertFile>$NDGSEC_DIR/conf/certs/ca/cacert.pem</caCertFile> 
    42     </caCertFileList> 
    43     <!--  
    44     Set the certificate used to verify the signature of messages from the  
    45     client.  This can usually be left blank since the client is expected to  
    46     include the cert with the signature in the inbound SOAP message 
    47     --> 
    48     <clntCertFile></clntCertFile>  
     39            The CA certificates of other NDG trusted sites should go here. 
     40            --> 
     41        <caCertFileList> 
     42                <caCertFile>$NDGSEC_DIR/conf/certs/ca/cacert.pem</caCertFile> 
     43        </caCertFileList> 
     44            <!--  
     45        Set the certificate used to verify the signature of messages from the  
     46            client.  This can usually be left blank since the client is expected to  
     47        include the cert with the signature in the inbound SOAP message 
     48            --> 
     49            <verifyingCertPath></verifyingCertPath> 
     50        </WS-Security>  
    4951    <!-- 
    5052    Following two settings may be left blank.  These fields are likely to be 
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/conf/simpleCAProperties.xml

    r3652 r4138  
    66    <sslKeyFile></sslKeyFile> 
    77    <caCertFile></caCertFile> 
    8     <certFile></certFile> 
    9     <keyFile></keyFile> 
    10     <keyPwd></keyPwd> 
    11         <wssRefInclNS></wssRefInclNS> 
    12         <wssSignedInfoInclNS></wssSignedInfoInclNS> 
    13     <!--  
    14     Set the certificate used to verify the signature of messages from the  
    15     client.  This can usually be left blank since the client is expected to  
    16     include the cert with the signature in the inbound SOAP message 
    17     --> 
    18     <clntCertFile></clntCertFile>     
     8    <WS-Security> 
     9            <signingCertFilePath></signingCertFilePath> 
     10        <signingPriKeyFilePath></signingPriKeyFilePath> 
     11            <signingPriKeyPwd></signingPriKeyPwd> 
     12                <refC14nInclNS></refC14nInclNS> 
     13                <signedInfoC14nInclNS></signedInfoC14nInclNS> 
     14        <!--  
     15            Set the certificate used to verify the signature of messages from the  
     16        client.  This can usually be left blank since the client is expected to  
     17            include the cert with the signature in the inbound SOAP message 
     18        --> 
     19            <verifyingCertPath></verifyingCertPath> 
     20        </WS-Security>     
    1921        <!--  
    2022        OpenSSL configuration file - omit to use globus default 
     
    3133    <certExpiryDate>2006 08 31 00 00</certExpiryDate> 
    3234    --> 
    33     <certLifetimeDays>365*2<certLifetimeDays/> 
     35    <certLifetimeDays>365*2</certLifetimeDays> 
    3436    <!-- Directory for temporary files generated during processing --> 
    35     <certTmpDir>/tmp<certTmpDir/> 
     37    <certTmpDir>/tmp</certTmpDir> 
    3638    <!-- Executable for checking the CA pass-phrase set --> 
    3739    <chkCAPassphraseExe>openssl</chkCAPassphraseExe> 
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso.cfg

    r3914 r4138  
    5050enableOpenID: True 
    5151 
    52 [WSSecurity] 
     52[WS-Security] 
    5353 
    5454# Settings for signature of an outbound message ... 
     
    6767# Password protecting private key.  Leave blank if there is no password. 
    6868signingPriKeyPwd= 
     69 
     70# Pass a list of certificates ',' separated PEM encoded certs constituting a  
     71# chain of trust from the certificate used to verifying the signature backward  
     72# to the CA cert.  The CA cert need not be included.  To use this option,  
     73# reqBinSecTokValType must be set to the X509PKIPathv1 
     74signingCertChain= 
    6975 
    7076# Provide a space separated list of file paths.  CA Certs should be included  
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/sso/sso/config/ssoServiceMiddleware.py

    r3994 r4138  
    103103              defSection='DEFAULT',  
    104104              layoutSection='layout', 
    105               wssSection='WSSecurity'): 
     105              wssSection='WS-Security'): 
    106106        '''Extract content of config file object into self''' 
    107107               
  • TI12-security/trunk/python/ndg.security.server/ndg/security/server/zsi/attributeauthority.py

    r4129 r4138  
    4747 
    4848        # Derive designated holder cert differently according to whether 
    49         # a signed message is expected from the client 
    50         if self.aa['useSignatureHandler']: 
     49        # a signed message is expected from the client - NB, this is dependent 
     50        # on WS-Security properties having been set 
     51        if self.aa.has_key('WS-Security'): 
    5152            # Get certificate corresponding to private key that signed the 
    5253            # message - i.e. the user's proxy 
     
    197198        request, response = _AttAuthorityService.soap_getX509Cert(self, ps) 
    198199         
    199         x509Cert = X509CertRead(self.aa['certFile']) 
     200        x509Cert = X509CertRead(self.aa['signingCertFilePath']) 
    200201        response.X509Cert = base64.encodestring(x509Cert.asDER()) 
    201202        return request, response 
Note: See TracChangeset for help on using the changeset viewer.